National Cyber Resilience Advisory Board (NCRAB) minutes: January 2026
- Published: 30 April 2026
- Directorate: Digital Directorate
- Topic: Education, Public sector
- Date of meeting: 21 January 2026
- Date of next meeting: 31 March 2026
Minutes from the meeting of the group on 21 January 2026.
Attendees and apologies
Board members in attendance:
Maggie Titmuss (Chair)
Deryck Mitchelson (Vice-Chair – DM)
ACC Stuart Houston (SH) – Ex-Officio
Alan Gray, Deputy Director, National Cyber Security and Resilience Division, Scottish Government – Ex Officio (AG)
Carla Baker (CB)
Freha Arshad (FA)
George Fraser (GF)
Martyn Wallace (MW)
Natalie Coull (NC)
Steve Watt (SW)
Also in attendance:
Head of the National Cyber Resilience Unit (NCRU)
NCRU Head of Policy and Programme
NCRU Public Sector Lead
Scottish Cyber Coordination Centre (SC3) Service Lead
NCRU Policy and Programme Officer
National Cyber Security Centre Devolved Administrations Lead (YW)
Apologies:
Phil Ford (PF)
Don Smith (DS)
Ollie Bray (OB)
Jordan Schroeder (JS)
Items and actions
Welcome, introductions, last meeting actions and conflicts of interest
The Chair welcomed Members to the meeting. The minutes of the September 2025 meeting were approved. No conflicts of interest were noted.
JAN26/01: The Chair asked if all Members could ensure they officially respond to meeting invites to support the secretariat with planning and security considerations for future meetings.
The Chair welcomed SW to the Board. SW introduced himself and advised he had followed the work of NCRAB and was looking forward to supporting work in the future.
The Chair also welcomed YW to his first Board meeting.
The NCRU Policy and Programme Officer ran through outstanding meeting actions:
SEP25/02: NCRU to share CyberScotland Partnership (CSP) quarterly asset packs with Members for them to disseminate across their networks.
The NCRU Policy and Programme Officer will share the CyberScotland Week (CSW) asset pack with members after the meeting. Action will then be closed when the asset pack has been shared.
SEP25/03: SC3 Service Lead to showcase Cyber Observatory to Members at future meeting, when fully operational.
The action was closed during the January 2026 meeting.
SEP25/04: Cyber Security and Resilience (NIS) Bill to be added as a standing agenda item for future meetings.
The action was closed during the January 2026 meeting.
SEP25/05: OB to provide update on further developments of the Curriculum Improvement Cycle (CIC) and the embedding of cyber within the curriculum in March 2026.
OB is scheduled to update Members on the CIC during the March 2026 meeting. Item remains open until March 2026.
Cyber threat landscape
The NCSC Devolved Administrations Lead (YW) provided a general threat update to members. YW advised that the NCSC had published guidance to encourage local government and critical infrastructure operators to harden their ‘denial of service’ (DoS) defences and information on new principles to help organisations design, review, and secure connectivity to (and within) Operational Technology (OT) systems.
JAN26/02: NCRU Policy and Programme Officer to share the NCSC information on DDoS attacks and securing OT connectivity with the Board.
The Chair asked if YW could provide a Scotland-specific update at future meetings. The Head of the NCRU asked YW if information could be shared on the number and category of incidents at future meetings.
AG stated it would be helpful to understand the broader geopolitical tensions which may be impacting the frequency of DDoS attacks.
DM concurred and asked for more data to be shared on this.
JAN26/03: YW to investigate and provide Scotland-specific threat update, including information on broader geopolitical tensions and additional data on cyber incidents, at future meetings.
SH provided a short cyber threat update from November 2025. He shared that ransomware attacks had increased.
SH advised that the new Police Scotland Cyber and Fraud Unit (CAFU) had been operational for a year and advised that Child Sexual Exploitation continued to be a significant area of concern and that there had been an increase in violence against women and children.
JAN26/04: The Chair and SH to discuss Child Sexual Exploitation separately.
DM asked if it was possible to understand the scale of under-reporting of crime in the future.
SH replied that there were difficulties in understanding the scale of under-reporting, including personal and reputational risk, but advised there had always been a significant push to encourage people and businesses to report crime to Police Scotland.
The Head of the NCRU advised that cyber resilience awareness messaging that the NCRU were involved in/created included information on reporting mechanisms.
The Chair added that while it was vital to understand the size and scale of cyber crime, it would be worthwhile to prepare and brief Ministers on the reasons for any increases to the number of crimes reported. DM agreed and stated that transparency and visibility were critical to understand the real-world implications of cyber crime.
