Cyber Resilience Test Facilities (CRTFs) have now moved from concept into operational reality, with the first product assessments completed and reports issued. This milestone confirms CRTFs as a risk-based assurance mechanism rather than a pass/fail certification scheme. Yet major challenges remain: governance, market interpretation, high-assurance integration with UK Telecoms Lab (UKTL), and international alignment. CRTFs are real, but adoption must stay meaningful.
Contents
- 1. Introduction
- 2. The First Issued Reports: A Proof-of-Life Moment
- 3. Risk-Based Assurance, Not Certification Theatre
- 4. CAS-S Closure: CRTFs Become Assurance Infrastructure
- 5. NCSC Admits the Hard Challenges Are Still Ahead
- 6. Reflecting Back: How This Update Relates to My June 2025 CRT Analysis
- 7. The Next Phase: Governance, Interpretation, International Alignment
- 8. The Missing High-Assurance Anchor: Where Does UKTL Fit?
- 9. Toward a Unified UK Assurance Stack: CRTFs, UKTL, and International Alignment
- 10. Conclusion: CRTFs Are Real… The Question Now Is What They Become
1. Introduction
In April 2025, at CYBERUK, the UK’s National Cyber Security Centre (NCSC) announced the creation of Cyber Resilience Test Facilities (CRTFs): a new national network intended to help technology vendors demonstrate the resilience of their products, and to help customers make better-informed decisions about cyber risk.
At the time, CRTFs represented a significant shift in direction. They were not simply another certification badge or compliance wrapper, but the early shape of something more ambitious: scalable, principles-based assurance delivered through delegated industry capability.
Now, in early 2026, we have reached the first meaningful operational milestone.
In the recent blog post “One small step for Cyber Resilience Test Facilities, one giant leap for technology assurance”, the NCSC has confirmed that the first products have completed assessment through CRTFs, and that reports have now been issued.
This is, in one sense, a small step: the first outputs from a new scheme.
But it is also a giant leap: CRTFs have moved from concept into delivery.
And with that shift, the hard questions begin.
2. The First Issued Reports: A Proof-of-Life Moment
The NCSC’s recent update is the first concrete evidence that CRTFs are not just an architectural proposal, but a functioning assurance mechanism.
As Sean D, NCSC CTO for Cyber Growth, notes:
“The first products to go through CRTFs have now had their reports issued.”
This matters because CRTFs have always been about more than standing up test labs. They represent an attempt to delegate scalable assurance activities to UK industry, while maintaining consistency through NCSC-approved standards and techniques.
This is the scheme’s first proof-of-life moment: facilities are operating, vendors are engaging, assessments are being completed, and reports are being delivered into the market. The question is no longer whether CRTFs can exist, but what they will become.
At this early stage, the NCSC’s public framing remains intentionally high-level, with limited visibility into which products have gone first or how reports will be consumed in practice.
3. Risk-Based Assurance, Not Certification Theatre
One of the most important clarifications in the NCSC post is also one of the most easily misunderstood: CRTFs are not designed to produce a pass/fail outcome. There is no “approved product” label and no binary certification.
Instead, CRTFs issue reports that describe performance against Assurance Principles and Claims (APCs), identifying risks and weaknesses in context.
Crucially:
“There is no ‘pass’ or ‘fail’.”
This aligns strongly with the argument I made throughout my June analysis: cyber resilience cannot be reduced to procurement-friendly tick-boxes without losing the very thing that matters, a meaningful understanding of risk.
The CRTF model is explicitly principles-based, not compliance-based.
That is a major philosophical step forward.
But it also introduces a challenge:
Risk-based assurance only works if customers are willing and able to interpret risk-based outputs.
If the market demands simplicity, CRTFs could still be pushed, culturally if not formally, into becoming trust-label shorthand.
That tension remains unresolved.
4. CAS-S Closure: CRTFs Become Assurance Infrastructure
Perhaps the most structurally significant announcement in the post is not about product testing at all.
It is about sanitisation.
The NCSC confirms that its long-running Assured Sanitisation Service (CAS-S) has closed as of January 2026, and will no longer accept new evaluations.
Instead:
“A new NCSC Sanitisation Service will be delivered exclusively by CRTFs.”
This is a major signal.
CRTFs are not merely a niche pilot for product assurance.
They are becoming the platform through which NCSC intends to deliver assurance services going forward.
In other words:
CRTFs are moving from “a scheme” to “infrastructure”.
This reinforces a core conclusion from my earlier critique:
The UK is not experimenting with cyber resilience testing at the margins.
