Cyber resilience strategy 2025-2030: equality impact assessment results

Background

1. Policy Purpose, Aims, and Context

The Strategic Framework for a Cyber Resilient Scotland (2025 – 2030) sets out Scotland’s vision to become a digitally secure and resilient nation. It aims to raise awareness of cyber risks and how to mitigate those risks, strengthen the security of digital public services and ensure effective national incident response. The strategy promotes a collaborative, inclusive, and secure-by-design approach across public, private and third sectors. It aligns with Scotland’s National Performance Framework and contributes to the UN Sustainable Development Goals by embedding cyber resilience into governance, education and workforce development.

The strategy recognises that as digital reliance grows, so too does the need for equitable access to cyber resilience knowledge, support and tools. It seeks to ensure that no one is left behind, particularly those more vulnerable to cyber threats, such as older adults, people with learning disabilities and communities where English is not the first language.

2. Development Process

This strategy is a refresh of the previous national cyber resilience policy and has been developed through extensive engagement with delivery partners and stakeholders and across governemnt. It builds on lessons learned from previous strategies and incorporates new evidence, including research on public attitudes to cyber crime, advancement in technologies and barriers to digital security. Equalities have been embedded as a core principle from the outset, with targeted actions developed to address accessibility and inclusion. The EQIA process has helped shape the strategy by identifying opportunities to promote equality and ensure that the policy is inclusive and non-discriminatory.

3. Who the Policy Affects

The strategy is designed to benefit everyone in Scotland. It targets individuals, communities, businesses, and organisations across all sectors. Specific attention is given to groups who may face greater risks or barriers, including:

• Older people and those with disabilities, who may be more vulnerable to cyber scams or face challenges accessing digital guidance.
• Young people, through embedding cyber resilience in education and lifelong learning.
• Small businesses, sole traders, and charities, which may lack the resources to manage cyber risks effectively.
• Communities with limited English proficiency, for whom accessible and culturally relevant messaging is essential.

By addressing these diverse needs, the strategy aims to foster a culture of shared responsibility and resilience across Scotland’s digital landscape.

4. The Scope of the EQIA

Groups and Areas Assessed

The Equality Impact Assessment considered all nine protected characteristics as defined in the Equality Act 2010:

• Age
• Disability
• Sex
• Pregnancy and maternity
• Gender reassignment
• Sexual orientation
• Race
• Religion or belief
• Marriage and civil partnership (assessed only in relation to employment)

In line with the Public Sector Equality Duty (PSED), the assessment addressed the three statutory needs:

1. Eliminating unlawful discrimination, harassment, and victimisation
2. Advancing equality of opportunity between people who share a protected characteristic and those who do not
3. Fostering good relations between people who share a protected characteristic and those who do not

The EQIA paid particular attention to groups more likely to experience digital exclusion or cyber vulnerability, including older adults, disabled people, women, and individuals from minority ethnic backgrounds or with limited English proficiency.

Approach and Methods Used to Assess Impact

The EQIA followed a structured, evidence-based approach. This included:

• A framing exercise to align the strategy’s outcomes with equality considerations and identify relevant indicators
• Desk-based research using both qualitative and quantitative sources, including academic literature, national statistics, and sector-specific reports
• Review of existing policy and practice, including lessons learned from the previous cyber resilience strategy
• Iterative policy development, with equality considerations embedded throughout the drafting process.

The analysis focused on identifying both potential barriers and opportunities to promote inclusion, with a view to shaping practical actions within the strategy.

Details of Evidence Gathering and Engagement

Evidence was gathered from a range of sources, including:

• Academic research, such as studies on cyber crime perceptions among older adults and university students
• Sector reports, including data from Age UK, Scottish Household Survey, YoungScot annual engagement Survey and UK Government labour market research
• Engagement with cross-sectoral delivery partners and stakeholders, who contributed to the development and testing of the strategy’s actions
• Internal Scottish Government collaboration, ensuring a whole-of-government approach to embedding cyber resilience and equality

The strategy’s development was informed by ongoing dialogue with key partners across sectors, including education, health, public, third sector and business communities. This collaborative approach ensured that the strategy reflects the lived experiences and needs of diverse groups across Scotland.