
CAF 4.0 and the Ransomware Threat

The Cyber Assessment Framework (CAF) 4.0 is the UK government’s framework for assessing the cyber resilience of organisations that deliver essential services. Released by the National Cyber Security Centre (NCSC) on August 6, 2025, CAF 4.0 sets clear expectations for how boards and executive teams manage cyber risk, withstand realistic attacks, and maintain operational continuity.

CAF 4.0 places increased emphasis on real-world attacker behaviour, requiring organisations to demonstrate that they can detect, contain, and recover from high-impact cyber threats. For organisations in scope of the UK NIS Regulations these are not optional best practices but regulatory expectations, assessed directly by the relevant UK sector regulator.

Ransomware Scope and Scale:

According to the NCSC Annual Review 2025, the NCSC handled 204 nationally significant cyber incidents in the past year, with ransomware identified as “one of the most acute and pervasive cyber threats” to UK organisations. The impact on essential services extends beyond data loss to operational disruption affecting public safety, national security, and critical infrastructure.

Why CAF 4.0 Matters

CAF 4.0 reflects a fundamental shift in regulatory thinking: cyber resilience is no longer measured by the presence of controls alone, but by their effectiveness under pressure.

One threat consistently dominates regulator concern: ransomware-driven mass encryption. Once encryption begins, organisations can lose operational capability in minutes, directly impacting essential services such as energy distribution, water supply, healthcare delivery, and transport systems.

CAF 4.0 matters because it:

  • Elevates cyber resilience to a board-level responsibility
  • Requires evidence of preparedness for realistic, high-impact attacks
  • Focuses on limiting operational impact, not just detecting compromise
  • Demands demonstrable resilience, not theoretical security

CAF 4.0: Four Objectives and 14 Principles

Objective A: Managing Security Risk

Governance structures and processes to understand and systematically manage security risks

Principles:

  • A1: Governance – Defined roles, responsibilities, and decision-making authorities for cybersecurity
  • A2: Risk Management – Systematic identification, assessment, and treatment of security risks
  • A3: Asset Management – Understanding and inventorying critical information and systems
  • A4: Supply Chain – Managing security risks introduced through third-party relationships

Organizations must demonstrate they understand which systems support essential services, who is responsible for protecting them, and how security risks are identified and mitigated across the supply chain.

BullWall Alignment: BullWall supports risk mitigation under A2 by providing automated ransomware containment capabilities that reduce the operational impact of attacks that bypass prevention controls.

Objective B: Protecting Against Cyber Attack

Proportionate security measures to protect essential services from cyber threats

Principles:

  • B1: Service Protection Policies, Processes, Procedures – Defined protective measures for essential services
  • B2: Identity and Access Control – Managing who can access critical systems
  • B3: Data Security – Protecting sensitive information from unauthorized access or loss
  • B4: System Security – Securing platforms, operating systems, and applications
  • B5: Resilient Networks and Systems – Designing infrastructure to withstand disruption
  • B6: Staff Awareness and Training – Ensuring personnel understand security responsibilities

This objective recognizes that perfect prevention is impossible. BullWall complements protection measures under B4 and B5 by providing defense-in-depth when other controls are bypassed.

Objective C: Detecting Cyber Security Events

Capability to perceive patterns indicating possible disruption to essential functions

Principles:

  • C1: Security Monitoring – Continuous observation of systems and networks for anomalous activity
  • C2: Proactive Security Event Discovery – Looking for abnormalities and attack indicators that routine monitoring would not raise as alerts

Detection speed is critical for essential services. Most ransomware attacks today succeed not because defenses are absent, but because they are bypassed, disabled, or overwhelmed. In BullWall’s own internal penetration testing (a vendor-reported figure, not an independent benchmark), over 99 percent of simulated ransomware attacks bypassed EDR defenses, often using techniques that avoid triggering standard alerts until encryption has already begun.

BullWall Alignment: BullWall provides sub-second detection of unauthorized file encryption, supporting detection capabilities under C1 when prevention fails and ransomware begins encrypting files.

Objective D: Minimising the Impact of Cyber Security Incidents

Response and recovery planning to minimize negative impact

Principles:

  • D1: Response and Recovery Planning – Defined procedures for containing and recovering from incidents
  • D2: Lessons Learned – Capturing knowledge from incidents to improve resilience

For essential services, the impact of ransomware extends beyond data loss to operational disruption affecting public safety. Energy providers, water utilities, healthcare systems, and transport operators cannot afford hours of manual response time when encryption begins.

BullWall Alignment: BullWall serves as a last line of defense under D1, detecting, containing, and halting active ransomware attacks when other defenses have failed. Automated containment prevents mass encryption and limits operational impact, enabling faster recovery.

What CAF 4.0 Means For Your Organisation

CAF 4.0 requires organisations to prove they can:

  • Understand and mitigate realistic attacker behaviours
  • Detect malicious activity quickly and accurately
  • Contain attacks before widespread operational disruption
  • Maintain essential services during cyber incidents
  • Learn from incidents using detailed, auditable evidence

For ransomware, this means having controls that act immediately at the point of encryption, not hours later during manual response. When prevention fails and ransomware begins encrypting files, sub-second detection and containment can mean the difference between an isolated incident and a service-wide shutdown affecting essential functions.

Management Accountability

CAF 4.0 explicitly emphasises executive and board accountability, requiring senior leaders to demonstrate an informed understanding of current cyber threats, make targeted investments in controls that reduce real operational risk, and ensure confidence in the organisation’s ability to contain incidents rapidly.

UK Regulatory Context:

CAF 4.0 is used by UK sector-specific regulators to assess cyber resilience:

  • Ofcom – Digital and telecommunications services
  • Ofgem – Energy sector
  • Ofwat – Water sector
  • NHS England – Health sector
  • NCSC – National technical authority that publishes and maintains the CAF; it is not itself a regulator

These regulators expect evidence-based assurance that organisations can detect and contain ransomware as it happens, not theoretical compliance documentation. Without proven containment capabilities, threats such as ransomware escalate from a technical issue to a strategic risk with wide-reaching implications.

According to the PwC Global Compliance Survey 2025, 85% of organizations globally report that compliance requirements have become more complex in the last three years, with cyber resilience frameworks like CAF 4.0 requiring demonstration of actual capability rather than documentation alone.

The Reality of Ransomware in Essential Services

Most ransomware attacks today succeed not because defenses are absent, but because they are bypassed, disabled, or overwhelmed.

For essential services, the consequences are particularly severe. Energy providers face grid disruption, water utilities risk contamination monitoring failures, healthcare systems cannot access patient records, and transport operators lose scheduling and safety systems. These are not theoretical risks but documented incidents affecting UK essential services.

CAF 4.0 recognizes this reality. The framework does not require perfect prevention but expects organizations to detect incidents quickly, contain them effectively, and recover operations within defined tolerances.

Who Does CAF 4.0 Affect?

CAF 4.0 is used by UK regulators to assess organisations that provide essential or critical services, including:

  • Energy, water, and transport providers
  • Healthcare and public sector organisations
  • Telecommunications and digital infrastructure providers
  • Financial institutions delivering essential services
  • Other operators of essential services under the UK NIS Regulations 2018 (NIS2 is the EU directive and does not apply in the UK)

Beyond regulated sectors, CAF 4.0 is increasingly recognised and adopted as a best-practice benchmark for managing cyber resilience.

Typical Steps to Meet CAF 4.0 Expectations

Organisations working toward CAF 4.0 commonly:

  1. Assess resilience against realistic ransomware scenarios
  2. Strengthen detection and logging of malicious activity
  3. Implement automated containment to limit impact
  4. Improve incident response speed and consistency
  5. Capture forensic-quality evidence for reviews and regulators
  6. Brief boards using clear, outcome-focused metrics

Ransomware containment is a decisive factor in meeting these expectations. Organizations must demonstrate they can detect and contain unauthorized encryption in real time, not after operations have been disrupted.
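The steps above (strengthen detection, contain automatically, keep forensic-quality evidence) can be made concrete with a small detector. The following Python is an added illustration for this page; it is not BullWall’s code and makes no claim about how BullWall detects or contains ransomware. It assumes a file-server event feed in which each write carries a sample of the bytes written, flags a principal whose writes look like ciphertext (high Shannon entropy or a rename to a known ransomware extension) at an abnormal rate inside a sliding window, and records a containment decision with the triggering events as evidence. The thresholds, extension list, event format and the sample stream are all constructed assumptions.

```python
"""Sliding-window detection of mass file encryption over a file-server event stream.

Illustrative example added to this page; not BullWall's code. The event format,
thresholds, extension list and containment action are assumptions.
"""
import hashlib
import json
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float      # seconds since start of capture (assumed feed field)
    user: str      # authenticated principal that performed the write
    host: str      # client host the write came from
    path: str      # file written (after any rename)
    sample: bytes  # leading bytes of the written content


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Assumed thresholds for the demonstration; production values are tuned per share.
ENTROPY_THRESHOLD = 7.5   # bits/byte above which a write looks like ciphertext
WINDOW_SECONDS = 10.0     # sliding window per principal
WRITES_PER_WINDOW = 20    # suspicious writes inside the window that trigger containment
SUSPICIOUS_EXTS = (".locked", ".enc", ".crypt")  # assumed sample; real lists are larger


class EncryptionDetector:
    """Flags a principal whose burst of ciphertext-like writes exceeds the threshold."""

    def __init__(self):
        self._windows = defaultdict(deque)  # user -> recent suspicious events
        self.contained = set()              # users already isolated
        self.evidence = []                  # one record per containment decision

    def observe(self, ev: FileEvent) -> bool:
        """Feed one event; return True if it triggered containment."""
        if ev.user in self.contained:
            return False                    # already isolated, nothing more to decide
        renamed = ev.path.endswith(SUSPICIOUS_EXTS)
        if not renamed and shannon_entropy(ev.sample) < ENTROPY_THRESHOLD:
            return False                    # ordinary document write
        win = self._windows[ev.user]
        win.append(ev)
        while ev.ts - win[0].ts > WINDOW_SECONDS:
            win.popleft()                   # drop events that fell out of the window
        if len(win) >= WRITES_PER_WINDOW:
            self._contain(list(win))
            return True
        return False

    def _contain(self, events):
        """Containment decision. Only recorded here; a real deployment would cut the
        SMB session or disable the account at this point (assumed action)."""
        user = events[0].user
        self.contained.add(user)
        self.evidence.append({
            "user": user,
            "hosts": sorted({e.host for e in events}),
            "first_ts": events[0].ts,
            "last_ts": events[-1].ts,
            "event_count": len(events),
            "paths": [e.path for e in events],
        })
        self._windows.pop(user, None)

    def evidence_json(self) -> str:
        """Evidence record for incident review (D1/D2-style post-event analysis)."""
        return json.dumps(self.evidence, indent=2)


def _ciphertext(n_blocks: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n_blocks))


def build_sample_events():
    """Constructed stream: a normal user, a slow high-entropy backup writer (must not
    trigger), and a compromised account encrypting files in bulk (must trigger)."""
    doc = b"Quarterly maintenance report for the pumping station. " * 40
    events = [FileEvent(float(i), "alice", "ws-01", f"/shares/ops/report{i}.docx", doc)
              for i in range(30)]
    events += [FileEvent(2.0 * i, "svc-backup", "bk-01", f"/shares/backup/set{i}.zip",
                         _ciphertext(128)) for i in range(30)]
    events += [FileEvent(5.0 + 0.2 * i, "jsmith", "ws-17",
                         f"/shares/ops/plan{i}.xlsx.locked", _ciphertext(128)) for i in range(40)]
    return sorted(events, key=lambda e: e.ts)


def run_demo() -> EncryptionDetector:
    det = EncryptionDetector()
    for ev in build_sample_events():
        det.observe(ev)
    return det


if __name__ == "__main__":
    print(run_demo().evidence_json())
```

The rate condition is what separates the backup job from the ransomware: both write high-entropy data, but the backup account never accumulates twenty suspicious writes inside a ten-second window, while the compromised account is contained on its twentieth write, about four seconds into the burst. The evidence record keeps the exact paths and hosts that drove the decision, which is the kind of auditable detail a post-incident review needs.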

What Happens If CAF 4.0 Expectations Aren't Met?

Failure to meet CAF 4.0 outcomes can result in:

  • Adverse regulatory assessments from sector regulators
  • Mandatory remediation programmes and increased oversight
  • Follow-up reviews and enforcement actions
  • Reputational damage and loss of public trust
  • Extended disruption to essential services during cyber incidents

Most critically, organisations may be unable to prevent ransomware from causing significant operational harm, compromising public safety and national security.

How BullWall Supports CAF 4.0 Compliance

BullWall delivers targeted ransomware resilience aligned to CAF 4.0 outcomes. It focuses on the precise moment regulators care about most: the start of unauthorized encryption.

While no single solution delivers full CAF 4.0 compliance, BullWall serves as a last line of defense, detecting, containing, and halting active ransomware attacks when other defenses have failed.

BullWall’s agentless deployment means:

  • No endpoint overhead or compatibility issues
  • Sub-second detection and automated isolation
  • Protection for servers and workstations across on-prem and cloud infrastructure
  • Real-time evidence collection for CAF incident reporting

BullWall detects ransomware behaviour in real time and automatically contains it, preventing mass encryption and limiting operational impact. This supports multiple CAF objectives:

  • Objective A (Managing Risk): Reduces operational risk from ransomware through automated containment
  • Objective B (Protecting): Provides defense-in-depth when prevention controls are bypassed
  • Objective C (Detecting): Delivers sub-second detection of unauthorized encryption
  • Objective D (Minimising Impact): Automated containment limits spread and enables faster recovery

CAF Contributing Outcome Alignment:

BullWall specifically supports these contributing outcomes within the CAF framework (the descriptions are short summaries; see the CAF itself for the formal outcome titles):

  • A2.b – Understanding Threat: Real-time visibility into ransomware behaviour patterns
  • B4.c – System Security Controls: Defense-in-depth when endpoint controls are bypassed
  • B5.a – Network Resilience: Automated containment prevents lateral spread
  • C1.a – Security Monitoring: Sub-second detection of unauthorized encryption
  • C2.a – Proactive Security Event Discovery: Forensic-quality evidence for proactive threat analysis
  • D1.a – Response Planning: Automated containment supports rapid incident response
  • D2.b – Lessons Learned: Detailed incident data for post-event analysis

Final Takeaway

CAF 4.0 makes one thing clear: ransomware is a board-level resilience risk.

Regulators now expect evidence that organisations can detect and contain ransomware as it happens, not after operations have already been disrupted.

BullWall provides that evidence by stopping unauthorised encryption in real time, reducing operational and reputational risk, supporting CAF outcomes across risk, protection, detection, and response, and delivering the forensic data required for audits and regulators.

With CAF 4.0 setting a higher standard for UK essential services, the question is no longer whether ransomware will test your defenses, but whether you can stop it in time.

FAQs

What is CAF 4.0 compliance?

CAF 4.0 compliance means meeting the UK’s Cyber Assessment Framework standards for managing cyber security risks, protecting essential services, detecting cyber threats, and minimizing incident impact. Used by UK regulators to assess organizations delivering essential services (energy, water, transport, healthcare, telecommunications), CAF 4.0 establishes outcome-based expectations across four objectives, 14 principles, and 41 contributing outcomes. Organizations must demonstrate they can withstand, respond to, and recover from cyber incidents including ransomware attacks.


Who must comply with CAF 4.0?

CAF 4.0 applies to Operators of Essential Services (OES) and Digital Service Providers (DSPs) under UK NIS Regulations, as well as Critical National Infrastructure (CNI) operators. This includes energy providers, water utilities, transport operators, healthcare organizations, telecommunications companies, and financial institutions delivering essential services in the UK. Sector-specific regulators (Ofcom, Ofgem, Ofwat, NHS England) use CAF 4.0 to assess cyber resilience across thousands of UK organizations.

What are CAF 4.0's four objectives?

CAF 4.0’s four objectives are: (A) Managing Security Risk – governance structures and processes to understand and systematically manage security risks; (B) Protecting Against Cyber Attack – proportionate security measures to protect essential services from cyber threats; (C) Detecting Cyber Security Events – capability to perceive patterns indicating possible disruption; and (D) Minimising the Impact of Cyber Security Incidents – response and recovery planning to minimize negative impact. Each objective contains multiple principles (14 total) and contributing outcomes (41 total) that organizations must address through evidence and indicators of good practice.

When did CAF 4.0 come into effect?

CAF 4.0 was released by the UK National Cyber Security Centre (NCSC) on August 6, 2025, updating the previous version 3.2. The framework reflects evolving threats including increased use of automation and machine learning in cyberattacks, advanced persistent threats, and ransomware targeting essential services. Organizations delivering essential services should implement CAF 4.0 outcomes immediately, as UK regulators increasingly expect evidence of compliance during cyber resilience assessments.

How does BullWall support CAF 4.0 compliance?

BullWall supports multiple CAF 4.0 objectives by providing sub-second ransomware detection and automated containment. For Objective A (Managing Risk), BullWall strengthens risk mitigation capabilities. For Objective B (Protecting Against Attack), BullWall provides defense when prevention fails. For Objective C (Detecting Events), BullWall delivers real-time threat detection. For Objective D (Minimising Impact), BullWall’s automated containment prevents widespread encryption and operational disruption. BullWall complements existing security controls rather than replacing them, serving as a last line of defense when other defenses have failed.

What happens if we don't meet CAF 4.0 expectations?

Failure to meet CAF 4.0 outcomes can result in adverse regulatory assessments, mandatory remediation programs, increased supervisory oversight, and enforcement actions by sector regulators (Ofcom, Ofgem, Ofwat, NHS England). More critically, inadequate cyber resilience increases the likelihood that a ransomware attack will disrupt essential services, compromising public safety, national security, and organizational reputation. Organizations may also face regulatory breach notification requirements and penalties under UK data protection laws.

Do we need tools beyond BullWall to achieve CAF 4.0 compliance?

Yes. CAF 4.0 compliance requires a comprehensive approach including governance structures, risk management frameworks, asset inventories, supply chain oversight, staff training, backup systems, incident response plans, and recovery capabilities. BullWall addresses critical elements under Objectives C and D (detection and containment of ransomware) but does not replace firewalls, EDR platforms, identity management, or compliance documentation. BullWall integrates with your existing security stack to strengthen ransomware resilience as a last line of defense.