Skip to content
World Watch/Jersey/Cybersecurity

Cybersecurity ยท Jersey

Cybersecurity law & regulation in Jersey (2026)

Comprehensive lawCyber Security (Jersey) Law 202- (passed by States Assembly 22 January 2026, pending Privy Council assent, commencement expected summer 2026); Jersey Cyber Security Centre (JCSC) as national authority; Jersey Financial Services Commission (JFSC) Codes of Practice for registered financial-services firmsCountry index 79 ยท B+

Jersey shaded by its cybersecurity status

Cybersecurity in Jersey: comprehensive law, anchored by Cyber Security (Jersey) Law 202- (passed by States Assembly 22 January 2026, pending Privy Council assent, commencement expected summer 2026); Jersey Cyber Security Centre (JCSC) as national authority; Jersey Financial Services Commission (JFSC) Codes of Practice for registered financial-services firms.

Jersey's States Assembly unanimously enacted the Cyber Security (Jersey) Law on 22 January 2026, the island's first standalone cybersecurity statute, establishing the JCSC as the national cybersecurity authority and imposing mandatory obligations on Operators of Essential Services (OES) across ten sectors. The law awaits Privy Council approval before commencement, expected in summer 2026. Pre-existing JFSC Codes of Practice already impose proportionate cyber risk-management duties on all registered financial-services firms.

Key points

Comprehensive cyber law enacted

The Cyber Security (Jersey) Law 202- was approved unanimously by the States Assembly on 22 January 2026. It is Jersey's first dedicated cybersecurity statute and awaits Privy Council approval before formal commencement, expected summer 2026.

JCSC as statutory national authority

The Law grants statutory status to the Jersey Cyber Security Centre (JCSC), creating an operationally independent Director role appointed by the Minister for Sustainable Economic Development, Technical Advisory Councils (TACs), and formalises the JCSC as Jersey's CSIRT and Single Point of Contact (SPOC).

Operators of Essential Services (OES)

Entities across ten sectors, energy, water, transport, food, postal, health, telecoms, digital, financial services, and public administration, that meet sector-specific thresholds must register with JCSC and implement proportionate, risk-based cybersecurity measures.

Mandatory 24-hour incident reporting

OES must report significant cyber incidents to JCSC within 24 hours of becoming aware that an incident qualifies as significant. Non-compliance carries civil penalties of up to ยฃ10,000; providing false or misleading information attracts criminal sanctions.

JFSC sectoral cyber obligations (pre-existing)

Independent of the new law, the JFSC's Codes of Practice require all registered persons to document and proportionately mitigate cyber risks and to notify the JFSC of any incident that could materially affect their registration or client interests.

Data Protection breach notification (parallel regime)

The Data Protection (Jersey) Law 2018 separately requires all organisations to notify the Jersey Office of the Information Commissioner in writing of personal data breaches, operating alongside the new OES incident-reporting regime.

Jersey - other topics

Cybersecurity in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’