Cyber Essentials vs Cyber Assessment Framework (CAF): Which UK Cyber Standard Does Your Sector Actually Need?

Two NCSC-aligned cyber frameworks. Different audiences. Cyber Essentials is the UK government scheme for general UK business with a 12-month certificate. The Cyber Assessment Framework (CAF) is the NCSC framework for Operators of Essential Services under the NIS Regulations 2018, as well as critical national infrastructure and certain government contractors. The right framework for your firm is set by sector classification, not by which is harder.
This article walks through where each framework applies, how the two map onto each other, and the cases where holding both is the right answer.
Who needs which framework
The Cyber Assessment Framework applies to organisations designated as Operators of Essential Services under the NIS Regulations 2018. The designated sectors are energy (electricity, oil, gas), transport (air, rail, water, road), banking, financial market infrastructures, health (NHS Trusts and certain healthcare providers), water, and digital infrastructure. The Department for Science, Innovation and Technology and sector-specific Competent Authorities (Ofgem for energy, ORR for rail, Civil Aviation Authority for air, etc.) maintain the OES designation lists.
Cyber Essentials applies to general UK business outside the OES designation. Most UK SMEs, professional services firms, B2B SaaS companies, manufacturers below CNI scale, and government suppliers below the CAF threshold are CE Plus territory.
A handful of firms sit in both: a designated OES organisation with non-essential business lines, or a tech supplier whose largest customer is an OES operator and whose own services are in scope of the operator's CAF assessment. These firms typically hold CE Plus on the technical-controls layer plus a CAF self-assessment or third-party CAF assessment on the broader posture.
The framework shapes side by side
Cyber Essentials is a tightly-scoped certification of five technical controls applied across the firm's IT estate. The certificate lasts 12 months. Pass-or-fail on assessment day. The CE Plus version adds an external assessor running a technical sample on a subset of devices.
The Cyber Assessment Framework is a structured self-assessment (or third-party assessment) covering four Objectives, fourteen Principles, and a large number of Indicators of Good Practice. Each Indicator is graded Not Achieved, Partially Achieved, or Achieved. The output is an Indicator-level maturity profile across the four Objectives:
- Objective A: managing security risk (governance, risk management, asset management, supply chain)
- Objective B: protecting against cyber attack (service protection policies, identity and access control, data security, system security, resilient networks and systems, staff awareness and training)
- Objective C: detecting cyber security events (security monitoring, proactive security event discovery)
- Objective D: minimising the impact of cyber security incidents (response and recovery planning, lessons learned)
CAF is broader than Cyber Essentials. It is also more interpretive. There is no certificate; the output is the assessment package showing the firm's posture against the Indicators.
Where the two overlap on technical controls
Cyber Essentials' five technical controls map cleanly into CAF Objective B (Protecting against cyber attack):
- CE firewalls → CAF B5 (resilient networks and systems)
- CE secure configuration → CAF B4 (system security)
- CE user access control → CAF B2 (identity and access control)
- CE malware protection → CAF B4 + B5
- CE patch management → CAF B4 + B5
A firm with current Cyber Essentials Plus has demonstrated the technical-controls layer that CAF Objective B expects at Achieved level for B4 and B5 specifically. CAF B1, B3, and B6 (service protection policies, data security, staff awareness) extend beyond CE+ but build on the same foundation.
CAF Objectives A, C, and D do not have direct CE+ analogues. A designated OES organisation needs to evidence governance, monitoring, and incident response separately even with CE Plus held.
When CE Plus alone is the right answer
The vast majority of UK SMEs and mid-market firms outside designated OES sectors. CE Plus is the procurement-passing artefact UK customers expect. CAF is overkill for non-OES organisations because most of the framework addresses risks specific to essential-services operations (consistent with the 2023 hardening evaluation criteria).
The exception: a tech supplier whose largest customer is a designated OES operator. The customer's CAF assessment will look at the supplier's posture as part of supply-chain risk management. CE Plus on the supplier side is necessary but may not be sufficient if the supplier's services touch the OES operator's essential function.
When CAF alone is the right answer
A designated OES organisation that has completed the full CAF and runs the framework annually as its primary cyber posture artefact. For these organisations, CE Plus is sometimes redundant with CAF Objective B work, though many OES organisations still hold CE Plus alongside CAF for procurement-recognition reasons (UK suppliers and partners recognise CE Plus more readily than CAF assessment outputs).
When holding both is the right answer
Designated OES organisations doing CAF as the mandatory framework, plus CE Plus alongside as the procurement-recognised certificate. This is the most common pattern for OES organisations of significant scale: CAF for the regulator, CE Plus for the partners and suppliers who do not read CAF assessment packages.
Government contractors below the OES designation but in scope of customer CAF assessments. These firms hold CE Plus to satisfy direct procurement requirements, and support their customer's CAF Objective B by demonstrating Achieved-level technical controls on the supplier side.
How CE Plus and Cyber 365 fit alongside CAF
A CE Plus certificate is valid for 12 months. CAF self-assessment is annual; third-party CAF assessment is typically every 2-3 years. Both expect a continuous posture between assessment dates.
Cyber 365 is the year-round operational discipline that holds the CE Plus controls in place between assessment days. The same discipline produces the audit-ready evidence CAF Objective C (detecting cyber security events) expects: continuous vulnerability scanning runs against the same surface the CE Plus assessor will check, and managed patching closes findings inside the 14-day window. The CAF B4 and B5 Indicators move from Partially Achieved to Achieved as the year-round evidence accumulates.
The Danzell scheme update from April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. The same year-round discipline CAF expected on Objective B is now what Cyber Essentials expects too.
Where to start
Book a 30-minute scoping call. Tell us whether your organisation is designated under the NIS Regulations 2018 (or in scope of an OES customer's CAF assessment), your current CE certificate status, and any procurement deadline. We come back with a written quote covering CE Plus and, where it makes sense for OES organisations, the CAF assessment alongside it.
For firms not designated under NIS, CE Plus is almost always the right framework. The hands-off path covers the broader engagement; the CE+ Assured Programme bundles CE Basic + CE Plus + Cyber 365 into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified firm and IASME. NetSec does not bundle, broker, or upsell it.
CE Plus is the right framework for the vast majority of UK SMEs. CAF is the right framework for designated OES organisations. The two run alongside each other where the firm sits in both audiences. The honest framework call arrives on the scoping call before any engagement letter is signed.