A privilege-centric playbook for identity security in Scotland


Most organisations we speak to are still thinking about cybersecurity in terms of perimeters: firewalls, network access, keeping the wrong people out. The problem is that attackers stopped thinking that way a long time ago.

Today, the primary route into an organisation is not through a vulnerability in your infrastructure. It is through a credential. Stolen logins, abused service accounts, and over-privileged identities that nobody is actively watching are behind roughly 30% of all intrusions globally. Once an attacker has valid credentials, they do not look like an attacker. They look like a user. That is what makes identity-based attacks so difficult to catch, and why the average breach takes over 200 days to identify.

Scotland has felt this directly. Ransomware groups have repeatedly hit healthcare, local government and public services, and the playbook is consistent every time: gain a foothold through a compromised credential, escalate privileges, move laterally, then encrypt or exfiltrate. Disrupt the Paths to Privilege and the story ends very differently.

The Scottish Government’s refreshed Cyber Resilient Scotland Strategy 2025–2030 recognises this reality. Police Scotland recorded over 14,000 cyber-crimes in 2024–25, nearly double the figure from five years ago. The strategy identifies ransomware, supply chain vulnerabilities and identity-based threats as defining risks. The regulatory environment has now caught up with the threat.

The Regulatory Landscape: What Is in Force and What Is Coming

A significant amount of regulation is landing at once, and it is important to understand what applies to whom. The scope is broader than many organisations realise.

Scotland’s public sector framework

From 2026, public sector bodies must complete annual Cyber Resilience Assessments. Public procurement now requires Cyber Essentials Plus or ISO 27001. Enforceable security requirements are being built into supplier contracts. If you work with councils, health boards or government bodies, this is already affecting you.

The UK Cyber Security and Resilience Bill

Expected to receive Royal Assent in mid-2026. This is the most significant reform of UK cyber legislation since NIS 2018. MSPs, data centres and critical suppliers come into scope for the first time. Incident reporting tightens to 24 hours for initial notification and 72 hours for a full report, submitted simultaneously to your regulator and the NCSC. Maximum fines rise to £17 million or 4% of worldwide turnover. If you are waiting for Royal Assent to begin preparing, you are already behind.

EU NIS2

Applies to Scottish organisations serving European markets across energy, transport, health, water, digital infrastructure, public administration, manufacturing and food production. It introduces board-level personal accountability and fines of up to €10 million or 2% of global annual turnover.

The EU AI Act

High-risk AI obligations become fully enforceable on 2 August 2026. Many organisations are unprepared. If you deploy AI in employment decisions, credit scoring, biometric identification or critical infrastructure management and your systems touch the EU market, you are in scope regardless of where you are based. High-risk AI systems must demonstrate cybersecurity protections throughout their lifecycle, with incident reporting to the AI Office within 72 hours.

Penalties can reach €35 million or 7% of global annual revenue. Any AI system accessing privileged data or systems is considered a non-human identity and requires the same visibility and control as any other privileged access pathway.

This applies now.

DORA

In force since January 2025. For Scottish financial services firms with EU operations or clients, this is not upcoming. It is enforceable today. It includes prescriptive requirements on ICT risk management, third-party vendor oversight and privileged access controls. Your PAM programme is a compliance requirement.

The common thread across all regulation: You must demonstrate visibility and control over who and what can access your critical systems, detect and report incidents quickly, and evidence that your controls work. This is privilege-centric identity security. It is the focus of BeyondTrust Field CTO James Maude’s session at Scot-Secure on 26 March: Beyond the Login: A Privilege Centric Playbook for Identity Security.

Scotland’s Specific Challenges

Generic cybersecurity guidance is often written for large enterprises in financial services or tech. Scotland’s economy looks different, and so do the risks.

Energy and utilities

Scotland is a major energy producer across North Sea operations, offshore wind and hydro. Much of the operational technology running this infrastructure predates modern cyber threats. It is now deeply interconnected with corporate IT, cloud platforms and remote access systems. State-sponsored actors specifically target critical energy infrastructure, and the attack surface is expanding as distributed renewable assets come online.

Managing privileged access across converged IT and OT environments is one of the hardest security challenges in the sector.

Healthcare and public services

NHS Scotland operates across multiple health boards, each with legacy systems, third-party connections and constrained security teams. The attack surface is large and difficult to manage. Least privilege access control is not a stretch goal. It is the most practical risk reduction measure available.

Food and drink manufacturing

Scotland’s food and drink sector is worth around £14 billion annually and represents one in five manufacturing jobs. It is increasingly connected through smart manufacturing, digital supply chains and process control systems, and increasingly targeted. Food and agriculture supply chains recorded 84 significant ransomware attacks in a single three-month period in 2025. A compromised account with access to production systems can cause shutdowns, spoiled inventory and supply chain failures.


Financial services

DORA is already in force, and many Scottish financial institutions face a significant gap between current maturity and regulatory expectations. Evidencing privileged access controls and third-party ICT oversight is a substantial undertaking. Regulators are paying attention.

The Root Cause: Privilege Sprawl

Across all sectors, a common issue emerges: privilege sprawl. Accounts accumulate access far beyond what they need. Service accounts created for old projects remain active. Developers receive standing admin rights that are never reviewed. Cloud workloads, automation pipelines and AI agents generate thousands of non-human identities with elevated permissions that no one is monitoring.

Attackers do not seek the most privileged account. They seek the least monitored one. One forgotten service account, one stale credential or one over-permissioned API can provide a path to everything that matters. Under the EU AI Act, AI agents and automated systems generating these identities are regulated entities. Securing them is both a security requirement and a legal obligation.

At this year’s Scot-Secure, BeyondTrust’s Field CTO James Maude will explore why fragmented tools and siloed teams make this problem difficult to solve, how visibility and control over privileged access changes the nature of a breach, and what the practical journey from point PAM to a true identity security foundation looks like across human and non-human identities, on premises and in the cloud.

Come and Talk to Us at Scot-Secure!

The regulations are live, the threat landscape in Scotland is more demanding than ever, and 26 March is an ideal opportunity to speak with people who understand your environment. 

The BeyondTrust team will be at the EICC in Edinburgh. Whether you are in financial services navigating DORA, in energy managing a converged IT and OT estate, in food and drink manufacturing protecting connected production systems, or in the public sector working through new procurement and compliance requirements, we have worked with organisations of all sizes across Scotland. We understand that the answer must fit your reality, not a textbook framework.

Come and find us. No pitch decks. No generic demos. Just an honest conversation about where you are today and what your path to Secure Identity Maturity looks like.

Book a meeting with us at the show.




