Cyber Resilient Scotland 2025 to 2030: strategic framework

Executive Summary

Vision: Scotland thrives by being a digitally secure and resilient nation

What success looks like in 2030

Strong - By 2030, Scotland’s economic strength will be underpinned by its cyber resilience - ensuring robust infrastructure and secure continuity of business and services across sectors.

Capable - By 2030, cyber security and resilience will be recognised not merely as a technical issue, but as a shared national, organisational and personal responsibility. We will have the skills and knowledge to prevent, detect and respond to cyber threats effectively.

Resilient - By 2030, Scotland will be a hard target for cyber criminals to attack.

Scotland will be well defended against cyber threats and able to respond and recover quickly when incidents occur.

By 2030, Scotland will benefit as a strong digital economy where individuals, organisations and businesses are thriving in a secure and connected digital landscape.

Cyber resilience will no longer be viewed as a solely technical issue, but a whole-of-nation effort. Responsibility for cyber resilience will be shared across our communities.

Leaders across public, private and third sectors will be empowered to assess their cyber maturity and adopt digital technologies in ways that protect their operations and their service users.

In our businesses, from the local hairdressers to large international companies, cyber security and resilience will no longer be an afterthought, it will be a given. Small and medium-sized enterprises (SMEs) will access the right guidance and support and our larger companies will lead in innovation, supporting Scottish-made cyber solutions and be able to support their supplier ecosystems.

In our homes, families will feel confident navigating the online world. Children will learn about digital security and resilience as naturally as they learn to read and write. In our schools, colleges and universities, our students will not only be technically proficient but will be cyber aware too. Educators will be equipped with secure technology, supported by a curriculum that embeds cyber resilience from the earliest years.

Diverse communities – including those in rural and remote areas, people whose first language is not English, young people, older adults, disabled and neurodivergent individuals – will be supported to strengthen their cyber resilience and participate fully in the digital world.

Scotland’s public, private and third sectors will be well-defended against cyber threats and be able to respond quickly and effectively when incidents occur. People will be able to access healthcare, education and government services online, assured that their information is safe. Robust secure systems will protect people’s data.

Cyber threat and incidents will continue to be an inevitable part of being digitally connected in 2030. However, our organisations will have more resilient cyber security systems in place, regularly tested and upgraded. Cyber resilience will be a mainstreamed aspect of business continuity planning.

Scotland’s cyber security industry will be globally competitive and thriving, underpinned by a world-leading research community, driving innovation and resilience.

The Scottish Cyber Coordination Centre (SC3) and the Scottish Government, in collaboration with Police Scotland, the National Cyber Security Centre (NCSC) and the CyberScotland Partnership (CSP),^[1] will be equipped to respond quickly to, and support the effective recovery of, national cyber incidents. The SC3 will be recognised as the national centre for coordinating multi-agency response to major incidents in Scotland.

By 2030, Scotland will be a hard target for cyber criminals. Police Scotland will work closely with the National Crime Agency (NCA), NCSC and others to disrupt the business models that underpin cyber crime and ensure that Scotland is well prepared to respond effectively to threats, including ransomware. If cyber extortion occurs, individuals and organisations will know how to respond safely and confidently, know where to report cyber crime and access the support they need to recover.

To achieve our vision, we will deliver seven outcomes. The Framework is summarised below:

Vision

Scotland thrives by being a digitally secure and resilient nation - Outcomes

1. People recognise the cyber risks and are well prepared to manage them

2. National cyber security and resilience coordination and response arrangements are effective

3. Scotland’s digital public services are secure and cyber resilient

4. Public sector organisations effectively manage their cyber risk

5. Businesses recognise the cyber risks and are well prepared to manage them

6. Third sector organisations recognise the cyber risks and are well prepared to manage them

7. Scotland has a flourishing cyber security industry, research community and a skilled cyber security professional workforce

Scotland thrives by being a digitally secure and resilient nation - Principles of approach

• Inclusive and ethical
• Whole-of-society
• Agile leadership
• Collaborative partnership
• Effective communication
• Adaptive and agile programme management
• Optimal use of data and evidence of impact
• Anticipating change and understanding emerging threats

Supported by delivery of action plans