Draft Cyber Law consultation results released

Draft Cyber Law consultation results released

The results of the second consultation on the draft Cyber Security (Jersey) Law 202- have been released. The consultation responses have been used to inform the final draft of the Law, which should be debated by the States Assembly later this year.

If it is approved, the Cyber Security (Jersey) Law will enhance the Island’s cyber resilience by establishing Jersey Cyber Security Centre (JCSC) as an organisation accountable to the Minister for Sustainable Economic Development, Deputy Kirsten Morel.

The Law will define the remit and functions of JCSC, including:

  • monitoring and scanning public information systems and networks to identify threats and vulnerabilities
  • taking necessary action to resolve threats and vulnerabilities
  • raising awareness of cyber threats and how to respond to them
  • promoting the sharing of cyber security information in Jersey
  • representing the Island internationally on cyber security issues

The Law will also require organisations defined as Operators of Essential Services (OES) to report significant cyber incidents to JCSC.

Several changes have been introduced to the Law following the consultation, which took place between March and April 2024. The definition of OES has been updated and now includes the following sectors: energy, transport, banking, health, water, digital, postal and courier services, food and public administration.

The financial services subsector is no longer defined as an OES: the Government of Jersey and JCSC will work with the financial services subsector on an updated definition before it is defined in the Law as an OES.

In addition, reporting requirements have been amended in line with consultation feedback. Organisations will now be required to report a significant cyber incident 48 hours after they establish that it is significant: this has been reduced from 72 hours in earlier drafts of the Law. However, OES will no longer be required to notify their service or network users if they are affected by a cyber incident.

The planned rollout of the Law has also been revised. The parts of the Law that place extra requirements on OES will come into force up to three months after the Law comes into effect. In addition, JCSC will develop additional guidance for OES to help them meet their new legal requirements. This will be developed in consultation with the affected sectors.

Minister for Sustainable Economic Development, Deputy Kirsten Morel, said: “There was a fantastic response to the consultation, and I sincerely thank all those who took time to attend a briefing or respond.

“Cyber security is simply not an issue that Jersey can ignore: recently we have seen this clearly, where a global IT outage led to significant disruption for GP surgeries, pharmacies and retailers.

“The draft Law clearly sets out how Jersey will identify and address cyber risks, through JCSC. It also identifies areas of greatest financial and reputational risk for the Island and introduces requirements to address these risks.

“Alongside the planned review of the 2017 Cyber Security Strategy, the Law will improve Jersey’s overall cyber resilience and help protect the Island against ever-increasing threats.”

Matt Palmer, Director of Jersey Cyber Security Centre said: “We are delighted with the support we have received and the clear recognition by industry that this legislation is essential to protect Islanders, our services, and our economy. We received responses from a wide range of industries and organisations, and the feedback we received was incisive and thorough.

“Over the last three months, we have been working closely with Government of Jersey to collate the feedback we received, and integrate it into the final draft of Cyber (Jersey) Law. Our aim is that the Law will come into force in 2025, and provide Island organisations with clarity on their obligations, and reporting requirements.”

To read the consultation response in full, visit the Government of Jersey website.