UK operators of essential services and critical national infrastructure are assessed against the NCSC Cyber Assessment Framework (CAF). Objective D — response and recovery planning, and lessons learned — expects response plans tested with the people who execute them. CyberICS delivers 300+ ready-to-run OT scenarios with AI-generated After Action Reports that produce CAF-mappable contributing-outcome evidence and drill the UK NIS 72-hour reporting duty.
The UK NIS Regulations and the NCSC CAF apply to operators of essential services and relevant critical national infrastructure. Objective D indicators expect regular, realistic exercising — tracked here as live practice clocks.
Energy, water, transport, health, and digital-infrastructure OES assessed against the CAF must exercise response plans to the Objective D "achieved" indicators and demonstrate UK NIS reporting to their competent authority.
CNI operators must exercise degraded-operations decision-making, resilient-networks fallbacks (CAF B5), and supply-chain response (CAF A4) where it meets response and recovery under Objective D.
The people who actually execute the response — plus those preparing the CAF self-assessment — must exercise plan activation, communications discipline, and the lessons-learned cycle that Objective D2 expects.
CAF Objective D (response & recovery, lessons learned), the UK NIS reporting duty, and the resilience/supply-chain outcomes that feed it are the ones most directly addressed by tabletop exercises. The D1 exercise and D2 lessons clocks are tracked live.
| Standard | Title | Key Requirement Addressed | CyberICS Capability | Relevance |
|---|---|---|---|---|
| CAF D1.a/b | Response Plan & Activation | Maintain and exercise response plans, tested realistically with the personnel who execute them (D1 indicators of good practice). | A formal, evaluated exercise to the D1 "achieved" indicators — realistic scenario, actual responders, decision authorities under pressure; the AAR is the evidence. | Direct |
| CAF D2 | Lessons Learned | Demonstrate a working lessons-learned process: post-incident/exercise reviews driving improvement. | The structured debrief runs the D2 cycle for real; findings become tracked remediation items with exercise-verified closures. | Direct |
| UK NIS | Competent-Authority Reporting (72h) | Report NIS incidents to the competent authority without undue delay and within 72 hours. | Scenarios drill NIS reportability thresholds and the 72-hour report; in-exercise reporting-decision timestamps in the compliance log. | Direct |
| CAF B5 | Resilient Networks & Systems | Sustain essential-service delivery with monitoring and control degraded; manual fallbacks and safety-first decisions. | Loss-of-visibility scenarios exercise manual procedures, field verification, and service-curtailment thresholds as contributing-outcome evidence. | Scenario |
| CAF A4 | Supply-Chain Response | Respond where supply-chain assurance (A4) meets response (D1): a shared industry provider is breached. | Supply-chain scenarios exercise sever-and-verify, coordinated disclosure with sector peers, and NIS reportability assessment. | Scenario |
| CAF A-D | Objective-D Self-Assessment | Map the year's evidence to CAF contributing outcomes ahead of the competent authority's assessment. | The capstone facilitated self-assessment grades D1/D2 contributing outcomes honestly using the year's AARs and packages the file. | Supporting |
Three platform capabilities work together to produce CAF-mappable contributing-outcome evidence and drill the NIS reporting duty.
Live Session mode provides a structured, real-time exercise environment. Participants join by code, respond to scenario steps, and all activity is timestamped — creating an auditable exercise record.
CyberICS's AI engine generates a structured AAR immediately after each exercise — documenting gaps identified, recommended corrective actions, and framework alignment.
The Compliance Dashboard generates per-framework evidence packages — a multi-page audit PDF covering exercise log, controls mapping, gap analysis, remediation timeline, and formal attestation page.
Six high-fidelity scenarios are immediately available, sequenced from foundational to advanced. Each exercises CAF Objective D outcomes and NIS reporting across your OT, communications, and executive teams.
An intrusion is confirmed in the control network of your essential service. Tests response-plan activation, NIS reportability thresholds, the 72-hour competent-authority report, and NCSC engagement.
SCADA visibility drops across a region after a suspected attack on the comms estate. Tests manual procedures, field-verification priorities, and service-curtailment thresholds as CAF B5/D1 evidence.
A provider of shared OT engineering services to several UK operators reports a breach; your sites use their platform. Tests sever-and-verify, coordinated disclosure, and NIS reportability.
A planned, evaluated exercise to CAF D1 "achieved" indicators — plan activation, roles, communications, recovery authority. The structured debrief runs the D2 lessons cycle for real.
Your incident trends on national news before the 72-hour report is filed; a minister's office wants answers today. Tests running technical response and public communications in parallel without contradiction.
A multi-stage incident (phish → OT foothold → attempted disruption) is exercised end-to-end, then the team runs a facilitated CAF Objective-D self-assessment using the year's AARs as evidence.
Plus 59 additional scenarios across Energy, Water, Transport, Health, Manufacturing, and more. Browse the full library →
Every CyberICS exercise automatically generates four categories of evidence that map directly to CAF contributing outcomes and NIS reporting.
AI-generated structured PDF with gap analysis, corrective actions, and framework references. Ready within minutes of exercise completion.
Multi-page per-framework audit PDF: exercise log, controls mapping, gap analysis, remediation timeline, and signed attestation page.
Timestamped record of all participant responses, host actions, and step progression. Demonstrates real exercise activity to auditors.
Gaps identified in the exercise are automatically pushed to ServiceNow or Jira as remediation tickets — creating a documented corrective action trail.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start free with a 14-day trial — no credit card required. Or talk to our UK team about CAF-mapped exercise programs ahead of your competent authority's assessment.
Also explore: IEC 62443 Toolkit · ISO 27001 Toolkit · NIS2 Toolkit