New UK Product Assurance Initiative to Boost Cyber Resilience

The National Cyber Security Centre (NCSC) is developing a Principles Based Assurance (PBA) certification to help build trust in everyday technology and ensure it strengthens resilience against cyber threats. In this article, Izzy MacLeod-Riley, Cyber Security Analyst at CyXcel, outlines what we can expect from this upcoming initiative.
Announced in 2021, and brought to the fore again during CYBERUK 2025, the new PBA certification system for technology is being developed by the NCSC. It will expand upon existing trust and security certifications by implementing a risk-based approach to security assessment for a much broader range of technologies than is currently covered, while also allowing for specialist standards to emerge.
The scheme is intended to follow the full lifecycle of a device as well as include provisions for supply chain and third-party risks. This will include end-of-life product provisions where the vendors must present warnings to consumers that their devices will be unsupported. The NCSC also intends for the scheme to act as a continuous system as opposed to a "point in time" assessment common elsewhere.
The intent is that products will be able to obtain certification under the scheme to allow consumers to consider the risks a product presents, and thus if it fits their risk appetite.
This will be aided by the NCSC publishing the principles and other materials on their website so consumers may review the documents as part of their risk-based decision process.
Because the scheme is still in its early stages, we do not yet know how these risks will be presented to consumers, or how accessible the documents supporting a device’s certification will be.
The assessment process is intended to fit a wide range of technology and its use cases, allowing for a more tailored assessment of the security of any given product. For example, a home router for connecting to the internet will be assessed to a different standard than an enterprise router intended for deployment within banks, due to the differing threats and security requirements the two environments face.
At present, the NCSC is planning to have a minimum viable product of the Cyber Resilience Test Facilities network in operation for launch (according to the NCSC website an early-stage version was due to be live in 2024). These facilities are to be accredited third-party entities (both private and public sector) which can issue certificates to tested devices. From here, we can expect to see how the industry and government implement the scheme as it is adopted and developed.
The PBA scheme is likely to replace the NCSC Tailored Assurance Service (CTAS), which used a similar risk-based system and was operated by the NCSC for the Ministry of Defence, the UK Government and other public sector bodies, as well as for devices targeted at critical national infrastructure.
It appears the scheme will be optional for many devices; it is, however, unclear at present whether devices once covered by CTAS, which has since been sunset, will be required to obtain certification through this scheme.
Further communications regarding developments of the scheme will likely add greater clarity to the scheme’s particulars.
We Can Help
At CyXcel, we can help you understand today’s rapidly evolving regulatory landscape and speak to specific developments that may impact your organization, such as the introduction of the PBA certification. Contact us to speak to an expert.