NOV 21 2025 - The Cyber Security (Jersey) Law was lodged and will be debated by the States Assembly next year.

The Cyber Security (Jersey) Law has now been lodged, and will be debated by the States Assembly – Jersey's elected parliament next year.

What is the proposed Cyber Security (Jersey) Law, and what will it mean for you?

As part of Jersey’s efforts to be cyber-resilient, the Council of Ministers agreed to establish the Jersey Cyber Security Centre. This was a key recommendation in the Island’s 2017 Cyber Security Strategy. The creation of a cyber emergency response capability was deemed integral to strengthening Jersey’s national cyber resilience and international reputation. It is also considered vital for the continued growth and development of Jersey’s economy.

The goal of the Jersey Cyber Security Centre is to prepare for, protect against, and respond to cyber attacks on Jersey. The Government has stated that Jersey Cyber Security Centre should be able to engage and communicate with industry, public bodies and the third sector as well as develop clear standards, expectations and support for cyber security risk management, control and assurance (protect against) and have the ability to monitor threats to the island and respond to significant incidents (react to). These capabilities will provide the Island with a balanced approach that reduces its cyber risk profile over time, whilst providing a proactive service to address the significant cybersecurity risks Jersey faces.

The legislation also includes provisions to bring Jersey into line with emerging international norms, including requiring Operators of Essential Services (OES) to report significant incidents to JCSC, in line with EU and UK expectations. It also, for the first time, places a general obligation on OES to operate appropriate cybersecurity controls.

To give effect to this, the draft legislation covers the following Parts:

1. Interpretation – notably key definitions
2. Establishment of Director- a statutory post to operate the JCSC
3. Objectives and Functions of the Director – explaining what the Director (and JCSC) can, should or must do.
4. Operators of Essential Services – how OES are identified and managed
5. Security Duties on Operators of Essential Services – explaining what OES need to do
6. Administrative Provisions – dealing with how the Director shares information, and what happens if people provide false information.
7. Closing Provisions – explaining how the law can be changed, and how it should be referred to.

There are then several schedules that address specific matters, such as the appointment of the Director, advisory groups to support the Director, the definition and identification of Operators of Essential Services, and the consequential amendments required to other legislation.

More information on the key sections is provided below.

Beginning section : Establishing JCSC

Parts 2 & 3: Establishing JCSC

The Jersey Cyber Security Centre (JCSC) is responsible for promoting and improving the cyber resilience of the Island’s critical national infrastructure, business communities, and citizens to reduce the risk and impact of significant cyber incidents in Jersey.​

Since 2021, it has operated within the Department for the Economy and has been funded through the Government Plan.

It is the Government’s intention for the Jersey Cyber Security Centre to function at arm’s length from regulators, law enforcement officers and government as a grant-funded body. To clarify the role of the Jersey Cyber Security Centre, legislation is needed to outline the scope of work expected of the Centre and the associated governance.

It is the policy intent that the services and functions provided by the Jersey Cyber Security Centre align with those of globally recognised national cyber emergency centres. The Jersey Cyber Security Centre is now a member of the Forum of Incident Response and Security Teams (FIRST), a global network of cyber security centres and specialists. In addition, the Jersey Cyber Security Centre has become an accredited member of the Task Force Computer Security Incident Response Team (TF-CSIRT) community.

Beginning section Operators of Essential Services

Parts 4 & 5: Operators of Essential Services

In line with many recognised global standards, organisations that meet the threshold requirements and are considered Operators of Essential Services (OES) will be required to report cybersecurity incidents. The rationale behind this is that these services are considered essential to Jersey. Mandating the reporting of cyber incidents will maintain the island's cybersecurity resilience. An Operator of an Essential Service (OES) is defined as a person (including businesses) or any other service that is essential to the infrastructure of Jersey or the maintenance of critical societal or economic activities in Jersey.

The following sectors are included in the definition:

1. Energy Sector
• Electricity subsector
• Oil/Crude oil-based fuel subsector
• Gas subsector
2. Transport Sector
• Sea transport subsector
• Air transport subsector
• Freight handling subsector
• Road transport and freight distribution subsector
3.  Financial Services Sector
• Banking subsector
4. Health Sector
• Medical Services subsector
5. Water Sector
• Drinking water supply subsector
6. Digital Sector
• Public communications subsector
• Digital service subsector
• Operator of the .je domain name subsector
• Domain name service subsector
7. Postal and Courier Service Sector
• Postal services subsector
• Couriers services subsector
• Couriers of necessary supplies subsector
8. Food Sector
• Food production subsector
• Food retail subsector
9. Public Administration
• Parishes and public bodies subsector
• Emergency services subsector

The threshold requirements that determine whether a person (including businesses) is classified as an Operator of Essential Services are set out in Schedule 3 of the law.

