Cyber Security measures used to protect critical infrastructure: FOI release
- Published
- 4 March 2024
- Directorate
- Digital Health and Care Directorate
- FOI reference
- FOI/202400396282
- Date received
- 30 January 2024
- Date responded
- 12 February 2024
Information request and response under the Freedom of Information (Scotland) Act 2002.
Information requested
- Information about your (Scottish Government) department’s operation of the Network and Information Systems Regulations 2018 (“NIS Regs”) under the Freedom of Information Act 2000. For each of the last three calendar years (i.e. 2023, 2022 & 2021) you asked for:
a. The total number of network and information systems incidents notified to your department by relevant OESs/RDSPs under the NIS Regs.
b. For each such notification please provide: (i) the year of the notification, e.g. 2023/202s/2021; and (ii) where you regulate more than one sector, the sub-sector of the entity making the notification(e.g. Electricity/Gas); (iii) whether the notification was made within the 72 hour reporting window; and (iv) whether formal enforcement action was taken.
You also asked for each instance in which formal enforcement action was taken, as set out above, please you could you let me know:
(a) The power exercised, e.g. information notice, use of powers of inspection, service of an enforcement notice or issue of a penalty.
(b) If the power exercised was a fine, the amount of the fine.
Response
Operation of the Network and Information Systems Regulations 2018
There are two competent authorities within Scotland. The Drinking Water Quality Regulator for Scotland is the competent authority for water. Scottish Ministers are the Competent Authority for Health Boards in Scotland who are considered to be operators of essential services, with operational duties provided by a team within the Scottish Governments Digital Health and Care Division.
The Information Commissioner’s Office (ICO) is in charge of regulating Relevant Digital Service Providers (RDSP) in the UK.
The Scottish Health Competent Authority (SHCA) is required by Article 15 of the NIS Regulations 2018 to conduct formal assessments and audits of health boards to obtain compliance assurance. To achieve this, a standardised methodology for both undertaking and reporting the audit has been developed to ensure transparency and consistency across health boards and between auditors.
The NIS Regulations compliance audit is intended to provide an independent, objective evaluation to aid improvement of a health board’s operations and compliance. It is undertaken in a systematic and structured approach to evaluate the effectiveness of risk management, cyber security controls and governance processes as required by the regulations.
The categories and controls defined by the Public Sector Cyber Resilience Framework have been adopted as the framework to which NIS compliance audits shall be conducted against. Cyber resilience: framework and self assessment tool - gov.scot (www.gov.scot) . Please note this framework is currently being revised.
Network and Information Systems incidents notified to the SHCA by relevant OESs under the NIS Regulations.
2021 | Sector | Sub-sector | Total number of notified incidents | Incident report submitted within 72 hours | Actions taken |
Health | N/A | 12 | Yes | No formal enforcement action was taken | |
2022 | Sector | Sub-sector | Total number of notified incidents | Incident report submitted within 72 hours | Actions taken |
Health | N/A | 18 | Yes=15 No=3 | No formal enforcement action was taken | |
2023 | Sector | Sub-sector | Total number of notified incidents | Incident report submitted within 72 hours | Actions taken |
Health | N/A | 38 | Yes=28 No=10 | No formal enforcement action was taken |
In response to the second part of your enquiry, no formal action was taken in regards to reported Incidents as noted in the 'Actions taken' column.
About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.
Contact
Please quote the FOI reference
Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000
The Scottish Government
St Andrews House
Regent Road
Edinburgh
EH1 3DG
There is a problem
Thanks for your feedback