united-states-flag.svg flag Eng germany-flag.svg flag De spain-flag.svg flag Spa france-flag.svg flag Fre italy-flag.svg flag Ita
Get a Demo
Product
Solutions
Industrial Remote Privileged Access Third-Party Secure Access All Industries
Partners
Resources
Blog News Press Releases Compliance Third Party Reports Case Studies At a Glances Datasheets White Papers Videos Webinars
Company
About Us Careers
Support Search Toggle Search
Blog
Aug 11, 2025
6 min read

What’s New in CAF 4.0 and How UK Essential Services Organizations Can Prepare

Written By

Shir Basok

Table of Contents

As cyber attackers increasingly exploit remote connections and supply chain gaps, the UK’s Cyber Assessment Framework (CAF) 4.0 is setting a new standard for cybersecurity resilience.  

Released by the National Cyber Security Centre (NCSC) on August 6, 2025, CAF 4.0 significantly strengthens requirements for remote access, identity, and supply chain controls. Because these changes will impact how regulators assess cyber readiness moving forward, now is the time for leaders in IT, operations, and compliance across the UK’s critical sectors to ensure their access and security policies meet the latest standards. 

In this blog we'll explore how CAF has changed, how it impacts your industry, and actionable steps to align with CAF 4.0 — starting with remote access. 

When Does CAF 4.0 Come into Effect? 

CAF 4.0 is the baseline for cybersecurity assessments in the UK starting in 2025, with specific compliance requirements varying by sector. For instance, the energy industry may emphasize OT system isolation, while the healthcare sector might prioritize data protection.  

The Cyber Security and Resilience Bill, expected in late 2025, extends NIS Regulations to new sectors like cloud providers, managed service providers (MSPs), and data center operators, requiring them to adopt CAF 4.0’s remote access and supply chain controls. Organizations must consult their sector regulator (for instance, Ofgem or Ofwat) for timelines, as enforcement is expected to increase in 2026. Proactive compliance adherence demonstrates readiness and builds trust with regulators and stakeholders. 

Why Prioritize Secure Remote Access?  

CAF 4.0 covers far more than just secure remote access; the update also tightens requirements for secure software lifecycle management, enhanced threat detection, and AI-related cyber risks.  

So, why tackle secure remote access first? Prioritizing a remote access strategy that meets CAF 4.0 guidance makes it easier to extend access governance to on-prem and cloud workloads, to layer in monitoring, alerting, and incident response tooling, and to achieve deeper compliance with later-phase CAF principles like data protection, business continuity, and user training. 

Organizations can use NCSC’s CAF 4.0 resources to develop a roadmap for reaching full compliance.  

CAF 3.2 vs CAF 4.0: How Have Requirements for Remote Access Security Changed? 

Control Area

CAF 3.2 (Before)

CAF 4.0 (After)

MFA for Remote Access

Required for privileged users and high-risk access. Standard user MFA was recommended but often risk-based.

MFA is strongly mandated for all users accessing systems supporting essential functions, with organizations expected to justify any deviations based on risk assessments.

Privileged Access Workstations (PAWs)

Recommended but flexible. Use of secure admin workstations encouraged but not mandated for all sectors.

Privileged actions should be performed on corporately owned, managed, and hardened devices, with robust controls required for alternative devices.

Internet Isolation for Essential Systems

Network segregation was advised; internet exposure allowed with compensating controls in some sectors.

Direct internet access to essential function systems must be minimized, with network segmentation and strict controls required to limit exposure.

Use of Shared or Generic Accounts

Shared accounts discouraged but could be tolerated with compensating controls (e.g., enhanced logging).

All remote access should use named, individual user accounts with full traceability, with organizations justifying any exceptions.

Remote Third-Party Access Control

Sector-specific practices varied. Suppliers’ remote access security often left to contractual agreements.

Third parties must follow the same access control standards as internal users, enforced via contracts.

Supply Chain Oversight: The Risk Hiding in Plain Sight

In most organizations, remote access isn’t granted only to internal staff. External, third-party vendors and contractors also connect remotely in order to perform equipment maintenance and other crucial tasks. In fact, recent research from Cyolo shows that manufacturers are much more likely to enable remote access to OT environments for third-party vendors (88%) than internal employees (54%).  

