The Cyber Security Law is one step closer

Find out what's changing, and how you'll need to prepare

November 27, 2025 • Estimated Reading Time: 3 minutes

Dear reader,

I’m pleased to let you know that the draft Cyber Security (Jersey) Law has been lodged with the States Assembly, and is due to be debated in January. The Law is being lodged alongside a new Cyber Security Framework, which replaces the 2017 Cyber Security Strategy and sets out what Jersey needs to do to raise its cyber resilience.

If approved by the States Assembly when it is debated, the Law will come into effect in 2026 and will:

  • introduce new requirements for organisations that provide essential services, known as Operators of Essential Services (OES);

  • clarify the relationship between Jersey Cyber Security Centre and the Government of Jersey

Once the Law comes into force, it will require OES to report significant cyber security incidents to JCSC within 24 hours of becoming aware of them. They will also have to register with us as an OES, and put in place proportionate cyber security measures.

What the lodged version of the Law does:

  • provides definitions and thresholds for OES is different subsectors

  • clarifies key terms to make it easier for OES to understand what they need to do under the Law

  • describes the types of incidents that OES must report to JCSC

  • explains what information needs to be included in reports to JCSC

  • gives JCSC power to issue guidance and standards for organisations

The Law also sets out the relationship between JCSC and Government: while we will remain part of Government, we will continue to act at arms’ length, as we are designed to do.

Here’s what the lodged version of the Law does not do:

  • give JCSC powers to act as a regulator

  • give JCSC powers to issue fines or notices

  • merge IT systems and data between JCSC and Government (these will remain segregated)

We’ll be in touch shortly with more information for OES, including when you can join workshops to help us develop the guidance and standards. In the meantime if you think you may be an OES, you can:

  • Check the thresholds listed in Schedule 3 in the lodged version of the Law to see if your organisation is an OES

  • Contact us if you aren’t sure whether your organisation is an OES

  • Stay up to date with our Eventbrite pages and social media channels, where we’ll share the dates and locations of the upcoming guidance workshops

For the full press release visit our website.
You can also visit jcsc.je/cyberlaw for more information on the Law.

Matt