The SC3 Service Lead provided an update on incidents that the SC3 have tackled.
A discussion on the vulnerabilities of the education network in Scotland followed. MW advised he was currently engaged in discussions on this issue with a number of policy areas within the Scottish Government.
The SC3 Service Lead advised he would be happy to discuss this with MW in further detail if needed, given recent incidents on some of the local authorities’ education networks.
The SC3 Service Lead advised Members that work was underway to prepare for the upcoming Scottish Election and the Commonwealth Games. He shared that exercising was being planned and Members could expect to be updated on this at the March meeting.
YW advised that the NCSC were focussed on the upcoming Scottish election and would be happy to provide an election-focused briefing to Members at the March 2026 meeting.
JAN26/05: YW to provide an elections-focused briefing to Members at the March 2026 meeting.
The SC3 Service Lead further advised that the SC3 would look to publish the Scottish Cyber Action Report (SCAR) soon and would look to share that with Members for comment before publication.
JAN26/06: SC3 Service Lead to share version of the SCAR with Members for comment.
SW spoke about challenges within secondary and tertiary education with regard to cyber and would like to see further lobbying at a national level.
The Head of the NCRU advised that CyberFirst had been highly successful in Scotland because it had been embedded into the curriculum in Scotland.
CB added that, in England, CyberFirst would be moving under TechFirst, and it would be important to ensure that any funding opportunities for Scotland were not lost because of this. The Chair concurred and suggested that she met with the Head of the NCRU to discuss CyberFirst/TechFirst in Scotland.
JAN26/07: The Chair and Head of the NCRU to meet and discuss CyberFirst and TechFirst in Scotland.
JAN26/08: OB to provide a paper to Members for discussion, on developments with the Curriculum Improvement Cycle, focusing on the inclusion of cyber and digital literacy within the curriculum for the March 2026 meeting.
DM added that digital literacy should continue to be a priority within the education system in Scotland.
SC3 update and overview of the Cyber Observatory
The SC3 Service Lead provided an update on the Cyber Observatory.
The objectives from the SC3 Strategic Plan (2024-2027) include:
• The creation of a ‘Cyber Observatory,’ an internal platform that can ingest, store and process relevant cyber security indicators from all ‘in-scope’ organisations in a structured and dynamic manner.
• The development of real-time analysis and reporting capabilities to allow summary reports and specific briefs to be produced in accordance with operational requirements.
He advised the Observatory was a technical solution able to ingest, store and process relevant cyber security indicators from all public sector organisations in a structured and dynamic way. It would also be a crucial tool for real time reporting capabilities to allow summary reports and specific briefs to be produced, in accordance with urgent or routine operational requirements.
The SC3 Service Lead advised that the Observatory would seek to provide:
• data-driven insights to inform operational, strategic and Ministerial priorities
• improved situational awareness and visibility of the cyber risk to the Scottish public sector
• identification and visualisation of both systemic challenges and isolated areas for improvement in cyber resilience and cyber security practices
• an evidence base to inform improvement initiatives and associated trend data to measure efficacy of interventions
• improved collaboration and engagement with the Scottish public sector, with improved channels for engagement and sharing of data
• improved internal operational processes, enabling SC3 to scale efficiently and meet increasing demands.
He advised that this year’s Cyber Resilience Assessment (CRA) had been issued via the Observatory and had a high return rate. By March 2026, he will be able to update on more detailed findings from the CRA.
JAN26/09: SC3 Service Lead to provide more detailed findings from the 2025 Cyber Resilience Assessment at the March 2026 meeting.
The Chair was very complimentary of the work of the SC3. She would still like to consider and work on the possibility of making participation in the survey mandatory.
Update on UK developments
The Head of the NCRU shared an update on the development of the UK Cyber Action Plan. Members were advised there was a planned launch at CyberUK in April 2026. The UK Cyber Action Plan focused on three pillars:
• Resilience Pillar: overarching objective to strengthen UK organisations’ resilience by improving cross-sector working and promoting effective tools at scale.
• Growth Pillar: overarching objective to position the UK as a global leader in cyber innovation, skills and exports.
• Threat Pillar: overarching objective to tackle the threat by reducing adversary intent and capability.
The Head of the NCRU added that the NCRU were fully engaged with all Pillars.
The NCRU Public Sector Lead updated Members on the Cyber Security and Resilience (Network and Information Systems) Bill (the Bill). He advised that this was introduced in Parliament on 12 November 2025 and had a 2nd Reading in Parliament on 6 January 2026. A Legislative Consent Motion, lodged in the Scottish Parliament on 7 January 2026, recommends consent be granted for some parts of the Bill. There were some remaining concerns to be clarified, including implementation issues, constitutional issues for Devolved Administrations, and challenges with Powers of Direction and interactions with similar devolved powers.
