Legislature Passes Landmark Cybersecurity Bill

Key Takeaways

  • The States Assembly has approved the draft Cyber Security (Jersey) Law, which aims to increase the Island’s protection against cyber security threats.
  • The Law establishes new requirements for Operators of Essential Services (OES) to protect themselves against cyber security incidents and report significant incidents to the Jersey Cyber Security Centre (JCSC).
  • The Law sets out a requirement for JCSC to operate at arm’s length from regulators, law enforcement, and Government, and to produce annual reports on its activity.
  • Organisations that meet specific thresholds for their sector will be required to register as an OES, put in place cyber security measures, and report significant cyber incidents to JCSC.
  • JCSC will work with OES to develop standards and guidance ahead of the Law coming into force, and will hold sector-specific workshops to support OES.

Introduction to the Cyber Security Law
The States Assembly has recently approved legislation that will enhance the Island’s protection against cyber security threats. The draft Cyber Security (Jersey) Law, which is expected to come into effect in 2026 pending Privy Council approval, places new requirements on Operators of Essential Services (OES) to protect themselves against cyber security incidents. This Law is a significant step towards improving the Island’s cyber resilience and ensuring the security of its essential services. The Law will have a major impact on organisations that are classed as OES in a range of sectors, including energy, water, transport, food production and retail, postal and courier services, health, telecommunications, public communications, financial services, and public administration.

Requirements for Operators of Essential Services
Organisations that meet specific thresholds for their sector will be required to register as an OES with the Jersey Cyber Security Centre (JCSC), put in place appropriate cyber security measures, and report any significant cyber incidents to JCSC within 24 hours of becoming aware of them. This will include providing key information about the incident, which will help JCSC to respond effectively and mitigate the impact of the incident. The Law also sets out a requirement for JCSC to operate at arm’s length from regulators, law enforcement, and Government, and to produce annual reports on its activity. This will ensure that JCSC can operate independently and effectively, while also providing transparency and accountability.

Role of the Jersey Cyber Security Centre
The Jersey Cyber Security Centre (JCSC) will play a crucial role in supporting OES to develop standards and guidance ahead of the Law coming into force. JCSC will work with OES to help shape these standards at a series of sector-specific workshops, which will take place between 6 February and 26 February. These workshops will provide an opportunity for OES to engage with JCSC and provide input on the development of standards and guidance that are appropriate for Jersey organisations. The Director of JCSC, Matt Palmer, has encouraged organisations that believe they may be an OES to check the thresholds in the Law and attend a workshop for their sector. This will ensure that OES are well-prepared for the implementation of the Law and can take steps to protect themselves against cyber security threats.

Development of the Law
The draft Cyber Security (Jersey) Law has been developed over some time, which has allowed the Government to work in partnership with affected sectors and ensure that the Law reflects the existing regulatory landscape. Deputy Moz Scott, Assistant Minister for Sustainable Economic Development, who led on the development of the Law, has expressed his pleasure that the States Assembly has approved the draft Law. He believes that the Law sets a good direction of travel and improves safeguards for the Island’s services and community. The approval of the Law is a significant landmark for the Island, and for JCSC, and will help to improve the cyber resilience of the Island’s key services.

Implementation and Next Steps
The implementation of the Law will require OES to take steps to protect themselves against cyber security threats and to report significant incidents to JCSC. JCSC will work closely with OES to support them in this process and to develop standards and guidance that are appropriate for Jersey organisations. The sector-specific workshops will provide an opportunity for OES to engage with JCSC and to provide input on the development of standards and guidance. The Law is expected to come into effect in 2026, pending Privy Council approval, and will provide a significant boost to the Island’s cyber security capabilities. Overall, the approval of the draft Cyber Security (Jersey) Law is a positive step towards improving the Island’s cyber resilience and protecting its essential services from cyber security threats.
