Cyber Security measures used to protect critical infrastructure: FOI release

Information requested

• Information about your (Scottish Government) department’s operation of the Network and Information Systems Regulations 2018 (“NIS Regs”) under the Freedom of Information Act 2000. For each of the last three calendar years (i.e. 2023, 2022 & 2021) you asked for:

a. The total number of network and information systems incidents notified to your department by relevant OESs/RDSPs under the NIS Regs.

b. For each such notification please provide: (i) the year of the notification, e.g. 2023/202s/2021; and (ii) where you regulate more than one sector, the sub-sector of the entity making the notification(e.g. Electricity/Gas); (iii) whether the notification was made within the 72 hour reporting window; and (iv) whether formal enforcement action was taken.

You also asked for each instance in which formal enforcement action was taken, as set out above, please you could you let me know:

(a) The power exercised, e.g. information notice, use of powers of inspection, service of an enforcement notice or issue of a penalty.

(b) If the power exercised was a fine, the amount of the fine.

Response

Operation of the Network and Information Systems Regulations 2018

There are two competent authorities within Scotland. The Drinking Water Quality Regulator for Scotland is the competent authority for water. Scottish Ministers are the Competent Authority for Health Boards in Scotland who are considered to be operators of essential services, with operational duties provided by a team within the Scottish Governments Digital Health and Care Division.

The Information Commissioner’s Office (ICO) is in charge of regulating Relevant Digital Service Providers (RDSP) in the UK.

The Scottish Health Competent Authority (SHCA) is required by Article 15 of the NIS Regulations 2018 to conduct formal assessments and audits of health boards to obtain compliance assurance. To achieve this, a standardised methodology for both undertaking and reporting the audit has been developed to ensure transparency and consistency across health boards and between auditors.

The NIS Regulations compliance audit is intended to provide an independent, objective evaluation to aid improvement of a health board’s operations and compliance. It is undertaken in a systematic and structured approach to evaluate the effectiveness of risk management, cyber security controls and governance processes as required by the regulations.

The categories and controls defined by the Public Sector Cyber Resilience Framework have been adopted as the framework to which NIS compliance audits shall be conducted against. Cyber resilience: framework and self assessment tool - gov.scot (www.gov.scot) . Please note this framework is currently being revised.

Network and Information Systems incidents notified to the SHCA by relevant OESs under the NIS Regulations.

2021	Sector	Sub-sector	Total number of notified incidents	Incident report submitted within 72 hours	Actions taken
	Health	N/A	12	Yes	No formal enforcement action was taken
2022	Sector	Sub-sector	Total number of notified incidents	Incident report submitted within 72 hours	Actions taken
	Health	N/A	18	Yes=15 No=3	No formal enforcement action was taken
2023	Sector	Sub-sector	Total number of notified incidents	Incident report submitted within 72 hours	Actions taken
	Health	N/A	38	Yes=28 No=10	No formal enforcement action was taken

In response to the second part of your enquiry, no formal action was taken in regards to reported Incidents as noted in the 'Actions taken' column.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.