Beyond IT: A leadership briefing on the CAF and cyber governance

The CAF is the UK's national standard for assessing cyber security and together, these developments are reshaping regulatory expectations across organisations, including higher education. CAF is already mandated for Critical National Infrastructure (CNI), and it's rapidly becoming a must have for funders, regulators and strategic partners. 

For universities, this is particularly relevant where there is:

• Involvement in healthcare education or research particularly those working with the NHS (with rising expectations to align security and resilience programmes with CAF principles)
• Sensitive research and partnerships connected to national security, energy, defence, pharmaceuticals, or government-funded bodies
• Competitive bids for grants, collaborations and strategic projects, where partners increasingly seek CAF-aligned assurance and evidence of maturity. Even where the CAF is not (yet) a formal requirement, it is being used as a benchmark for governance-level confidence: that cyber risk is understood, managed and evidenced.

Learn more in a jargon-free session

Waterstons are hosting a practical, leadership-focused webinar with Stew Hogg, Cyber Director and NCSC Head Consultant, who will explain what the new legislation and updated CAF mean in practice for universities.

With a background in Higher Education, Stew will focus on what this shift means for senior leaders responsible for governance, financial resilience, operational continuity and reputational risk – not just for IT teams.

We’ll show how the CAF can be used as a practical management tool to help you:

• Safeguard teaching, research and critical services
• Protect student, staff and research data
• Reduce operational disruption and financial risk
• Strengthen organisational resilience and leadership assurance

What you’ll take away

You’ll leave with clear, actionable steps you can take now to prepare for emerging legal and regulatory expectations – and to ensure your university is better equipped to withstand the evolving cyber threats facing the sector in 2026 and beyond.