NIS CAF: The UK’s Primary Cyber Compliance Framework for Critical National Infrastructure

The Network and Information Systems Cyber Assessment Framework (NIS CAF) is the UK’s primary compliance framework for organisations classified as Critical National Infrastructure (CNI). Developed by the National Cyber Security Centre (NCSC) in response to the EU’s NIS Directive, the CAF was first introduced in 2018 and has since evolved, with version 3.2 being the latest requirement as of April 2024.

What is the NIS CAF?

The NIS CAF is designed to help organisations assess and improve their cyber resilience. The framework follows an outcome-focused approach, ensuring compliance is not just a tick-box exercise. It aligns with existing cyber security guidance and standards and helps organisations identify effective security and resilience improvements.

Key Directives of the NIS CAF:

  1. Provides a structured framework for cyber resilience assessments
  2. Maintains an outcome-based approach rather than a checklist-driven process
  3. Aligns with recognised cyber security standards
  4. Helps identify effective security improvements
  5. Applies across all sectors, with the flexibility to accommodate industry-specific requirements
  6. Supports the setting of realistic security targets for compliance
  7. Ensures a straightforward and cost-effective approach to security assessments

The Structure of NIS CAF (Version 3.2)

The framework is divided into four key objectives, each containing specific principles and controls:

  1. Managing Security Risk – 4 principles / 7 controls
  2. Protecting Against Cyber Attacks – 6 principles / 20 controls
  3. Detecting Cyber Security Events – 2 principles / 7 controls
  4. Minimising the Impact of Cyber Security Incidents – 2 principles / 5 controls

This results in 14 principles and 36 controls in total.

Each control (the smallest unit within the framework) is assessed against three achievement levels:

  • Not Achieved – If even one criterion is not met, this must be selected
  • Partially Achieved – All criteria within the control must be partially met
  • Fully Achieved – All criteria within the control must be fully met

‘Not Achieved’ must be selected whenever any single criterion is not met; ‘Partially Achieved’ and ‘Fully Achieved’ can only be selected once every criterion in the control meets the corresponding level.
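The selection rule above is easy to get wrong in a spreadsheet, so here is an added worked example (written for this page, not code from 1 Sequence Cyber or the NCSC) that applies it per control and then rolls the results up per objective, which goes slightly beyond the text. Control identifiers follow the CAF's "A1.a" naming style but the criteria and results are constructed. One assumption is made explicit: a fully met criterion also counts as partially met, so a control mixing fully and partially met criteria lands on ‘Partially Achieved’.

```python
"""Roll up per-criterion results into NIS CAF control achievement levels.

Constructed example: control IDs follow the CAF's "A1.a" naming style and
the criterion results below are invented; neither comes from a real assessment.
"""
from collections import Counter
from enum import Enum


class Criterion(Enum):
    NOT_MET = "not met"
    PARTIALLY_MET = "partially met"
    FULLY_MET = "fully met"


NOT_ACHIEVED = "Not Achieved"
PARTIALLY_ACHIEVED = "Partially Achieved"
FULLY_ACHIEVED = "Fully Achieved"


def assess_control(criteria: dict[str, Criterion]) -> str:
    """Apply the CAF selection rule to one control.

    One unmet criterion forces Not Achieved; Fully Achieved needs every
    criterion fully met; anything else is Partially Achieved.
    Assumption: a fully met criterion also satisfies "partially met".
    """
    if not criteria:
        raise ValueError("a control must have at least one criterion")
    results = list(criteria.values())
    if any(r is Criterion.NOT_MET for r in results):
        return NOT_ACHIEVED
    if all(r is Criterion.FULLY_MET for r in results):
        return FULLY_ACHIEVED
    return PARTIALLY_ACHIEVED


def blocking_criteria(criteria: dict[str, Criterion]) -> list[str]:
    """Criteria that stop the control reaching Fully Achieved, unmet ones
    first, so remediation effort can be prioritised."""
    ordered = sorted(criteria.items(), key=lambda kv: kv[1] is not Criterion.NOT_MET)
    return [name for name, r in ordered if r is not Criterion.FULLY_MET]


def objective_summary(assessment: dict[str, dict[str, Criterion]]) -> dict[str, Counter]:
    """Count achievement levels per objective (A-D), read from the first
    letter of each control ID."""
    summary: dict[str, Counter] = {}
    for control_id, criteria in assessment.items():
        summary.setdefault(control_id[0], Counter())[assess_control(criteria)] += 1
    return summary


# Constructed self-assessment results (not real data).
SAMPLE_ASSESSMENT = {
    "A1.a": {"c1": Criterion.FULLY_MET, "c2": Criterion.FULLY_MET},
    "A2.a": {"c1": Criterion.FULLY_MET, "c2": Criterion.PARTIALLY_MET, "c3": Criterion.FULLY_MET},
    "B4.a": {"c1": Criterion.PARTIALLY_MET, "c2": Criterion.NOT_MET, "c3": Criterion.FULLY_MET},
    "C1.a": {"c1": Criterion.PARTIALLY_MET, "c2": Criterion.PARTIALLY_MET},
}

if __name__ == "__main__":
    for cid, crit in SAMPLE_ASSESSMENT.items():
        print(f"{cid}: {assess_control(crit)}  blocking={blocking_criteria(crit)}")
    for objective, counts in objective_summary(SAMPLE_ASSESSMENT).items():
        print(objective, dict(counts))
```

The blocking list is the useful output for a regulator conversation: it shows which criteria keep a control below ‘Fully Achieved’, with the unmet ones (which alone force ‘Not Achieved’) listed first.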

Compliance Requirements & Regulatory Oversight

The NCSC does not set compliance scope—this is determined by sector-specific governing bodies that oversee operational activities within designated CNI sectors. These governing bodies define:

  • The timeframe for compliance
  • The specific controls required for assessment
  • The level of evidence organisations must provide to verify compliance

Why Choose 1 Sequence Cyber for NIS CAF Compliance?

1 Sequence Cyber has been delivering NIS CAF compliance services since its introduction in 2018. We have supported clients across ports, transport, power, and critical facilities, ensuring they meet their compliance obligations.

Our expertise includes:

  • Helping organisations navigate NIS CAF requirements
  • Engaging with regulatory bodies to define and meet compliance goals
  • Providing clear, structured guidance to simplify the compliance process

Whatever your compliance needs, follow the sequence to NIS CAF success with 1 Sequence Cyber.

Contact us today to start your journey towards full NIS CAF compliance.

Benefits of NIS CAF Compliance

Achieving NIS CAF compliance is not just about meeting regulatory requirements—it strengthens your organisation’s overall cyber resilience and security posture. Here are the key benefits:

1. Stronger Cyber Security & Resilience

✅ Helps protect critical infrastructure from cyber threats
✅ Ensures a structured approach to risk management
✅ Enhances detection, response, and recovery from cyber incidents

2. Regulatory Compliance & Risk Reduction

✅ Ensures compliance with UK and EU cyber security regulations
✅ Reduces financial and operational risks linked to security breaches
✅ Helps avoid regulatory fines and reputational damage

3. Improved Incident Response & Recovery

✅ Enhances capabilities to detect and respond to cyber threats
✅ Minimises downtime and disruptions from security incidents
✅ Strengthens business continuity planning

4. Increased Trust & Reputation

✅ Builds confidence with customers, partners, and stakeholders
✅ Demonstrates a proactive approach to cyber security
✅ Aligns with global security best practices

5. Cost-Effective Security Strategy

✅ Helps prioritise cyber security investments effectively
✅ Supports a risk-based approach to security improvements
✅ Reduces long-term costs associated with cyber breaches

6. Industry-Specific Flexibility

✅ The framework is sector-agnostic and can be tailored to industry needs
✅ Supports custom security levels set by industry regulators
✅ Ensures a clear and practical roadmap to achieving compliance

Common Cybersecurity Questions and Answers

Cybersecurity can be complex, but addressing common questions helps clarify key concepts. Businesses often ask about safeguarding sensitive data, achieving compliance, and preventing cyberattacks. Typical queries include:


The NIS CAF is the UK’s primary cyber resilience framework for organisations classified as Critical National Infrastructure (CNI). It provides a structured approach for assessing and improving cyber security in line with the National Cyber Security Centre (NCSC) requirements.

Any organisation classified as Critical National Infrastructure (CNI) may be required to comply. This includes sectors such as energy, transport, healthcare, and digital infrastructure. Compliance requirements are determined by sector-specific regulators, not the NCSC.

The NIS CAF is structured around four key objectives:

  1. Managing Security Risk (4 principles / 7 controls)
  2. Protecting Against Cyber Attacks (6 principles / 20 controls)
  3. Detecting Cyber Security Events (2 principles / 7 controls)
  4. Minimising the Impact of Cyber Security Incidents (2 principles / 5 controls)

Each control within the framework is assessed at three achievement levels:

  • Not Achieved – If any single criterion is not met, this must be selected.
  • Partially Achieved – All listed criteria within the control must be partially met.
  • Fully Achieved – All criteria must be fully met to select this level.

The scope and requirements for compliance are set by the appropriate governing body within your sector, not the NCSC. These regulators:

  • Define which controls apply to your organisation.
  • Set the timeframe for compliance.
  • Determine the level of evidence required for verification.

By aligning with NIS CAF, organisations can:

✔ Strengthen cyber resilience and security defences.
✔ Ensure compliance with regulatory requirements.
✔ Reduce the risk of cyber incidents and data breaches.
✔ Improve incident response and recovery capabilities.
✔ Build trust with partners, regulators, and customers.

We have been delivering NIS CAF compliance services since its introduction in 2018, helping clients across ports, transport, power, and other critical sectors. Our services include:

✅ Guiding organisations through the compliance process.
✅ Engaging with regulators to clarify requirements.
✅ Conducting assessments and identifying areas for improvement.
✅ Providing tailored advice to achieve full compliance efficiently.