Cybersecurity regulation in Jersey (2026)

The Cyber Security (Jersey) Law 202- was approved unanimously by the States Assembly on 22 January 2026. It is Jersey's first dedicated cybersecurity statute and awaits Privy Council approval before formal commencement, expected summer 2026.

The Law grants statutory status to the Jersey Cyber Security Centre (JCSC), creating an operationally independent Director role appointed by the Minister for Sustainable Economic Development, Technical Advisory Councils (TACs), and formalises the JCSC as Jersey's CSIRT and Single Point of Contact (SPOC).

Entities across ten sectors — energy, water, transport, food, postal, health, telecoms, digital, financial services, and public administration — that meet sector-specific thresholds must register with JCSC and implement proportionate, risk-based cybersecurity measures.

OES must report significant cyber incidents to JCSC within 24 hours of becoming aware that an incident qualifies as significant. Non-compliance carries civil penalties of up to £10,000; providing false or misleading information attracts criminal sanctions.

Independent of the new law, the JFSC's Codes of Practice require all registered persons to document and proportionately mitigate cyber risks and to notify the JFSC of any incident that could materially affect their registration or client interests.

The Data Protection (Jersey) Law 2018 separately requires all organisations to notify the Jersey Office of the Information Commissioner in writing of personal data breaches, operating alongside the new OES incident-reporting regime.