BOSWAU + KNAUER
NPSA and UK Physical Security: From CPNI to the New National Standard

NPSA replaced CPNI in March 2023. The new authority and what it expects of operators.

Dr. Raphael Nagel

July 12, 2025

The National Protective Security Authority is not a rebrand. It is a redefinition of who in the United Kingdom owns the conversation about physical protective security, and of how broadly that conversation now reaches.

When the Centre for the Protection of National Infrastructure was wound down in March 2023 and its functions transferred into NPSA, the headline read like an organisational reshuffle inside MI5. It was not. The change widened the mandate beyond the thirteen critical national infrastructure sectors into a remit that explicitly includes economic, academic and cultural assets of national significance. Operators who treated CPNI guidance as advisory now face an authority whose published baselines are quoted in procurement clauses, in insurer questionnaires and in board-level risk reports. The threshold has shifted, and the operators who notice this last are the ones who will find themselves explaining gaps in a post-incident review.

From CPNI to NPSA: what actually changed

CPNI existed for two decades as the United Kingdom's national technical authority on protective security against national security threats. It was sectoral, discreet, and largely accessible only to security managers inside designated CNI operators. Its guidance on hostile vehicle mitigation, on insider threat, on access control and on personnel security was respected, but it was filed under restricted distribution and rarely surfaced in commercial procurement.

NPSA inherits that technical authority and expands the audience. The remit now covers what the UK government describes as the broader national security ecosystem. That includes universities holding sensitive research, technology firms in dual-use sectors, sporting venues, festivals, and the supply chains feeding CNI operators. The reasoning is straightforward. The threats that concern the British state (state-sponsored intrusion, terrorism, organised hostile reconnaissance) do not respect the boundary between a regulated water utility and a vendor with privileged access to its operational technology. If the supplier is soft, the operator is soft.

In practice, NPSA publishes more of its baseline material openly than CPNI did: the Catalogue of Security Equipment, the guidance on protective security risk management, the trusted research framework for the academic sector, and the work on personnel security and pre-employment screening. These materials are now expected reading for any operator who will be asked, sooner or later, to demonstrate a baseline. The expectation is not that every organisation follows every recommendation. The expectation is that the operator has read the material, made deliberate choices, and can defend those choices in a structured conversation.

The second change is institutional. NPSA sits alongside the National Cyber Security Centre under the same parent. The two authorities are designed to be read together. Where CPNI and NCSC once produced parallel guidance with thin coordination, NPSA and NCSC now publish converging frameworks under a shared model. Physical and cyber are treated as one protective security problem, which is what the threat landscape has required for at least a decade. The operators who still run their physical security committee and their cyber committee on separate calendars are operating against the grain of the authority that will eventually audit them.

The expanded scope of national infrastructure

The thirteen CNI sectors as defined by the Cabinet Office (energy, water, transport, communications, finance, food, health, government, emergency services, civil nuclear, defence, chemicals and space) remain the backbone of the regime. What has changed is the willingness of the state to treat assets outside those sectors as worthy of protective security attention when their compromise would produce national consequences.

A vaccine research facility at a Russell Group university is not formally CNI. Its theft, sabotage or coercion would nonetheless constitute a national-level incident, and NPSA guidance on trusted research now applies to it in substance even when the legal label does not. A data centre serving multiple regulated operators sits inside the supply chain of CNI and is treated by NPSA accordingly. A stadium hosting a head of state is not infrastructure in any traditional sense, yet the protective security guidance for crowded places, formerly held by the National Counter Terrorism Security Office and now consolidated under NPSA's umbrella, applies in detail. The expansion has happened by absorption of adjacent functions rather than by formal redefinition.

This matters operationally because the expectation of compliance now reaches operators who previously considered themselves outside the regime. A logistics provider holding a long-term contract with a defence prime is, in effect, expected to apply NPSA-aligned controls on personnel security, on visitor management, on document handling and on physical perimeter. The contractual chain enforces what statute does not. Procurement clauses written by CNI principals reference NPSA baselines explicitly, and the supplier who cannot demonstrate alignment loses the contract at renewal. Operators tend to discover this in the third quarter of a re-tender, when there is no time left to remediate.

