Cyber risks are accelerating faster than most businesses can react, and regulators are raising the bar in response. The UK’s National Cyber Security Centre has recently updated its Cyber Assessment Framework (CAF) to version 4.0, bringing sharper focus on resilience, accountability, and assurance. Far more than a compliance exercise, CAF 4.0 challenges organisations to demonstrate they can anticipate, respond, and recover in a tougher cyber landscape. For any business connected to the UK’s critical infrastructure supply chain, these changes raise the stakes.
CAF 4.0: What Changed?
More than a routine update, CAF 4.0 introduces 108 new Indicators of Good Practice (IGPs) and reshapes several outcomes, reflecting the need for organisations to be more proactive and transparent about their cyber resilience.
A key change is the shift towards anticipating threats rather than simply reacting to them. The new Understanding Threat outcome requires organisations to go further than monitoring known risks, asking them to anticipate attacker behaviour and intent. Similarly, the former Proactive Attack Discovery outcome has evolved into Threat Hunting, setting higher expectations for structured, repeatable practices that identify risks before they escalate. For many businesses, this will mean investing in smarter monitoring tools and stronger processes to stay ahead.
CAF 4.0 strengthens detection and response. A new outcome now combines behaviour-led monitoring with threat intelligence, helping organisations spot anomalies sooner and respond more effectively. On the software side, CAF 4.0 emphasises secure development and support, requiring security to be evidenced across the entire lifecycle, whether applications are built in-house or supplied by third parties.
CAF 4.0 doubles down on the fundamentals. Identity and access management is more stringent, with stricter MFA requirements and tighter controls for privileged accounts. Supply chain resilience has also been clarified: third parties are expected to meet the same standards as internal teams, ensuring weak links do not compromise resilience. Organisations will need to assess their supplier assurance processes carefully to remain compliant.
Together, these updates raise the bar. CAF 4.0 does not just ask organisations to maintain resilience; it requires them to prove they can anticipate, respond, and recover in a more rigorous, measurable way.
Why CAF 4.0 Matters for Your Business
If you are already aligned with CAF 3.2, you will not be starting from scratch. But CAF 4.0 will highlight new gaps. Legacy monitoring tools, weak supplier oversight, or governance processes that once passed may no longer be enough.
The added complication? Transition deadlines lack consistency. Each regulator (Competent Authority) sets its own timetable, which means your organisation could be assessed against CAF 4.0 sooner than expected.
Yet there are clear opportunities for early movers. Organisations that act now can strengthen resilience, build credibility with regulators and customers, and even save time by aligning CAF 4.0 with other frameworks such as ISO 27001 and NIS2. The essential first step is a CAF 4.0 gap analysis: mapping your evidence against the new outcomes to see where you stand, where the risks lie, and how to build a phased transition plan.
How Hicomply and Waterstons Can Support Your CAF 4.0 Transition
Adapting to CAF 4.0 can feel like a big task, but you do not have to do it alone. At Hicomply, we help organisations take a clear, structured approach. Our platform streamlines evidence collection, reduces admin time, automates reporting, and makes it easier to show how you meet the framework. Through our partnership with Waterstons, we combine compliance expertise with technical delivery.
Our approach bridges strategy and execution so your CAF 4.0 transition is both manageable and sustainable.
Take Action on CAF 4.0
CAF 4.0 is already live. With 108 new IGPs and tougher expectations, the time to prepare is now. Organisations that act early will not just stay compliant; they will stand out.
Book a demo to discover how we make CAF 4.0 compliance faster, easier, and more sustainable.