Jersey - The results of the second consultation on the draft Cyber Security (Jersey) Law have been published.

The consultation responses have been used to inform the final draft of the Law, which should be debated by the States Assembly later this year. If approved, the Cyber Security (Jersey) Law will enhance the Island’s cyber resilience by establishing Jersey Cyber Security Centre (JCSC) as an organisation accountable to the Minister for Sustainable Economic Development [currently:- Deputy Kirsten Morel]

Examples of amendments to the Cyber Security (Jersey) Law 202[-] because of feedback are as follows:-

1. Updated definitions in Part 1, to include revised ‘cyber’ definitions and refined definitions of ‘public administration’;
2. The definition of OES has been updated and now includes the following sectors:
• Energy, transport, banking, health, water, digital, postal and courier services, food, and public administration.
3. The financial services subsector is no longer defined as an OES:
• The Government of Jersey and JCSC will work with the financial services subsector on an updated definition before it is defined in the Law as an OES.
4. Incident reporting timeframe to be a maximum of 48 hours after determining the incident is significant.
• Reporting requirements have been amended in line with consultation feedback. Organisations will now be required to report a significant cyber incident 48 hours after they establish that it is significant: this has been reduced from 72 hours in earlier drafts of the Law.
• However, OES will no longer be required to notify their service or network users if they are affected by a cyber incident.
5. Refinement of the definition of Operator of Essential Service used in Article 24;
6. Removal of the financial services subsector from Operators of Essential Services, to work with industry on a suitable definition and threshold limits before being included.
7. Key Regulators explicitly included as Operators of Essential Services.
8. Removal of Article 32 which required the Operators of Essential Services to notify all impacted service users or network users of incidents.
• The Law will require organisations defined as Operators of Essential Services (OES) to report significant cyber incidents to JCSC.
9. Clarification of governance arrangements to ensure effectiveness and to be appropriate and proportionate to the size and scale of the Office of the Commissioner for Cyber Security.
10. Information sharing gateways have been clarified to ensure reporting to Jersey Cyber Security Centre does not contravene any other legal obligations an organisation may have.

GUIDANCE

• JCSC will develop additional guidance for OES to help them meet their new legal requirements. This will be developed in consultation with the affected sectors.

The Law will define the remit and functions of JCSC, including:

1. Monitoring and scanning public information systems and networks to identify threats and vulnerabilities.
2. Taking necessary action to resolve threats and vulnerabilities.
3. Raising awareness of cyber threats and how to respond to them.
4. Promoting the sharing of cyber security information in Jersey
5. Representing the Island internationally on cyber security issues

The planned rollout of the Law has also been revised.

• The parts of the Law that place extra requirements on OES will come into force up to three months after the Law comes into effect.

To read the consultation response in full, visit the Government of Jersey website.

• https://www.gov.je/md/MDAttachments/Economic%20Development,%20Tourism,%20Sport%20and%20Culture/Decisions%20in%202024/MD-SED-2024-541%20Cyber%20Security%20Law%20-%20consultation%20response.pdf

Sources

• https://jcsc.je/latest/news/draft-cyber-law-consultation-results-released/
• https://www.gov.je/md/MDAttachments/Economic%20Development,%20Tourism,%20Sport%20and%20Culture/Decisions%20in%202024/MD-SED-2024-541%20Cyber%20Security%20Law%20-%20consultation%20response.pdf
• https://www.linkedin.com/posts/certjersey_draft-cyber-law-consultation-results-released-activity-7222177724067373056-VV5a?utm_source=share&utm_medium=member_ios