The Strategic Framework for a Cyber Resilient Scotland 2025 - 2030
This framework is a refresh of the Strategic Framework for a Cyber Resilient Scotland 2021. In the face of an ever-changing cyber threat landscape, it will build on progress to date and address ongoing - and new - challenges.
Scotland thrives by being a digitally secure and resilient nation.
The Vision and Outcomes
Vision: Scotland thrives by being a digitally secure and resilient nation
Seven outcomes underpin this vision, with underlying principles to guide and maximise delivery. The outcomes are:
1. People recognise the cyber risks and are well prepared to manage them
2. National cyber security and resilience coordination and response arrangements are effective
3. Scotland’s digital public services are cyber resilient
4. Public sector organisations effectively manage their cyber risks
5. Businesses recognise the cyber risks and are well prepared to manage them
6. Third sector organisations recognise the cyber risks and are well prepared to manage them
7. Scotland has a flourishing cyber security industry, research community and a skilled cyber security professional workforce.
A suite of action plans to drive sector-specific initiatives alongside a lifelong learning action plan will be published. They will be regularly reviewed to ensure they remain relevant and responsive to emerging threats and changing environments.
4.2 Principles for delivery
The Framework is underpinned by a set of principles of approach. These are:
- inclusive and ethical
- whole-of-society
- agile leadership
- collaborative partnership
- effective communication
- adaptive and agile programme management
- optimal use of data and evidence of impact
- anticipating change and understanding emerging threats.
See Annex D for a full description of the Principles.
Outcome 1: People recognise the cyber risks and are well prepared to manage them
“Police Scotland’s 2030 Vision outlines our commitment to delivering safer communities, less crime, supported victims and a thriving workforce. The nature of criminality and the threat it poses to communities continues to evolve; therefore, it is critical that our service can proactively manage and reduce threat, risk and harm across Scotland.
“Aligned with this vision, Police Scotland will enhance the integration of science, technology, data and digital innovation within policing. A dedicated Cyber and Fraud Unit will further develop the police response to cybercrime through improved investigations, better support for victims, bespoke training for officers and staff and access to the latest technology. It will also draw on the expertise and resources of partner organisations and other UK forces.”
Chief Constable Jo Farrell, Police Scotland
This outcome is about ensuring that every person in Scotland – regardless of age, background, ability or circumstance – is empowered with the knowledge, skills and tools to navigate the digital world safely, securely and confidently. Cyber resilience is not just a technical necessity: it is a fundamental enabler of inclusion, opportunity and national well-being.
A digitally engaged society
91% of adults in Scotland use the internet for work or personal activities. Digital participation has grown across all age groups, with older adults (60+) showing the most significant increase over the past two decades.[11] This transformation reflects a broader societal shift, while also bringing new risks.
According to the Scottish Crime and Justice survey,[12] in 2021/22:
- 3.6% of internet users in Scotland experienced computer viruses
- 4.9% received scam emails
- 4.4% had their card or bank account details stolen online.
For 2023/24, the Scottish Crime and Justice Survey[13] found that:
- 8.3% of adults were victims of fraud, with around two-fifths (37%) of fraud incidents being cyber-enabled
- 1.4% were victims of computer misuse, including hacking and viruses.
Inclusive cyber resilience
Cyber threats affect everyone, but not equally. Older adults may need tailored support to stay safe and secure online. Young people must develop secure digital habits early. People with disabilities, those in rural areas, people whose first language is not English and individuals with limited digital access all face unique barriers. Our strategy is committed to ensuring no one is left behind.
Since 2015, the Scottish Government and its partners have delivered a range of successful initiatives to build cyber resilience across communities. High proportions of adults are taking proactive steps according to the Scottish Household Survey:
- 75% of adults avoid opening emails or attachments from unknown senders
- 71% avoid sharing personal information online
- Only 10% did not take any of the security measures in the survey.[14]
There are emerging signs of improvement in the public’s online security behaviours. It will be important to sustain and reinforce this progress by continuing to apply behavioural nudges.
Education and Lifelong Learning
Cyber resilience must be a lifelong and life-wide journey. The Scottish Government is committed to embedding cyber resilience across all stages of formal and non-formal learning. National initiatives include:
- introducing cyber security concepts to early-level learners through storytelling
- integrating cyber resilience into the 3-18 curriculum and reflecting it in a number of learning outcomes, such as digital literacy and internet usage
- increasing the number of CyberFirst[15] schools, led by Education Scotland, the CyberFirst Regional Partner for Scotland
- building capacity for cyber resilience learning in youth work, adult learning and other community learning and development settings
- including cyber resilience in several sets of national occupational standards
- building the cyber resilience of students through “Cyber Resilience and You!”[16] – a free training resource for all university and college students in Scotland.
Introducing cyber security concepts through storytelling
Launched in 2023, The Bongles and the Crafty Crows is a unique book which introduces basic concepts of cyber security through storytelling.
Developed in partnership with the Scottish Government, Education Scotland, the Scottish Book Trust and Story Learning Ltd, the book has been issued to all Scotland’s schools (Primary 1) and copies have been placed in all Scotland’s libraries.
The Bongles is available in both English and Gaelic and is supported by learning and teaching resources and animations. www.thebongles.com
Key priorities
To build on progress and realise this outcome, we will focus on:
1.1 Raising awareness
The public better understand cyber risks and know how to protect themselves online, thanks to clear, consistent and inclusive messaging and wide-reaching outreach, both locally and nationally.
1.2 Empowering action
People can easily report cyber crime and access trusted support when needed.
1.3 Embedding cyber resilience in learning
Cyber resilience, digital security and responsible online behaviours are integrated into our lifelong and life-wide learning system from the earliest stages through to adulthood.
1.4 Strengthening the workforce
Staff across all roles and sectors can identify and manage cyber risks, supported by a workplace culture that prioritises awareness and resilience.
Outcome 2: National cyber security and resilience coordination and response arrangements are effective
“The Strategic Framework for a Cyber Resilient Scotland provides a unified vision and direction for protecting digital infrastructure, economic interests and Scotland’s national security. Cyber security underpins our digital-dependent lives, and building resilience at scale will support the nation to embrace technological opportunities whilst maintaining robust safeguards.
Leading a coordinated approach enables us to share intelligence and best practice more efficiently across the UK, strengthening our national resilience against adversaries. Working together to secure our nation is key to unlocking economic and societal benefits by creating a safer environment for cross-sector productivity.
In our interconnected world with its constantly evolving threat landscape, a coherent national framework is essential for ensuring Scotland remains prepared, adaptive and competitive. The National Cyber Security Centre encourages all organisations to engage with the Strategic Framework and work with the Scottish Government to bolster Scotland’s cyber resilience.”
Dr Richard Horne, CEO, National Cyber Security Centre (NCSC)
This outcome focuses on ensuring that Scotland is fully prepared to respond to national cyber incidents swiftly, effectively and in a coordinated manner.
The importance of a strong national response
Cyber attacks can have wide-ranging and severe consequences for Scotland and its people. When a cyber incident occurs, every minute counts. Rapid response increases the chances of a timely recovery and helps the affected organisation to bounce back quickly. Effective national incident response coordination is critical to protecting essential services and maintaining public confidence in Scotland’s cyber resilience.
The SC3 coordinates incidents within Scotland’s public sector, while NCSC handles higher impact incidents. In practice, NCSC and SC3 collaborate closely, especially during serious or multi-impact incidents, with SC3 acting as the local lead and NCSC providing UK-level support and expertise.
The role of the National Cyber Security Centre
The NCSC, a part of Government Communications Headquarters (GCHQ), is the UK’s National Technical Authority for cyber security. It helps protect the UK’s critical services, businesses, and citizens from cyber threats by providing expert guidance, incident response and support to strengthen UK cyber resilience.
The role of the Scottish Cyber Coordination Centre
The SC3 leads the national cyber response coordination for the Scottish public sector. It pools expertise from across Scottish Government, Police Scotland, NCSC, UK Government and other partners to ensure a swift, coordinated and effective response to cyber incidents.
Underpinned by its 2024–2027 Strategic Plan,[17] SC3 is responsible for:
- the Scottish Cyber Incident Management Procedure
- developing and promoting response plans and playbooks
- coordinating and disseminating threat intelligence and early warnings
- developing standards to assure public sector cyber resilience.
Building on established civil contingency frameworks, the SC3 has developed national cyber incident response processes aligned with UK-wide arrangements. Regular testing and exercising of these processes are essential to ensure readiness for major incidents.
New technologies will improve our capability and capacity to measure public sector cyber maturity and to share relevant threat intelligence and best practice at scale. In autumn 2025, SC3 launched the Cyber Observatory, an innovative new capability that will enhance our ability to understand and measure the cyber posture of all organisations across the public sector, to articulate the risk to the sector as a whole and to better target support and drive forward improvements.
Trend data will enable us to track changes over time, measure the efficacy of policy changes and targeted interventions and provide critical insight to strategic leaders and Ministers. The Cyber Observatory will equip SC3 to scale effectively by automating key processes such as sharing cyber threat intelligence and early warnings at speed, whilst also providing public sector organisations with a portal to SC3 services, tailored to their own particular needs. The Cyber Observatory will grow and scale incrementally to capture self-assessed data from organisations through the Cyber Resilience Assessment, gradually adding further data and analytical capability over time.
Key priorities
To build on progress and realise this outcome, we will focus on:
2.1 National preparedness
National cyber response capabilities are regularly tested and exercised, supported by strong cross-agency partnerships to ensure a coordinated and effective response.
2.2 Testing readiness at all levels
SC3 supports the public sector in regularly testing and exercising cyber response capabilities at strategic, tactical and operational levels.
2.3 Keeping plans incident-ready
National response plans and playbooks are regularly reviewed and updated to reflect the evolving threat landscape.
2.4 Delivering early warnings and threat intelligence
SC3 creates a robust intelligence sharing network to provide and disseminate tailored and curated threat intelligence across sectors in order to enable quicker and more proactive defence and preparedness.
2.5 Enhancing vulnerability awareness
The monitoring and detection of, and response to, critical vulnerabilities are strengthened by enhancing vulnerability scanning capabilities and improving centralised vulnerability disclosure and reporting services.
2.6 Understanding the cyber maturity of the public sector
The Cyber Observatory enhances our ability to understand and measure the cyber maturity of the public sector so as to improve targeted interventions and support.
2.7 Learning and improving
Lessons learned from real incidents and exercises are captured, analysed and shared to continuously improve deterrence and response capabilities.
2.8 Strengthening collaboration
Partnerships between the Scottish Government, SC3, NCSC, Police Scotland, CyberScotland Partnership, public sector bodies, academia and the cyber security industry are deepened to enhance incident response and horizon scanning, and to share knowledge and expertise that encourage innovation and solutions.
Outcome 3: Scotland’s digital public services are cyber resilient
“Our task is to ensure that Scotland’s digital public services are high quality, ever improving and meeting the needs of people using them. Cyber resilience must be factored into the design and ongoing maintenance of these services. By strengthening our cyber defences, we safeguard the critical public services that the people of Scotland rely on every day and we reaffirm our commitment to delivering safe, secure and trusted services for all.”
Joe Griffin, Permanent Secretary, Scottish Government
This outcome focuses on ensuring that Scotland’s digital public services are resilient, secure, trusted and future-ready. By embedding cyber security and resilience from the outset of our digital transformation journey, our public services and the people who use them are better protected from the cyber threat.
Harnessing innovation
The pace of digital change is unprecedented. Innovation and technological advances are reshaping every sector and aspect of society. These innovations offer immense potential to streamline public services, address complex challenges and improve lives. Scotland is already leveraging data and connectivity to tackle urban and rural challenges like traffic congestion, waste management and pollution. These technologies are also becoming integral to the operation of critical national infrastructure and essential public services.
Building public trust in digital services
As more services move online, public confidence in the cyber security and reliability of digital platforms is paramount. This is especially important for individuals and communities who may be hesitant to adopt digital alternatives. Building trust requires:
- Privacy by design and default[18]
- Transparency in how services are designed and data is used
- Robust cyber security to protect sensitive information, infrastructure and devices
- User-centric design that encourages wider adoption, supports inclusion and ensures that no one is left behind in the digital age.
Embedding security by design and default
With increased digital integration comes increased risk. To safeguard Scotland’s digital future, it is imperative that cyber security is not treated as an afterthought but is embedded into the design and development of systems from the very beginning. This “secure by design and by default” approach draws on established frameworks such as NCSC’s guidance and the UK Government’s Secure by Design Framework[19].
By adopting this best practice, Scotland can ensure that digital systems and services are not only resilient to cyber attacks, but also easier to maintain, update and scale.
ScotAccount – the secure and simple way to access public services online
ScotAccount lets people use one account to sign in to a variety of services and verify their personal information.
ScotAccount services (as of 2025) can be used to:
- apply for a Level 1 disclosure with Disclosure Scotland
- apply for or view a disclosure for the Protecting Vulnerable Groups (PVG) scheme – your email from Disclosure Scotland will tell you how to do this
- access the Witness Gateway
- access services under the Debt Arrangement Scheme (DAS)
- access Registers of Scotland’s Moveable Transactions registers such as livestock, machinery, vehicles and stocks and shares
- manage your Tobacco and Nicotine Vapour Product Retailers registration
- manage your Funeral Sector registration
Developed by the Scottish Government, ScotAccount delivers on the Digital Strategy’s commitment to provide a secure and simple way for people to prove who they are and that they are eligible for a public service or benefit online. By following the UK Government’s Secure by Design framework, the Scottish Government has embedded continuous security assurance to keep controls effective and responsive to changes in the services and the evolving threat landscape. This ensures that trust, accessibility and protection are embedded at every stage of the user journey.
Other public services adopting ScotAccount include NHS Scotland for use in their health and social care online app and Social Security Scotland.
Leveraging cross-sector collaboration
There is significant potential in cross-sector collaboration, where best practice and innovation from industry and academia can support the secure delivery of digital public services. Examples include:
- Scottish Wide Area Network (SWAN) – a public private partnership with BT, that provides shared infrastructure to digitally connect the public sector
- Scottish Government Scots Connect Cloud Platform Services – provider of secure, robust and scalable digital services for government and the public sector, serving over 20,000 public service customers
- CyberScotland Shield – a malware-information sharing platform to share automated threat intelligence across the public sector and academia in Scotland.
Key priorities
To build on progress and realise this outcome, we will focus on the following priorities:
3.1 Securing legacy systems and ensuring secure-by-design and default systems
Appropriate mitigations are in place to secure legacy systems. A secure-by-design and default approach from the outset is embedded across digital public systems, services and infrastructure.
3.2 Adhering to cyber security standards and regulations
Digital public services align with the relevant recognised standards and regulations.
3.3 Securing the supply chain
Digital public services’ supply chains are secure to protect against evolving cyber threats. This includes regular risk assessments, enforcing security requirements in procurement and monitoring third-party compliance.
3.4 Enhancing incident response and recovery
Our national framework for cyber incident response is strengthened, ensuring rapid recovery and continuity of essential digital public services.
3.5 Enabling safe use of emerging technologies
Guidance and governance are developed to ensure the secure deployment of AI, automation, machine learning, quantum and IoT technologies in public services.
3.6 Maximising public-private collaboration
The Scottish Government and other public bodies deepen engagement with industry and academia to access cutting-edge industry solutions, share threat intelligence and co-develop secure digital platforms.
Outcome 4: Public sector organisations effectively manage their cyber risks
“Cyber risk must be a core priority for every public sector organisation in Scotland, including local authorities. The impact of cyber incidents goes far beyond financial loss: they can severely disrupt essential services and erode public trust. Recent events have underscored a critical truth: the likelihood of experiencing a cyber attack has increased. Continuing to strengthen cyber risk management at the heart of our public sector is vital to protecting the services people rely on and safeguarding the security of our communities.”
Jane O’Donnell, CEO, Convention of Scottish Local Authorities (COSLA)
This outcome focuses on Scottish public sector organisations continuing to strengthen their cyber security posture and resilience.
Scotland’s public sector plays a vital role in delivering essential services including healthcare, education, justice and national and local government. As a cornerstone of national infrastructure, the public sector is increasingly targeted by cyber threats that are growing in frequency, sophistication and impact. These threats range from financially motivated ransomware attacks to politically driven disruptions, posing risks to public trust, service continuity and national security.
In recent years, several high impact cyber incidents – including ransomware and data breaches – have affected some of our councils, health boards and universities. Additionally, the sector regularly experiences lower-level disruptions such as Distributed Denial of Service (DDoS) attacks, brute force password attempts, phishing and business email compromise. Attacks on suppliers have also had downstream effects on public sector operations.
To support coordinated response, recovery and learning, public sector organisations are strongly encouraged to report incidents via the Scottish Public Sector Cyber Incident Coordination Procedure.[20]
A maturing public sector
The cyber maturity of Scotland’s public sector has steadily improved, driven by collaboration with the Scottish Government and sector-wide initiatives. Key advancements include:
- recognition of cyber risk as a core business risk, with increasing accountability at board and senior executive level
- enhanced sharing and use of threat intelligence from trusted sources such as SC3 and NCSC, helping to strengthen cyber threat monitoring and defence
- strengthened incident response planning and testing
- more regular staff awareness training.
Despite this progress, the sector remains vulnerable and must continue to treat cyber resilience as a strategic priority.
Strategic challenges
Leadership and accountability
Cyber resilience must be embedded within organisational governance. Senior leaders must take ownership of cyber risk, integrating it into business risk management frameworks and fostering a culture of awareness across all levels of the organisation.
Supply chain risk management
Supply chains represent a significant source of cyber risk in the public sector due to the services they supply and the access to data they can be granted. Additionally, the globalisation of supply chains can add geopolitical dimensions to these risks. A dynamic, proportionate approach to supplier assurance is essential, including regular reviews throughout the lifecycle of contracts to ensure cyber security standards remain robust and appropriate. NCSC provides guidance[21] and training on understanding the cyber risks in the supply chain and how best to mitigate them.
Innovation in practice
In June 2023, the Scottish Government launched a CivTech[22] Challenge to develop a technical solution to securing public sector supply chains. Following successful beta testing, wider public sector roll out is anticipated in 2026.
Cyber assurance and regulatory compliance
Public bodies are subject to varying levels of cyber regulation and assurance:
- regulated entities (such as health and water services) are regulated under the Network and Information Systems Regulations 2018, with oversight from Competent Authorities and audited against frameworks like NCSC’s Cyber Assessment Framework (CAF).
- other bodies (e.g. local authorities) must meet cyber and information security standards, such as those of the Public Services Network (PSN) and Department of Work and Pensions (DWP), to ensure continued secure access to information required to deliver their public services.
All public sector organisations should conduct regular cyber risk assessments and implement proportionate assurance mechanisms for internal systems and third-party suppliers.
The Cyber Security and Resilience Bill is set to include powers to make changes to the NIS Regulations in secondary legislation, unlocking the ability for the UK Government to be more agile and responsive to changes in cyber threats and the technological landscape. This could pave the way for updated security requirements for regulated entities in the future, following consultation.
Legacy systems
Legacy technologies and systems continue to pose significant challenges to cyber resilience. Many of these systems were not designed with modern cyber security threats in mind, making them vulnerable to attacks and difficult to update without disrupting services. The complexity of integrating new technologies with older infrastructure can put further strain on resources. Budget challenges can also hinder progress in modernisation and access to appropriately skilled staff.
A strategic, phased, risk-based approach is required, which may include:
- prioritising the protection of essential services
- incremental modernisation
- migrating services to cloud infrastructure, ideally designing services for the cloud
- network segmentation, multi-factor authentication, endpoint protection and patch management.
A skilled public sector workforce
A skilled and professional cyber workforce is essential to protect data, maintain public trust and ensure the uninterrupted delivery of public services. As cyber threats become more persistent, cyber security staff must be equipped with up-to-date knowledge and skills to defend against attacks.
Scotland’s public sector is experiencing workforce challenges including:
- talent shortage: some difficulty attracting and retaining skilled professionals due to competition with the private sector and from other countries
- professional pathways: limited progression opportunities within the public sector, both for entry-level positions and career progression
- budget constraints: limited funding for recruitment and training in some parts of the public sector
- evolving threats: continuous development required to stay ahead of evolving threats
- fragmented professional standards: inconsistent take-up of professional standards.
Addressing these challenges requires coordinated investment in professional development opportunities and the creation of clear career progression pathways.
Public-Private-Third Sector collaboration
Cross-sector collaboration offers opportunities to share tools, infrastructure and expertise, thus reducing costs and duplication of effort. Sharing examples of good practice and lessons learned can help raise standards and awareness across sectors. A coordinated approach could lead to common actions and solutions that benefit all sectors. For example, Hefestis[23] delivers cyber security services to many of our academic institutions and some public sector organisations, offering a scalable model for efficient protection.
Cyber Security for NHS Scotland
The National Security Operations Centre (SOC) for NHS Scotland provides a range of security monitoring and response capabilities for our national health services and across health boards in Scotland. It offers services including:
- security monitoring and response
- alert investigation
- security collaboration
- incident handling.
National Security Operations Centre | National Services Scotland
Key priorities
To build on progress and realise this outcome, we will focus on:
4.1 Positioning cyber risk and assurance as a leadership priority
Public sector leaders ensure that cyber risk and assurance are embedded in strategic planning and at board level and that they drive a culture of accountability and resilience throughout the organisation.
4.2 Embedding cyber resilience into governance
Organisations integrate relevant cyber security standards, regulations and compliance into governance, business risk management, planning and daily operations.
4.3 Ensuring incident readiness
Organisations have robust incident response capabilities and regularly test and exercise them.
4.4 Securing legacy systems and introducing secure by design and default systems
Organisations plan to migrate to modern “secure by design and default” systems and/or to put in place appropriate mitigations to secure legacy systems.
4.5 Using trusted tools
Organisations use proven security solutions, including NCSC’s Active Cyber Defence services.
4.6 Securing the supply chain
Organisations actively manage third-party risks with confidence and throughout the life cycle of contracts.
4.7 Building professional capability
Organisations develop their professional cyber security workforce, through inclusive recruitment, training, professional development and career progression. Cyber security staff will be encouraged to register with the UK Cyber Security Council, with a view to gaining a relevant professional standard.
4.8 Raising workforce awareness
The public sector workforce demonstrates strong cyber resilient behaviours.
4.9 Reporting cyber incidents
Organisations report cyber incidents to Police Scotland, NCSC, SC3 and the ICO, where appropriate.
4.10 Strengthening cross-sector collaboration
The public sector, government, academia and industry continue to build stronger partnerships to improve incident response and to share knowledge, threat intelligence, innovation and expertise.
Outcome 5: Businesses recognise the cyber risks and are well prepared to manage them
“Data protection isn’t just about systems and regulations – it’s about people. That principle drives everything we do. In Scotland’s dynamic business landscape, safeguarding data is not the job of one individual or department – it’s a collective responsibility. From the boardroom to front of house, every part of the organisation must stay alert to the threat. Cyber resilience is not optional – it’s essential for protecting trust, reputation and the future of Scotland’s businesses.”
John Edwards, UK Information Commissioner
Scotland’s business community must be equipped to understand, manage and mitigate cyber risks. This outcome focuses on ensuring that businesses are aware of the cyber risks they face and have access to up-to-date information, expert advice and guidance to help them withstand, respond to and recover quickly from cyber incidents.
Small and medium enterprises (SMEs) play a vital role in Scotland’s economy. However, many report challenges in dedicating time, resources and expertise to improve their cyber resilience.
Larger businesses, while often better resourced, are not immune to cyber threats. They face increasingly sophisticated attacks that can have significant consequences, including reputational damage.
The Cyber Breaches Survey 2025[24] found that 43% of businesses experienced a cyber breach or attack in the previous twelve months, with phishing attacks remaining the most prevalent and disruptive threat.
Cyber resilience is good for business
Cyber resilience is not just good practice - it is good for business. Businesses that demonstrate strong cyber practices build trust with customers, partners and investors. Getting the basics right by achieving Cyber Essentials can enhance brand reputation, reduce downtime and create a competitive edge.
While not every SME will have a dedicated IT team, many can benefit from working with Cyber Essentials-certified Managed Service Providers[25] in Scotland, who can help them build and maintain stronger cyber defences.
Strategic challenges
Leadership and accountability
Cyber resilience must be recognised as a strategic business risk, not just a technical issue. Yet only 27% of businesses report having board-level responsibility for cyber resilience. While larger firms are more likely to assign this responsibility to the Board (66%), cyber threats do not discriminate by size. SMEs, which form the backbone of Scotland’s economy, are often under-resourced and under-informed, making them attractive targets for cyber criminals. Despite their size, they can also be a vital part of the wider supply chain across sectors.
Sector-specific risk awareness
Cyber resilience priorities vary significantly across sectors. While 97% of finance and insurance firms and 89% of utilities companies prioritise cyber security, only 44% of retail and wholesale businesses do the same[26]. This highlights the need for sector-specific engagement strategies that reflect unique risk profiles and operational realities. For example, the retail industry has fallen victim to a number of high-profile cyber attacks, with far-reaching consequences for the businesses concerned, their supply chains, customers and communities. No sector is immune to the threat.
Legacy systems
Legacy systems, particularly in health, manufacturing and production, pose significant cyber risks. These systems often run on outdated, unsupported software and lack modern security controls. Budget constraints and operational dependencies make replacement difficult.
Mitigation strategies must include robust security measures such as network segmentation, application control and regular security audits, alongside exploring options for updating or replacing these systems where feasible.
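The two mitigations named above, segmentation and regular audit, can be checked against each other: an unsupported host is only as protected as the network policy around it. The following is an added example, not part of this framework or of any NCSC tool. It audits a constructed asset inventory (operating system and vendor end-of-support date) against a constructed zone-to-zone firewall policy and flags any unsupported host that is still reachable from a general-purpose zone, where a phishing foothold would typically start. Asset names, zone names, dates and the port sets are all assumptions made for the example.

```python
"""Legacy-asset exposure audit (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str            # network zone the host sits in
    os: str
    support_ends: date   # vendor end-of-support date, taken from the inventory


@dataclass(frozen=True)
class Rule:
    """Firewall allow rule between zones. ports=None means any port."""
    src_zone: str
    dst_zone: str
    ports: Optional[frozenset] = None


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str        # "HIGH" or "MEDIUM"
    detail: str
    action: str


# Constructed inventory: two unsupported hosts, one on a flat OT network and
# one already isolated, plus a supported server for contrast.
ASSETS = [
    Asset("hist-01", "ot-flat", "Windows 7", date(2020, 1, 14)),
    Asset("pacs-02", "legacy-zone", "Windows Server 2008 R2", date(2020, 1, 14)),
    Asset("erp-db", "server-lan", "Ubuntu 22.04", date(2027, 4, 30)),
]

# Constructed policy: the flat OT network is wide open from the user LAN,
# while the legacy zone accepts RDP from a jump host only.
RULES = [
    Rule("user-lan", "ot-flat"),                           # any port
    Rule("guest-wifi", "ot-flat", frozenset({80})),
    Rule("user-lan", "server-lan", frozenset({443})),
    Rule("jump-hosts", "legacy-zone", frozenset({3389})),
]

# Zones holding general-purpose endpoints; a phishing foothold starts here.
GENERAL_ZONES = frozenset({"user-lan", "guest-wifi"})

# Fixed audit date so the run is reproducible (assumed, not today's date).
AUDIT_DATE = date(2025, 10, 1)


def allowed_ports(rules, src_zone, dst_zone):
    """Union of ports allowed from src_zone to dst_zone.

    Returns None if no rule permits the path, "any" if some rule permits
    every port, otherwise the set of permitted ports.
    """
    ports = set()
    found = False
    for r in rules:
        if r.src_zone != src_zone or r.dst_zone != dst_zone:
            continue
        found = True
        if r.ports is None:
            return "any"
        ports |= r.ports
    return ports if found else None


def audit(assets, rules, today, general_zones=GENERAL_ZONES):
    """Return one Finding per unsupported asset, worst exposure first."""
    findings = []
    for a in assets:
        if a.support_ends >= today:
            continue  # still supported: out of scope for this check
        exposure = {}
        for z in sorted(general_zones):
            p = allowed_ports(rules, z, a.zone)
            if p is not None:
                exposure[z] = p
        if exposure:
            desc = ", ".join(
                f"{z}:{'any' if p == 'any' else sorted(p)}"
                for z, p in exposure.items())
            findings.append(Finding(
                a.name, "HIGH",
                f"unsupported {a.os} reachable from {desc}",
                "move to a segmented legacy zone; allow only jump-host access; "
                "enforce application control on the host"))
        else:
            findings.append(Finding(
                a.name, "MEDIUM",
                f"unsupported {a.os}, not reachable from general zones",
                "keep isolated; maintain the upgrade or replacement plan"))
    findings.sort(key=lambda f: (f.severity != "HIGH", f.asset))
    return findings


if __name__ == "__main__":
    for f in audit(ASSETS, RULES, AUDIT_DATE):
        print(f"{f.severity:6} {f.asset:8} {f.detail} -> {f.action}")
```

Run against the constructed data, the audit rates hist-01 HIGH (unsupported and reachable on any port from the user LAN) and pacs-02 MEDIUM (unsupported but only reachable from the jump-host zone); the supported erp-db produces no finding. Feeding the same function a real inventory export and firewall policy turns the "regular security audit" in the text into a repeatable check rather than a one-off review.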
Skills and workforce development
Scotland’s private sector is diverse. While some larger companies have internal cyber security teams, many SMEs lack in-house cyber expertise. Building capability across all levels is essential and will require a range of innovative methods such as expanding pathways into cyber roles, including apprenticeships, promoting continuous learning, upskilling and retraining.
Support and tools
There is a wealth of free and affordable cyber support resources, including:
- NCSC’s Small Business Guide,[27] 10 Steps to Cyber Security[28] and Active Cyber Defence services
- Cyber Essentials[29] certification
- Cyber and Fraud Centre Scotland[30] resources and services
- CyberScotland [31] resources.
The Scottish Government will continue to work closely with the NCSC and other strategic partners to provide Scotland’s business community with authoritative advice, tailored guidance and practical support to strengthen their cyber resilience and safeguard economic growth.
Key priorities
To build on progress and realise this outcome, we will focus on:
5.1 Positioning cyber risk and assurance as a leadership priority
Business leaders ensure that cyber risk and assurance are embedded in strategic planning and at board level and that they drive a culture of cyber resilience throughout the business.
5.2 Embedding cyber resilience into governance
Businesses integrate relevant cyber security standards, regulations and compliance into governance, business risk management, planning and operations.
5.3 Ensuring incident readiness
Businesses regularly test and exercise incident response plans and recovery capabilities.
5.4 Addressing legacy systems
Businesses identify and manage risks associated with legacy systems. Where feasible, they implement mitigation measures or plan system upgrades to reduce exposure to cyber threats.
5.5 Using trusted tools
Businesses use proven security solutions, including NCSC’s Active Cyber Defence services.
5.6 Raising workforce awareness
All staff, at every level, demonstrate strong cyber resilient behaviours and know where to go to access the appropriate advice, guidance and support.
5.7 Reporting cyber incidents
Businesses report cyber incidents to Police Scotland, the NCSC and the ICO, where appropriate.
5.8 Securing the supply chain
Businesses manage and actively monitor third-party risks.
5.9 Building professional capability
Businesses develop their professional cyber security capabilities through clear entry points, training and career progression pathways.
5.10 Strengthening cross-sector collaboration
Businesses, government, academia and industry continue to build stronger partnerships to improve incident response and share knowledge, innovation and expertise.
Outcome 6: Third sector organisations recognise the cyber risks and are well prepared to manage them
“Scotland’s third sector organisations play a central role in our communities, delivering a huge range of services and support to our diverse communities. While our increasing reliance on digital systems can have huge benefits for charities and their beneficiaries, it’s vital that charities also understand the risks that this can bring. Building cyber resilience is about ensuring that charities, indeed all third sector organisations, can continue their work safely and securely. It’s the responsibility of every trustee in Scotland to act in their organisation’s best interests and that must include ensuring that their organisation treats cyber security as a key part of their work, not as an optional extra.”
Marieke Dwarshuis, Chair of the Office of the Scottish Charity Regulator (OSCR)
This outcome is about ensuring that third sector organisations in Scotland are aware of the cyber risks they face, are well prepared and can respond to and quickly recover from a cyber attack when it happens.
As of 2025, there are around 46,000 third sector organisations operating in Scotland. These include charities, voluntary groups and social enterprises working in diverse areas such as social care, health, education, arts, environment and community. The sector employs around 136,000 paid staff, in addition to a significant number of volunteers, making it a vital part of Scotland’s social and economic fabric.
According to the Cyber Security Breaches Survey 2025, 30% of charities experienced a cyber incident in the previous 12 months, with nearly two thirds of high-income charities affected. Phishing was the most common and disruptive threat.
Strategic challenges
The third sector in Scotland faces several distinct cyber resilience challenges including:
- digital adoption. The rapid shift to digital services during the pandemic increased exposure to cyber threats, without a corresponding increase in cyber security preparedness.
- legacy systems. Many third sector organisations continue to rely on legacy systems, due to underfunding and limited access to technical expertise, increasing vulnerability and complicating integration with newer digital services.
- limited cyber security expertise and understanding of risk at leadership level. Board members or senior leaders often lack cyber awareness, hindering strategic decision-making and investment in cyber resilience.
- limited operational capability. Many third sector organisations lack cyber security expertise, often relying on external support.
- limited awareness of available support. Many organisations are not fully aware of, or do not make use of, the available guidance, tools and support to improve cyber resilience.
- technical jargon as a barrier. Complex cyber security terminology can alienate non-technical staff and volunteers, making it harder to build a culture of cyber awareness and resilience.
- funding constraints. Tight budgets limit investment in cyber security and resilience tools, training and specialist staff.
To help address these challenges, NCSC provides support and guidance[32] for third sector organisations, to help with:
- improving staff and volunteer cyber awareness by using NCSC’s staff training resources
- using NCSC’s Active Cyber Defence services, which provide a range of automated protections, free of charge
- making sure the board understands its responsibility regarding cyber resilience
- using Cyber Essentials to help protect organisations from cyber attacks (and to show potential donors that the organisation takes cyber security seriously).
Additionally, the Scottish Government has invested in a dedicated Third Sector Cyber Resilience Coordinator based within the Scottish Council of Voluntary Organisations (SCVO), who works closely with third sector organisations to guide them on prioritising cyber risks, protecting against common threats and increasing preparedness to respond to cyber incidents. The Third Sector Cyber Catalyst Network connects individuals interested in keeping organisations safe and secure online across the sector. Members help shape future cyber resilience initiatives, raise awareness and share best practice. Organisations may wish to consider using shared services or an accredited Managed Service Provider.
Free tools and resources[33] from SCVO
- Digital Check-up Tool: helps organisations assess their digital maturity and identify areas for improvement, including cyber security and resilience
- Incident Response Template: a simple, downloadable guide to help smaller organisations prepare for cyber incidents
- Quarterly Hints and Tips: helps staff and volunteers spot cyber risks and take appropriate action
- Regular Bulletins: provides information on common threats, recent incidents and lessons learned and awareness/guidance for the sector.
The third sector in Scotland remains at significant risk from cyber threats. The Scottish Government will continue to work with national intermediary and regulatory bodies, including SCVO, Charity Leadership Scotland and the Office of the Scottish Charity Regulator (OSCR), to strengthen cyber resilience across the sector and ensure organisations are supported to protect the communities they serve.
Key priorities
To build on progress and realise this outcome, we will focus on:
6.1 Positioning cyber risk and assurance as a leadership priority
Third sector leaders ensure that cyber risk and assurance are embedded in strategic planning and at board level and that they drive a culture of accountability and resilience throughout the organisation.
6.2 Embedding cyber resilience into governance
Third sector organisations integrate relevant cyber security and resilience standards, regulations and compliance into governance, business risk management, planning and daily operations.
6.3 Ensuring incident readiness
Third sector organisations have robust incident response capabilities and regularly test and exercise them.
6.4 Addressing legacy systems
Third sector organisations identify and manage risks associated with legacy systems. Where feasible, they implement mitigation measures or plan system upgrades to reduce exposure to cyber threats.
6.5 Using trusted tools
Third sector organisations use proven security solutions, including NCSC’s Active Cyber Defence services.
6.6 Raising workforce and volunteers’ awareness
The third sector workforce, including volunteers, demonstrate strong, cyber-resilient behaviours.
6.7 Reporting cyber incidents
Third sector organisations report cyber incidents to Police Scotland, the Scottish Government, the NCSC, OSCR and the ICO, where appropriate.
6.8 Securing the supply chain
Third sector organisations actively manage third-party risks with confidence, throughout the life cycle of contracts.
6.9 Building professional capability
Third sector organisations develop their professional cyber security capabilities, through inclusive recruitment, training, professional development and career progression, including volunteers.
6.10 Strengthening cross-sector collaboration
The third sector, government, academia and industry continue to build stronger partnerships to improve incident response, share knowledge and threat intelligence, innovation and expertise.
Outcome 7: Scotland has a flourishing cyber security industry, research community and a skilled cyber security professional workforce
“Scotland’s cyber security sector is thriving, but to keep that momentum, we must build a resilient, future-ready pipeline of talent. Investing in local skills is critical. Cyber expertise isn’t just for tech companies, it’s essential across every industry, from whisky and logistics to social care and public services. It’s the backbone of a secure, modern society and plays a vital role in safeguarding Scotland’s infrastructure and national resilience.”
Karen Meechan, Chair of the CyberScotland Partnership and CEO, ScotlandIS
A thriving cyber security sector is essential to Scotland’s digital resilience, economic prosperity and global competitiveness. Continued growth in cyber goods, services and professional talent will underpin our ability to respond to evolving threats and seize emerging opportunities. This outcome reinforces the need for a dynamic cyber security industry, an innovative research community and a skilled, diverse workforce that can adapt to the demands of a rapidly changing digital world.
Scotland’s cyber security industry
Over the past eight years, Scotland has experienced significant growth in its cyber security goods and services sector, generating new jobs and contributing to Scotland’s economy. A vibrant cyber cluster has emerged, with growth in start-ups, SMEs and established firms contributing to Scotland’s track record on innovation, resilience and economic development.
Over 400 cyber security goods and services businesses operate in Scotland, which is almost three times as many as there were in 2018. ScotlandIS[34], the cluster management organisation, plays a pivotal role in accelerating this growth by fostering innovation, promoting our companies both at home and abroad and supporting the skills pipeline and workforce challenges.
This development is underpinned by strong collaboration between industry, government and academia. ScotlandIS works with partners including the Scottish Government, Scottish Enterprise, Highlands and Islands Enterprise, Scottish Development International (SDI), Skills Development Scotland (SDS), CENSIS and the Abertay cyberQuarter. At a UK level, it collaborates closely with the Department for Business and Trade (DBT) and the Department for Science, Innovation and Technology (DSIT) to identify opportunities for growth and internationalisation.
UK Government’s Cyber Security Growth Action Plan[35] aims to accelerate growth in the UK’s cyber sector. The Scottish Government, ScotlandIS and other partners will continue to engage to ensure alignment and maximise opportunities for Scotland’s cyber industry.
Academic research and innovation
Scotland’s universities are internationally recognised for their excellence in cyber security research and innovation. Abertay and Edinburgh Napier universities are Academic Centres of Excellence in Cyber Security Education and Edinburgh and Strathclyde universities are Academic Centres of Excellence in Cyber Security Research.
Our academic institutions contribute to:
- cutting-edge research in areas such as cryptography, secure AI and threat intelligence
- collaboration with industry to commercialise research and develop new technologies
- the development of cyber security curricula that align with evolving industry needs.
In 2025, the UKRI Engineering and Physical Sciences Research Council launched the Cyber Security Research and Networking Environment (CRANE) NetworkPlus, with Abertay University playing a lead role for Scotland. This initiative aims to strengthen national research in cyber resilience and security and emerging technologies.
Continued investment in research and innovation is essential to maintaining Scotland’s competitive edge and ensuring that academic excellence translates into real-world impact.
Cyber security profession
Scotland, like many nations, faces persistent cyber security skills gaps and a shortage of cyber security professionals. This is caused by a number of workforce pressures, including:
- global and private sector competition, which can make recruitment and retention difficult, particularly for the public sector
- emerging technologies such as AI, which are reshaping cyber roles and requiring new skillsets and continuous upskilling
- graduate work-readiness, with many employers reporting that graduates often require extensive on-the-job training
- inconsistent professional standards, leading to variability in competence and complicating workforce recruitment and development
- underrepresentation of women and individuals from diverse backgrounds.
Diversity and Inclusion in the cyber security workforce
Improving diversity is not only a matter of fairness – it is a strategic imperative. A cyber security team with varied experiences and perspectives is better equipped to tackle complex cyber threats.
In the UK’s cyber security workforce:
- only 17% are women[36]
- 19% are from ethnic minority backgrounds
- 16% are neurodivergent
- 8% are disabled.
These figures have remained largely static for a number of years, highlighting the need for sustained and targeted action to improve representation and inclusion.
There are also inconsistencies in professional standards. The UK Cyber Security Council supports Scotland’s cyber resilience ambitions by setting professional standards, promoting ethical practice and developing inclusive career pathways that help build a skilled and trusted cyber workforce.
Building the talent pipeline
The Scottish Government is committed to developing a robust and inclusive cyber security talent pipeline, and we are doing this from an early age at school. We have already taken steps to encourage people from diverse backgrounds to consider cyber security careers; from promoting cyber careers to people living in disadvantaged communities and supporting neurodivergent people through training, to offering mentoring that helps women continue to thrive as confident cyber security leaders.
Key developments in Scotland include:
- a coherent cyber security qualifications pathway spanning schools, colleges and universities
- the CyberFirst Programme in our schools (56 schools as of Oct 2025), inspiring and supporting young people to pursue cyber security careers
- Graduate, Modern and Foundation Apprenticeships in Cyber Security, offered by a number of organisations and universities in Scotland
- vocational learning, widening access and supporting career changers
- workplace learning, upskilling and reskilling existing staff.
The Abertay cyberQuarter is a cyber security research and development centre housed within Abertay University.
This initiative brings together students, academics and organisations to help solve global cyber security challenges. The Abertay cyberQuarter aims to:
- increase technical problem solving for industry
- increase industry-academia interaction and collaboration
- increase access to cyber employment opportunities in the area.
The centre works with businesses across all sectors, raising awareness of cyber security and developing fit for purpose cyber security solutions while continuously developing the skills of students and professionals.
| Cyber Security qualifications | Scottish Credit & Qualifications Framework |
|---|---|
| | Level 12 |
| | Level 11 |
| | Level 10 |
| | Level 9 |
| | Level 8 |
| | Level 7 |
| | Level 6 |
| | Level 5 |
| | Level 4 |
Key priorities
To build on progress and realise this outcome, we will focus on:
7.1 Growing a globally competitive industry
The Scottish cyber security industry will be seen as an attractive provider of goods and services both domestically and internationally.
7.2 Strengthening research and innovation
Academic excellence in research and innovation across our universities continues to help map future cyber challenges and opportunities for government, industry and academia.
7.3 Understanding and mitigating cyber risks from emerging technologies
Government, academic and industry partners build understanding and mitigation of the cyber threats associated with emerging technologies such as AI, quantum computing and machine learning.
7.4 Strengthening the Talent Pipeline
Schools, colleges and universities increase the uptake of cyber security learning and qualifications, expanding access to apprenticeships and vocational routes and promoting diversity and inclusion at all levels. Young people will be encouraged to pursue cyber security careers.
7.5 Encouraging and promoting professional standards
The Scottish Government will work with industry, the UK Cyber Security Council and the UK Government to enhance efforts to professionalise the cyber security workforce and promote continuous development.
Contact
Email: CyberResilience@gov.scot