Scottish Cyber Activity Report 2026

1. Introduction

1.1. The Scottish Cyber Activity Report

The Scottish Cyber Activity Report (SCAR) is an annual publication by the Scottish Cyber Coordination Centre (SC3) which examines cyber activity – namely cyber incidents and cyber exercises – across Scotland’s public sector. The report provides an evidence-led, broad view of the incidents experienced across the sector, supported by analysis that identifies recurring themes and highlights identified lessons. SCAR’s purpose is to offer practical insight into what the sector is facing, how well-prepared organisations are, what is working effectively, and where further improvement is required.

SCAR also explores cyber exercising, an increasingly important component of cyber resilience within the public sector. Drawing on insights gathered through SC3’s coordination role, the report reflects on lessons identified from a wide programme of exercises delivered across the sector and considers how exercising is strengthening preparedness, improving decision-making, and supporting coordinated incident response.

As services across the Scottish public sector continue to digitise, the cyber threat landscape evolves alongside them. Greater connectivity and growing reliance on digital systems bring substantial benefits to the people of Scotland, but they also broaden the potential impact of cyber incidents. From service disruption to data compromise, the threats facing the sector are becoming more complex, more persistent, and more capable of causing operational and societal harm.

SCAR is underpinned by several key data sources:

• Internal SC3 data provides detailed tracking of cyber incidents and cyber exercises across the sector.
• Findings from the Cyber Resilience Assessment (CRA) contribute a comprehensive evidence base, drawing on responses from 181 organisations and offering insight into capabilities, practices, and overall preparedness across the Scottish public sector.
• The National Cyber Security Centre’s Annual Review^[1] provides context for Scotland’s public sector in the wider UK scene
• The Cyber Security Breaches Survey 2025^[2] details threats faced across the UK and how these compare to Scotland’s public sector

1.2. The Scottish Cyber Coordination Centre

The Scottish Cyber Coordination Centre (SC3) is the focal point for cyber security and resilience across Scotland’s public sector. Established in 2022 following the Scottish Government’s Cyber Resilience Strategy, SC3 sits within the Scottish Government's Digital Directorate and operates as the central coordination function for cyber threats, incidents, and resilience support to the public sector. In 2025, the Scottish Government published a refreshed Strategic Framework for a Cyber Resilient Scotland 2025–2030,^[3] setting out seven outcomes to guide the country’s approach to cyber resilience over the next five years.

SC3 holds direct ownership of Outcome 2, that Scotland has the capability and capacity to respond effectively to cyber incidents, encompassing the national framework for incident response, coordination, and recovery of essential digital public services. SC3 also carries significant delivery responsibility across Outcome 4, which focuses on ensuring public sector organisations effectively manage their cyber risks. This includes supporting organisations to embed cyber resilience into governance, strengthen incident readiness, build professional capability, improve incident reporting, and secure legacy systems. Taken together, these responsibilities position SC3 not only as the national operational coordination centre for cyber incidents, but as a key driver of the maturity of cyber resilience across Scotland’s public sector.

SC3 operates across five core workstreams:

• Standards and Insights
• Threat Intelligence
• Vulnerability Management
• Incident Coordination
• Cyber Exercising

SC3’s mission is to strengthen public sector cyber resilience through coordination, shared learning, and data-driven prioritisation. It works closely with the National Cyber Security Centre (NCSC), Police Scotland and a broad range of sector partners to ensure that Scotland’s public sector is informed, prepared, and able to respond effectively when incidents occur. Its role is not regulatory or enforcement-based, instead SC3 is a trusted coordination body, working on the basis of collaboration and shared learning. The SC3 Strategic Plan sets out the operating principles and objectives for the centre.^[4]

1.3. The Scottish Public Sector

SC3’s remit covers the breadth of the Scottish public sector consists of approximately 180 public bodies spanning a diverse range of functions and services. These organisations fall into several broad categories:

• central government, executive agencies, and non-departmental public bodies
• local authorities
• health boards
• emergency services
• universities and colleges
• publicly owned corporate bodies
• other organisations such as valuation joint boards and inquiries.

This breadth reflects the reality that cyber risk does not respect organisational boundaries or sectoral silos. Each part of the sector carries distinct cyber risk. A cyber attack on a local authority can disrupt housing, care services, planning, and primary and secondary education. An incident affecting a health board can compromise patient safety and clinical systems. An attack on a university or college disrupts learning, research, and the management of sensitive student data. Across the emergency services, digital disruption can have immediate consequences for public safety. The sector collectively manages vast quantities of sensitive personal data, operates services on which the public depends daily, and plays a foundational role in the confidence and resilience of Scottish society. Its cyber resilience is therefore a matter of national importance.