Skip to main content

Cyber Security (Jersey) Law: An overview

Jun 4, 2026

Advisory
Shades of blue —light, medium, and dark—displayed curves and waves

On 22 January 2026, the States Assembly adopted the Cyber Security (Jersey) Law (the Law), marking a significant step in formalising Jersey’s cyber resilience framework. The Law received Privy Council approval on 3 June 2026 and, once in force, will introduce mandatory cyber security obligations for certain organisations operating in the Island. 

In particular, the Law establishes the statutory role of the Jersey Cyber Security Centre (JCSC) as both an advisory body and an incident response authority, while introducing a regulatory framework for operators of essential services (OES), broadly aligned with equivalent regimes in the UK and EU. 

This briefing outlines the key features of the Law and its practical implications. 

Scope and application 

The Law applies to entities designated as OES. An “essential service” is defined by reference to Schedule 3 of the Law and includes certain financial services activities.

Within the financial services sector, those undertaking deposit-taking business requiring registration under Part 2 of the Banking Business (Jersey) Law 1991 (BBJL) will be designated as an OES. 

Importantly, there is no additional threshold test. Where an entity is registered with the Jersey Financial Services Commission under the BBJL, it will automatically fall within scope as an OES. 

As a result, all registered banks operating in or from within Jersey will be subject to the new regime. 

Core obligations for operators of essential services 

The Law introduces a series of ongoing obligations for OES, focused on cyber risk management, incident reporting and regulatory oversight. 

Notification requirements 

OES must notify the Minister that they are in scope of the regime, including providing key contact details. This obligation arises once the relevant provisions of the Law come into force. 

Duty to implement cyber security measures 

OES are required to take appropriate and proportionate measures to manage cyber risk across systems supporting their essential services. This includes ensuring the ability to: 

  • identify cyber threats 
  • reduce the likelihood of incidents 
  • prepare for and mitigate the impact of incidents 
  • maintain continuity of services 

These measures must achieve a level of security of network and information systems commensurate with the risks faced. 

In practice, this concept extends to maintaining the confidentiality, integrity, availability, authenticity and non-repudiation of systems and data. 

Guidance on the application of these requirements is expected to be issued by the Director of the JCSC. 

Ministerial powers to require specific measures 

The Minister is empowered to direct an OES to implement specific cyber security measures where considered appropriate and proportionate.

Any such direction will follow consultation with the JCSC and relevant regulators. Importantly, these directions supplement rather than replace the underlying obligation to maintain appropriate cyber security controls. 

Incident notification obligations 

OES must notify the Director of the JCSC of any cyber incident that has had, or is likely to have, a significant impact on: 

  • the resilience of their systems, or 
  • the essential service they provide 

In determining whether an incident is significant, OES must take into account factors such as the number of users affected, duration and geographical scope. 

Notifications must be made as soon as reasonably practicable and, in any event, within 24 hours of the OES becoming aware of the incident. Reports must include key details relating to the nature, timing and impact of the incident, including any cross-border effects. 

Direction following cyber incidents 

Following a significant incident, the Minister may direct an OES to take specific remedial or mitigating measures. Any such direction must be proportionate and targeted at preventing or addressing the impact on essential services. 

Enforcement 

Non-compliance with the Law may result in: 

  • civil penalties of up to approximately £10,000, and 
  • potential criminal liability where false or misleading information is provided 

Practical impact for banks 

For many EU or UK-headquartered banks, the core principles underpinning the Law will be familiar. 

Existing EU or UK regulatory frameworks already require firms to identify critical services, test resilience and embed governance around operational disruption. As a result, many institutions will already have a strong baseline in place. 

However, the Jersey regime introduces some additional considerations: 

  • a formal statutory requirement to maintain cyber security controls aligned with the specific definition of 'security of network and information systems' 
  • mandatory reporting of significant cyber incidents within a defined timeframe 
  • the potential for direct intervention by the Minister or JCSC, including prescribed technical or operational measures

Banks will therefore need to ensure that their existing cyber resilience frameworks can be clearly mapped against the statutory requirements of the Law and adapted where necessary to reflect local regulatory expectations. 

Next steps 

Although the Law is not yet in force, in-scope entities should begin preparing now. In particular, firms may wish to:

  • confirm whether they fall within the definition of an OES 
  • review existing cyber security frameworks against the statutory requirements 
  • assess incident detection and reporting procedures, including the ability to meet the 24-hour notification requirement 
  • consider governance arrangements and escalation pathways in a Jersey context 

Authors

Key contacts

Get in touch with our team

Get the latest insights and expertise in your inbox 

Sign up