The book BOSWAU + KNAUER. From Building to Security Technology argues that the operators who hold their advantage in the next cycle are those who treat protective security as an investment in continuity rather than as a compliance overhead. The British shift to NPSA accelerates that argument. The authority is not asking for documentation. It is asking for capability that holds when tested.

What NPSA expects of operators

The expectations are stated in plain language across NPSA's published guidance, and they converge on five themes. Threat assessment grounded in current intelligence rather than legacy assumption. Protective security planning that integrates physical, personnel and cyber dimensions. Personnel security from recruitment through to exit, including the management of insider risk across the employment lifecycle. Physical security based on the layered model of deter, detect, delay, respond and recover. And a governance structure that places accountability at board level rather than at the head of security alone.

Each of these themes has a technical foundation in international practice. The layered physical model maps cleanly onto the requirements articulated by ASIS International in its enterprise security risk management framework. The integration of physical and cyber follows the same logic that drives IEC 62443 in industrial environments and NIST CSF 2.0 in the broader cyber estate. The personnel security expectations align with ISO 27001 Annex A controls on human resource security. NPSA is not inventing a parallel universe of British exceptionalism. It is codifying, for British operators, what the serious international authorities have been describing for years.

What distinguishes NPSA's articulation is the insistence that protective security is a continuous capability, not a project. The Catalogue of Security Equipment lists products that have been independently tested against specified threat levels. Use of a catalogued product is not in itself compliance. Compliance is the demonstrable presence of a protective security regime in which the product performs the function it was specified for, in conditions that match the threat assessment, under personnel who have been vetted and trained, with governance that reviews performance against measurable outcomes. The product is one element. The regime is the substance.

Operators who read NPSA guidance as a checklist will fail the first serious audit. The guidance is deliberately not a checklist. It describes outcomes, and the means of achieving them are left to the operator's judgement, subject to the demonstrable adequacy of that judgement. This is the same pattern as NIST 800-53 in the United States and as the German BSI's IT-Grundschutz catalogue. Outcomes-based regulation requires evidence of thought, not evidence of expenditure.

How NPSA aligns with the international frame

Operators with cross-border exposure cannot afford to treat NPSA as an isolated regime. The British approach now sits inside a wider convergence in which CISA in the United States, the German BSI, the European Union Agency for Cybersecurity, and the technical standards bodies have moved in broadly parallel directions. NIS2 in the European Union, the Critical Infrastructure Security and Resilience policy in the United States, the Critical Infrastructure Risk Management Program in Australia, all rest on the same architecture of mandatory risk management, supply chain accountability, incident reporting and board-level governance.

NPSA's specific contribution is its emphasis on personnel security and insider threat, which remains comparatively stronger in the British tradition than in some equivalent regimes. The work on screening, on aftercare, on the behavioural indicators that precede insider events, draws on intelligence community practice and is more developed in the published material than its American or European counterparts. Operators with British exposure should treat this as the leading dimension of NPSA's value, rather than as a supplement to the physical security material.

For groups operating multinational estates, the practical question is whether to run a unified protective security framework that satisfies the highest applicable bar in any jurisdiction, or to maintain jurisdiction-specific regimes. The answer in most cases is the former. The cost of running parallel regimes exceeds the cost of running one regime calibrated to the strictest applicable authority, and the operational confusion produced by parallel regimes generates risk that the strictest authority would itself flag. Insurers have begun to make this argument explicitly. The General Insurance Association of Britain and continental equivalents such as the GDV reflect this thinking in their underwriting questionnaires, where alignment with NPSA, BSI or equivalent national authority is treated as a positive factor in pricing.

How compliance is audited in practice

There is no single NPSA audit certificate. The authority does not operate a certification scheme of the kind ISO 27001 produces. Compliance is demonstrated through a combination of contractual, regulatory and insurance-driven mechanisms, each of which references NPSA guidance as the baseline against which operator performance is measured.

The first mechanism is sectoral regulation. Sector-specific regulators (Ofgem for energy, Ofwat for water, the Civil Aviation Authority for aviation, the Financial Conduct Authority and Prudential Regulation Authority for finance) exercise inspection powers that include physical and personnel security. NPSA guidance informs the questions those regulators ask, and operator responses are measured against it. Failure to align does not automatically produce sanction, but it produces persistent regulatory attention, which is its own form of cost.

