Cyber Resilient Scotland 2025 to 2030: strategic framework

Refresh of the strategic framework for a Cyber Resilient Scotland 2021. In the face of an ever-changing cyber threat landscape, it will build on progress to date and address ongoing - and new - challenges.


Annex D

Principles of approach

The Framework is guided by a set of core principles that reflect our commitment to transparency, accountability, reducing inequality and promoting sustainable economic development. These principles align with the Christie Commission’s pillars – Prevention, Partnership, Workforce Development and Performance Improvement – which remain highly relevant more than a decade after their introduction. They also adhere to the “Verity House Agreement”, which sets out the way we will work with local government and how we will approach our shared priorities.

Principle 1: an inclusive and ethical approach

The Scottish Government is committed to an inclusive and ethical approach to cyber resilience. This means promoting responsible online behaviour, safeguarding individual rights and increasing participation among disadvantaged groups – particularly in cyber security skills development.

Cyber resilience must be accessible to all. We will ensure that messaging, information, advice, learning and guidance are available in formats that meet diverse needs, including alternative and accessible formats.

Principle 2: a whole-of-society approach

Cyber threats require a collective response. Everyone – government, businesses, communities and individuals – has a role in strengthening Scotland’s cyber resilience.

Digital technologies are central to achieving Scotland’s ambitions, as outlined in the National Performance Framework and our digital strategy. We will work across government to embed cyber resilience into ministerial portfolios and policies, using shared workstreams, outcomes and indicators.

We will deepen partnerships with local authorities, public services, private enterprises, the Third sector, academia and civil society to co-create effective solutions. Public awareness and education are key to empowering digital citizens and building a resilient society.

Principle 3: agile leadership

Scottish Ministers lead the implementation of this Framework, supported by the National Cyber Resilience Advisory Board (NCRAB), which provides strategic advice, guidance and challenge.

Principle 4: collaborative partnership

Collaboration has been key to the success of Scotland’s previous cyber resilience strategies. Continued partnership will be essential to deliver this Framework and drive continuous improvement.

The CyberScotland Partnership ensures access to trusted advice and leads national initiatives such as CyberScotland Week. The Scottish Cyber Coordination Centre plays a leading role in coordinating responses to cyber incidents, issuing early warnings and sharing intelligence.

Principle 5: effective communication

We will maintain open and effective communication with partners, stakeholders and across government to support our shared vision.

We will amplify key messages from the National Cyber Security Centre and other trusted sources through the CyberScotland Partnership and the online portal www.cyberscotland.com

Principle 6: adaptive and agile programme management

Cyber threats evolve rapidly. Our response must be flexible and proactive. We will use agile programme management to ensure that the Framework and Action Plans remain current, responsive and effective in addressing new and unexpected challenges.

The National Cyber Resilience Unit will integrate the Framework’s outcomes into broader digital and resilience governance structures.

Principle 7: optimal use of data and evidence of impact

We will prioritise building an accurate understanding of cyber maturity and resilience across the public sector (technical and procedural controls and gaps). We will adopt data-driven approaches to target capabilities and maximise effectiveness. We will take a rigorous, evidence-based approach to measuring impact, using both qualitative and quantitative data. As new data and indicators become available, we will incorporate them to enhance our understanding and improve delivery.

Principle 8: anticipating change and understanding emerging threats

In our digitally developing landscape, we will continuously scan for technological shifts, evolving threat actors and emerging vulnerabilities. By anticipating change and understanding new threats, we can adapt our defences, update our risk models and stay ahead of our adversaries.

Contact

Email: CyberResilience@gov.scot
