Scottish Cyber Resilient Framework 2025 - 2030
The Scottish government recently released their strategic vision for cyber resilience for the next 5 years.
Such strategies of course are used for a multitude of functions - from enablement and awareness, funding, risk identification but also public awareness and partnership generation.
The Scottish approach is no different and amplifies the need that such country-wide approaches require a broad spectrum of stakeholders - as well as public/private integration.
Image Source: Scottish Cyber Strategic Plan on a Page
Key questions remain around how to measure resilience success? Speedy response to attack? Faster detection? An improved ability to defend?
The vision statement is clear however : “Scotland thrives by being a digitally secure and resilient nation.” Cyber resilience is framed as a whole-of-society responsibility, not just a technical activity - which could be difficult to attain and also measure. The plan aligns with Scotland’s wider goals—economic growth, reducing child poverty, public-service improvement, and climate action. So essentially a force multiplier or extension of general governmental aims.
However, cyber crime in Scotland has doubled since 2019–20, reaching ~14,000 cases in 2024–25.
To work towards this cyber-resilience aim requires a village. The broad ecosystem consists of:
Scottish Cyber Coordination Centre (SC3) – 24/7 threat intelligence, incident coordination.
Police Scotland (Cyber and Fraud Unit) – operational response and victim support.
National Cyber Security Centre (NCSC) – technical authority for cyber security.
CyberScotland Partnership – cross-sector awareness, education, public engagement.
National Cyber Resilience Advisory Board (NCRAB) – strategic guidance.
If “success” is being earmarked as being “strong, capable and resilient” how will that be acheived?
The Seven Strategic Outcomes
1. People recognise cyber risks and are prepared to manage them
Public awareness campaigns.
Cyber resilience embedded across lifelong learning—from early years to adult education.
Targeted support for vulnerable groups (rural, disabled, older adults, non-English speakers).
2. National cyber coordination and incident response are effective
SC3 leads multi-agency response.
Stronger early-warning systems and national incident management.
3. Digital public services are secure and resilient
Protective controls, secure-by-design architecture, and resilience built into critical services such as health and education.
4. Public sector organisations manage cyber risk effectively
Consistent standards across government bodies.
Regular testing, assurance, and cyber maturity improvement.
5. Businesses recognise cyber risks and manage them
SMEs supported with guidance, toolkits, and Cyber Essentials adoption.
Large organisations encouraged to lead on supply-chain security.
6. Third-sector organisations are prepared and protected
Tailored guidance for charities and voluntary organisations, which often have limited resources but hold sensitive data.
7. Scotland has a strong cyber security industry and skilled workforce
Growth of the cyber security sector.
Enhanced research, innovation, and talent pipelines.
Support for CyberFirst schools and national cyber skills initiatives.