nis2-and-ncsc-caf-v4-0-what-uk-and-ireland-firms-need
  • NIS 2
  • 14th Jul 2026
  • 1 min read

NIS2 and NCSC CAF v4.0: What UK and Ireland Firms Need

Gabriel Few-Wiegratz
  • Written by
Gabriel Few-Wiegratz
View my profile on
In Short...
  • CAF v4.0 shifts UK assessment from checklist to threat-informed evidence: organisations must now demonstrate they understand attacker behaviour and how it could be exploited.
  • The Cyber Security and Resilience Bill widens UK scope: data centres, managed service providers, and large load controllers over 300 MW join the regulated perimeter, with penalties of up to £17 million or 4% of global turnover for the most serious breaches.
  • Ireland's NIS2 transposition multiplies the regulated population tenfold: scope moves from roughly 450 NIS1 operators to between 4,500 and 6,000 essential and important entities.
  • Non-compliance carries personal and financial consequences: EU fines reach €10 million or 2% of turnover for essential entities, and Irish directors risk disqualification under the Companies Act 2014 for persistent failures.

NIS2 (Directive (EU) 2022/2555, the EU's cybersecurity risk-management law) and NCSC CAF v4.0 (the UK's Cyber Assessment Framework for critical sectors) now set overlapping expectations for UK and Ireland critical infrastructure firms. Both carry board-level accountability, incident reporting deadlines counted in hours, and financial penalties that scale with global turnover. Organisations that manage them as separate projects spend twice the effort and still leave gaps, because the two frameworks share the majority of their underlying control requirements. This guide sets out what each framework requires, where they converge, and what a single compliance programme covering both looks like in practice.

Expert View

 

Matt Davies

Chief Product Officer, SureCloud

LinkedIn

 

 

What our experts say about converging UK and Irish cyber regulation

 

"Firms often build separate workstreams for CAF and NIS2, then wonder why evidence never lines up. We tell clients to start with one control set and map both frameworks onto it. That's the only way we've seen teams pass a CAF review and an NIS2 audit without doubling the workload."



 

The UK Picture: CAF v4.0 and the Cyber Security and Resilience Bill

For UK organisations in critical national infrastructure (CNI) and the public sector, the NCSC Cyber Assessment Framework (CAF) is the primary tool regulators use to evaluate cyber resilience. It sits well above baseline certifications such as Cyber Essentials Certification, assessing ongoing organisational resilience across an essential function rather than a fixed set of technical controls. CAF v4.0, released by the NCSC in August 2025, is now used by nearly all UK cyber regulators and forms the basis for GovAssure, the assurance scheme covering critical government systems.

 

Version 4.0 represents a shift from static, checklist-driven compliance to active, threat-informed resilience. The key changes are substantive:

  1. "Understanding Threat" (outcome A2.b): organisations must analyse threat actor capabilities, motivations, and likely attack steps using structured, repeatable methods, and demonstrate they understand how adversaries actually operate.
  2. "Secure Software Development & Support" (outcome A4.b): new controls for secure-by-design development, software transparency, patching, and integrity checks across the software supply chain.
  3. "Threat Hunting" (outcome C2): detection has moved from passive monitoring to proactive search for malicious activity, now a standard organisational expectation rather than an optional capability.
  4. AI-related cyber risks: CAF v4.0 introduces coverage of AI-specific threats and their impact on both defensive operations and the attack surface.

In total, CAF v4.0 adds 108 new Indicators of Good Practice across 41 contributing outcomes, up from 39 outcomes in v3.2. Organisations that haven't revisited their CAF assessment since v3.1 or v3.2 will find meaningful gaps.

 

The Cyber Security and Resilience Bill: What Changes

 

The Cyber Security and Resilience Bill, introduced to Parliament in November 2025, extends the NIS Regulations 2018 significantly rather than replacing them. Since then, the Bill has cleared all its House of Commons stages and is now before the House of Lords, with Royal Assent expected later in 2026.

 

Three categories of organisation are newly in scope:

 

New category

Threshold

Regulator

Data centre services

Rated IT load of 1 MW+ (enterprise: 10 MW+)

Ofcom

Managed service providers

Medium and large MSPs serving UK customers

Information Commissioner’s Office

Large load controllers

300 MW+ electrical control capacity

Sector regulator

 

Beyond scope expansion, the Bill introduces mandatory incident reporting within 24 hours of a harmful breach, with a full report required within 72 hours. Penalties are tiered: up to £17 million or 4% of worldwide turnover for the most serious breaches, and up to £10 million or 2% for less serious ones, whichever figure is higher in each band.

 

The practical implication: if your organisation provides services to an Operator of Essential Services, you may now be designated a "critical supplier" and brought into scope regardless of your own sector.