The NCRU Public Sector Lead explained that the Bill builds on the Network and Information Systems Regulations 2018 and is expected to come into effect in late 2027. He detailed some key changes, which expanded scope to include Managed Service Providers (MSPs), Data Centres and Large Load Controllers. It also introduces Designation of Critical Suppliers, enhanced enforcement powers and additional incident reporting (with 24-hour initial reporting and customer notification).
The next steps were a Call For Evidence and Committee Stage (including oral evidence) on 3 February 2026.
The Chair noted the recent launch of the UK Government Cyber Action Plan (GCAP) which was backed by £210m funding and queried how this could support cyber activities in Scotland.
AG advised that this funding would be allocated by DSIT but it had not yet been allocated to specific activities. Currently DAs could only access this funding through being sponsored by a UKG department.
Strategic Framework 2025-2030 – progress update and Action Plan session
The Head of the NCRU provided an update to Members on the progress of the Strategic Framework for a Cyber Resilient Scotland 2025-2030.
She shared a logic model that sat behind the vision.
She referred to the draft Action Plan that was sent to the Board for comment, highlighting that the Action Plan was the public facing document and that behind it was the full programme of work that the NCRU oversee.
She advised that there were national indicators for each of the Outcomes to demonstrate changes, including the Scottish Household Survey, the YoungScot Survey and Age Scotland’s Big Survey for Outcome 1 (to help inform changes in the online behaviour of the general public).
The Chair asked about the methodology of the Scottish Household Survey and added that she could not recall being asked to participate. GF advised that he has completed this before. The Head of the NCRU explained that there were key cyber security questions within the Scottish Household Survey (an annual, government survey of around 10,000 private households in Scotland) which helped inform understanding of changes in online behaviours of the population.
FA felt that there would need to be targets included within the Action Plan to support and understand the impact of activity on changing behaviours and improving cyber resilience overall.
The Head of the NCRU advised that the document shared was the public-facing document (very similar to those of other countries) and that a major strength within Scotland was its national cyber ecosystem, and that delivery partners were the key to understanding and measuring the effectiveness of activities which would achieve each outcome. The NCRU will gather this data to demonstrate activity that contributes to improvements.
AG stated that it was important not to confuse effort with outcome. The nature of the actions proposed means that the NCRU would report on progress towards the actions and outcomes. The target data would not be detailed in the published Action Plan, but sits within the programme work.
He suggested including information in the Action Plan on what the evaluation method would be as a whole.
The Chair commented that it would be helpful to understand where the biggest changes have been made and make that clear to Scottish Ministers.
GF commented that there should be some ability to show a compromise between ways of measuring success of the outcomes. Those which have discrete, measurable deliverables should be detailed with targets, while others were more subjective and measurable in a different way.
The Head of the NCRU advised this is part of the programme behind the published Action Plan. She offered to provide the Board with an outline of the national indicators and the internal tracking of programme work at a future meeting, which will support Members’ understanding of effectively measuring change.
JAN26/10: The Head of the NCRU to provide an update to Members on the national indicators and the internal tracking of programme work to support Members’ understanding of measuring change and success.
SH advised that Police Scotland were due to publish their Vision 2030 and would need some time to look at where there was overlap between the proposed Action Plan and Police Scotland’s Vision 2030.
The Chair stated that it was important to have a baseline of success, to understand where we were at now and where we want to get to in the future.
JAN26/11: Final comments on the Action Plan to be returned by 23 January 2026.
CyberScotland Week 2026 and CyberUK
The NCRU Policy and Programme Lead updated Members on plans for CyberScotland Week (CSW) 2026. She advised this would take place between 23-28 February 2026. Members were encouraged to register and log events on the Portal, consider engaging with their own communities and promote CSW 2026 on their social media channels, including LinkedIn.
JAN26/12: NCRU Policy and Programme Officer to share CyberScotland Week 2026 asset pack with the Board for them to share across their networks.
The NCRU Policy and Programme Lead also advised that CyberUK was due to take place in Glasgow, 21-23 April 2026. She added that plans to have CyberScotland Street and a CyberScotland Pavilion were in development and that some fringe events were planned, which included a Women in Cyber breakfast and a schools’ fringe event. Members were encouraged to register for the conference if they had not already done so.
Members will be provided with a further update on plans for CyberUK 2026 at the March 2026 meeting.
Any other business
No other business was discussed.
Close
The Chair thanked members for their attendance and advised the next ordinary meeting would be 3 March 2026, in Edinburgh.