Cyber Resilient Scotland 2025 to 2030: strategic framework
Refresh of the strategic framework for a Cyber Resilient Scotland 2021. In the face of an ever-changing cyber threat landscape, it will build on progress to date and address ongoing - and new - challenges.
Strategic context
Since 2015, the Scottish Government and its partners have been working solidly to strengthen Scotland’s cyber resilience and build a robust national response to evolving threats. See Annex C for main areas of progress.
3.1 A national ecosystem through leadership and partnership
The Scottish Government has a national leadership role in overseeing the delivery of the Framework. However, achieving its goals requires coordinated actions across sectors. A whole-of-society approach is essential, involving public services, industry, education and academia, law enforcement and government at local, national and UK levels. National partners include:
SC3 - The SC3 is Scotland’s national hub for multi-agency cyber incident response coordination, providing 24/7 support to public sector organisations. It gathers and analyses cyber risk data, issuing daily threat bulletins and weekly vulnerability reports.
Police Scotland - The establishment of Police Scotland’s Cyber and Fraud Unit (CAFU) in 2025 is a decisive response, as the scale and complexity of the cyber threat demands a more agile, coordinated, and preventative policing model. Most importantly, it places victims at the heart of the unit’s efforts.
NCSC - The NCSC, a part of Government Communications Headquarters (GCHQ), is the UK’s National Technical Authority for cyber security. It helps protect the UK’s critical services, businesses, and citizens from cyber threats by providing expert guidance, incident response, and support to strengthen the UK’s cyber resilience.
NCRAB - The National Cyber Resilience Advisory Board (NCRAB) brings together leaders and influencers from across the private, public and third sectors to provide strategic advice, challenge and support to Scottish Ministers and the Scottish Government and help guide work being undertaken to achieve the vision.
CyberScotland Partnership - The CyberScotland Partnership is a collaboration of stakeholders from across different communities in Scotland who work together to achieve the outcomes of the Strategic Framework for a Cyber Resilient Scotland in a coordinated and coherent way. Their main focus is on communications, cyber awareness reach and events.
Scotland’s Cyber Resilience Ecosystem: the Strategic Framework for a Cyber Resilient Scotland
CyberScotland Partnership
A collaboration of public, private and third sector partners to amplify cyber awareness across our communities.
- National communications coordination
- CyberScotland portal
- National events including CyberScotland Week
Scottish Government National Cyber Resilience Unit, Digital Directorate
Directed by Scottish Ministers. Supported by the National Cyber Resilience Advisory Board. Aligned to relevant UK Government policy and activities.
- Policy development
- Strategy implementation
- National outcomes contribution
Scottish Cyber Coordination Centre
A national collaboration to combat the cyber threat. Partners include Scottish Government, NCSC, Police Scotland and others.
- Early warning and intelligence
- National incident management coordination
- Standards and regulations
3.2 Policy alignment
In Scotland
Cyber resilience is not a standalone goal for Scotland. It underpins our broader ambitions for digital transformation, public service innovation and economic growth.
The Framework is aligned to:
- Scotland’s National Strategy for Economic Transformation[6] which positions cyber resilience as a key enabler of secure digital progress and sustainable economic growth.
- The Digital Strategy for Scotland (due to be refreshed in the autumn of 2025) articulates a refreshed vision that is jointly shared between local government and the Scottish Government. It acknowledges the transformative power of digital technologies and sets out a vision where digital enriches lives, drives our economy and transforms our public services. The renewed Strategy will provide a long-term focus on delivering better outcomes for people and delivering digital public services that are responsive to people’s needs.
- Scotland’s AI Strategy[7] aims to ensure Scotland can reap the economic and social benefits of AI by becoming a leader in the development and adoption of trustworthy, ethical and inclusive AI. Achieving this ambition requires that technological developments and infrastructure be secure and resilient to cyber attacks. AI can be used by cyber criminals, but it can also help to protect networks from cyber attacks, through real-time monitoring and analysis of digital traffic to help identify and respond to threats more quickly.
UK cyber policy
The Scottish Government works closely with the UK Government on national security matters, including cyber security. Our Framework aligns with and complements the broader UK Cyber Strategy, ensuring a coordinated approach across devolved and reserved responsibilities. The Scottish Government also regularly engages with other devolved nations to share intelligence, resources and solutions.
The UK Government is introducing a Cyber Security and Resilience Bill which aims to strengthen the resilience of essential and digital services, enhance national security and support economic stability. The Bill will expand regulatory oversight to include managed service providers and critical suppliers to essential and digital services. It will help to improve incident reporting and enable cyber regulators to be more effective, including through expanded and more timely reporting of harmful cyber attacks.
Additionally, the UK Government has issued Codes of Practice[8] to set clear expectations for cyber security across a number of areas including:
- Cyber Governance Code of Practice
- Software Security Code of Practice
- AI Cyber Security Code of Practice/ETSI Technical Specification 104 223
- Code of practice for app store operators and app developers
- Code of Practice for Consumer IoT Security
Cyber Essentials
The NCSC’s Cyber Essentials[9] (CE) scheme helps organisations reduce cyber risk through five basic security controls. Organisations with CE certification are 92% less likely to make a cyber insurance claim. Data from St James’ Place[10] showed an 80% drop in incidents amongst their partners after requiring all to gain a Cyber Essentials Plus certificate. Certification includes limited cyber insurance cover for added protection. Support is also available via a network of NCSC-recognised Cyber Advisors.
Contact
Email: CyberResilience@gov.scot