Beginning section Reporting an Incident as an OES

Reporting a Cyber Security Incident to the Jersey Cyber Security Centre as an OES

Suppose an organisation falls within the definition of an Operator of Essential Services. In that case, it is expected to report significant cybersecurity incidents (as defined in the Law) to the Jersey Cyber Security Centre. As a minimum, the information to be reported to the Jersey Cyber Security Centre within the first 24 hours of becoming aware of the cyber security incident must include the following:

1. The operator’s name and the essential services it provides;
2. The time and date the incident occurred;
3. The current status of the incident;
4. The threat actor, if known;
5. The duration of the incident;
6. Information about the nature and impact of the incident;
7. Information concerning any, or any likely, impact of the incident outside Jersey; and
8. Any other information that the OES considers may be helpful to Jersey Cyber Security Centre.

The Jersey Cyber Security Centre will issue detailed guidance on this before the mandatory reporting requirement comes into force.

Beginning section: Register as an OES.

Registering as an OES

When the law comes into effect, OES will be required to register. There are several benefits to being registered as an OES, including:

• Enhanced support and engagement from JCSC
• Inclusion of your cybersecurity lead in our CISO forum
• Priority access to the Jersey Cyber Shield
• Stronger engagement with the Government on Cyber Security matters
• Opportunities to participate in incident readiness exercises run by JCSC & the GoJ Emergency Planning team

In the meantime, please pre-register with JCSC here to identify yourself as a likely OES so we can consult with and engage you as the Law progresses. This also ensures you are registered for the Jersey Cyber Shield and able to access help and support from JCSC when you need it.

Beginning section Next steps

What happens next?

The next steps are as follows:

1. Law Drafters will complete a technical review of the draft legislation – completed
2. The Law will be lodged with the State's Assembly – completed 21/11/2025
3. The State Assembly will decide if they support the legislation
4. If they do, the Law will go to the Privy Council for approval
5. The Law will then be brought into effect on a date to be determined by Ministers.

Once the Law is lodged, it becomes a public document.

That will allow JCSC to consult on the implementation of the Law, and to draft and consult on supporting Guidance.

Beginning section Implementation Guidance

Implementation Guidance

As we develop advice and guidance to support implementation of the Law, we will make this available here:

• Reporting incidents to JCSC
• What to expect from JCSC
• Best Practices for Embedding Reporting to JCSC in your Incident Management Process

If you have other questions that are not answered in the current guidance, please let us know, as we are seeking to be led by the needs of industry and islanders in the guidance we produce.

Beginning section Registration, Reporting & Contact forms

OES Registration

You can tell us you expect to be an OES by completing the Cyber Shield registration here and selecting ‘yes – we expect to be an OES’. This will enrol your organisation for cyber incident support and let us know when to talk to you about OES requirements as the Law is rolled out. Please note that this does not determine whether you will be an OES. Nor does it discharge any future obligations. It simply ensures you have access to JCSC’s support when you need it, and flags that we should include you in discussions as we progress.

• Register for Jersey Cyber Shield as a potential OES.

Sharing incident information with JCSC

You can now share incidents with JCSC, and you do not need to be an OES to do so. The best way to report an incident is to complete the reporting form, but you can also email us, call us, or talk to a member of the team. If you need help, we recommend calling us on 01534 500 050 and completing the incident form with the key details. This will help us to respond quickly.

• Incident reporting form

Obtaining guidance and support from JCSC

As we develop advice and guidance to support implementation of the Law, we will make this available here. However, we recognise that organisations will have different questions and support needs. If you would like to talk to us about the Cyber Law, or obtain  support and guidance on any aspect of cyber security, you can arrange a meeting with us here:

• Arrange an advice or support meeting

SOURCE

https://www.linkedin.com/posts/certjersey_were-pleased-to-announce-that-the-cyber-activity-7397685653309784064-VXP8?utm_source=share&utm_medium=member_ios&rcm=ACoAAAA_6EIB0wPAWyjQcuq_XiD3asUV8xpMeZ0