It is rebuilding its assurance ecosystem around CRTFs.
That makes questions of governance, consistency, and adoption even more urgent.
5. NCSC Admits the Hard Challenges Are Still Ahead
The NCSC is clear that this is only the beginning, and it openly identifies the difficult problems that remain unresolved.
Among the most pressing are how high assurance can be enabled at scale, how diverse requirements such as operational technology or TEMPEST can be incorporated, how tailored assurance can work for specialist equipment, and how this approach can align with other standards and international markets.
These are not peripheral questions.
They are the central challenges of assurance as a system.
Scaling assurance always risks diluting it.
Broadening scope always risks fragmentation.
Specialisation always resists standardisation.
International markets always demand interoperability.
The NCSC is right to frame these as active challenges, because CRTFs will succeed or fail based on how they are answered.
6. Reflecting Back: How This Update Relates to My June 2025 CRT Analysis
The NCSC’s announcement is not happening in a vacuum; it lands directly on the themes I explored across my June CRT series. This milestone confirms that CRTFs have moved from concept into execution, but it also sharpens the questions that were already emerging.
In “Cyber Resilience Testing and Facilities — Mapping, Critique, and the Path Forward” (11 June), I argued that CRTFs were promising, but that clarity was needed on the value they would deliver, how they would avoid becoming another box-ticking regime, and how governance and consistency would be sustained. With the first reports now issued, those concerns are no longer theoretical: interpretability and oversight become practical requirements.
In “Mapping the Global Security Landscape — Where CRT Fits and Where It Doesn’t” (2 June), I positioned CRT as needing to find its place between rigid certification models, bespoke high-assurance frameworks like UKTL, and international markets where interoperability matters. The NCSC’s own questions about alignment beyond the UK show that this tension remains unresolved.
In “The Future of Cyber Resilience Testing — Reflections on a Scheme in Transition” (4 June), I described CRTFs as an evolving design space rather than a finished programme. The transition of services like sanitisation into CRTF delivery is exactly that evolution, moving CRTFs from proposal into platform, while the open challenges around high assurance and specialist technologies remain live.
And in “Trust Labels and the Path to Meaningful Security — Rethinking CRT Adoption in the UK” (9 June), I warned of “trust label drift”: the risk that CRTFs could be culturally reduced to procurement shorthand. The NCSC is explicit that CRTFs do not issue pass/fail outcomes, but unless customers engage with reports rather than ratings, that simplification pressure will persist.
Taken together, this update is not a conclusion; it is a threshold moment. CRTFs are now operational, but the governance, adoption, and ecosystem questions raised throughout June are still the central questions of the scheme’s next phase.
7. The Next Phase: Governance, Interpretation, International Alignment
Now that CRTFs are operational, the scheme enters its most consequential phase. The next challenges are no longer about standing up facilities, but about ensuring the model scales with credibility and remains interpretable in practice.
The first is governance and consistency. Delegating assurance to industry can unlock scale, but only if independence, quality control, and assessor coherence are maintained. Questions of how CRTFs are audited, how conflicts of interest are managed, and how reporting remains consistent across facilities will determine whether trust attaches to the scheme itself.
The second is customer interpretation and market behaviour. Reports without pass/fail outcomes are intellectually honest, but procurement culture often seeks shorthand. Unless customers engage with the substance of reports rather than reducing outputs into amber/green heuristics, CRTFs may still drift toward the trust-label dynamics they are trying to avoid. Principles-based assurance models have historically struggled when procurement environments demand simple certification shortcuts, so the interpretability challenge may prove decisive.
The third is international and standards alignment. The NCSC explicitly asks how this approach will interact with other frameworks and markets. If CRTFs remain UK-specific artefacts, vendors may face duplicated burdens rather than streamlined assurance. Interoperability will be essential if CRTFs are to become a meaningful assurance signal beyond domestic boundaries.
8. The Missing High-Assurance Anchor: Where Does UKTL Fit?
This also raises a question that remains unclear in public framing: how CRTFs relate to existing high-assurance structures already operating in the UK, such as UKTL.
Where does the UK Telecoms Lab (UKTL) sit in this emerging assurance architecture?
UKTL is, in many ways, the UK’s closest existing analogue to what CRTFs are attempting to achieve: a delegated model of technical assurance, anchored in national security priorities, designed to evaluate the resilience of critical technology deployed at scale. UKTL, operated by the National Physical Laboratory, already represents a delegated, NCSC-aligned model for high-assurance telecoms evaluation within the UK’s regulated telecoms security framework.
