We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - Advice and guidance

Public sector cyber incident co-ordination procedure

Published
3 January 2025
From
Director of Digital
Directorate
Digital Directorate
Topic
Communities and third sector, Public safety and emergencies, Public sector
ISBN
9781836911883

Outlines the procedures for notifying and coordinating responses to notifiable cyber incidents affecting Scotland’s public services. It defines the agreed-upon cyber incident notification process adopted by the Scottish public sector since 2018.

Part of

View supporting documents Supporting documents

Annex A - Scottish Public Sector Cyber Incident Notifiable Report Template (Revised December 2025)

Notifiable Scottish Public Sector Cyber Incidents are defined as incidents or attacks against Scottish public sector network information systems which:

  • Have the potential to disrupt the continued operation of the organisation or delivery of public services; and/or
  • Carry a likelihood that other public, private or third sector organisations may experience a similar attack, or that the incident could spread to those organisations; and/or
  • Could have a negative impact on the reputation of the Scottish public sector or Scottish Government; and/or
  • Carry the likelihood of Scottish Parliament or national media interest.

Scottish public sector organisations who are impacted by notifiable cyber incidents should complete the notifiable cyber incident reporting form below as early as possible and, if email services are available, send the completed form simultaneously to the following two addresses in addition to those relevant to your own organisational requirements:

  • The National Cyber Security Centre (NCSC): Incidents@ncsc.gov.uk
  • The Scottish Cyber Coordination Centre : SC3@gov.scot
  • Police Scotland [from December 2025 it is recommended to call 101 rather than email]

These services are available 24 hours a day, 7 days a week, and can be contacted at any time in the event of a notifiable cyber incident. The ‘follow up’ numbers are as follows:

  • The National Cyber Security Centre (NCSC): 03000 200 973
  • The Scottish Cyber Coordination Centre office hours 0300 244 9700
  • Police Scotland: 101 and ask for the Cyber Crime Unit on-call Officer

Where public sector organisations are aware that sector/network-specific coordinating bodies also have an interest, or role to play, in a notifiable cyber incident, they should copy these bodies into the email.

In the event that any central coordinating body (SG SC3, Police Scotland, NCSC) is notified of a notifiable cyber-incident involving a Scottish public sector organisation that has not been reported through the “Report it Once and Follow Up” procedure outlined above, it will seek agreement from the organisation affected to inform the other central coordinating bodies and sector/network-specific coordinating bodies.

Standard phishing incidents should be flagged to NCSC through the Suspicious Email Reporting Service (SARS).

Where the reporting criteria has not been met the incident report can still be used to notify the SC3 for policy considerations and wider threat intelligence sharing. If there are relevant alerts or intelligence available then the SG SC3 will be interested in receiving this and can, with appropriate agreement, circulate to the public sector bodies via the CREW Notice alert process.

The Scottish Public Sector Cyber Incident Coordination Procedure Reporting Template is available to download as a Word file.

This document will be updated as guidance evolves on incident coordination. Please send all comments, questions or additions to SC3@gov.scot

Contact

Email: SC3@gov.scot

Back to top