What the New NCSC Data Sanitisation Standards Mean for Your Business

The NCSC's January 2026 CAS-S update raises the bar for data sanitisation assurance in the UK. Learn what changed, what the sub-2mm particle standard means, and how to verify your ITAD provider meets the new requirements — before a data breach forces the question.

📅 March 6, 2026

Is Your IT Disposal Provider Meeting the Government’s New Data Sanitisation Bar?

In January 2026, the UK’s National Cyber Security Centre (NCSC) quietly raised the bar for how organisations must prove that data has been properly destroyed when technology leaves their control. The new Sanitisation Service Assurance approach — delivered through what the NCSC calls Cyber Resilience Test Facilities (CRTF) — is not a minor update. It represents a fundamental shift in how data sanitisation is evaluated, verified, and assured in the United Kingdom.

For CISOs, IT managers, compliance officers, and procurement teams, this change carries direct implications. Organisations that continue to rely on informal disposal processes — or ITAD providers who cannot demonstrate structured assurance — now face mounting regulatory risk at a time when the cost of data breaches has never been higher.

The Data (Use and Access) Act 2025 (DUAA), which came into force in February 2026, has elevated maximum fines to £17.5 million or 4% of global turnover — whichever is greater. The Information Commissioner’s Office now treats inadequate IT asset disposal as a cyber-security event, not merely an administrative failure. Meanwhile, high-profile retail cyber attacks in 2025 caused between £270 million and £440 million in damages, underscoring just how costly poor security hygiene can become.

This guide explains exactly what the NCSC’s 2026 updates mean for your business, how to assess whether your ITAD provider meets the new standards, and what practical steps you can take to protect your organisation.

£17.5M

Maximum fine under the Data (Use and Access) Act 2025 for serious data protection failures — including inadequate disposal of storage media

What Is the NCSC CAS-S Scheme?

The CAS-S scheme stands for Commodity Information Assurance Services — Sanitisation. It sits within the NCSC’s broader Commercial Product Assurance (CPA) framework, which provides a structured approach to evaluating the security credentials of commercial products and services used by UK government and critical national infrastructure organisations.

Within this framework, CAS-S specifically addresses the secure sanitisation of data-bearing assets — that is, any device, drive, or media capable of storing sensitive information. This includes hard disk drives (HDDs), solid-state drives (SSDs), USB storage devices, mobile phones, tablets, servers, and any other asset on which data may reside.

The scheme was designed to answer a persistent challenge in the ITAD sector: how can an organisation reliably verify that the sanitisation service they are paying for actually works? Prior to CAS-S, many businesses relied solely on the written assertions of their disposal providers — certificates of destruction that were self-certified without independent evaluation.

The Historical Problem with Sanitisation Assurance

Before structured government assurance schemes, organisations purchasing data sanitisation services faced a fundamental information asymmetry. Providers could claim compliance with various standards — including HMG Infosec Standard 5, NIST SP 800-88, or DoD 5220.22-M — but there was no consistent, independent mechanism to verify these claims.

Research and forensic investigations carried out by academic institutions and security organisations repeatedly found that supposedly wiped drives sold through secondary markets still contained recoverable data. Studies by the University of Glamorgan and subsequent UK-based investigations identified personally identifiable information, financial records, and commercially sensitive documents on devices that had ostensibly been sanitised before resale.

The CAS-S scheme addresses this gap by requiring independent, structured evaluation of sanitisation services rather than relying on self-certification. Providers seeking CAS-S recognition must demonstrate their processes to accredited Cyber Resilience Test Facilities, which then evaluate whether the service genuinely meets the required standards.

Why Self-Certified Data Destruction Is No Longer Sufficient

Under the ICO’s updated enforcement stance, a data breach traced to improperly disposed equipment will not be mitigated by the fact that a provider issued a certificate of destruction. Organisations are expected to have exercised due diligence in selecting providers — which now means verifying that third-party assurance exists, not just accepting a supplier’s word.

What Changed in January 2026: The CAS-S Update

On 5 January 2026, the NCSC launched the updated Sanitisation Service Assurance approach under CAS-S. The headline changes centre on three areas: the introduction of Cyber Resilience Test Facilities, updated technical standards for physical destruction, and a more structured evaluation methodology for providers.

Cyber Resilience Test Facilities (CRTF)

CRTFs are accredited evaluation bodies designated by the NCSC to provide independent assessment of sanitisation services. Rather than allowing providers to self-certify, CRTFs evaluate the technical processes, operational procedures, tooling, and quality controls employed by ITAD providers seeking recognition under the scheme.

This introduces a meaningful layer of independent scrutiny that was absent from many prior assurance approaches. A provider cannot simply purchase CAS-S recognition; they must demonstrate their capabilities to an accredited evaluator who applies consistent criteria across all applicants.

For organisations procuring disposal services, this creates a clearer signal: a CAS-S recognised provider has been independently evaluated, whereas a provider without this recognition has not. When assessing supplier credentials, asking specifically whether a provider has undergone CRTF evaluation is now a meaningful due diligence step.

The Technical Standard: Particles Under 2mm

One of the most concrete technical requirements within the updated CAS-S standards relates to physical destruction. Under the scheme, data storage media must be destroyed to particles smaller than 2mm in size to meet the assurance threshold for physical sanitisation.

This is a significant technical benchmark. Standard industrial shredding often produces particles of 5mm to 30mm — sufficient for paper destruction but potentially inadequate for high-density storage media. Flash storage chips, in particular, can retain data even when physically fragmented at coarser particle sizes.

The sub-2mm particle standard applies particularly to media classified as handling higher-sensitivity data. Organisations processing government data, healthcare records, financial information, or other high-sensitivity material should verify that their ITAD provider’s physical destruction processes meet this threshold.

Pro Tip: Ask for Particle Size Specifications

When requesting quotes from ITAD providers, ask specifically: “What particle size does your physical destruction equipment produce, and do you have documentation confirming this meets the NCSC CAS-S sub-2mm standard?” Any reputable provider should be able to answer this immediately. If they cannot, escalate your due diligence.

Structured Evaluation Methodology

Beyond the particle size standard, the 2026 CAS-S update introduces a more structured evaluation methodology that assesses the holistic security of a sanitisation service. This encompasses the security of the collection process (chain of custody from client site to disposal facility), the verification processes used to confirm sanitisation has occurred, audit trail documentation, staff vetting procedures, and the security of the physical facility where processing takes place.

This broader scope reflects a maturing understanding of where data security risks actually arise in the disposal lifecycle. Data is not only at risk at the moment of destruction — it is at risk throughout the collection, transport, intake, staging, and processing phases. CAS-S now requires evidence of security controls across this entire chain.

Why This Matters for Your Business in 2026

The CAS-S update does not exist in isolation. It lands at a moment when the regulatory, financial, and reputational stakes associated with data disposal have never been higher. Three concurrent developments make this particularly important for UK businesses to address now.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 came into force in February 2026 and substantially raised the maximum penalties available to the ICO for data protection failures. The new maximum stands at £17.5 million or 4% of global annual turnover — whichever is the greater figure. For large organisations, this represents a potentially significant financial exposure.

Crucially, the DUAA explicitly treats IT asset disposal as within scope of an organisation’s data protection obligations. The ICO’s updated enforcement guidance makes clear that end-of-life data management — including the selection of disposal partners — is a data controller responsibility, not simply an operational matter to be delegated to a facilities or procurement team without oversight.

This means that if a data breach is traced to improperly disposed hardware — whether a hard drive sold without erasure or a device processed by an unaccredited provider — the organisation that owned the data, not just the disposal contractor, can be held liable. Demonstrating that you exercised due diligence in selecting an assured provider is a critical element of any regulatory defence.

The M&S and Co-op Breach Context

The high-profile cyber attacks targeting Marks & Spencer and the Co-operative Group in 2025 resulted in estimated damages of between £270 million and £440 million when accounting for operational disruption, recovery costs, reputational damage, and regulatory scrutiny. These incidents were primarily network intrusion attacks — but they elevated executive and board awareness of data security in ways that directly affect how ITAD decisions are now made.

Following these incidents, many organisations re-examined their entire security posture — including physical security controls such as asset disposal. Boards and audit committees are now asking harder questions about what happens to data when devices leave the building. The NCSC’s updated standards provide a framework against which these questions can be meaningfully answered.

ITAD Is Now Treated as a Cyber-Security Event

One of the most significant shifts in the 2026 regulatory environment is the reclassification of IT asset disposal from an operational or environmental activity to a cyber-security event. The ICO’s updated guidance, aligned with the DUAA, makes explicit that the moment a data-bearing asset leaves your organisation’s physical control, it constitutes a data processing activity requiring appropriate security controls and documented evidence of compliance.

This reclassification has practical implications for how disposal is managed internally. Organisations should be logging disposal events in their Records of Processing Activities (ROPA) documents, retaining certificates of destruction, and including disposal partner criteria within their supplier risk management frameworks. The ad hoc approach of calling a disposal company when a cupboard fills up with old equipment is no longer a defensible model for any regulated organisation.

Critical Compliance Alert: UK E-Waste Context

The UK generates approximately 1.6 million tonnes of electronic waste each year — the second highest per capita in the world — yet only an estimated 31% is formally recycled through compliant channels. The gap between equipment disposed of and equipment formally processed represents a substantial unquantified data security risk across UK organisations of all sizes.

How to Check Whether Your ITAD Provider Meets the New Standards

Evaluating an ITAD provider against the 2026 NCSC standards requires asking specific, substantive questions — not simply accepting a supplier’s marketing claims. The following checklist provides a practical framework for procurement and security teams.

Assurance and Certification Questions

  • CAS-S Recognition: Has the provider undergone evaluation by an NCSC-accredited Cyber Resilience Test Facility? Can they provide documentation of this?
  • ISO 27001: Is the provider ISO 27001 certified for information security management? This is now the baseline expectation for any organisation handling data-bearing assets.
  • Waste Carrier Licence: Does the provider hold an upper-tier Environment Agency waste carrier licence? This is a legal requirement for commercial waste operators, not an optional credential.
  • WEEE Compliance: Is the provider compliant with the Waste Electrical and Electronic Equipment Regulations, and can they provide documentation confirming your equipment will be processed through a compliant facility?
  • Data Destruction Certificates: Does the provider issue itemised certificates of destruction listing each asset (by serial number) along with the method of sanitisation applied?

Technical Process Questions

  • Physical destruction particle size: For media requiring physical destruction, what particle size does your equipment achieve? Does this meet the NCSC sub-2mm standard?
  • Software wiping standard: For reusable equipment, which overwriting standard is used? HMG Infosec Standard 5 Enhanced, NIST 800-88, or an equivalent verified standard?
  • Verification processes: How do you verify that sanitisation has been successfully completed on each individual asset? Is every drive verified, or is it a sampling approach?
  • SSD-specific processes: Solid-state drives require different treatment from HDDs. What specific process is applied to SSDs to ensure residual data cannot be recovered?
  • Chain of custody: How is the chain of custody documented from collection at your premises through to destruction? Are GPS-tracked vehicles used? Are transfers logged?

Operational Security Questions

  • Staff vetting: Are employees who handle data-bearing assets DBS checked? What is the staff vetting policy?
  • Facility security: What physical security controls apply at the processing facility? Is access controlled and logged?
  • On-site destruction: If your data sensitivity requires it, can the provider perform witnessed or on-site destruction? Is this offered as an option?
  • Subcontractor use: Does the provider subcontract any part of the process? If so, are the same standards applied to subcontractors and verified?
  • Insurance: Does the provider carry adequate professional indemnity and cyber liability insurance covering data incidents during the disposal process?

Pro Tip: Build This Into Your Supplier Questionnaire

For regulated organisations (financial services, healthcare, legal, public sector), these questions should be incorporated into a formal supplier due diligence questionnaire completed before appointment and reviewed at annual contract renewal. Retain the completed questionnaires in your data protection records. If the ICO ever investigates a disposal-related incident, documented due diligence is your primary defence.

ISO 27001 and NCSC Standards: How They Work Together

A common question from organisations evaluating ITAD providers is how ISO 27001 certification relates to the NCSC’s CAS-S standards. The two frameworks are complementary rather than overlapping, and understanding how they interact is useful for both procurement and your own internal security posture.

What ISO 27001 Covers in Disposal

ISO 27001 is an information security management system (ISMS) standard that requires organisations to implement and maintain a systematic approach to managing information security risks. Annex A of ISO 27001 — specifically controls A.8.10 (information deletion) and A.7.14 (secure disposal or reuse of equipment) — directly addresses the secure disposal of data-bearing assets.

For an ITAD provider holding ISO 27001 certification, these controls mean that the organisation has implemented documented procedures for secure disposal, that those procedures have been independently audited by a UKAS-accredited certification body, and that the provider undergoes annual surveillance audits to maintain the certification.

This is meaningful assurance — but it is broad. ISO 27001 confirms that security processes exist and are managed; it does not certify that a specific technical method of sanitisation meets a particular standard.

What CAS-S Adds to ISO 27001

CAS-S provides technical specificity that ISO 27001 alone cannot. Where ISO 27001 confirms that a provider manages security systematically, CAS-S evaluates whether the specific technical process for sanitising data storage media actually achieves the intended outcome of rendering data unrecoverable.

Think of the relationship this way: ISO 27001 tells you the organisation has robust security management practices. CAS-S tells you the specific technique they use to destroy data has been independently tested and verified to work.

For organisations handling UK government data or operating in regulated sectors with heightened data sensitivity, both credentials together — ISO 27001 and CAS-S recognition — provide the strongest available assurance. For most commercial B2B organisations, ISO 27001 certification combined with documented technical processes aligned with NCSC guidance represents a proportionate and defensible standard.

Your Organisation’s Own ISO 27001 Obligations

If your organisation holds ISO 27001 certification, or is working towards it, the disposal of IT assets is explicitly within scope of your ISMS. Your information security policy must address how end-of-life assets are managed, your risk register should include disposal-related risks, and your supplier management procedures should verify the credentials of any third-party disposal partner.

Certification bodies conducting ISO 27001 audits are increasingly asking specifically about asset disposal processes and supplier assurance. Being able to point to an ITAD partner with their own ISO 27001 certification and NCSC-aligned processes demonstrates mature security management and reduces audit risk.

“Data does not cease to be your responsibility the moment the collection van drives away. Under current UK law, you remain accountable for its protection until you can evidence complete and irreversible destruction.”

The Bigger Picture: UK Data Protection Landscape in 2026

The NCSC’s CAS-S update is one element of a broader 2026 recalibration of UK data protection expectations. Several simultaneous developments are converging to make the year a defining moment for how UK organisations manage their information security obligations.

DUAA 2025 and Elevated Enforcement

The Data (Use and Access) Act 2025 updated the UK’s post-Brexit data protection framework, introducing higher penalties, expanded powers for the ICO, and new expectations around data governance that explicitly encompass end-of-life data management. The Act’s provisions make clear that data controllers cannot offload responsibility to third parties — contracting with a disposal company does not transfer your legal obligations; it adds a layer of third-party risk that you must manage.

The ICO has signalled an intent to pursue enforcement more actively against mid-market organisations in 2026, following a period of focus primarily on large enterprises and public sector bodies. This means that organisations with hundreds rather than thousands of employees should not assume that disposal-related enforcement is a risk reserved for FTSE 100 companies.

Cyber Essentials and Secure Disposal

The UK government’s Cyber Essentials scheme — mandatory for suppliers holding government contracts — does not yet specifically mandate CAS-S aligned disposal processes, but NCSC guidance makes clear that secure disposal is expected as part of a comprehensive security posture. Organisations pursuing Cyber Essentials Plus certification are likely to face questions about device disposal processes in their technical verification assessments.

For public sector suppliers and organisations operating in critical national infrastructure sectors, alignment with NCSC guidance is not optional — it is an implicit requirement of maintaining government contracts and framework access. Demonstrating that your disposal processes align with the updated CAS-S standards is therefore both a compliance requirement and a commercial enabler.

Sector-Specific Considerations

Different sectors face different disposal risk profiles, and the 2026 landscape reflects this complexity:

  • Healthcare: NHS and private health organisations processing patient data are subject to Data Security and Protection Toolkit requirements that explicitly include device disposal. Following several disposal-related incidents in NHS Trusts, this area receives heightened scrutiny.
  • Financial services: FCA-regulated firms are subject to operational resilience requirements that the FCA has confirmed encompass data disposal processes. DORA-aligned firms operating across the UK and EU face dual regulatory oversight.
  • Education: Universities and schools handling student data, including sensitive special educational needs records and financial information, face GDPR obligations that extend to disposal. Multi-academy trusts, in particular, often lack centralised disposal policies.
  • Legal and professional services: Law firms and accountancy practices handling client data classified as legally privileged or commercially sensitive face professional conduct obligations in addition to data protection regulations.
  • Central and local government: Public sector bodies are explicitly required to follow NCSC guidance, making CAS-S alignment a baseline expectation rather than a best-practice recommendation.

Key Takeaways

  • NCSC raised the bar in January 2026: The updated CAS-S scheme introduced independent evaluation through Cyber Resilience Test Facilities — self-certification by ITAD providers is no longer an adequate standard for regulated organisations.
  • The sub-2mm particle standard matters: Physical destruction of storage media must produce particles smaller than 2mm to meet NCSC CAS-S requirements. Most standard shredding processes do not meet this threshold without specialist equipment.
  • DUAA 2025 elevated the financial stakes: Maximum fines under the Data (Use and Access) Act 2025 are £17.5 million or 4% of global turnover — and disposal-related incidents are explicitly within scope.
  • ITAD is now a cyber-security event: The ICO treats IT asset disposal as a data processing activity requiring documented due diligence. Ad hoc, undocumented disposal is no longer defensible for regulated organisations.
  • ISO 27001 and CAS-S are complementary: ISO 27001 certifies security management processes; CAS-S certifies specific technical sanitisation methods. Both together provide the strongest available assurance.
  • Due diligence must be documented: Selecting an ITAD provider is a data protection decision. Questions about particle size, verification processes, chain of custody, and staff vetting should be formalised and the responses retained in your records.
  • Sector-specific obligations apply: Healthcare, financial services, legal, education, and public sector organisations face additional regulatory requirements beyond the DUAA that make NCSC-aligned disposal processes a baseline expectation.

Frequently Asked Questions

What is the NCSC CAS-S scheme and who does it apply to?

The CAS-S (Commodity Information Assurance Services — Sanitisation) scheme is the NCSC’s framework for evaluating and recognising data sanitisation services. It applies primarily to ITAD providers seeking recognition for work with UK government departments and critical national infrastructure. However, the standards and technical requirements it establishes are broadly adopted as best practice across the private sector. Any organisation seeking to demonstrate that their ITAD provider meets the highest available UK government standard should look for CAS-S recognition or equivalent processes aligned with NCSC guidance.

What is a Cyber Resilience Test Facility (CRTF) and why does it matter?

A Cyber Resilience Test Facility (CRTF) is an accredited evaluation body designated by the NCSC to independently assess the technical processes and security controls of sanitisation service providers. Rather than allowing providers to self-certify their capabilities, CRTFs apply consistent evaluation criteria to all applicants, providing independent verification that claimed standards are actually being met. For procurement teams, a provider that has undergone CRTF evaluation provides a stronger assurance baseline than one relying solely on self-issued documentation.

Why does physical destruction need to produce particles smaller than 2mm?

Modern storage media — particularly flash-based SSDs and NVMe drives — can retain recoverable data even when physically fragmented at relatively coarse particle sizes. Studies by security researchers have demonstrated that data can potentially be recovered from NAND flash chips broken into pieces of 5mm or larger using specialist forensic techniques. The sub-2mm particle standard established under NCSC CAS-S reflects the technical requirement to render data irrecoverable even from high-density storage using advanced recovery methods. For organisations processing highly sensitive data, asking your ITAD provider to confirm the particle size their destruction equipment achieves is a straightforward and important question.

Does the Data (Use and Access) Act 2025 specifically cover IT disposal?

Yes. The Data (Use and Access) Act 2025, which came into force in February 2026, updates the UK’s data protection framework and explicitly encompasses end-of-life data management within data controller obligations. The ICO’s updated enforcement guidance confirms that the moment a data-bearing asset leaves your organisation, a data processing activity has occurred — one for which you retain controller responsibility. This means that selecting a disposal provider, verifying their credentials, and retaining documentation of the disposal process are all within the scope of your DUAA compliance obligations. Failure to exercise adequate due diligence in these areas could expose your organisation to ICO investigation and potential financial penalties.

How does ISO 27001 certification relate to NCSC CAS-S for ITAD providers?

ISO 27001 certification confirms that an ITAD provider has implemented a systematic, audited approach to managing information security across their operations — including specific controls relating to equipment disposal and data deletion under Annex A. CAS-S goes further by providing technical evaluation of the specific sanitisation methods employed, independent of the broader management system. Think of them as complementary: ISO 27001 tells you the organisation manages security seriously; CAS-S tells you their specific destruction technique has been independently tested. For the highest assurance, look for providers holding both. For most commercial organisations, ISO 27001 certification combined with NCSC-aligned technical processes is proportionate and defensible.

Is software data wiping still acceptable, or does everything need to be physically destroyed?

Software-based data erasure remains a valid and NCSC-recognised sanitisation method for many categories of data and device type, provided it is performed using a verified standard and fully documented. Standards such as HMG Infosec Standard 5 Enhanced and NIST SP 800-88 provide recognised frameworks for software-based erasure. The key requirements are that erasure is performed on every sector of the drive, the process is verified to confirm successful completion, and a certificate of erasure is issued itemising each asset. Physical destruction is typically required for drives that have failed or cannot be fully verified as erased, high-sensitivity data classifications where software erasure provides insufficient assurance, and media types (such as certain SSDs with proprietary architectures) where standard erasure tools cannot guarantee complete overwriting.
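As an added illustration of the verification step described above (example code written for this guide; it is not Innovent Recycling's tooling and not a procedure specified by the NCSC or CAS-S), the following Python script checks a zero-filled disk image sector by sector rather than sampling, and produces one itemised record per asset of the kind a certificate of erasure would carry. The 512-byte sector size, the zero-fill pattern, the serial numbers, the residual "patient" fragment planted in one image, and the function names `verify_overwrite` and `erasure_record` are all constructed assumptions for this example; a random-pattern overwrite pass would need the pass's own keystream to verify against and is not covered here.

```python
"""
Added example: full-coverage verification of a software-erased drive image.

Constructed assumptions for this example (not from the guide or the NCSC scheme):
- SECTOR_SIZE of 512 bytes
- the drive is supplied as an in-memory bytes image (in practice you would open
  the block device read-only and stream it in sector-sized chunks)
- the erasure method was a single-pass zero fill, so every sector must read 0x00
"""
import json
from datetime import datetime, timezone

SECTOR_SIZE = 512


def verify_overwrite(image: bytes, pattern: bytes = b"\x00",
                     sector_size: int = SECTOR_SIZE) -> dict:
    """Read every sector and confirm it contains only the expected fill pattern.

    Every sector is checked; a sampling approach is deliberately avoided because
    a single untouched sector is enough to leave recoverable data behind.
    Returns the number of sectors checked, the byte offsets of any sectors that
    did not match (so a failed drive can be investigated or routed to physical
    destruction), and an overall pass/fail verdict.
    """
    if sector_size <= 0 or len(image) % sector_size:
        raise ValueError("image length must be a positive multiple of the sector size")
    # Expand the fill pattern to exactly one sector for a direct comparison.
    expected = (pattern * (sector_size // len(pattern) + 1))[:sector_size]
    total = len(image) // sector_size
    failed_offsets = []
    for i in range(total):
        start = i * sector_size
        if image[start:start + sector_size] != expected:
            failed_offsets.append(start)
    return {
        "sectors_checked": total,
        "failed_sector_offsets": failed_offsets,
        "verified": not failed_offsets,
    }


def erasure_record(serial: str, model: str, method: str, result: dict) -> dict:
    """Build the itemised line for one asset, as a certificate of erasure would list it.

    The outcome field states plainly whether the drive passed verification; a drive
    that fails is recorded as failed rather than silently re-run or omitted.
    """
    return {
        "serial_number": serial,
        "model": model,
        "method": method,
        "sectors_checked": result["sectors_checked"],
        "failed_sectors": len(result["failed_sector_offsets"]),
        "verified": result["verified"],
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "outcome": ("erased-verified" if result["verified"]
                    else "verification-failed: route to physical destruction"),
    }


if __name__ == "__main__":
    # Constructed sample images: one cleanly zero-filled, one with leftover data
    # in the fourth sector to show how a partial or interrupted wipe is caught.
    clean = b"\x00" * (8 * SECTOR_SIZE)
    residual = bytearray(clean)
    residual[3 * SECTOR_SIZE + 10:3 * SECTOR_SIZE + 22] = b"PATIENT-0042"  # constructed fragment
    assets = (("SN-EXAMPLE-001", clean), ("SN-EXAMPLE-002", bytes(residual)))
    for serial, img in assets:
        rec = erasure_record(serial, "EXAMPLE-HDD", "single-pass zero fill",
                             verify_overwrite(img))
        print(json.dumps(rec, indent=2))
```

The point the example makes is the one the answer above stresses: verification has to cover every sector, and a failure must be recorded against the asset's serial number so that the drive is routed to physical destruction rather than quietly shipped out.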


About Innovent Recycling

Innovent Recycling is a UK-based specialist in secure IT asset disposal and recycling. With ISO 27001 certification and Environment Agency T11 exemption, we provide comprehensive, compliant recycling solutions for businesses across the United Kingdom. Our processes are aligned with NCSC guidance on data sanitisation and we issue itemised certificates of destruction for every engagement.
