
We switched from a competitor to Adoptech for ISO 27001 and it was the best decision we made. Superior platform, hands-on support, and no need for costly consultants. Great team, great results!
Automated compliance and independent assurance by regulatory experts

Trusted by Hundreds of UK & EU MSPs

THE GUIDE
MSPs are now recognised as critical to the UK’s digital economy – and a key target for attackers.
BUILD TRUST
Earn the Adoptech CAF Assurance Trustmark — visible proof that your MSP has been independently audited using the NCSC’s Cyber Assessment Framework.
Promote your Trustmark on your Trust Centre alongside:
Providing real-time visibility of your ongoing compliance posture.

THE PROCESS
DISCOVER & ASSESS
Upload existing data, set up integrations to instantly view control gaps.
PLAN & IMPLEMENT
Address control gaps, automate evidence gathering and undertake your CAF assurance assessment.
PUBLISH YOUR TRUST CENTRE
Showcase your accreditation, security posture and control status on your trust centre webpage, all while maintaining disclosure control.
Adoptech automates up to 80% of CAF compliance by integrating with your systems to test controls, capture evidence, and simplify manual tasks — with expert guidance so you can focus on clients, not compliance.
CAF MILESTONES
MSPs should begin preparing now. Uploading existing Cyber Essentials answers into Adoptech gives you an immediate head start on CAF alignment, reducing risk when obligations formally take effect.
INCREASE REVENUES
Turn compliance into recurring revenue. Offer your clients compliance-as-a-service across multiple frameworks – without needing in-house expertise. Build trust, strengthen retention, and make your clients more sticky by becoming an essential partner in their compliance journey.
In partnership with Brigantia, we’re helping MSPs turn compliance into growth.

FAQS
Under the updated NIS legislation, MSPs will be regulated as RDSPs (Relevant Digital Service Providers) by the ICO. MSPs below a size / revenue threshold (considered “small”) will not initially be regulated; however, the likelihood is that customers will utilise firms they can trust. That trust will be built by evidencing compliance.
As of 29 September 2025, the Bill has a published policy statement and is due to be introduced in the current Parliamentary session. Several legal commentators expect Royal Assent by late 2025, with detailed start dates and any phase-ins set via secondary legislation after passage. Practically, MSP duties (e.g. incident reporting timelines) will begin on dates specified in those implementing regulations, so plan for a transition period in 2025–26 while final commencement dates are confirmed.
Last updated: September 2025
The Information Commissioner’s Office (ICO) will be the lead regulator for MSPs designated as Relevant Digital Service Providers (RDSPs). The ICO will have powers to gather information, investigate, and enforce compliance.
Cyber Essentials is a baseline certification focused on technical controls. CAF is outcome-based, regulator-driven, and broader in scope, covering governance, supply chain security, monitoring, and incident response. If you already hold Cyber Essentials, Adoptech can map your answers into CAF to give you a head start.
Risks include significant fines, loss of contracts, and reputational damage. Companies are unlikely to work with MSPs who cannot evidence CAF compliance, and regulated companies that are part of the critical national infrastructure will not be permitted to acquire services from MSPs who cannot demonstrate compliance.
Under the Bill, MSPs must report significant incidents within 24 hours of becoming aware, followed by a full report within 72 hours. You must also notify affected clients if their services may be impacted.
Yes, regulators will be able to individually designate a supplier (including MSPs) as a DCS (Designated Critical Supplier) if the supplier’s goods or services are so critical that disruption could cause a significant disruptive effect on the essential or digital service it supports. However, this is expected to apply to a very small number of suppliers.
Regulators can designate MSPs whose services are so essential that disruption could cause a significant impact. Critical Suppliers are subject to the same security and reporting obligations as larger regulated entities.
ISO 27001 is an internationally recognised, certifiable standard, while SOC 2 is a widely adopted audit framework originating in the US. Both focus on helping organisations manage information and cybersecurity risks through defined controls and processes — and there is significant overlap with the NCSC’s Cyber Assessment Framework (CAF).
The key difference is that CAF compliance will be mandatory for MSPs under the UK Cyber Security and Resilience Bill, which brings managed service providers into scope of the NIS Regulations. The ICO (Information Commissioner’s Office) will act as the regulator and will have the power to issue fines for non-compliance.
By contrast, ISO 27001 and SOC 2 remain voluntary certifications.
CAF, developed by the National Cyber Security Centre (NCSC), is a UK government assessment framework focused on measurable cyber resilience outcomes. While the assessment approach differs slightly from ISO and SOC 2, the core practices are similar — covering governance, risk management, incident response, and security controls.
Within Adoptech, many CAF controls are mapped directly to ISO 27001 and SOC 2 requirements. This means that achieving CAF compliance will also help evidence conformity with ISO or SOC 2 — and vice versa.
For a more detailed comparison of CAF, ISO 27001, and SOC 2, read our full blog post: CAF vs ISO 27001 vs SOC 2: Understanding the Differences
Each outcome is assessed as Achieved, Partially Achieved, or Not Achieved based on Indicators of Good Practice (IGPs). Regulators (ICO for MSPs) look for evidence that security processes are working in practice, not just documented.
Yes. Regulators will have the power to designate certain smaller providers as Critical Suppliers if disruption to their services could impact essential functions.
Accreditation helps you evidence compliance, which builds trust and provides a competitive advantage.
CAF obligations are coming fast. Start today to stay compliant, protect your clients, and lead in resilience.