We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - FOI/EIR release

Network and information systems incidents: FOI release

Published
13 March 2025
Directorate
Digital Health and Care Directorate
Topic
Health and social care, Public sector
FOI reference
FOI/202500452926
Date received
16 February 2025
Date responded
28 February 2025

Information request and response under the Freedom of Information (Scotland) Act 2002.

Information requested

You asked for information for the calendar year 2024 in relation to:

A. The total number of network and information systems incidents notified to your department by relevant OESs/RDSPs under the Network Information Systems Regulations.

B. For each such notification please provide details of :

(i) where you regulate more than one sector, the sub-sector of the entity making the notification (e.g. Electricity/Gas);

(ii) whether the notification was made within the 72 hour reporting window; and 

(iii)whether formal enforcement action was taken.

C. For each instance in which formal enforcement action was taken, as set out above, please could you let me know:

(i) The power exercised, e.g. information notice, use of powers of inspection, service of an enforcement notice or issue of a penalty.

(ii) If the power exercised was a fine, the amount of the fine.

Response

In response to part A & B of your enquiry:

Operation of the Network and Information Systems Regulations 2018

There are two competent authorities within Scotland. The Drinking Water Quality Regulator for Scotland is the competent authority for water. Scottish Ministers are the competent authority for Health Boards in Scotland who are considered to be operators of essential services, with operational duties provided by a team within the Scottish Governments Digital Health and Care Division.

The Information Commissioner’s Office (ICO) is responsible for regulating Relevant Digital Service Providers (RDSP) in the UK.

Network and Information Systems incidents notified to the Scottish Health Competent Authority (SHCA) by relevant Operators of Essential Services (OES) under the NIS Regulations.

2024

Sector

Subsector

Total number of notified incidents

Incident report submitted within 72 hours

Actions taken

 

Health

N/A

20

Yes=9 No=11

No formal enforcement action was taken during 2024

In response to part ‘C’ (i) (ii) of your enquiry. During 2024 no formal action was taken in regard to reported Incidents as noted in the 'Actions taken' column.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.

Contact

Please quote the FOI reference
Central Correspondence Unit
Email: contactus@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG

Back to top