Cyber security isn’t about proving you followed the rules. It’s about proving you can recover

Cyber Security • February 13, 2026 • Written by: Mike Boreham • Read time: 1 min

From compliance to threat-informed resilience

The introduction of the Cyber Assessment Framework (CAF) v4.0 by the National Cyber Security Centre (NCSC) last August has fundamentally changed the way we need to look at the cyber world. It changes how public sector bodies need to think about cyber resilience. It moves the paradigm:

  • From “Are we compliant?” to “Are we prepared for the adversaries most likely to target us?”
  • From “Do we have monitoring?” to “Do we proactively hunt for malicious behaviour across our environment?”
  • From “Do our teams follow policies?” to “Are our governance, architecture and culture aligned to rapid detection, containment and recovery?”

Why listen?

CAF v4.0 is not just another pile of red tape waiting to be obeyed, and the NCSC is not just a think tank with grandiose philosophical ideas. The framework is the best of current thinking from the pick of current experts in the field of cyber security. CAF v4.0 transforms compliance conversations into the strategic resilience actions that the NCSC and UK government policy signal as the way ahead for the coming decade.

In short, CAF is no longer just an assessment framework; it is becoming the operating system for UK public‑sector resilience.

What does CAF v4.0 tell us?

CAF’s structure hasn’t changed. It still centres on 4 objectives and 14 principles.
In v4.0, however, the substance within those objectives has transformed to:

  1. A threat‑informed model
  2. Integration of AI‑related security risks
  3. Secure software by design
  4. Proactive threat hunting

CAF v4.0 requires organisations to explicitly consider an attacker perspective that models likely adversaries, their capabilities, and their known tactics and techniques. This moves the framework from generic risk awareness to threat‑specific defence.

For the first time, CAF includes guidance on:

  • The safety of AI models
  • Protection of training data pipelines
  • The governance of AI‑assisted decisions

As AI becomes integral to defence and operations, CAF embeds resilience into both the models and the data ecosystems powering them.

CAF v4.0 strengthens expectations across the entire secure software development lifecycle (SDLC). Regardless of whether software is built in‑house or delivered by third parties, supply chain scrutiny is now central, not optional.

Monitoring has evolved from logging and responding to events to active hunting.
Organisations must demonstrate capability in:

  • Behavioural analytics
  • Telemetry interpretation
  • Proactive identification of hostile activity
  • Rapid validation of anomalies

CAF v4.0: The four objectives

The four objectives laid out in CAF v4.0 are designed to help organisations assess and improve their cyber resilience against a range of threats, rather than acting as a "tick-box" compliance exercise.

Objective A — Managing security risk

CAF v4.0 reinforces governance and risk accountability, including:

    • Executive ownership
    • Asset management
    • Modern supply‑chain oversight
    • Integration of threat‑informed risk practices

Objective B — Protecting against cyber attack

Strengthened expectations include:

    • Identity and access management with mandatory multi-factor authentication (MFA) for cloud services
    • Improved segmentation and system hardening
    • Data protection and resilience controls

Objective C — Detecting cyber security events

This is where v4.0 makes its biggest leap to:

    • Behavioural monitoring
    • Telemetry‑driven analytics
    • Threat intelligence integration
    • Proactive hunting over passive alerts

Objective D — Minimising impact

CAF also reinforces the importance of:

    • Rehearsed incident response
    • Tested recovery pathways
    • Cross‑team coordination
    • Lessons‑learned cycles

CAF v4.0 connects operational resilience, cyber security and business continuity into a single leadership responsibility model.

What does this mean for the UK public sector in 2026?

Local Government: Moving to a modern, consistent approach

Local authorities are being moved away from manual, spreadsheet‑based CAF assessments to platforms that:

    • Standardise how councils complete their assessments
    • Improve the consistency and quality of evidence
    • Make threat‑informed maturity easier to track 

For councils that have historically struggled with fragmented approaches and/or limited cyber capacity, CAF v4.0 creates a clearer pathway forward.

NHS & Healthcare: CAF becomes a formal requirement

The NHS is tightening expectations from the Data Security and Protection Toolkit (DSPT), with larger organisations already aligning to CAF v4.0.

    • NHS bodies must show not only compliance but threat‑informed resilience
    • CAF principles now underpin DSPT evidence and reporting
    • Critical healthcare systems must undergo independent CAF‑based assessments by June 2026

For a sector with life‑critical systems, this raises the bar from “cyber hygiene” to measurable operational resilience.

Critical National Infrastructure (CNI): From guidance to obligation

The upcoming Cyber Security & Resilience Bill is set to change CAF from something organisations should follow to something they must follow.

Under this legislation:

    • CAF v4.0 becomes the expected minimum standard for CNI
    • “Good practice” becomes a regulatory baseline
    • Boards and accountable officers must evidence threat‑informed decision‑making

In short: 2026 is the year CAF transitions from an advisory framework to a mandatory expectation across critical services and wider public‑sector bodies.

How Methods helps organisations navigate CAF v4.0

Methods has supported UK public‑sector organisations in designing and delivering resilience aligned to NCSC priorities for many years now. Our work spans:

    • Threat‑informed risk assessments
    • CAF implementation and maturity uplift
    • Secure‑by‑design architecture
    • AI and Zero Trust foundations
    • Identity, data and cloud resilience
    • Governance and board engagement
    • Incident response and operational recovery planning

In short, Methods acts as a “translation layer” between national priorities and actionable organisational plans.

What will we be discussing at CyberUK 2026?

Methods will be on hand at CyberUK 2026 to host senior discussions on:

    • How CAF v4.0 reshapes organisational resilience
    • Designing threat‑informed architectures
    • Combining CAF, Zero Trust, AI and SOC evolution
    • Board‑level governance and leadership
    • Preparing for the Cyber Security & Resilience Bill
    • Practical steps for implementing CAF v4.0 in 2026

We look forward to exploring this with you at CyberUK 2026, Stand F29.