HealthCA

Scottish Health Competent Authority

The Network and Information Systems Regulations 2018 (NIS Regulations) came into force on 10 May 2018.

Legislative requirements—including the UK General Data Protection Regulation (UK GDPR)—oblige all public‑sector organisations to ensure that appropriate technical and organisational measures are in place when suppliers process personal data on their behalf. The NIS Regulations are intended to address threats to network and information systems, ensure that essential service sectors maintain robust cyber security, and support the effective functioning of the digital economy.

(Please note that data loss falls under the UK GDPR, tailored by the Data Protection Act 2018.)

Competent Authority for Health in Scotland

The NIS Regulations require a Competent Authority for the health sector. In Scotland, Scottish Ministers fulfil this role and therefore hold regulatory responsibility for oversight and enforcement of the NIS Regulations.

All NHS Scotland Health Boards are designated as Operators of Essential Services (OES). As such, they must comply with the standards set out in the NIS Regulations. These standards include:

Managing security risk
Protecting systems against cyber‑attacks
Detecting cyber security events
Minimising the impact of cyber security incidents

Functions of the Scottish Health Competent Authority (SHCA)

The SHCA is responsible for:

Providing support, training, and guidance on compliance requirements
Delivering regulatory oversight, monitoring, and enforcement of the NIS Regulations
Issuing penalties for non‑compliance

Support Materials

We have produced a range of materials to support compliance with the NIS Regulations, including guidance documents and template reporting forms. These resources are updated on an ongoing basis, and we welcome feedback to help shape future versions.

For enquiries or comments, please contact us at: HealthCA@gov.scot

Further Information

The National Cyber Security Centre (NCSC) is the UK’s independent authority on cyber security. Additional information on the NIS Regulations can be found on their website:

What we do at the NCSC | National Cyber Security Centre – NCSC.GOV.UK

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.