Important guidance published as NIS deadline nears

The eagerly awaited Cyber Assessment Framework (CAF) to help organisations to manage risks to their essential services in accordance with the Network and Information Security (NIS) Directive has now been published.

Sector Competent Authorities (CAs) will be able to use the CAF to assess and enforce compliance under the NIS Directive for Operators of Essential Services (OESs) that fall within the Directive’s scope. The first version framework, produced by the National Cyber Security Centre, provides a systematic method for assessing the extent to which OESs are achieving the outcomes specified by the 14 NIS Directive’s security objectives.

The CAF stresses the outcomes of what needs to be achieved rather than exactly how it needs to be done for compliance with the NIS Directive. Each contributing outcome is assessed by a set of indicators of good practice. The National Cyber Security Centre cautions that assessment of these contributing outcomes is “primarily a matter of expert judgement” and the indicators of good practice do not remove the requirement for the “informed use of cyber security expertise and sector knowledge”.

The NIS Directive comes into effect on 9th May 2018.

Gemserv will soon be publishing a series of papers to help you understand what the requirements are for your business and how we can help you ensure you have the appropriate governance and processes to meet the directive.  If you would like to receive our papers please contact our marketing team by emailing

Share this...

Share on email
Share on twitter
Share on linkedin
Share on facebook

Find out


Every day our teams of experts are analysing information like this, providing high-level need to know reports for our clients so they can continue to stay ahead and lead their industries.

Get an unfair advantage – subscribe to our mailing list by filling out the form opposite. You can find out how we look after your data in our Data Policy.

About the Authors