We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - FOI/EIR release

Network and Information Systems Regulations: FOI release

Published
10 November 2021
Directorate
Digital Health and Care Directorate
Part of
Public sector
FOI reference
FOI/202100239301
Date received
13 September 2021
Date responded
25 October 2021

Information request and response under the Freedom of Information (Scotland) Act 2002

Information requested

I am interested in the cyber security measures used to protect critical infrastructure in the UK, a matter of significant public interest, and so would like to request information about your department’s operation of the Network and Information Systems Regulations 2018 (“NIS Regs”) under the Freedom of Information Act 2000.

Since the NIS Regulations came into force on 10 May 2018, could you please provide:

a. The total number of “network and information systems incidents” notified to your department by relevant OESs under the NIS Regs.

b. For each such notification please provide:
· the month and year of the notification;
· the sector and subsector of the entity making the notification (e.g. “Energy” and “Oil”);
· high level details of the nature of the incident.
· details whether the notification was made within the 72 hour reporting window; and
· details of any formal enforcement action taken in relation to the incident, i.e. issue of an information notice, use of powers of inspection, service of an enforcement notice or issue of a penalty (and the amount of the penalty).

c. For each exercise of your formal enforcement powers under NIS, please identify:
· the power exercised, e.g. information notice, use of powers of inspection, service of an enforcement notice or issue of a penalty;
· if that powers is the issuance of a penalty, the amount of the penalty;
· the month and year of the power was exercised;
· the sector and subsector of the entity against which the power was exercised (e.g. “Energy” and “Oil”); and
· high level details of the reason for exercising that power.

Response

The Network and Information Systems Regulations 2018 is regulated by sector-specific ‘Competent Authorities’. The Scottish Ministers are the designated Competent Authority for the Health and Road Transport sectors.

With regards to section (a) from 2018 to 2021 there have been 36 incidents notified by the relevant OESs to the Scottish Ministers.

In relation to questions (b) and (c) an exemption(s) under section(s) s31(1) (National Security) and s35(1) (Law enforcement) of FOISA applies to all of the information you have requested. Details requested are withheld as this information would provide details about weaknesses in an Operator of Essential Services network infrastructure that would assist a potential attacker.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.

Contact

Please quote the FOI reference
Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrews House
Regent Road
Edinburgh
EH1 3DG

Back to top