NCSC Active Cyber Defence and Cyber Essentials Plus: operationalising the UK baseline in 2026

By Nirav Goti, 24 June 2026. 17 min read.

On 15 October 2025 the Information Commissioner's Office fined Capita plc and Capita Pension Solutions a combined £14 million for a breach affecting 6.6 million people, citing a 58-hour delay in quarantining an infected device even though the security alert had fired within ten minutes. That same autumn, Jaguar Land Rover lost roughly five weeks of production to a single intrusion, a £1.9 billion event the Bank of England linked to a 0.17 percentage point drag on Q3 GDP. The UK's defensive baseline is no longer a checklist exercise. For the UK CISO selling into MoD, NHS or central government supply chains, the policy stack has thickened in parallel: NCSC's Active Cyber Defence (ACD) programme is being treated as table stakes for 2026 procurement, Cyber Essentials Plus is the floor (not the ceiling) for buyers, and the Cyber Assessment Framework v4.0 now drives sector regulator expectations. The Cyber Security and Resilience Bill, introduced to Parliament on 12 November 2025, will pull managed service providers, data centres at 1MW and above, and "critical suppliers" directly into scope. The question this post answers: how do you translate ACD services, CE Plus controls and CAF v4.0 outcomes into a coherent 2026 implementation programme that actually survives an ICO Article 32 review or an NCSC-led incident?

What Active Cyber Defence actually delivers in 2026

Most CISOs treat ACD as a vague NCSC brand. It is in fact a defined set of free-at-point-of-use services with measurable telemetry, and underuse is the largest preventable gap in the UK baseline.

Mail Check remains the entry point. It evaluates the SPF, DKIM and DMARC posture of every domain the organisation registers with it, including the look-alike registrations a finance team rarely tracks, and it exposes a DMARC aggregate-report feed that an internal SOC can pipe into its SIEM. If your inbound MX is on Microsoft 365 or Google Workspace, Mail Check still works, because it inspects the policy you publish in DNS and the reports receivers send back, not the mail flow itself.

Web Check is the second pillar. It performs lightweight external scans for known vulnerabilities, TLS misconfiguration, missing security headers and certificate issues across every host the organisation declares. The signature set covers exposed admin panels and stale services, the entry vectors in several mid-market 2025 incidents.

Protective DNS (PDNS) is the most underused service in the suite. It resolves queries against an NCSC-curated block list of malicious infrastructure and feeds anonymised telemetry back into the national picture. PDNS access has broadened beyond the original central-government estate to include academia, multi-academy trusts and certain CNI suppliers.

The Suspicious Email Reporting Service (SERS) drives takedown action against phishing infrastructure; forwarding to report@phishing.gov.uk should be a one-click button in every UK employee's mail client.

The implementation move in 2026 is not "should we sign up". It is to make ACD telemetry a board metric: DMARC reject coverage, Web Check open findings, PDNS block volumes and SERS report rate per 1,000 staff. If those four numbers are not on the quarterly risk pack, ACD is shelfware.
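
As an added example (not code from this post and not an NCSC tool), the following Python computes two of those four board metrics from the raw material Mail Check works with: it parses DMARC TXT records for a set of owned domains and scores "DMARC reject coverage", summarises a DMARC aggregate (RUA) report of the kind the Mail Check feed delivers, and works out the SERS report rate per 1,000 staff. The domain names, records, report XML and headcount are all constructed for illustration.

```python
"""Two ACD board metrics from Mail Check's raw material: DMARC reject coverage
and the SERS report rate, plus a parser for a DMARC aggregate (RUA) report.

Added example for this post; not NCSC code. Every domain, record, report and
headcount below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed _dmarc TXT records for an estate, look-alike domains included.
DMARC_RECORDS = {
    "example.co.uk":        "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk; pct=100",
    "mail.example.co.uk":   "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.co.uk",
    "examp1e.co.uk":        "v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk",
    "legacy-example.co.uk": None,   # no _dmarc record published at all
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a lower-cased tag dictionary ({} if absent)."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def is_enforcing(record):
    """Enforcing means p=reject on 100% of mail with aggregate reporting switched on.
    p=quarantine or pct<100 are staging states, not the finished article."""
    tags = parse_dmarc(record)
    return (tags.get("v") == "DMARC1"
            and tags.get("p") == "reject"
            and int(tags.get("pct", "100")) == 100
            and "rua" in tags)

def reject_coverage(records):
    """Board metric 1: share of owned domains at full DMARC reject.
    Domains with no record stay in the denominator; that is the point."""
    return sum(1 for r in records.values() if is_enforcing(r)) / len(records)

# Constructed RUA aggregate report, the XML receivers send to the rua= address.
AGGREGATE_XML = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.co.uk</domain><p>reject</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def summarise_aggregate(xml_text):
    """Aligned versus failing message counts per report, and which sources failed.
    A source failing both DKIM and SPF alignment is either spoofing or an
    unregistered legitimate sender; either way the SOC needs to look at it."""
    root = ET.fromstring(xml_text)
    summary = {"pass": 0, "fail": 0, "failing_sources": []}
    for row in root.iter("row"):
        count = int(row.findtext("count"))
        policy = row.find("policy_evaluated")
        aligned = "pass" in (policy.findtext("dkim"), policy.findtext("spf"))
        if aligned:
            summary["pass"] += count
        else:
            summary["fail"] += count
            summary["failing_sources"].append(row.findtext("source_ip"))
    return summary

def sers_rate_per_1000(reports_in_period, headcount):
    """Board metric 4: SERS reports forwarded per 1,000 staff in the period."""
    return round(reports_in_period * 1000 / headcount, 1)

if __name__ == "__main__":
    for domain, record in DMARC_RECORDS.items():
        print(f"{domain:24s} enforcing={is_enforcing(record)}")
    print("DMARC reject coverage:", reject_coverage(DMARC_RECORDS))
    print("Aggregate report:", summarise_aggregate(AGGREGATE_XML))
    print("SERS reports per 1,000 staff:", sers_rate_per_1000(42, 3500))
```

The design choice worth noting is the denominator: a look-alike or legacy domain with no _dmarc record at all counts as not enforcing rather than being ignored, because those are exactly the domains a phisher will use and the ones Mail Check is there to surface.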

The five ACD services and the four board metrics that turn them from a logo on a website into a quarterly risk pack.

The 2026 ACD posture and what it changes for procurement

The situation buyers face: NCSC has been steadily resetting ACD scope to match the threat picture exposed by the M&S, Co-op, Harrods and JLR incidents. The procurement implication is that ACD enrolment now appears in Cabinet Office buying templates and in the supplier-assurance questionnaires used by NHS England and MoD primes. The headline movements worth tracking: PDNS access broadened beyond the original public-sector estate; Mail Check expectations hardened around DMARC enforcement for higher-risk tenants; Early Warning matured into a feed of NCSC-observed indicators tied to the IP ranges and domains you declare.

For UK suppliers chasing public-sector frameworks, the procurement reality has shifted. Bid responses that previously listed "Cyber Essentials Plus certified" are now asked to evidence Early Warning enrolment, DMARC enforcement and a documented response to PDNS-detected events. Suppliers selling into Crown Commercial Service vehicles, the NHS Data Security and Protection Toolkit and Defence Cyber Protection Partnership tiers should expect a follow-up question on which ACD services they consume and how the telemetry feeds their SOC.

A practical sequencing tip. Onboard Mail Check and Web Check first, because they require no internal change. Apply for Early Warning second, since its value depends on an accurate asset declaration. Adopt PDNS third, because it requires endpoint or resolver re-pointing and a clear roll-back plan. Treat SERS as universal and zero-cost from day one. Document each step against an internal control identifier so the evidence is reusable for Cyber Essentials Plus, CAF and the forthcoming Cyber Security and Resilience Bill incident-management outcomes. Suppliers serving regulated UK clients should also pair ACD adoption with a credible VAPT programme covering the externally exposed estate that Web Check cannot fully validate, especially authenticated web applications and APIs.
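
The "documented response to PDNS-detected events" that buyers now ask for has to start with triage logic. The following is an added example, not code from this post and not NCSC's PDNS export format: it parses constructed block events in an assumed key=value layout, produces the PDNS block-volume board metric, and decides per internal client whether to isolate (any query to a command-and-control category, or three blocks inside fifteen minutes) or merely monitor. The log lines, client addresses, category names and thresholds are all assumptions to be replaced with your resolver's real fields and your own risk appetite.

```python
"""Triage of PDNS-style block events into SOC actions, plus the block-volume metric.

Added example for this post; not NCSC code and not PDNS's real export format.
The key=value log layout, threat categories and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed block events: UTC time, internal client, blocked name, category, action.
SAMPLE_LOG = """\
2026-03-02T09:14:05Z client=10.20.4.17 qname=invoice-portal.example.invalid category=phishing action=block
2026-03-02T09:14:09Z client=10.20.4.17 qname=invoice-portal.example.invalid category=phishing action=block
2026-03-02T09:20:41Z client=10.20.4.17 qname=cdn-update.example.invalid category=malware-c2 action=block
2026-03-02T09:21:02Z client=10.20.4.17 qname=cdn-update.example.invalid category=malware-c2 action=block
2026-03-02T09:21:03Z client=10.20.4.17 qname=cdn-update.example.invalid category=malware-c2 action=block
2026-03-02T10:02:00Z client=10.20.7.3 qname=news-tracker.example.invalid category=adware action=block
2026-03-02T11:45:30Z client=10.20.9.88 qname=intranet.example.invalid category=allowed action=allow
2026-03-02T13:00:00Z client=10.20.5.5 qname=secure-login.example.invalid category=phishing action=block
2026-03-02T13:03:10Z client=10.20.5.5 qname=secure-login.example.invalid category=phishing action=block
2026-03-02T13:09:55Z client=10.20.5.5 qname=secure-login.example.invalid category=phishing action=block
"""

ESCALATE_CATEGORIES = {"malware-c2", "ransomware"}  # assumed: one hit means isolate
REPEAT_THRESHOLD = 3                                  # blocks from one client ...
WINDOW = timedelta(minutes=15)                        # ... inside this window

def parse_events(text):
    """Parse key=value lines into dicts, keeping only blocked queries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        if kv.get("action") != "block":
            continue
        events.append({"ts": datetime.fromisoformat(timestamp.replace("Z", "+00:00")),
                       "client": kv["client"], "qname": kv["qname"],
                       "category": kv["category"]})
    return events

def block_volume(events):
    """Board metric 3: PDNS blocks per category for the reporting period."""
    counts = defaultdict(int)
    for event in events:
        counts[event["category"]] += 1
    return dict(counts)

def triage(events):
    """Per client: ('isolate', reason) or ('monitor', None).
    Isolate on any C2-class block, or on REPEAT_THRESHOLD blocks within WINDOW;
    a lone adware block is noise and stays at monitor."""
    by_client = defaultdict(list)
    for event in events:
        by_client[event["client"]].append(event)
    decisions = {}
    for client, client_events in by_client.items():
        client_events.sort(key=lambda e: e["ts"])
        reason = None
        if any(e["category"] in ESCALATE_CATEGORIES for e in client_events):
            reason = "c2-category"
        else:
            # Sliding window over the sorted events.
            for i in range(len(client_events) - REPEAT_THRESHOLD + 1):
                span = client_events[i + REPEAT_THRESHOLD - 1]["ts"] - client_events[i]["ts"]
                if span <= WINDOW:
                    reason = "repeated-blocks"
                    break
        decisions[client] = ("isolate", reason) if reason else ("monitor", None)
    return decisions

if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    print("block volume:", block_volume(parsed))
    for client, decision in sorted(triage(parsed).items()):
        print(f"{client:12s} {decision}")
```

The output of triage is the artefact a buyer's questionnaire is really asking about: which clients your SOC would have isolated, on what evidence, and how quickly. The Capita decision turned on exactly that gap between an alert firing and a device being quarantined, so record the decision time as well as the decision.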

Four ACD metrics that translate Mail Check, Web Check, PDNS and SERS into quarterly board reporting and procurement-ready evidence.

Cyber Essentials versus Cyber Essentials Plus: the real delta

The situation many UK boards still misread: Cyber Essentials (CE) and Cyber Essentials Plus (CE+) are framed as a "self-assessed versus assessed" pair, but the operational gap is wider than that, and procurement teams have started to enforce the distinction. CE covers five technical control areas: firewalls, secure configuration, security update management, user access control and malware protection. It is a self-attestation against the IASME-administered question set, signed off by a board-level officer. CE+ takes the same five controls and validates them through an external assessor's hands-on test: an authenticated vulnerability scan of a representative sample of end-user devices, an external vulnerability scan of internet-facing services, a malware-protection test on email and web download paths, an MFA check on in-scope cloud services, and a separate account-separation check.

The audit gap usually surfaces in four places. First, patch latency: CE expects high and critical patches applied within 14 days of release, and CE+ assessors regularly find Windows feature-update lag and third-party software gaps (browser plug-ins, PDF readers, Java runtimes) that the self-assessment missed. Second, account separation: privileged accounts must not be used for daily browsing or email, and CE+ samples will catch admins logged into Outlook on their domain-admin profile. Third, multi-factor authentication on cloud services: CE+ now expects MFA on all administrative and user access to cloud services in scope, with hardware or app-based factors preferred over SMS. Fourth, scope definition: organisations often try to descope BYOD or contractor laptops, and the assessor's first action is to test whether those devices can reach in-scope data.

Two procurement points are worth internalising. CE+ certificates expire after twelve months and are increasingly used as a bid pass/fail in MoD DCPP, NHS DSPT and central government commercial frameworks. The requirements were updated again in 2025 with sharper expectations around home-working devices and unsupported software. Treat CE+ as a yearly external probe of the basics rather than a marketing badge. For an organisation that fails the first CE+ visit, the remediation pattern is consistent: tighten patch cycles, separate admin from user accounts, enforce MFA on every cloud admin path, and run an authenticated penetration test against the same scope before the assessor returns.
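
Because the four audit gaps above are mechanical, they can be checked before the assessor arrives. The following is an added example, not this post's code and not IASME's test specification: it runs a constructed inventory of devices, accounts and cloud access through one check per gap (high and critical fixes missing or applied beyond 14 days, privileged accounts carrying a mailbox, cloud access with no MFA or SMS-only, and descoped devices that still reach in-scope data). Hostnames, account names, products and dates are constructed; in practice they would be exported from the MDM, the directory and the cloud tenants.

```python
"""Pre-assessment checks for the four CE+ audit gaps: patch latency, account
separation, cloud MFA and scope leakage.

Added example for this post; not IASME's test specification and not the post's
own code. Every host, account, product and date below is constructed.
"""
from datetime import date

PATCH_SLA_DAYS = 14                 # CE: high/critical fixes within 14 days of release
ASSESSMENT_DATE = date(2026, 3, 2)  # "today" for the missing-patch calculation

# Constructed device inventory. Software entries are
# (product, fix_released, fix_installed or None, severity of the fix).
DEVICES = [
    {"host": "LAP-001", "owner": "alice", "in_scope": True,
     "software": [("Windows 11", "2026-02-10", "2026-02-12", "critical"),
                  ("Acrobat Reader", "2026-01-05", None, "high")]},
    {"host": "LAP-002", "owner": "bob", "in_scope": True,
     "software": [("Windows 11", "2026-02-10", "2026-02-11", "critical"),
                  ("Chrome", "2026-02-25", "2026-02-26", "high"),
                  ("Java runtime", "2026-01-20", "2026-02-20", "high")]},
    {"host": "BYOD-003", "owner": "carol", "in_scope": False,
     "reaches_in_scope_data": True, "software": []},
]

# Constructed directory export: which accounts are privileged and which have a mailbox.
ACCOUNTS = [
    {"user": "alice", "privileged": False, "mailbox": True},
    {"user": "adm-bob", "privileged": True, "mailbox": False},
    {"user": "bob", "privileged": False, "mailbox": True},
    {"user": "dave", "privileged": True, "mailbox": True},   # domain admin reading email
]

# Constructed cloud-tenant export: factor is "hardware", "app", "sms" or "none".
CLOUD_ACCESS = [
    {"service": "M365", "user": "alice", "admin": False, "factor": "app"},
    {"service": "M365", "user": "dave", "admin": True, "factor": "sms"},
    {"service": "AWS", "user": "adm-bob", "admin": True, "factor": "hardware"},
    {"service": "HR-SaaS", "user": "bob", "admin": False, "factor": "none"},
]

def patch_findings(devices, today=ASSESSMENT_DATE):
    """Gap 1: high/critical fixes still missing after 14 days, or applied late.
    Third-party products are checked alongside the OS, which is where CE+ bites."""
    findings = []
    for device in devices:
        for product, released, installed, severity in device["software"]:
            if severity not in ("high", "critical"):
                continue
            applied = date.fromisoformat(installed) if installed else None
            age = ((applied or today) - date.fromisoformat(released)).days
            if age > PATCH_SLA_DAYS:
                findings.append((device["host"], product, age,
                                 "missing" if applied is None else "late"))
    return findings

def account_separation_findings(accounts):
    """Gap 2: privileged accounts that also have a mailbox, so are used day to day."""
    return [a["user"] for a in accounts if a["privileged"] and a["mailbox"]]

def mfa_findings(cloud_access):
    """Gap 3: cloud access with no MFA is a fail; SMS-only is recorded as weak."""
    findings = []
    for access in cloud_access:
        if access["factor"] == "none":
            status = "fail"
        elif access["factor"] == "sms":
            status = "weak"
        else:
            continue
        findings.append((access["service"], access["user"],
                         "admin" if access["admin"] else "user", status))
    return findings

def scope_findings(devices):
    """Gap 4: devices descoped on paper that can still reach in-scope data."""
    return [d["host"] for d in devices
            if not d["in_scope"] and d.get("reaches_in_scope_data")]

if __name__ == "__main__":
    print("patching:", patch_findings(DEVICES))
    print("account separation:", account_separation_findings(ACCOUNTS))
    print("cloud MFA:", mfa_findings(CLOUD_ACCESS))
    print("scope:", scope_findings(DEVICES))
```

Note that patch latency is measured from the vendor's release date, not from when the device was last scanned: a fix applied on day 31 is still a finding, because the assessor samples history as well as current state. The same four lists, with dates, are the remediation evidence to hand the assessor on the return visit.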

Same five controls, two evidence standards. The four audit-gap rows show where CE+ assessors routinely fail organisations who passed CE on paper.

The Cyber Assessment Framework v4.0: what CAF demands beyond CE+

The complication for operators of essential services and central government: CE+ stops at the technical baseline, but the CAF reaches into governance, supply chain, detection and response. CAF v4.0, published in 2025, added explicit outcomes for secure software development and AI cyber risk, both of which previously sat outside the framework. CAF's architecture is four objectives, fourteen principles and forty-one contributing outcomes. Objective A covers managing security risk (governance, risk management, asset management, supply chain). Objective B covers protecting against cyber attack (service protection policies, identity and access, data security, system security, resilient networks, staff awareness). Objective C covers detection (security monitoring, proactive event discovery). Objective D covers minimising impact (response and recovery planning, lessons learned).

Three CAF v4.0 changes deserve direct attention in 2026 planning. Supply-chain expectations have been sharpened: operators must show evidence of supplier criticality assessment, contractual security clauses and ongoing monitoring rather than one-time due diligence. Secure software development is referenced explicitly, which means SBOM generation, dependency scanning and SDLC security gates are no longer aspirational. AI cyber risk has been threaded through several outcomes, calling for model supply-chain validation, prompt-injection defences and data-poisoning resistance to be considered alongside classic application security.

The operational lift for a UK organisation moving from "CE+ certified" to "CAF Achieved" is substantial. CE+ does not require security monitoring, threat hunting, incident response exercising or supplier security clauses. CAF expects all four. The Cyber Security and Resilience Bill (introduced 12 November 2025, Royal Assent expected late 2026, phased through 2028) will pull MSPs, data centres at 1MW and above, and named critical suppliers into the CAF perimeter, with fines tiered up to £17 million or 4 per cent of global turnover for serious breaches and £100,000 per day for ongoing contraventions. A pragmatic sequencing pattern for organisations in scope: map the current control estate to CAF outcomes, classify each outcome as achieved, partially achieved or not achieved, prioritise Objectives A and B for year one, and stand up Objective C detection capability through either an internal SOC or a credible managed 24x7 SOC offering before the Bill commences.

CAF v4.0 in one frame: four objectives sequenced for a two-year programme, with CSR Bill fine exposure for organisations newly in scope.

The supply-chain pivot: M&S, Synnovis and the new "critical supplier" category

The 2025 incidents that reshaped UK supply-chain expectations did not start inside the victim. M&S, Co-op and Harrods were hit by the Scattered Spider and DragonForce ransomware wave between April and May 2025, with the M&S initial compromise attributed to social engineering against a Tata Consultancy Services helpdesk operator. Combined cost estimates ran up to £440 million, and Co-op confirmed 6.5 million member records affected. Synnovis, the NHS pathology provider, was hit by Qilin ransomware in June 2024; King's College Hospital later confirmed that delayed test results contributed to a patient death, and the investigation closed in November 2025 with 400GB exfiltrated and over 1,700 operations cancelled.

The regulatory response is layered. CAF v4.0 strengthens supplier outcomes. The Cyber Security and Resilience Bill creates an explicit "critical supplier" designation. The FCA, PRA and Bank of England's Critical Third Parties (CTP) regime is being stood up to bring major cloud and SaaS providers under direct supervisory expectations for the first time. The ICO's reasoning in the £14 million Capita decision drew heavily on Article 32 UK GDPR and the failure to quarantine known infected hosts in time, a point with obvious read-across to supplier compromise scenarios.

For the UK CISO, three practical changes follow. First, supplier inventories must include not just direct vendors but the helpdesk, identity, backup and remote-access providers that have privileged paths into production. Second, contracts must include incident-notification SLAs aligned to the 24-hour early-warning and 72-hour full-report timelines proposed in the Cyber Security and Resilience Bill, even before commencement. Third, ongoing assurance must move beyond an annual questionnaire to evidence-based reviews: SOC 2 or ISO 27001 reports plus live attestations of MFA, patch latency, network segmentation and tested incident response.

This is where supplier-side attack simulation becomes the lever. Buying organisations should require their critical suppliers to demonstrate, on a defined cadence, that a simulated identity-led intrusion (the M&S pattern) and a simulated ransomware-detonation event (the Synnovis pattern) are detected and contained within the response targets the supplier has contractually committed to. A questionnaire cannot prove this; a tabletop or red-team exercise can.

Eighteen months that produced the "critical supplier" category: from Synnovis in June 2024 through the M&S helpdesk compromise to the CSR Bill in November 2025.

The 2026 enforcement reality: ICO, FCA and the ransomware package

The complication every UK CISO is reading in 2026: enforcement has converged on Article 32 security failures rather than headline privacy infractions, and the Data (Use and Access) Act 2025 (Royal Assent 19 June 2025, main provisions commenced 5 February 2026) raised PECR penalties to UK GDPR ceilings (£17.5 million or 4 per cent of global annual turnover) and gave the ICO binding assessment notices and compulsory interview powers.

The 2025 fine pattern is instructive. Capita: £14 million for slow containment, inadequate vulnerability management and 6.6 million people affected. Advanced Computer Software: £3.07 million, the first UK GDPR fine against a data processor following ransomware, with the root cause a customer account without MFA. 23andMe: £2.31 million for credential-stuffing exposure of 155,592 UK residents and a failure to mandate MFA on highly sensitive genetic data. DPP Law: £60,000 for security failings on a legacy admin account without MFA. Every one of these decisions cites the same controls: MFA, segmentation, patch management, prompt containment. The Cyber Essentials Plus and ACD baselines map directly onto each.

The financial-sector overlay is operational resilience. FCA SYSC 15A and PRA SS1/21 set an absolute requirement that banks, insurers, EMIs and payment institutions remain within impact tolerances for important business services through severe scenarios from 31 March 2025. Cyber attacks and third-party outages are the heavily featured testing scenarios, with CBEST and STAR-FS used as supervisory tools. The forthcoming CTP regime adds direct supervision of designated cloud and SaaS providers.

The Home Office ransomware package (government response published 22 July 2025) is the third pillar. Public-sector and CNI operators will be banned from paying ransoms. Other UK victims contemplating payment must notify within 72 hours of intent to pay, with a full report at 28 days. Mandatory economy-wide incident reporting is on the same 72-hour-initial and 28-day-full cadence. How the FCA impact-tolerance regime will be reconciled with a payment ban for CNI operators has no settled answer yet. The defensive move is to operate as if you cannot pay: build the backup, segmentation and recovery posture that makes the question moot. An AI risk assessment is increasingly part of the same conversation because, per the joint FCA, Bank of England and HM Treasury statement, frontier-AI cyber capabilities already exceed skilled-practitioner ability at higher speed and scale.

The four 2025 ICO decisions every UK CISO should reread: each one cites MFA, segmentation, patch latency or containment time, and each control maps to a CE+ or ACD line item.

A 2026 implementation roadmap: from ACD enrolment to CAF Achieved

A reader who has read this far wants a sequencing answer, not another checklist. The pattern below is what we see working at UK organisations selling into government and regulated buyers.

Quarter one. Enrol in Mail Check, Web Check and SERS in the same week. Apply for Early Warning. Run a Cyber Essentials self-assessment against the current scope to surface obvious gaps. Inventory cloud admin paths and mandate MFA on every one, with hardware or app-based factors preferred over SMS. Publish a board metric pack covering DMARC reject coverage, Web Check open findings, MFA coverage on admin accounts, and patch latency for criticals and highs.

Quarter two. Sit Cyber Essentials Plus with an IASME-licensed certification body. Use the assessor's report as the input to a CAF gap analysis if the organisation is, or sells into, an operator of essential services. Adopt PDNS with a documented rollback plan and tie the block telemetry into the SIEM. Stand up or contract a 24x7 detection capability, because CAF Objective C cannot be achieved on a 9-to-5 model. Run an authenticated penetration test of the externally exposed estate.

Quarter three. Tabletop the ransomware scenario against the assumption you cannot pay (public-sector and CNI clients) and against the 72-hour notification-of-intent regime (everyone else). Map every supplier with privileged production access to the CAF supplier outcomes and, if in scope, the FCA CTP expectations. Rebuild the incident-response runbook around the 24-hour early-warning and 72-hour full-report timelines in the Cyber Security and Resilience Bill, even ahead of commencement.

Quarter four. Run an adversary-simulation exercise targeting the controls assessed during CE+, with explicit objectives around the M&S helpdesk and Synnovis ransomware patterns. Refresh the SBOM and dependency-scanning posture against the CAF software development outcome. Build the post-quantum cryptography inventory ahead of NCSC's 2028 milestone (identify cryptographic services and build a migration plan) so the work is not a 2027 emergency.

The unifying principle: every artefact you create should be reusable across CE+, CAF, the Cyber Security and Resilience Bill, ICO Article 32 review and FCA operational resilience testing. If a control document only satisfies one regulator, it has been written too narrowly.

Choosing CE Plus assessors and ACD-aligned MSSPs without getting burned

The closing question every UK CISO eventually asks: how do I pick the right assessor and the right managed partner, and what should I refuse to pay for?

For Cyber Essentials Plus, the practical checklist is short. Confirm the assessor is licensed by an IASME-appointed Certification Body. Ask to see the sampling methodology for end-user devices and cloud services. Confirm that the authenticated vulnerability scan covers the third-party software stack (browser plug-ins, PDF readers, runtimes), not just the operating system. Insist on a written remediation report with severity and timeframes, and a re-test mechanism that does not require a full re-engagement. Avoid assessors who quote a fixed price without scoping the device sample or cloud-service inventory; that is a sign the engagement is being run as a paper exercise.

For an ACD-aligned MSSP or SOC partner, the questions are sharper. Do they ingest ACD telemetry (Mail Check aggregate reports, PDNS block events, Early Warning indicators) and correlate it against the customer's SIEM? Can they evidence detection use cases mapped to CAF Objective C contributing outcomes, not just MITRE ATT&CK technique counts? What is their stated detection and containment time for a credential-stuffing event (the 23andMe pattern), an unmanaged-device alert (the Capita pattern) and a helpdesk social-engineering escalation (the M&S pattern)? How do they handle the 24-hour early-warning and 72-hour full-report timelines proposed in the Cyber Security and Resilience Bill?

Cost-effective offshore delivery is a legitimate part of this conversation for UK buyers. Certbar is a CERT-In empanelled, India-headquartered VAPT, SOC and compliance firm running 24x7 detection across UK business hours and overnight, with audit artefacts mapped to the UK control frameworks discussed in this post. We work with UK clients selling into MoD, NHS and central government supply chains where the CE+, CAF and forthcoming Cyber Security and Resilience Bill obligations all bite at once. A short scoping conversation against your current ACD telemetry and CE+ scope is usually the fastest way to size the gap.

The 2026 UK baseline is no longer a CE+ certificate on a website. It is a continuously evidenced posture across ACD, CE+, CAF v4.0 and incident-reporting readiness. The organisations that have already integrated those four streams are the ones being shortlisted for the public-sector contracts that will define the rest of the decade.


Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.



Frequently asked questions

What is NCSC Active Cyber Defence (ACD) and which services does it include?

Active Cyber Defence (ACD) is a set of NCSC services designed to disrupt commodity attacks at scale across UK organisations. The core services are Mail Check (SPF, DKIM, DMARC posture), Web Check (lightweight vulnerability and TLS scanning), Protective DNS (resolution against a curated block list), Early Warning (NCSC-observed indicators tied to your declared assets) and the Suspicious Email Reporting Service. Access is free at point of use for eligible organisations, with PDNS broadened beyond the original central-government estate to include academia, multi-academy trusts and certain CNI suppliers.