
  • What Is Trusted Research? NPSA Security Guidance

    Trusted Research is UK Government guidance — published jointly by the National Protective Security Authority (NPSA) and the National Cyber Security Centre (NCSC) — for identifying and managing research-security risk in international academic and industry collaboration. It covers due diligence, export control awareness and protection of sensitive intellectual property. It is guidance for people and decisions, not a data platform: a Trusted Research Environment (TRE) is a separate, technical concept, and conflating the two is the single most common mistake institutional partnership offices make when scoping compliance work.

    Trusted Research is best defined as a risk-based framework that helps researchers, university leaders, funders and industry partners assess who they are collaborating with, and under what conditions, without closing down the legitimate international partnerships that UK research depends on.

    What Is Trusted Research?

    Trusted Research is advice and guidance jointly published by NPSA and the NCSC that supports the integrity of the system of international research collaboration. It was designed in partnership with the UK research sector to help researchers, university staff and funding organisations keep sensitive research and intellectual property secure from theft, misuse or exploitation — without discouraging legitimate cross-border partnership.

    The scale of the exposure it addresses is real and quantified. NPSA reports that in 2021, 60.4% of UK research outputs had an international co-author, and the UK remains the third-largest producer of research outputs globally, after China and the United States. Collaboration between the UK and China grew by 34.7% between 2018 and 2021, compared with 8.2% growth with the US and 8.9% with Germany over the same period — a divergence that underpins much of the guidance’s emphasis on country-specific due diligence. Separately, the Association of Research Managers and Administrators (ARMA) found that 84% of research organisations it surveyed had begun adapting their processes in response to the additional risks that Trusted Research addresses.

    Trusted Research vs a Trusted Research Environment (TRE): Why They Are Not the Same

    Searchers frequently conflate “Trusted Research” with “Trusted Research Environment” because both terms use the word “trusted” in a UK research-governance context. They are not interchangeable. Trusted Research is a security and due-diligence framework for people, partnerships and decisions. A TRE — sometimes called a secure research environment or data safe haven — is a technical computing environment in which analysts access sensitive datasets remotely without being able to remove the underlying data, typically governed by the Five Safes model (safe people, safe projects, safe settings, safe data, safe outputs).

    | Dimension | Trusted Research (NPSA/NCSC) | Trusted Research Environment (TRE) |
    | --- | --- | --- |
    | What it is | Government guidance and a risk-assessment framework | A secure, technical computing environment |
    | Primary concern | Espionage, IP theft and hostile-state exploitation of collaboration | Confidentiality and controlled analysis of sensitive datasets (often health data) |
    | Who acts on it | Research offices, senior leaders, principal investigators, export-control officers | Data controllers, IT/data-platform teams, statisticians |
    | Governing bodies | NPSA, NCSC, with UKRI and ARMA supporting implementation | Data custodians (e.g. NHS, ONS), typically under Five Safes governance |
    | Output | Partnership decisions, due-diligence checklists, travel/export advice | Disclosure-checked analysis outputs |

    An institution can be fully compliant with Trusted Research guidance while having no TRE at all, and can operate a mature TRE while having no formal Trusted Research due-diligence process. They solve different problems and typically sit with different teams.

    From CPNI to NPSA: Who Publishes the Guidance, and How UKRI Fits In

    NPSA is the UK’s National Protective Security Authority. Older references to “CPNI Trusted Research” reflect the guidance’s origin under the Centre for the Protection of National Infrastructure, which rebranded as NPSA in 2023 to better reflect its remit across the full economy, not just critical national infrastructure. Search traffic for “cpni trusted research” persists because much institutional documentation, LinkedIn commentary and older university web pages have not caught up with the rename — a gap worth closing in any current compliance write-up.

    NPSA does not act alone. The guidance is co-published with the NCSC, and it sits alongside — but is distinct from — UKRI’s own “Trusted Research and Innovation” (TR&I) publication, which sets out principles and expectations specifically for UKRI-funded research. UKRI describes Trusted Research and Innovation as protection of the UK’s intellectual property, sensitive research, people and infrastructure from potential theft, interference or exploitation — the same underlying risk, articulated for the funder relationship rather than the institutional one. Universities typically need to satisfy both: NPSA/NCSC guidance for institutional risk management, and UKRI TR&I expectations as a condition of grant funding.

