The UK NCSC's national cyber baseline for operators of essential services and the public sector.
Operators of Essential Services under the UK NIS Regulations 2018, central government, and many public-sector buyers.
Continuous evidence pipeline available; audit support included for all customers.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Four objectives (A–D), 14 principles, and 39 contributing outcomes.
Indicators of Good Practice (IGP) used as evidence anchors.
Self-assessment moderated by sector regulator or NCSC.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
CAF-aligned control narrative for each of the 39 contributing outcomes.
IGP evidence binding to telemetry where automated, with manual attestation where required.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
CAF self-assessment data pack.
Per-principle evidence with IGP traceability.
These frameworks share substantial control overlap with NCSC CAF. Customers running one assessment typically satisfy the others with the same evidence base.
European Union
The expanded EU network and information security directive, covering essential and important entities across 18 sectors.
United Kingdom
The UK's post-Brexit data protection regulation — substantially aligned with EU GDPR, but with diverging guidance.
Cross-jurisdictional
The global Information Security Management System standard, updated in 2022 with 93 Annex A controls in four themes.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.