Cybersecurity regulation in Jamaica (2026)

The foundational legislation criminalises unauthorised access, modification, and interception of computer systems, cyberstalking, fraud, malware distribution, and denial-of-service attacks. The Cybercrimes (Amendment) Act 2026, passed by both Houses of Parliament by May 2026, introduced harsher penalties for offences targeting minors (up to 20 years imprisonment), criminalised the manufacture/distribution of cyberattack tools, and expanded victim-compensation provisions.

The Data Protection Act 2020 became fully enforceable on 1 December 2023. Data controllers must notify the Office of the Information Commissioner (OIC) within 72 hours of becoming aware of a security breach that affects or may affect personal data, and must also notify affected data subjects without undue delay. Technical and organisational safeguards against unauthorised or unlawful processing are mandatory.

Established in December 2021 as the independent supervisory authority under the DPA, the OIC receives data-breach notifications from data controllers and oversees compliance with data-protection and security obligations. It is the primary enforcement body for the breach-notification regime.

JaCIRT, a division of the Ministry of Science, Energy and Technology, is the national cybersecurity coordination authority established under the 2015 National Cybersecurity Strategy. It coordinates responses to cyber threats across public and private sectors, develops cybersecurity standards and policies especially for government agencies and critical national infrastructure, and monitors compliance with those standards.

The 2015 National Cybersecurity Strategy remains the overarching policy framework, and Jamaica marked a decade of progress in 2025. The Inter-American Development Bank approved a US$6.5 million loan (plus US$3.5 million counterpart, total US$10 million) to modernise cybersecurity governance, enhance incident-response capabilities, and expand specialised professionals, pointing toward a potential future uplift of the legal framework.

Jamaica does not yet have a dedicated, comprehensive cybersecurity statute imposing sector-wide security obligations, mandatory incident reporting to a cyber authority, or baseline resilience requirements comparable to the EU's NIS2 Directive. Security obligations for non-personal-data incidents and for critical-infrastructure operators rely on JaCIRT guidance rather than binding statutory requirements.