    What the Guidance Covers: Due Diligence, Export Control and the Evaluation Framework

    NPSA’s Trusted Research suite is not a single document. It is a set of role-specific resources, including:

    • Trusted Research Guidance for Academia
    • Trusted Research Guidance for Senior Leaders
    • Countries and Conferences Guide
    • Trusted Research Checklist for Industry
    • Trusted Research Guidance for Industry
    • Implementation Collaboration Checklist
    • Trusted Research Evaluation Framework, with an accompanying user guide

    The Trusted Research Evaluation Framework is the maturity-benchmarking tool: it lets an institution assess how embedded its due-diligence practices are across governance, training and case-handling, rather than treating Trusted Research as a one-off policy statement. Guidance also intersects with statutory export-control mechanisms that partnership offices must track separately: the Academic Technology Approval Scheme (ATAS) requires certain overseas postgraduate researchers and visiting academics in sensitive STEM fields to obtain clearance before starting; the Export Control Joint Unit (ECJU) licenses transfer of controlled technology, including “deemed export” through knowledge transfer to overseas nationals working in the UK. Trusted Research guidance does not replace either requirement — it provides the risk-assessment layer that determines when they apply.

    Trusted Research: Answer-First Q&A

    What does Trusted Research mean?

    Trusted Research is a UK Government framework of guidance and advice, published by NPSA and the NCSC, that focuses on protecting the UK’s intellectual property, sensitive research, people and infrastructure. It helps institutions identify risks arising from international collaborations and partnerships, and provides practical steps for reducing those risks before they cause harm.

    Who leads Trusted Research?

    Trusted Research is an official campaign and guidance programme led jointly by the National Protective Security Authority (NPSA) and the National Cyber Security Centre (NCSC). It was developed with input from the higher-education and research sector, and implementation support is provided by bodies such as ARMA through sector training.

    Is Trusted Research led by UK Research and Innovation and the UK Government?

    Not exclusively. The core Trusted Research guidance is a UK Government product from NPSA/NCSC, not UKRI. UKRI publishes a related but separate document, “Trusted Research and Innovation” (TR&I), setting principles and expectations for its own funded grants — complementary to, not the same as, the NPSA/NCSC guidance.

    What does Trusted Research require UK researchers to do?

    Researchers are expected to reflect on the nature of their work and partnerships to determine potential risks, exercise due diligence on collaborators, and safeguard data and intellectual property from actions outside formal partnership agreements. It is each researcher’s responsibility, supported by institutional research offices, not a task delegated entirely upward.

    Implications for Institutional Partnership Offices

    For international partnership and research-administration offices, the practical takeaway is separation of concerns. Due-diligence, travel-security and country-risk questions belong in a Trusted Research workflow, built around NPSA’s checklists and the Evaluation Framework; data-access and disclosure-control questions belong in TRE governance, built around the Five Safes model. Teams that merge the two into a single “trusted research” policy tend to produce guidance that is too vague for either purpose.

    Institutions refreshing their compliance posture should treat three things as current, not optional: NPSA’s rebrand from CPNI (2023), so documents citing “CPNI Trusted Research” need updating; UKRI’s separate TR&I expectations as a funding condition, tracked alongside grant terms; and the Evaluation Framework as a recurring self-assessment, not a one-time onboarding exercise. Offices coordinating this across departments should map Trusted Research responsibilities explicitly against export-control obligations (ATAS, ECJU) so neither is assumed to cover the other.

    As international collaboration continues to grow faster with some partner countries than others, the guidance’s emphasis on proportionate, evidence-based risk assessment — rather than blanket restriction — is likely to remain the operating model UK institutions are expected to follow, with the Evaluation Framework becoming the reference point auditors and funders increasingly ask institutions to demonstrate against.