NPSA Physical Security: The UK Guidance Everyone Misreads
NPSA, the successor to CPNI, has rewritten the UK CNI guidance. A practitioner reading of what changed and what UK operators must now demonstrate.

Dr. Raphael Nagel
February 5, 2025

NPSA is not a rebrand of CPNI. It is a redefinition of what the United Kingdom expects a critical site to demonstrate, and most operators are reading the new guidance through the assumptions of the old one.
The Centre for the Protection of National Infrastructure was, for almost two decades, an advisory body. It published standards, ran assessments, and accredited products. National Protective Security Authority, which absorbed its mandate in 2023, sits inside MI5 and speaks with a different voice. The guidance has not merely been republished under new branding. It has been reframed around demonstrable resilience, integrated security, and the assumption that the threat actor reaches further than the perimeter. Operators who treat the transition as a logo change are missing the point. The audit that arrives in 2025 or 2026 will not look like the audit that arrived in 2018.
What Actually Changed in the Transition
The first change is institutional. CPNI was a centre. NPSA is an authority. The shift in noun is not cosmetic. A centre advises. An authority defines the standard against which compliance is measured and, by extension, against which negligence is later judged. Operators of critical national infrastructure who have a CPNI document on their shelf are not in possession of current guidance. They are in possession of a historical artifact that was overtaken in March 2023.
The second change is scope. CPNI's mandate covered the thirteen recognised CNI sectors with a heavy emphasis on physical hostile reconnaissance, intruder detection, and hostile vehicle mitigation. NPSA has retained those domains and added two that previous guidance treated as adjacent rather than central: insider risk and personnel security on one side, and the convergence of physical and cyber on the other. The new guidance reads less like a catalogue of countermeasures and more like a doctrine of integrated protective security. That word, integrated, is the operative one. NPSA expects that the physical access control system, the network segmentation regime, the vetting process, and the visitor management workflow are treated as one system with one risk owner, not four systems with four reporting lines that meet only at the board.
The third change is the evidentiary standard. CPNI guidance was, in practice, often consumed as a reference. Operators could read it, agree with it, and continue with their existing arrangements. NPSA guidance is increasingly consumed as a benchmark. The question asked by regulators, insurers, and, after an incident, by inquiry counsel is not whether the operator read the guidance. It is whether the operator can demonstrate that the protective measures in place reflect a current threat assessment, that the assessment was reviewed within a defined interval, and that the residual risks were accepted at an appropriate level of seniority. The shift from reading to demonstrating is the shift that catches operators unprepared. Documentation that was sufficient in 2019 is now thin. A risk register without a threat baseline is no longer a risk register. It is a list.
The Doctrine of Integrated Protective Security
NPSA's central proposition is that protective security cannot be designed in silos and assembled later. The fence, the access reader, the CCTV system, the security operations centre, the vetting standard, and the cyber controls protecting the building management system are not independent. They are components of one defensive posture, and a sophisticated adversary will find the seam between them.
This is not a new idea in theory. It is a new idea in practice, because the operating model of most UK CNI sites has, for thirty years, distributed these responsibilities across functions that report to different directors with different budgets. Facilities management owns the physical estate. IT owns the network. HR owns vetting. A head of security, where one exists, often sits below the level at which trade-offs between these functions are actually made. The result is a structure in which no single person can answer the question NPSA now asks: what is the residual risk to this asset across all attack vectors, and who has accepted it?
The doctrinal shift requires three structural changes. The first is the elevation of protective security to a function that reports at board level, with a defined remit and a defined budget that is not negotiated annually against facilities maintenance. The second is the establishment of a single risk register that integrates physical, personnel, and cyber threats into one taxonomy, scored on a common scale. The third is the introduction of a tested response capability that exercises across the seams, not within the silos. A tabletop exercise that involves only the IT incident response team is not a test of integrated protective security. It is a test of one component.
Operators who have made these changes find that the NPSA guidance reads as a description of how they already work. Operators who have not made them find that the guidance reads as a list of expectations that their organisational structure cannot meet. The gap is structural, not technical, and it is not closed by purchasing additional hardware. It is closed by reassigning authority.
Hostile Vehicle Mitigation and the New Standoff Logic
The CPNI guidance on hostile vehicle mitigation was, by international standards, mature. It defined impact ratings, standoff distances, and certification regimes that influenced the IWA 14 and PAS 68 standards globally. NPSA has retained the technical substance and changed the framing.
Under CPNI, hostile vehicle mitigation was treated primarily as a perimeter problem. Under NPSA, it is treated as a standoff problem that begins well outside the perimeter. The relevant question is no longer whether the bollards at the gate will stop a seven and a half tonne vehicle at thirty miles per hour. The relevant question is what an adversary observes during the approach, where the decision points are at which an attack can be deflected without contact, and what the integrated response looks like from the moment a vehicle deviates from expected behaviour. This shift incorporates lessons from continental European practice, particularly the German Bundesamt für Sicherheit in der Informationstechnik framing of layered protection, and aligns with the direction the ISO 22343 series is taking on vehicle security barriers.
The operational consequence is that hostile vehicle mitigation is no longer a procurement decision about which bollard to install. It is an operational design decision that affects traffic management, visitor processing, delivery scheduling, and CCTV coverage. An operator who has installed PAS 68 rated equipment but has not redesigned the approach pattern to give the control room six seconds of decision time has, under NPSA's reading, a partial solution. The hardware is necessary. It is not sufficient.
This reframing matches the direction of CISA guidance in the United States on vehicle ramming attacks and the ASIS International protective security operations standards. It is not a UK peculiarity. It is the international consensus that the UK is now codifying through NPSA. Operators with sites in multiple jurisdictions should expect that what NPSA requires will, within three to five years, be requested by counterparts in other regulatory regimes.
Personnel Security and the Insider Question
The area in which NPSA has moved furthest from its predecessor is personnel security. CPNI maintained respected guidance on pre-employment screening, ongoing personnel security, and the management of insider risk. NPSA has retained that material and changed the emphasis. The guidance now treats insider risk not as a residual concern after vetting but as the dominant threat vector for many CNI sites.
The reasoning is straightforward. Perimeter penetration by external actors is, in absolute numbers, rare against well-defended sites. Compromise through trusted access is more frequent, harder to detect, and more damaging when it occurs. NPSA's guidance accordingly elevates ongoing personnel security, behavioural indicators, and the management of contractor and third-party access to a level of seriousness that CPNI guidance touched on but did not centre. The relevant standards now interlink: ISO 27001 controls on personnel security, NIST 800-53 PS-family controls, and NPSA's own framing converge on a common expectation that vetting at the point of hire is the floor of personnel security, not its definition.
Operators reading the guidance through the old lens hear this as an HR matter. It is not. It is a security architecture matter, because the controls that detect insider activity (segregation of duties, monitoring of privileged access, behavioural analytics on building access patterns) are technical and organisational measures that have to be designed, deployed, and tested as part of the protective security posture. The cleaner who has access to every floor after hours is a personnel security problem with a technical solution. The systems administrator who has unmonitored remote access to the SCADA environment is a personnel security problem with a different technical solution. NPSA expects both to be addressed within one framework. CPNI rarely demanded that.
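The behavioural analytic on building access patterns mentioned above is simple to state and rarely implemented. The following is an added example, not code from the article or from any access control vendor: it baselines each badge's observed zones and hours of day from an export of swipe records, then flags later swipes that fall outside that badge's own pattern, which is exactly the "cleaner in the comms room at two in the morning" case. The record layout, badge ids, zone names, baseline cut-off and after-hours window are all constructed assumptions.

```python
"""Deviation check over physical access control (PACS) badge events (added example)."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample PACS export (timestamp,badge,zone,decision); not from any real site.
BADGE_EVENTS = """\
2025-01-13T06:05:00,B1042,Lobby,granted
2025-01-13T06:12:00,B1042,Floor2,granted
2025-01-13T07:30:00,B1042,Floor3,granted
2025-01-14T06:03:00,B1042,Lobby,granted
2025-01-14T06:20:00,B1042,Floor3,granted
2025-01-13T09:02:00,B2077,Lobby,granted
2025-01-13T09:10:00,B2077,CommsRoom-3,granted
2025-01-14T09:05:00,B2077,Lobby,granted
2025-01-14T14:40:00,B2077,CommsRoom-3,granted
2025-01-20T06:01:00,B1042,Lobby,granted
2025-01-20T02:10:00,B1042,CommsRoom-3,granted
2025-01-21T23:40:00,B2077,CommsRoom-3,granted
2025-01-21T10:15:00,B2077,CommsRoom-3,granted
"""

BASELINE_CUTOFF = datetime(2025, 1, 18)   # assumed: swipes before this date form the baseline
AFTER_HOURS = (time(22, 0), time(6, 0))   # assumed site policy: 22:00 to 06:00 is after hours


def parse_events(text):
    """Parse CSV-style swipe records into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, zone, decision = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "zone": zone, "decision": decision})
    return sorted(events, key=lambda e: e["ts"])


def is_after_hours(ts):
    """True when the time of day falls inside the after-hours window (wraps midnight)."""
    start, end = AFTER_HOURS
    t = ts.time()
    return t >= start or t < end


def build_baseline(events, cutoff=BASELINE_CUTOFF):
    """Per badge: the zones entered and the hours of day seen before the cutoff."""
    zones = defaultdict(set)
    hours = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["decision"] == "granted":
            zones[e["badge"]].add(e["zone"])
            hours[e["badge"]].add(e["ts"].hour)
    return {"zones": zones, "hours": hours}


def flag_deviations(events, baseline, cutoff=BASELINE_CUTOFF):
    """Return granted swipes after the cutoff that break the badge's own pattern.

    A badge with no baseline at all gets an empty set, so its first swipe into
    any zone is flagged; that is the intended behaviour for a new or unknown badge.
    """
    findings = []
    for e in events:
        if e["ts"] < cutoff or e["decision"] != "granted":
            continue
        reasons = []
        if e["zone"] not in baseline["zones"][e["badge"]]:
            reasons.append("zone not in baseline")
        if is_after_hours(e["ts"]) and e["ts"].hour not in baseline["hours"][e["badge"]]:
            reasons.append("after-hours access outside baseline hours")
        if reasons:
            findings.append({"badge": e["badge"], "ts": e["ts"].isoformat(),
                             "zone": e["zone"], "reasons": reasons})
    return findings


def run():
    """Baseline the constructed export and return the deviations found after the cutoff."""
    events = parse_events(BADGE_EVENTS)
    return flag_deviations(events, build_baseline(events))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the constructed data this yields two findings: badge B1042 entering CommsRoom-3 at 02:10, flagged for both an unseen zone and an after-hours time, and badge B2077 entering its usual comms room at 23:40, flagged for time only. The second finding is the one that matters for the integrated framework the article describes: the zone is legitimate for that role, so an entitlement-based check would pass it, and only a behavioural baseline catches it.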
What the Audit Now Looks For
The practical question facing UK CNI operators in 2025 is what an NPSA-informed audit actually examines, because the answer determines the documentation that needs to exist before the auditor arrives. The pattern emerging from recent assessments, drawing on observations from the Civil Nuclear Constabulary, regulators in the energy and water sectors, and the Department for Transport on aviation security, is consistent in several respects.
The audit begins with the threat assessment. Auditors ask to see the current threat assessment, the date of its last review, the methodology by which it was produced, and the relationship between the assessment and the protective measures in place. A site that has implemented strong measures without a current assessment is not, by NPSA's standard, well protected. It is fortunate. The distinction matters when an incident occurs and the operator has to demonstrate that the response was proportionate to a known risk.
The audit then examines the integration of physical and cyber controls. Auditors ask how an event in one domain is detected, escalated, and addressed in the other. A physical intrusion that disables a network cabinet should trigger a cyber incident response, not only a physical one. A cyber compromise of the access control system should trigger a physical response, not only a network one. The seams between domains are examined deliberately. Operators who cannot describe the cross-domain workflow find that this section of the audit produces the largest number of findings.
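The two cross-domain workflows named in this paragraph can be expressed as correlation rules. What follows is an added example written for this article, not code from NPSA or from any monitoring product: one rule joins a PACS door alarm to a network device going unreachable in the same room within a short window and opens a single incident carrying both a physical and a cyber action; the other treats an IT-side alert on a host in the access-control estate as an incident that requires a physical response as well as a network one. Feed formats, hostnames, room names, the host inventory and the ten-minute window are constructed assumptions.

```python
"""Cross-domain correlation of physical and cyber alerts (added example)."""
from datetime import datetime, timedelta

# Constructed sample feeds: timestamp,source,asset,event[,detail].
# For PACS and NMS records the asset is a room; for SIEM records it is a host.
PHYSICAL_EVENTS = [
    "2025-02-03T01:12:00,PACS,CommsRoom-3,DOOR_FORCED",
    "2025-02-03T09:30:00,PACS,Lobby,DOOR_HELD_OPEN",
]
NETWORK_EVENTS = [
    "2025-02-03T01:14:30,NMS,CommsRoom-3,DEVICE_UNREACHABLE,sw-cr3-01",
    "2025-02-03T09:31:00,NMS,Datacentre-1,DEVICE_UNREACHABLE,sw-dc1-07",
    "2025-02-03T14:05:00,SIEM,pacs-srv-01,ADMIN_LOGIN_UNEXPECTED,svc_backup",
]

# Assumed inventory of hosts that make up the access-control estate (constructed).
ACCESS_CONTROL_HOSTS = {"pacs-srv-01", "pacs-ctl-north", "pacs-ctl-south"}
PHYSICAL_TRIGGERS = {"DOOR_FORCED", "DOOR_HELD_OPEN", "TAMPER"}
CORRELATION_WINDOW = timedelta(minutes=10)   # assumed: outage must follow the alarm within 10 min


def parse(lines):
    """Parse the constructed feed lines into dicts."""
    out = []
    for line in lines:
        parts = line.split(",")
        out.append({"ts": datetime.fromisoformat(parts[0]), "source": parts[1],
                    "asset": parts[2], "event": parts[3],
                    "detail": parts[4] if len(parts) > 4 else None})
    return out


def physical_to_cyber(physical, network, window=CORRELATION_WINDOW):
    """Door alarm followed by a device outage in the same room -> one joint incident."""
    incidents = []
    for p in physical:
        if p["event"] not in PHYSICAL_TRIGGERS:
            continue
        for n in network:
            same_room = n["event"] == "DEVICE_UNREACHABLE" and n["asset"] == p["asset"]
            in_window = p["ts"] <= n["ts"] <= p["ts"] + window
            if same_room and in_window:
                incidents.append({
                    "kind": "physical_to_cyber", "location": p["asset"],
                    "device": n["detail"], "opened": p["ts"].isoformat(),
                    "actions": [
                        f"physical: dispatch to {p['asset']} and preserve CCTV for the window",
                        f"cyber: treat {n['detail']} as possibly tampered; isolate and inspect "
                        "before it is returned to service",
                    ]})
    return incidents


def cyber_to_physical(network, hosts=ACCESS_CONTROL_HOSTS):
    """Alert on an access-control host -> incident that needs a physical response too."""
    incidents = []
    for n in network:
        if n["asset"] in hosts:
            incidents.append({
                "kind": "cyber_to_physical", "asset": n["asset"],
                "event": n["event"], "opened": n["ts"].isoformat(),
                "actions": [
                    f"physical: doors served by {n['asset']} revert to manned control "
                    "until its integrity is confirmed",
                    f"cyber: investigate {n['event']} ({n['detail']}) on {n['asset']}",
                ]})
    return incidents


def correlate(physical_lines=PHYSICAL_EVENTS, network_lines=NETWORK_EVENTS):
    """Run both rules over the feeds and return the combined incident list."""
    physical, network = parse(physical_lines), parse(network_lines)
    return physical_to_cyber(physical, network) + cyber_to_physical(network)


if __name__ == "__main__":
    for incident in correlate():
        print(incident["kind"], incident["actions"])
```

On the constructed feeds the rules open two incidents. The forced door in CommsRoom-3 joins to sw-cr3-01 dropping off the network two and a half minutes later; the held-open lobby door does not join to the Datacentre-1 outage because the rooms differ, which is the join an auditor will ask to see. The unexpected administrative login on pacs-srv-01 opens an incident whose first action is physical. Either direction alone is what most sites already have; the point of the exercise is that one record carries both action lists and one owner closes it.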
The audit then turns to personnel security and the management of trusted access. Auditors examine the vetting standard, the periodicity of revetting, the monitoring of behavioural indicators, the management of leavers, and the segregation of duties for high-privilege roles. They examine contractor access in particular detail, because contractor management is the area in which most operators have weaker controls than they apply to direct employees. NPSA's guidance is explicit that contractor and third-party personnel are not a lesser category of risk. They are often a greater one, because their employment relationship sits outside the operator's full visibility.
Finally, the audit examines the testing regime. NPSA expects that protective security is exercised, not only documented. Exercises must cross the seams, involve realistic scenarios, and produce written findings that feed back into the threat assessment and the controls. Operators who exercise annually with a fixed scenario produce audit findings. Operators who exercise quarterly with varied scenarios that include integrated physical and cyber components, with insider and external threat actors, with contractor involvement, produce audit closures.
What Holds
The transition from CPNI to NPSA is not a question of updating references in policy documents. It is a question of whether the operator's protective security posture is structurally capable of meeting an integrated standard that did not exist in this form five years ago. Operators who treat the transition as administrative will discover, in the next audit cycle, that the gap between their documentation and the new expectation is wider than they assumed. Operators who treat the transition as structural will discover that the work required is uncomfortable, expensive, and worth doing.
The relevant question for any UK CNI operator is not whether NPSA's guidance applies to their site. It applies. The relevant question is whether the organisation can demonstrate, today, what NPSA expects to see in 2026: a current threat assessment, an integrated risk register, a board-level security function, a tested response capability that crosses domains, and a personnel security regime that does not stop at the point of hire. The operators who answer yes to all five are rare. The operators who answer yes to three of the five have a defined programme of work. The operators who answer yes to fewer than three should not wait for the audit to tell them what they already suspect.
For operators in this position, the work begins with a structured assessment of where the gaps actually sit. BOSWAU + KNAUER, in its work on integrated protective security across construction, industry, and logistics, has developed an audit format that produces this assessment in three to five days on site, with a written report that distinguishes structural gaps from technical ones. The format is described in the manuscript BOSWAU + KNAUER. From Building to Security Technology, alongside the underlying philosophy that physical security and security technology are not separate trades but a single discipline. Operators who want to test their position against the NPSA standard without committing to a full programme of work can begin with the sixty-minute confidential conversation that is the first of the three paths in that book, and decide from there whether the three to five day audit is the appropriate next step.
Frequently asked questions
What is NPSA?
The National Protective Security Authority is the United Kingdom's authority on protective security, established in March 2023 and located within MI5. It absorbed the functions of the Centre for the Protection of National Infrastructure and extended them. NPSA produces guidance, standards, and assessments covering physical security, personnel security, and the convergence of these with cyber protective measures across the thirteen recognised critical national infrastructure sectors. Its remit also extends to crowded places, publicly accessible locations, and economic security, which were not central to CPNI's original mandate. The authority works closely with the National Cyber Security Centre on integrated matters.
How does it differ from CPNI?
The differences are institutional, doctrinal, and evidentiary. Institutionally, NPSA is an authority rather than a centre, which changes how its guidance is treated by regulators and courts. Doctrinally, NPSA centres integration of physical, personnel, and cyber controls in a way CPNI guidance treated as adjacent. Evidentially, the standard has shifted from reading the guidance to demonstrating compliance with it through documentation, exercises, and a current threat assessment. NPSA also broadened the scope to address insider risk and contractor management as primary threat vectors rather than residual concerns. Operators relying on legacy CPNI documents are working from superseded guidance.
What does it require?
NPSA requires operators of critical infrastructure to maintain a current threat assessment, an integrated risk register covering physical, personnel, and cyber threats, board-level accountability for protective security, a tested response capability that exercises across domains, and an ongoing personnel security regime that extends beyond pre-employment vetting. It requires evidence that protective measures are proportionate to assessed threats and that residual risks have been accepted at appropriate seniority. The guidance aligns with ISO 27001, NIST CSF 2.0, IEC 62443 for industrial environments, and emerging ISO 22343 standards on vehicle security barriers, which means compliance with NPSA increasingly satisfies multiple frameworks.
Who is audited?
Operators within the thirteen recognised critical national infrastructure sectors are subject to sector-specific regulatory regimes that increasingly incorporate NPSA guidance as the benchmark for protective security. Energy operators are examined by the relevant economic regulators and the Department for Energy Security. Water operators are examined under the Security and Emergency Measures Direction. Civil nuclear sites are examined by the Office for Nuclear Regulation and the Civil Nuclear Constabulary. Transport operators face Department for Transport oversight. Beyond the formal regulatory perimeter, insurers and major counterparties are increasingly asking the same questions, which extends the practical reach of the standard considerably.

About the author
Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com


