Cyber Resilient Scotland - strategic framework: action plan 2025-2030

Outcome 2

National cyber security and resilience co-ordination and response arrangements are effective

2.1 National Preparedness

National cyber response capabilities are regularly tested and exercised, supported by strong cross-agency partnerships to ensure a coordinated and effective response.

The Scottish Cyber Coordination Centre (SC3) will:

• review the Scottish cyber incident response arrangements, ensuring alignment with the UK Government’s response arrangements
• continue to raise awareness of the Scottish cyber incident multi-agency co-ordination arrangements to support consistent preparedness
• run an annual national multi‑agency exercise to test response plans against current and emerging cross‑cutting threats
• coordinate multi‑agency responses to cyber incidents affecting the Scottish public sector, working with key partners including Police Scotland and the National Cyber Security Centre (NCSC).

2.2 Testing Readiness at All Levels

SC3 supports the public sector in regularly testing and exercising cyber response capabilities at strategic, tactical and operational levels.

SC3 will:

• facilitate and support the delivery of at least ten cyber exercises each year, helping public bodies across Scotland to test and strengthen their incident response plans
• develop a public sector exercising cadre trained to design, prepare and deliver cyber exercises at a local level
• produce and share a suite of exercising resources, including open‑source materials
• collect annual data on cyber exercising across the Scottish public sector to identify gaps, to increase and to improve uptake.

2.3 Keeping Plans Incident-Ready

National response plans and playbooks are regularly reviewed and updated to reflect the evolving threat landscape.

SC3 will:

• update cyber incident response procedures and playbooks annually, ensuring all materials reflect lessons learned from real incidents and exercises, as well as emerging and evolving cyber threats.

2.4 Delivering Early Warnings and Threat Intelligence

SC3 creates a robust intelligence sharing network to provide and disseminate tailored and curated threat intelligence across sectors in order to enable quicker and more proactive defence and preparedness.

SC3 will:

• continue to produce and disseminate daily and weekly curated threat intelligence reports
• provide tailored public sector intelligence products, including monthly Ransomware reports and quarterly Insight reports
• issue Cyber Resilience Early Warning (CREW) notices and Threat Intelligence Priority Reporting (TIPR) alerts on new and emerging threats, including recommended remediation or preventive actions
• host the CyberShield Scotland Malware Information Sharing Platform (MISP), expand public sector membership and strengthen cross government collaboration

2.5 Enhancing Vulnerability Awareness

The monitoring and detection of, and response to, critical vulnerabilities are strengthened by enhancing vulnerability scanning capabilities and improving centralised vulnerability disclosure and reporting services.

SC3 will

• evolve its approach to vulnerability identification by making use of the domain scanning services provided by Department of Science, Innovation & Technology (DSIT)
• establish a central Vulnerability Disclosure Programme for public sector organisations, building on the UK’s Government Cyber Coordination Centre (GC3)’s existing Vulnerability Disclosure Programme
• monitor open and closed source intelligence on major vulnerabilities as part of SC3’s Vulnerability Coordination Policy and share timely patching advice with public sector organisations.

2.6 Understanding the cyber maturity of the public sector

The Cyber Observatory enhances our ability to understand and measure the cyber maturity of the public sector to improve targeted interventions and support.

SC3 will:

• launch the national Cyber Resilience Assessment (CRA) in 2025 through the Cyber Observatory to gather self-assessed cyber resilience data from Scottish public sector bodies
• from 2026 onwards, require public sector organisations to complete and submit the CRA annually via the Cyber Observatory
• use the enhanced capabilities of the Cyber Observatory to analyse CRA responses alongside other relevant data sources to provide a more accurate picture of current public sector cyber maturity and risk, and to inform decision making and future action
• use these insights to design and deliver targeted interventions that will help strengthen cyber resilience across the Scottish public sector.

2.7 Learning and Improving

Lessons learned from real incidents and exercises are captured, analysed and shared to continuously improve deterrence and response capabilities.

SC3 will:

• publish and disseminate the first annual Scottish Cyber Activity Report (SCAR) in 2026, sharing lessons identified from cyber incidents and exercises to support wider learning and improvement
• deliver lessons learned projects for the Scottish public sector in 2025 and 2026, initially focusing on Legacy Technology and Multi Factor Authentication (MFA) as priority areas for improvement and organisational guidance.

2.8 Strengthening Collaboration

Partnerships between the Scottish Government, SC3, NCSC, Police Scotland, CSP, public sector bodies, academia and the cyber security industry are deepened to enhance incident response, horizon scanning, sharing knowledge and expertise to encourage innovation and solutions.

SG NCRU, alongside SC3, will:

• regularly convene the Public Sector Network as a key channel for sharing knowledge, resources and best practice.

SC3 will:

• engage routinely with SC3 Core Partners, including Scottish Government, Police Scotland, NCSC, Digital Office - Scottish Local Government, NHS National Services Scotland, HEFESTIS and GC3, to share insights and identify solutions that support national cyber resilience in line with the SC3 Strategic Plan
• continue operating as a multi‑agency function, with embedded resources from Police Scotland, NCSC and other partners to strengthen capabilities, collaboration and ensure rapid, co-ordinated responses to emerging threats and incidents.