UKTL operates in a different assurance tier. It is tied to regulated telecoms security obligations, reflects the realities of deep high-assurance evaluation, and sits within the critical national infrastructure ecosystem rather than voluntary market adoption. CRTFs, by contrast, are currently positioned as principles-based, advisory, scalable across a broad technology market, and oriented toward informed procurement decision-making.
This raises an unavoidable strategic question:
Are CRTFs intended to complement UKTL, providing scalable baseline resilience testing while UKTL remains the deep high-assurance anchor?
Or are CRTFs the beginnings of a broader assurance platform that may eventually absorb or generalise UKTL-like functions into a more unified national model?
Greater public clarity on whether CRTFs represent a baseline tier with referral pathways into deeper UKTL-style evaluation would help avoid misaligned expectations.
The NCSC itself gestures toward this tension when it asks:
“How can we enable high assurance at scale?”
That is precisely the problem UKTL exists to address in one sector today.
The challenge for CRTFs is whether they can expand assurance across the wider technology ecosystem without recreating the constraints that high assurance inevitably brings: cost, specialist concentration, slower cycles, and limited throughput.
It is entirely plausible that CRTFs and UKTL are already aligned institutionally, different instruments within the same national assurance orchestra, but the question is how that relationship will be expressed and understood within the UK’s broader assurance architecture.
Until the relationship between these assurance layers is made clearer, the UK risks developing parallel structures: one market-facing and principles-based, the other regulated and high-assurance, with uncertain interoperability between them.
If CRTFs are becoming the delivery infrastructure for services like sanitisation, and UKTL remains the anchor for telecoms resilience, then the next phase of UK technology assurance will depend not only on scaling CRTFs, but on articulating how these schemes align into a coherent national trust architecture.
9. Toward a Unified UK Assurance Stack: CRTFs, UKTL, and International Alignment
One of the most important questions now emerging is whether the UK is moving toward a coherent, layered assurance architecture, or simply adding new schemes alongside existing ones.
CRTFs are clearly being positioned as a scalable, market-facing mechanism for principles-based resilience testing across a broad range of technology products. At the same time, the UK already operates higher-assurance structures in specific critical domains, most notably through UKTL in the telecoms sector.
This raises the prospect of an evolving national assurance stack, with CRTFs providing scalable baseline resilience evidence and risk-focused reporting, UKTL anchoring deep evaluation in regulated critical infrastructure domains, and APCs acting as connective tissue between these layers.
If this alignment can be made explicit, and if CRTF outputs can mature into internationally interoperable assurance signals rather than UK-specific artefacts, then the UK has an opportunity to build something more than a domestic testing network.
The longer-term challenge is not simply scaling CRTFs, but integrating them into a unified assurance ecosystem: one that spans baseline resilience, high assurance, and global market credibility without collapsing into either compliance theatre or fragmented duplication.
That is the next strategic horizon for cyber resilience testing in the UK.
There is also a subtle institutional shift underway. CRTFs suggest an NCSC that is moving beyond guidance and convening, and back into the business of structured national assurance. This is not a return to the closed CESG era, but a sign that the UK is once again building formal trust architecture around critical technologies.
10. Conclusion: CRTFs Are Real… The Question Now Is What They Become
The NCSC’s update marks a genuine milestone. CRTFs have moved beyond announcement and aspiration: the first CRTF assessments have been completed and reports have now been issued, with legacy services such as CAS-S already being reshaped around this new delivery model.
In other words, CRTFs are no longer hypothetical. They are now part of the UK’s emerging assurance infrastructure.
But this is not an endpoint. It is the beginning of the harder phase.
Because assurance at scale is never only a technical exercise. It is a question of governance and consistency, of market interpretation and procurement behaviour, of trust and incentives, and ultimately of international credibility.
CRTFs offer the UK a real opportunity to move away from compliance theatre and toward a more mature, risk-based, principles-driven model of resilience assurance. Yet the success of that model will depend on whether it remains meaningful in practice: whether reports are read rather than reduced, whether assurance scales without dilution, and whether the UK can build a coherent architecture rather than a fragmented patchwork of schemes.
CRTFs are now real. The task ahead is ensuring they become more than a signal: a foundation for trustworthy technology adoption.
The opportunity now is for vendors, procurers, regulators, and assurance bodies to engage early, while the scheme’s norms and expectations are still being formed.
The milestone has been reached. The discipline now begins.