The second mechanism is procurement. Government contracts and contracts let by CNI operators increasingly require demonstrable alignment with NPSA baselines, evidenced by self-assessment, by independent assessment from accredited firms, or by participation in NPSA's own engagement programmes. Suppliers who cannot produce the evidence at tender lose the contract. This is the audit mechanism that touches the largest number of operators in practice, because it reaches the supply chain rather than only the principal.

The third mechanism is insurance. Underwriters writing terrorism cover, business interruption cover and cyber cover for operators with national significance now ask explicit questions about protective security maturity. The answers are cross-referenced against NPSA expectations. The premium consequence of misalignment is direct, measurable and increasing year over year. Operators who can demonstrate alignment receive more favourable terms, and operators who cannot are pushed into excess layers or refused cover above defined thresholds.

The fourth mechanism is incident response. When a security event occurs, the post-incident review draws on NPSA guidance to determine whether the operator's controls were reasonable. Civil liability, regulatory enforcement and reputational consequence all flow through this review. The operator who can show that its regime matched NPSA expectations is in a defensible position. The operator who cannot is not.

What holds

The transition from CPNI to NPSA is the formalisation of a shift that was already underway in British protective security practice. The authority is broader, the audience wider, the published material more accessible, the alignment with cyber more deliberate, and the expectation of demonstrable capability more explicit. None of this changes the underlying technical question, which is whether the operator's protective security regime would hold against the threats the operator's assets actually face.

Operators who treat NPSA as a documentation exercise will produce documentation. Operators who treat it as an operational standard will produce capability. The difference shows itself in two places. In the post-incident review, when the question is whether the controls did what they were designed to do. And in the procurement, regulatory and insurance conversations that determine what the operator pays to continue operating. In both places, the operators who invested in capability arrive in a stronger position than those who invested in paperwork.

For operators considering where to begin, the most direct path is a structured assessment that maps current state against NPSA expectations and identifies the gaps that matter. This is the work performed in Path II of the engagement model described in BOSWAU + KNAUER, a three to five day audit conducted on site, with a written report that is usable independently of any further commercial relationship. Operators who prefer to begin with a conversation rather than a commitment can take Path I, a confidential sixty-minute exchange with the senior team. Both paths produce something the operator did not have before. Neither path binds the operator to anything further.

Frequently asked questions

What is NPSA?

The National Protective Security Authority is the United Kingdom's national technical authority on protective security against national security threats. It was launched in March 2023 as a successor to the Centre for the Protection of National Infrastructure, with an expanded remit covering critical national infrastructure, sensitive academic and economic assets, crowded places and the supply chains feeding those sectors. NPSA sits within the Security Service alongside the National Cyber Security Centre and publishes baseline guidance on physical security, personnel security, insider threat, hostile reconnaissance and protective security risk management.

How does it differ from CPNI?

CPNI was a sectoral authority focused on the thirteen critical national infrastructure sectors, with most of its guidance restricted to designated operators. NPSA inherits CPNI's technical authority and broadens the remit substantially. Its audience now includes universities, technology firms, crowded venues and supply chain operators outside the formal CNI definition. More material is published openly. The integration with the National Cyber Security Centre is closer, with physical and cyber treated as one protective security problem. The shift reflects a recognition that the threat landscape ignores sectoral boundaries.

Which sectors are CNI?

The United Kingdom Cabinet Office designates thirteen critical national infrastructure sectors. These are energy, water, transport, communications, finance, food, health, government, emergency services, civil nuclear, defence, chemicals and space. Within each sector, specific assets and operators are formally designated. Beyond the formal CNI definition, NPSA guidance now reaches assets of broader national significance, including sensitive academic research, major sporting and cultural venues, and supply chain providers with privileged access to CNI operators. The boundary between CNI and adjacent sectors has become operationally porous.

How is compliance audited?

NPSA does not operate a single certification scheme. Compliance is demonstrated through four converging mechanisms. Sectoral regulators incorporate NPSA expectations into their inspection regimes. Procurement clauses in government and CNI contracts require evidence of alignment with NPSA baselines. Insurance underwriters reference NPSA maturity in pricing terrorism, business interruption and cyber cover. Post-incident reviews assess whether operator controls matched NPSA guidance, with consequences for liability and regulatory action. Operators are expected to maintain documented evidence of their protective security regime sufficient to satisfy any of these audit pathways.

About the author

Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com