I am interested in the cyber security measures used to protect critical infrastructure in the UK, a matter of significant public interest, and so would like to request information about your department’s operation of the Network and Information Systems Regulations 2018 (“NIS Regs”) under the Freedom of Information Act 2000.
Since the NIS Regulations came into force on 10 May 2018, could you please provide:
a. The total number of “network and information systems incidents” notified to your department by relevant OESs under the NIS Regs.
b. For each such notification please provide:
· the month and year of the notification;
· the sector and subsector of the entity making the notification (e.g. “Energy” and “Oil”);
· high level details of the nature of the incident;
· details of whether the notification was made within the 72 hour reporting window; and
· details of any formal enforcement action taken in relation to the incident, i.e. issue of an information notice, use of powers of inspection, service of an enforcement notice or issue of a penalty (and the amount of the penalty).
c. For each exercise of your formal enforcement powers under NIS, please identify:
· the power exercised, e.g. information notice, use of powers of inspection, service of an enforcement notice or issue of a penalty;
· if that power is the issuance of a penalty, the amount of the penalty;
· the month and year the power was exercised;
· the sector and subsector of the entity against which the power was exercised (e.g. “Energy” and “Oil”); and
· high level details of the reason for exercising that power.
The Network and Information Systems Regulations 2018 is regulated by sector-specific ‘Competent Authorities’. The Scottish Ministers are the designated Competent Authority for the Health and Road Transport sectors.
With regard to section (a), from 2018 to 2021 there have been 36 incidents notified by the relevant OESs to the Scottish Ministers.
In relation to questions (b) and (c), exemptions under sections 31(1) (National Security) and 35(1) (Law enforcement) of FOISA apply to all of the information you have requested. The details requested are withheld as this information would provide details about weaknesses in an Operator of Essential Services' network infrastructure that would assist a potential attacker.
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.
Please quote the FOI reference
Central Enquiry Unit
Phone: 0300 244 4000
The Scottish Government
St Andrews House