Significant Incident Reporting

Notifiable Scottish Public Sector Cyber Incidents are defined as cyber incidents or attacks affecting the network and information systems of Scottish public sector organisations which meet one or more of the following criteria:

  • Operational Impact: The incident has the potential to disrupt the organisation’s ongoing operations or the delivery of public services.
  • Sector‑Wide Risk: There is a likelihood that other public, private, or third‑sector organisations could experience a similar attack, or that the incident may spread to other organisations.
  • Reputational Damage: The incident could negatively impact the reputation of the Scottish public sector or the Scottish Government.
  • Public or Political Interest: The incident is likely to attract interest from the Scottish Parliament or national‑level media.

Under the NIS Regulations, if your Health Board experiences a significant incident that affects the cyber security or resilience of systems and meets the Thresholds for Incident Reporting, you are required to notify the Scottish Health Competent Authority (SHCA).

This requirement applies not only to cyber‑related incidents but also to non‑cyber events that impact essential services. Examples include:

  • Interruptions to power supplies
  • Natural disasters, such as flooding
  • Any other environmental or technical events that impair system availability or resilience

If such incidents affect systems within the scope of the NIS Regulations and meet reporting thresholds, they must be reported to the SHCA.

Under the UK GDPR and the Data Protection Act 2018, any personal data breach that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data—and which meets the Thresholds for Incident Reporting to the Information Commissioner’s Office (ICO)—must be notified to the Information Governance team within the Scottish Government Digital Health and Care Division (DHAC).

You are required to make both notifications without undue delay, and no later than 72 hours after becoming aware of the breach, where feasible.

Where the personal data breach includes cyber‑related causes or contributing factors, you should also consider notifying the National Cyber Security Centre (NCSC).

If an incident occurs outside core working hours and requires immediate attention, you must complete the incident form and contact the Duty Resilience Officer:

SGoR Duty Officer: 07623 514719

Once the form is completed, submit your NIS Regulations Incident Report to the Scottish Government’s Digital Health & Care Division, who act on behalf of the Scottish Health Competent Authority (SHCA) and carry out operational responsibilities to ensure the resilience of networks and information systems:

📧 HealthCA@gov.scot

For incidents that constitute a UK GDPR / Data Protection Act 2018 personal data breach, send the completed incident form to the Digital Health and Care Information Governance Team:

📧 DHCIG@gov.scot

You may be required to notify two separate regulators about the same incident:

  • The Information Commissioner’s Office (ICO), if the incident also constitutes a personal data breach under UK GDPR / DPA 2018
  • The Competent Authority (CA) under the NIS Regulations

Both notifications must be made without undue delay, and within 72 hours of becoming aware of the incident, where feasible. These obligations apply in addition to reporting the incident to your Competent Authority.