Britain measures the cyber threat and the physical threat in two unrelated surveys. The gap between them is where your next NIS audit happens.
The DSIT Cyber Security Breaches Survey 2025 reports that 43% of UK businesses experienced a cyber breach or attack in the past 12 months, with an average cost of £1,600 per disruptive incident. It surveyed 2,180 businesses across the UK. Physical incidents (on-site intrusion, hardware theft, document theft) are excluded from its scope by design. Those sit in a different government instrument entirely: the Home Office Commercial Victimisation Survey 2023, which found 26% of business premises victimised in 12 months: 14% theft, 8% burglary, 8% vandalism, 7% assaults or threats.
No 2024 CVS edition has been published; the 2023 data remains the most recent available. The physical side runs in a track that has gone quiet while the cyber side gets an annual government press release.
In short: NIS Regulations 2018 already require operators of essential services to demonstrate all-hazards security with supply chain audit evidence. That pressure runs continuously through CNI contracts onto guard service providers, not as a single compliance cliff-edge, and the upcoming Cyber Security and Resilience Bill adds a direct supplier designation power on top.
The DSIT Cyber Security Breaches Survey covers digital incidents only; the Home Office Commercial Victimisation Survey covers physical crime against premises. Neither was designed to be read alongside the other.
The DSIT survey covers phishing, ransomware, business email compromise, denial-of-service. It does not capture an unauthorised person walking into a server room with a USB stick. That is a deliberate scope decision, not a flaw.
The CVS gives the closest available view of physical attack prevalence against UK businesses. Its 2023 edition covered around 2,100 premises across England and Wales. Headline numbers: 26% of premises experienced crime in 12 months, broken down as 14% theft, 8% burglary, 8% vandalism and 7% assaults or threats.
The CVS skews retail-heavy. It does not break out industrial sites, energy operators, water utilities, or large logistics facilities as a separate stratum. It does not measure deliberate industrial espionage, sabotage of production lines, or eavesdropping during commercial-sensitive meetings. The closest proxies are the 1% employee theft figure and the 8% burglary line.
No UK survey combines cyber and physical attack vectors into a single annual loss figure. The £1,600 average cost in the DSIT survey is per cyber breach, and the CVS does not publish a total cost figure at all. The cyber threat has a headline number; the physical threat has a footnote.
The NIS Regulations 2018 already cover physical resilience alongside cyber security for operators of essential services. The NCSC Cyber Assessment Framework v4.0 (August 2025) is the audit instrument, and physical and environmental security is assessed within its 14 principles. The UK has no single 2026 compliance cliff-edge; the pressure is continuous via competent-authority audits.
The NIS Regulations have been in force since May 2018. They apply across energy, transport, drinking water, health, digital infrastructure, and certain digital services.
The compliance instrument is the NCSC Cyber Assessment Framework, updated to v4.0 in August 2025. CAF defines 14 principles across 4 objectives. Physical and environmental security is assessed within those principles, and supply chain security is a separate principle under which an OES must demonstrate that it understands and manages security risks from its external suppliers, including subcontracted physical security providers. Competent authorities audit OES against the CAF: Ofgem for energy, Ofwat and the Drinking Water Inspectorate for water, the CQC for health, the DfT for transport. Evidence is expected to be documented and produced on request.
Penalties under the NIS Regulations reach £17 million for the most serious breaches (the "4% of global turnover" tier is a UK GDPR penalty, not a NIS one). The Bill currently in Parliament, the Cyber Security and Resilience Bill, extends this further. Introduced in November 2025, it cleared its Commons stages by April 2026 and is now in the House of Lords. Royal Assent is expected late 2026; implementation runs through 2027 and 2028 under secondary legislation. Two changes matter for guard service contractors; the direct supplier designation power is the one summarised further down.
For now, in May 2026, the practical pressure runs through contracts. NIS-regulated operators are being audited against CAF v4. Their auditors ask about supply chain security. They turn to their guard service contracts for evidence.
Procurement teams at NIS-regulated operators are revising security contracts in line with what their CAF auditor will ask to see: timestamped patrol records, audit-ready visitor logs, defined incident escalation, written shift handover, and 12-month retention. The pattern aligns with NPSA PSeMS guidance on contracts with private security companies.
These are not speculative clauses. NIS supply chain obligations sit on the OES side; NPSA tells the operator what to write into the security contract: documentation, incident-reporting interfaces, regular testing. A guard service provider that cannot evidence these is a known weakness in the OES's CAF position.
Paper logbooks and spreadsheets break down at three predictable points in any CNI audit: timestamps without independent verification, two-dimensional areas captured as one-dimensional records, and audit evidence scattered across separate systems. Each is harder in an industrial setting than in an office. Each is exactly what an NCSC CAF auditor will ask the operator to demonstrate.
Timestamps without independent evidence. When the officer writes the time, the auditor treats it as a claim, not proof. Across a multi-gate industrial site with 30 to 50 entries per shift, the claim that a time was not adjusted an hour later is impossible to support. NFC scans and GPS-stamped events produce device-generated timestamps that the officer cannot edit. That only removes the officer from the loop; the record still has to be protected against later edits once it has been uploaded, otherwise the device timestamp is just a claim made by a different party.
Areas, not points. A spreadsheet row captures a time and a place name. It cannot show how long an officer stood inside a substation perimeter or a loading bay zone. Dwell time inside a defined area is spatial data, and a logbook does not record it.
Five separate systems are not an audit trail. A typical paper-and-Excel set-up holds the logbook in one place, rota in another, GPS extracts in a third, key handovers on a clipboard, and incident forms in a shared inbox. The auditor wants the single chain of evidence for one shift on one date. Five disconnected files do not produce that chain. The CAF supply chain principle is explicit: the OES must be able to demonstrate, on request, how its security supplier records, retains, and surfaces this evidence.
"It has worked so far" is not a CAF answer. The framework asks for a documented, repeatable process with evidence of effective operation.
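As an added illustration of how the three properties above become checkable in software (this is example code written for this page, not COREDINATE's own implementation and not part of the original text): a hash-chained ledger of device-stamped patrol events, sealed server-side after upload so that an edited timestamp is detected even if the editor recomputes the chain, with dwell time per zone and the per-shift chain of evidence extracted from the same records. The seal key, the officer ID, the zone names and the event records are all constructed for the example.

```python
"""Tamper-evident patrol event ledger (constructed illustration).

Each event carries the device-generated timestamp from the NFC/GPS scanner.
Records are chained by SHA-256 so an in-place edit breaks the link, and the
chain head is sealed with an HMAC under a server-held key at upload time so
that recomputing the chain after an edit is also detectable.
"""
import hashlib
import hmac
import json
from datetime import datetime

# Hypothetical server-side key; in a real deployment it never leaves the
# server that receives the uploads, so a client-side editor cannot re-seal.
SERVER_SEAL_KEY = b"example-seal-key-not-for-production"
GENESIS = "0" * 64
LINK_FIELDS = ("seq", "prev_hash", "event")


def canonical(record: dict) -> bytes:
    """Stable byte encoding so the same record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(ledger: list, event: dict) -> dict:
    """Append an event, binding it to the hash of the previous entry."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    body = {"seq": len(ledger), "prev_hash": prev_hash, "event": event}
    entry = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
    ledger.append(entry)
    return entry


def seal(ledger: list, key: bytes = SERVER_SEAL_KEY) -> str:
    """Server-side seal over the chain head, produced when the upload lands."""
    head = ledger[-1]["hash"] if ledger else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify(ledger: list, seal_value: str, key: bytes = SERVER_SEAL_KEY):
    """Return None if the ledger is intact, else a string naming the problem."""
    prev = GENESIS
    for entry in ledger:
        body = {k: entry[k] for k in LINK_FIELDS}
        expected = hashlib.sha256(canonical(body)).hexdigest()
        if entry["prev_hash"] != prev or entry["hash"] != expected:
            return f"broken link at seq {entry['seq']}"
        prev = entry["hash"]
    if not hmac.compare_digest(seal(ledger, key), seal_value):
        return "seal mismatch"  # links consistent, but head re-sealed without the key
    return None


def rechain(ledger: list) -> None:
    """What an editor with write access to the store does after changing a
    record: recompute every link so the chain looks consistent again."""
    prev = GENESIS
    for entry in ledger:
        entry["prev_hash"] = prev
        body = {k: entry[k] for k in LINK_FIELDS}
        entry["hash"] = hashlib.sha256(canonical(body)).hexdigest()
        prev = entry["hash"]


def dwell_seconds(ledger: list, zone: str) -> float:
    """Total time inside `zone`, from paired ENTER/EXIT device timestamps."""
    total, entered = 0.0, None
    for entry in ledger:
        ev = entry["event"]
        if ev["zone"] != zone:
            continue
        ts = datetime.fromisoformat(ev["device_ts"])
        if ev["type"] == "ENTER":
            entered = ts
        elif ev["type"] == "EXIT" and entered is not None:
            total += (ts - entered).total_seconds()
            entered = None
    return total


def shift_evidence(ledger: list, officer: str, date: str) -> list:
    """The single chain of evidence for one officer on one date."""
    return [e for e in ledger
            if e["event"]["officer"] == officer
            and e["event"]["device_ts"].startswith(date)]


def build_sample_ledger() -> list:
    """Constructed events for one night shift; not real site data."""
    ledger = []
    for officer, zone, etype, ts in [
        ("O-17", "substation-A", "ENTER", "2026-05-12T22:00:00+00:00"),
        ("O-17", "substation-A", "EXIT", "2026-05-12T22:12:30+00:00"),
        ("O-17", "loading-bay", "ENTER", "2026-05-12T22:40:00+00:00"),
        ("O-17", "loading-bay", "EXIT", "2026-05-12T22:45:00+00:00"),
    ]:
        append_event(ledger, {"officer": officer, "zone": zone,
                              "type": etype, "device_ts": ts})
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    head_seal = seal(ledger)
    print("intact:", verify(ledger, head_seal))
    print("substation-A dwell (s):", dwell_seconds(ledger, "substation-A"))
    ledger[1]["event"]["device_ts"] = "2026-05-12T23:12:30+00:00"  # +1 hour
    print("after edit:", verify(ledger, head_seal))
    rechain(ledger)
    print("after edit + rechain:", verify(ledger, head_seal))
```

The design point is the split of trust: the officer's device produces the timestamp, the chain makes any later in-place edit visible, and the server-held seal is what stops someone with write access to the store from quietly recomputing the chain. Dwell time and the per-shift extract read the same sealed records, which is what turns five disconnected files into one chain of evidence for one shift on one date.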
COREDINATE is a guard tour system built around the documentation requirements that NIS audits and NPSA guidance ask CNI operators to demand from their physical security contractors, and it maps to those requirements directly.
For the CAF supply chain principle in particular, three further properties matter: tamper-resistant records after upload (so audit evidence cannot be casually edited later), data residency in Germany under GDPR (no transfer to jurisdictions a UK competent authority would query), and geo-redundant availability that an OES can name in its own resilience plan. For CNI clients coordinating multiple security providers, the optional client portal lets the operator review documentation directly without an email request loop.
With COREDINATE, every physical event is reconstructable in context: one audit trail, not five disconnected tools.
Three concrete actions sit within the next two quarters for any guard service provider with CNI clients: vary patrol routes and document the variation, digitise visitor and contractor capture, and build the audit trail before the operator's next CAF audit lands. None requires waiting for the Bill to pass.
1. Vary patrol routes and times, and document the variation. Physical sabotage and theft cluster in predictable gaps. A daily patrol with the same route at the same hour is a schedule for an attacker. Variation only counts as a security measure if it is recorded; otherwise it cannot be evidenced to the client, and the CAF auditor will not see it.
2. Digitise visitor, contractor and subcontractor capture. Identifying a real maintenance technician from a plausible-looking impostor at the gate requires identity capture, escort assignment, time-in-area logging, and exit confirmation. On paper, the controls fall apart by the third visitor in a shift. These records belong in the same system as the patrol records, not in a separate ledger.
3. Build the audit trail before the operator's next CAF audit lands. When a CNI client asks how the last 12 months of documentation are retrievable, the answer is either "on screen, now" or "let me come back to you." NIS audits do not allow the second answer. Migrating from paper to an integrated guard tour system typically takes several weeks for hardware distribution, officer training and site configuration. The lead time matters.
The DSIT Cyber Security Breaches Survey 2025 surveyed 2,180 UK businesses between August and December 2024 and was published in April 2025. It measures digital and cyber attack vectors only: 43% of businesses experienced a cyber breach or attack in the previous 12 months, with an average cost per disruptive breach of £1,600. Physical incidents like document theft, hardware theft, or on-site intrusion are explicitly excluded from its scope by design.
Physical crime against UK businesses is tracked by the Home Office Commercial Victimisation Survey, a separate instrument. The 2023 edition (fieldwork August to November 2023, published September 2024) found that 26% of business premises experienced crime in 12 months: 14% theft, 8% burglary, 8% vandalism, 7% assaults or threats. No 2024 edition has been published; the 2023 data remains the most recent available.
The NIS Regulations 2018 explicitly state their purpose is to boost the overall security, both cyber and physical resilience, of network and information systems. Physical and environmental security is assessed within the 14 principles of the NCSC Cyber Assessment Framework (CAF v4, updated August 2025), which competent authorities use to audit operators of essential services. Supply chain security is an explicit CAF principle: an OES must demonstrate it manages risks from its external suppliers, including its physical security contractors.
The Cyber Security and Resilience Bill was introduced in November 2025 and is currently in the House of Lords after completing its Commons stages. Royal Assent is expected late 2026, with implementation in 2027 and 2028. The Bill introduces a critical supplier designation power that allows regulators to directly designate physical or digital security contractors as regulated entities under NIS, rather than relying only on contractual cascade from OES clients. No designations are expected before 2028, but the legal hook exists.
CNI operators subject to NIS audit pass the documentation requirement to their guard service contractors via contract. Typical clauses now include: timestamped patrol records with location verification, complete visitor and contractor logs covering identity and escort, incident reporting in under 24 hours with photo and location evidence, audit trails of every shift handover, and 12-month availability of all documentation on request for CAF audit support.
For the NCSC's own framing of supply chain expectations under the CAF, see the NCSC Cyber Assessment Framework collection. For physical security management system guidance, see the NPSA PSeMS resource.
Before the operator's next CAF audit lands is the right time to test this. Speak to our sales team, or order the 14-day test kit and run it on a live site.