The Ireland Picture: NIS2 Transposition and What It Means in Practice

Ireland missed the EU's NIS2 transposition deadline of 17 October 2024. NIS1 remains in force for now, and preparation for NIS2 should continue regardless. The National Cyber Security Bill 2024 (NCSB) is progressing through the Oireachtas, with a commencement order and registration portal expected by July 2026 and a self-registration deadline three months after portal launch, according to the NCSC Ireland's own NIS2 guidance.

 

The scale of change is significant. NIS1 covered approximately 450 operators of essential services in Ireland. NIS2, once fully transposed, will bring between 4,500 and 6,000 organisations into scope.

 

Who Is In Scope Under NIS2 Ireland

 

The NCSB distinguishes between two tiers:

  1. Essential entities: 250+ FTE and €50M+ turnover, operating in highly critical sectors (energy, transport, health, water, digital infrastructure, public administration, space)
  2. Important entities: 50+ FTE and €10M+ turnover, operating in other critical sectors (manufacturing, postal, waste, food production)

Financial entities under DORA (the EU's Digital Operational Resilience Act, which governs ICT risk for banks and financial market infrastructure) are carved out as lex specialis, meaning DORA takes precedence over NIS2 wherever the two overlap for in-scope financial firms.

 

The Obligations That Come With It

 

NIS2 is a demanding, evidence-heavy framework. For organisations in scope, the core obligations include:

  1. Risk management: documented cybersecurity risk measures across technical, operational, and organisational controls
  2. Incident reporting: initial notification within 24 hours of a significant incident, a full report within 72 hours, and a final report within 30 days
  3. Supply chain security: organisations must assess and manage the cyber risks posed by their suppliers and service providers
  4. Board accountability: management bodies are personally liable for non-compliance with risk management obligations, and directors of persistently non-compliant organisations could face disqualification under the Companies Act 2014, per legal analysis of the NCSB

The financial penalties are material: up to €10 million or 2% of global annual turnover for essential entities, and €7 million or 1.4% for important entities. Public sector bodies face binding statutory directions and parliamentary scrutiny instead of financial penalties.

 

The part most organisations underestimate: NIS2 requires boards to approve cybersecurity risk management measures and to oversee their implementation directly. It's a governance obligation that sits with the board itself.

Where CAF and NIS2 Converge

Despite operating under different legislative instruments, CAF v4.0 and NIS2 share a striking amount of common ground. This is deliberate: the NCSC designed CAF v4.0 in part to support the UK government's Cyber Security and Resilience Bill, which mirrors NIS2's intent even though it takes a different legislative approach.

 

The convergence runs deeper than structure alone, and is visible across four areas:

 

Requirement

NIS2 (Ireland/EU)

NCSC CAF v4.0 (UK)

Risk management

Article 21 mandatory measures

Objective A: Managing security risk

Incident reporting

24h / 72h / 30-day cascade

Objective D: Detection and response

Supply chain security

Mandatory third-party risk assessment

Principle B3: Supply chain security

Board accountability

Management body liability

Governance principle A1

 

Both frameworks are moving in the same direction: away from point-in-time audits and tick-box assessments, towards continuous, evidence-based assurance.

 

Key takeaway: an organisation that builds a genuine CAF-aligned programme will satisfy the majority of NIS2's Article 21 obligations. The reverse is also true. The frameworks reinforce each other.

 

This matters enormously for organisations operating across both jurisdictions, or for UK organisations whose supply chains extend into the EU. Running two separate compliance programmes for requirements that are, in substance, the same thing is an unnecessary cost and a governance risk in itself.

The Execution Problem Compliance Guides Skip

Here's the reality most compliance guides skip: most teams already understand what CAF and NIS2 require. Executing against them with existing headcount is the harder problem.

 

CAF v4.0 produces 41 individual assessments. NIS2 mandates ongoing risk management, third-party assessments, and incident reporting workflows. Both demand evidence trails that hold up to regulatory scrutiny, and both outgrow a spreadsheet-based approach once the volume of obligations reaches a certain scale.

 

The global average cost of a data breach reached $4.44 million in 2025 (IBM Cost of a Data Breach Report). That figure excludes regulatory fines. For an organisation facing NIS2 penalties of up to €10 million on top of breach costs, the cost of under-investing in GRC (governance, risk, and compliance) infrastructure becomes clear fairly quickly.

