NIS Directive - Cyber Assessment Framework

Created:  30 Apr 2018
Updated:  31 Oct 2018
VERSION 2.0 (31 October 2018) Changelog
The CAF consists of a collection of Indicators of Good Practice

The implementation of the EU Security of Networks and Information Systems (NIS) Directive in May 2018 requires Competent Authorities (CAs) to have the ability to assess the cyber security of Operators of Essential Services (OES).

In support of the UK NIS Directive implementation, the NCSC is committed to working with lead government departments, regulators and industry to develop a systematic method of assessing the extent to which an organisation is adequately managing cyber security risks in relation to the delivery of essential services.

This assessment method, otherwise known as the Cyber Assessment Framework (CAF), is intended to meet both NIS Directive requirements and wider CNI needs.

Cyber Assessment Framework

  1. Introduction to the Cyber Assessment Framework

    Introduction to the Cyber Assessment Framework

  2. Indicators of Good Practice

    Tables detailing the contributing outcomes for each objective and the Indicators of Good Practice which suggest whether these are being achieved.


Was this guidance helpful?

We need your feedback to improve this content.

Yes No