The convenience of remote access is clear, but allowing third parties – who typically are not bound by company security policies and may be unfamiliar with security best practices – to connect remotely without the proper controls in place can expose organizations to serious risk.  

Recognizing this risk, CAF 4.0 requires active management of dependencies on third-party vendors and service providers. This principle is reinforced by the upcoming Cyber Security and Resilience Bill, which will mandate supply chain security for critical sectors

Key expectations: 

  • Critical suppliers (IT service providers, OT maintenance vendors, software suppliers, etc.) must adhere to the same identity, device, and remote access controls as internal staff. 

  • Organizations must maintain a clear inventory of suppliers with access to systems supporting essential functions. 

  • Contractual clauses must enforce security requirements, including multifactor authentication (MFA), corporate-managed devices, and incident reporting obligations, as emphasized by the Cyber Security and Resilience Bill. Zero-trust platforms can streamline secure third-party access with features like identity-based authentication and vendor session monitoring. 

  • Supply chain risks must be assessed continuously, and vetting a supplier once at the start of the relationship is no longer enough. 

So, what does this all mean in practice? To meet CAF 4.0 obligations, organizations will need to update supplier agreements, implement new onboarding procedures, and regularly reassess who is allowed remote access to critical environments.

What Should You Do Now to Show CAF 4.0 Readiness? 

  1. Conduct a Remote Access Audit: Identify all access points, including VPNs, RDP, and third-party portals. Document user roles, devices, and authentication methods. 

  1. Deploy MFA Solutions: Implement MFA to ensure compatibility with both IT and OT systems. 

  1. Procure Hardened Devices: Source corporately managed devices (for example, hardened laptops with trusted platform modules) for privileged access. Refer to NCSC’s device security guidance for configuration standards. 

  1. Phase Out Shared Accounts: Transition to named accounts using identity management platforms. Implement logging to ensure traceability, as per NCSC’s logging guidance. 

  1. Update Supplier Contracts: Include CAF 4.0-compliant clauses in vendor agreements, specifying MFA, device standards, and incident reporting. Use NCSC’s supply chain security toolkit for contract templates. 

  1. Address Legacy System Challenges: Recognize that legacy systems may lack modern security features like MFA support or network segmentation. Use Zero Trust platforms and advanced secure remote access solutions like Cyolo PRO (Privileged Remote Operations) to overlay security controls, conduct phased upgrades, or implement compensating controls to align with CAF 4.0. 

  1. Engage Regulators Early: Contact sector regulators for CAF 4.0 assessment criteria and timelines. Join NCSC’s Early Warning service for real-time threat updates. 

Simplify CAF 4.0 Compliance with Help from Cyolo 

Cyolo PRO (Privileged Remote Operations), a remote privileged access solution built to meet the unique needs of OT environments, helps organizations streamline CAF 4.0 compliance. 

Cyolo PRO enables identity-based access and MFA for both modern and legacy systems, as well as zero-trust connectivity and privileged access controls for third parties and other high-risk users. With Cyolo PRO, organizations can ensure safe, secure, and seamless access to critical assets, in alignment with CAF 4.0 and other security regulations.  

In contrast to legacy secure remote access (SRA) solutions like VPNs and jump servers, which offer minimal post-access visibility, Cyolo PRO provides full control for the duration of each connection, including third-party connections. Key controls include supervised access, session recording, restrictions on potentially risky actions like copy/paste, and the ability to disconnect a user in real-time if suspicious behavior is detected. 

With these essential controls, plus a fast and easy deployment model that does not require network changes or downtime, Cyolo PRO helps organizations operating essential services to achieve and maintain CAF 4.0 compliance – all without undergoing a complex, costly, and risky infrastructure overhaul. 

Additional Resources for CAF 4.0 Compliance 

  

Shir Basok

Author

Shir Basok is Product Marketing Manager at Cyolo.

Subscribe to Our Newsletter

More Blog Posts
See All Blog Posts
Quantum computing concept
Blog
Aug 4, 2025

What’s All the Hype Around Quantum Computing and Why Should You Care?

Read More
Worker using legacy OT systems in a factory control room
Blog
Jul 30, 2025

Secure Your Legacy OT Systems with Zero Downtime or Disruptions

Read More
Technician being access granted notification on a PC screen
Blog
Jul 22, 2025

The Cost of Doing Nothing: Lessons from the Nucor Cyberattack

Read More