What a Mature Compliance Programme Looks Like

Organisations that manage CAF and NIS2 obligations effectively tend to share a few common characteristics:

  1. A single risk register that maps controls across both frameworks, so a control tested once satisfies multiple requirements
  2. Continuous controls monitoring rather than annual assessments, which keeps evidence current and audit preparation predictable
  3. Automated incident workflows that generate the 24-hour initial notification and 72-hour full report without a manual scramble under pressure
  4. Third-party risk management that's systematic and documented, rather than reliant on email chains and spreadsheets

The common thread: compliance runs as a continuous programme, with evidence accumulating in real time well beyond any single deadline, using the specific technical and organisational measures our NIS2 compliance guide sets out in more depth.

 

The organisations that will struggle are those treating NIS2 and CAF as separate workstreams, running manual evidence collection, and relying on point-in-time assessments, precisely the gap our piece on compliance vs continuous assurance examines in more depth. Regulators want evidence of a living, continuously updated programme that reflects today's control state, rather than a snapshot from six months ago.

Where to Start

If your organisation is in scope for either framework and hasn't yet begun a structured assessment, these are the four questions that matter most right now:

 

Are you classified correctly?

Under NIS2, essential and important entity thresholds determine your obligations and your penalty exposure. Under the UK Cyber Security and Resilience Bill, new categories (MSPs, data centres, critical suppliers) may bring you into scope for the first time. Confirm your classification before building a compliance plan.

 

When did you last run a CAF assessment?

If it was against v3.1 or earlier, you have a gap. CAF v4.0's 108 new Indicators of Good Practice include requirements around threat understanding, secure software development, and AI-related risks introduced for the first time in this version.

 

Can you hit a 24-hour reporting deadline today?

Both frameworks require an initial incident notification within 24 hours. If your incident response process is manual, or if the people who'd need to act on it are unclear on the workflow, that's the most urgent operational gap to close.

 

How are you managing third-party risk?

NIS2 and CAF both require documented supply chain security. If your vendor risk programme is spreadsheet-based or infrequent, it will fall short of either framework's expectations.

 

SureCloud's Compliance Management platform natively supports NCSC CAF v4.0 alongside NIS2, ISO 27001, DORA, and other frameworks, in a single environment. Controls tested once map across multiple standards, and Gracie AI Agents with Personas and Skills chase down evidence continuously rather than in an annual sprint, cutting manual evidence collection by 50-65% for customers already running the platform. Audit preparation moves from weeks to days.

 

The regulatory window is closing. Ireland's NIS2 registration portal is expected to open in July 2026, and the UK Cyber Security and Resilience Bill is progressing through Parliament. For organisations in critical infrastructure and government, the real question is when to act: now, on your own terms, or later, under pressure.

See How SureCloud Maps CAF, NIS2, and DORA in One Place

Gracie AI Agents with Personas and Skills keep control evidence current across every framework you hold, including CAF v4.0 and NIS2, so audit preparation draws on evidence you've already verified. Customers using SureCloud report a 75% reduction in audit prep time.
Related articles:
  • NIS 2

NIS2 Compliance Software: 3 Gaps Spreadsheets Miss

  • ISO 27001
  • NIS 2

NIS2 Control Mapping: Reuse ISO 27001 and CIS Work

  • Compliance Management

Compliance Management Software: Top 10 Tools for DORA, NIS2 & FCA 2026

Share this article

FAQ’s

What is the difference between NIS2 and NCSC CAF v4.0?

NIS2 is the EU's cyber risk directive for in-scope organisations across member states. NCSC CAF v4.0 is the UK framework used to assess cyber resilience. They overlap heavily on risk management, incident response, supply chain security, and board accountability, which is why a single compliance programme can usually satisfy most of both frameworks' requirements at once.

Why does NIS2 matter for UK organisations?

UK firms can be affected through supply chains, cross-border operations, and the Cyber Security and Resilience Bill, which mirrors much of NIS2's intent under UK law. If you serve EU entities or critical UK sectors, NIS2-style controls can become relevant through supply chain pressure alone, regardless of whether the directive applies to you directly.

Why does CAF v4.0 matter for Ireland-based organisations?

CAF v4.0 matters because many Irish firms operate with UK customers, suppliers, or infrastructure dependencies. The framework also reflects the direction of travel for resilience expectations more broadly, so aligning to it reduces duplicated effort across jurisdictions.

 

Can one compliance programme cover both NIS2 and CAF?

Yes. A unified GRC (governance, risk, and compliance) programme can map shared controls, evidence, and incident workflows across both frameworks. That usually reduces duplicate assessments, keeps evidence current, and makes reporting faster when regulators want proof quickly.

What is the biggest risk of treating them separately?

The biggest risk is operational duplication. Separate programmes usually mean parallel control sets, duplicated evidence collection, and inconsistent incident processes, which increases cost and still leaves compliance gaps that a joined-up programme would have closed.