Cyber Assessment Framework (CAF): What This Means for Digital Health Companies
The UK’s National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) is fast becoming the new benchmark for cyber resilience. Originally designed for operators of essential services under the NIS Regulations, the framework is now shaping how the NHS expects its suppliers and partners to demonstrate cybersecurity maturity.
NHS England is moving away from the old Data Security and Protection Toolkit (DSPT) and transitioning to a CAF-aligned DSPT. For digital health companies, this isn’t just a compliance update; it changes the rules of engagement for winning and keeping NHS contracts.
What is the Cyber Assessment Framework (CAF)?
The CAF sets out four high-level objectives, broken into principles and outcomes, that organisations use to measure their cyber resilience:
- Managing Security Risk: Strong governance, risk management, and assurance at board level.
- Protecting Against Cyber Attack: Technical and supply chain controls to defend systems and data.
- Detecting Cyber Security Events: Effective monitoring, logging, and alerting to spot incidents early.
- Minimising the Impact of Cyber Incidents: Incident response, recovery, and continuous improvement.
For health and care, NHS England adds an overlay around using and sharing information appropriately, reflecting data protection and confidentiality needs.
Unlike the old DSPT checklist model, the CAF is outcomes-driven. Organisations must demonstrate not just that they have controls but that those controls deliver resilience.
Why NHS England Adopted CAF
The legacy DSPT often produced inconsistent results across trusts and suppliers. By embedding CAF principles, NHS England aims to:
- Standardise cyber assessments across health and social care, in line with other critical sectors.
- Raise resilience by focusing on outcomes, not tick-boxes.
- Align with the UK’s National Cyber Strategy, where CAF underpins cyber assurance for essential services.
For suppliers, this means NHS buyers will increasingly demand CAF-aligned evidence in procurement and assurance processes.
What This Means for Digital Health Companies
If you provide software, digital services, or infrastructure to the NHS, the shift to CAF has direct implications:
- Supplier Assurance Will Tighten: Expect more detailed due diligence, requiring proof that you meet CAF objectives.
- Board-Level Accountability: NHS partners want evidence of executive oversight of cyber risk.
- Competitive Differentiator: Vendors who align early with CAF will stand out in tenders, frameworks, and contract renewals.
- Independent Assurance May Be Required: Some NHS bodies are introducing external audits of suppliers.
- Incident Response Is in Focus: You’ll need to demonstrate not just policies, but tested plans for recovery and continuity.
Put simply, CAF is potentially becoming the minimum entry requirement for NHS suppliers.
Practical Steps for Vendors
To prepare, digital health companies should:
- Run a CAF readiness check: Map your current DSPT controls against CAF objectives and the health overlay.
- Evidence outcomes, not just policies: Show how controls work in practice (e.g. monitoring, incident logs, recovery tests).
- Engage leadership early: Ensure the board or senior team is actively accountable for cyber resilience.
- Review your supply chain: Cloud providers, hosting partners, and subcontractors must also meet CAF principles.
- Test and rehearse incident response: Tabletop exercises and recovery drills will demonstrate maturity.
For digital health companies, the adoption of a CAF-aligned DSPT marks a step change in NHS cybersecurity expectations. It’s not simply a compliance exercise; it’s a procurement gatekeeper.
By embedding CAF principles now, vendors can:
- Accelerate NHS onboarding,
- Reduce friction in contracts, and
- Build trust as a resilient partner in the health ecosystem.
CAF is here to stay, and those who adapt fastest will gain the strongest competitive edge.