Jersey Cyber Security Law Passed: What Organisations Need to Know and How to Prepare

Jersey’s new Cyber Security Law has now been approved by the States Assembly, introducing new legal obligations for organisations providing essential services across the island.

The legislation is designed to strengthen Jersey’s cyber resilience and improve the reporting and management of cyber security incidents. With the law expected to come into force later this year, affected organisations should begin preparing now.

This article outlines who the law applies to, what it requires, and how we support organisations in taking practical steps towards compliance.

What is the Jersey Cyber Security Law?

The Cyber Security Law establishes a formal framework for managing cyber risk in Jersey. It makes the Jersey Cyber Security Centre (JCSC) the national authority responsible for issuing cyber security guidance, standards, and oversight.

Under the law, organisations deemed critical to the island’s infrastructure must implement proportionate cyber security measures and report significant incidents within a defined timeframe.

Who does the law apply to?

The law applies to organisations classified as Operators of Essential Services (OES). These are organisations that deliver services critical to the functioning of the island, including:

• Financial services and digital service providers

• Healthcare organisations, including GP practices

• Energy, water, and utility providers

• Transport, food production, and retail supply chains

• Telecommunications and public communications providers

If your organisation operates in one of these sectors, the Cyber Security Law is likely to apply to you.

While not all businesses fall directly within scope, the law sets a clear benchmark for cyber security best practice across Jersey and is relevant to organisations of all sizes.

What are the key requirements?

1. Implementing appropriate and proportionate cyber security measures

Organisations must take steps that are appropriate and proportionate to their size, risk profile, and the services they provide.

In practical terms, this includes:

• Identifying and assessing cyber security risks

• Implementing controls to reduce those risks

• Maintaining secure and resilient systems

• Regularly reviewing and updating security measures

This is not about adopting the most complex tools, but about demonstrating a clear, documented, and risk-based approach to cyber security.

2. Reporting significant cyber security incidents

Under the law, organisations must report any significant cyber security incident to the JCSC within 24 hours of becoming aware of it.

Having a defined incident response plan in place is essential to meeting this requirement. Without clear roles, processes, and escalation paths, organisations may struggle to respond effectively during an incident.

Why the Jersey Cyber Security Law matters

Cyber threats continue to increase in frequency and sophistication. As highlighted during the States debate, a single vulnerability can lead to serious operational disruption, financial loss, and reputational damage.

Once in force, organisations that fail to comply with the law may face financial penalties of up to £10,000. However, the greater risk is often the impact of an unmanaged or poorly handled cyber incident.

Preparing early allows organisations to reduce risk, improve resilience, and avoid reactive decision-making under pressure.

How OneCollab can help organisations prepare

At OneCollab, we support organisations in understanding and applying cyber security in a practical, business-focused way.

Our cyber security services include:

• Assessing current systems and processes against JCSC guidance

• Identifying gaps and prioritising remediation actions

• Developing and testing incident response plans

• Training staff to reduce human-related cyber risks

Our approach focuses on building cyber resilience that works in day-to-day operations — not just compliance on paper.

Preparing for the law coming into force

With the Cyber Security Law expected to come into force later this year, now is the right time to assess your organisation’s readiness.

Whether you are directly impacted as an Operator of Essential Services or want to align with Jersey cyber security best practice, early preparation will put you in a stronger position.

If you would like to sense-check your current approach or discuss how the law applies to your organisation, please contact OneCollab today.