Cyber Security (Jersey) Law 202-


Article

Interpretation

1             Interpretation

Jersey Cyber Security Centre

2             Administration of cyber security

3             Operational independence of Director

4             Technical Advisory Councils (TACs)

5             Advice provided by TAC

6             Codes of conduct

7             Powers of Minister in relation to JCSC

8             Accounts and annual report

9             Strategic plan

10           Annual assessment of funding by Minister

11           Independence of JCSC IT systems

Objectives and functions

12           Objectives of Director

13           Functions of JCSC: SPOC

14           Functions of JCSC: CSIRT

15           Functions of Director: general

16           Discharge of Director’s functions by another person

17           Duty to issue guidance in relation to cyber security

18           Power to set or adopt cyber security standards

19           Power to assist in investigations

20           Power to provide cyber security services to States of Guernsey

21           Power to amend this Part by Regulations

Operators of essential services

22           Designation of OES

23           Information notices

24           Person outside Jersey may be designated as OES

25           OES: authorised person to act in Jersey

26           Review and revocation of OES designation

27           Right of appeal in relation to designation as OES

Security duties on operators of essential services

28           Interpretation of Articles 29 to 32

29           Duty to take security measures

30           Duty to take specified security measures

31           Duty to notify Director of cyber incidents

32           Duty to take specified security measures in response to cyber incidents

33           Directions under this Part

34           Guidance in relation to this Part

35           Power to amend this Part by Regulations

Enforcement

36           Power of Minister to impose civil financial penalties on OES

37           Appeal against imposition of penalty

38           Contravention by government service

39           Offence: false or misleading information

Information sharing and Closing provisions

40           Information sharing

41           Power to amend this Law by Regulations

42           Transitional provisions

43           Consequential amendments

44           Citation and commencement

Director of Jersey Cyber Security Centre

1             Appointment and tenure of Director

2             Termination of appointment of Director

3             Disqualification for appointment, restrictions and exceptions

Constitution of TAC

1             Application of Schedule 2

2             Constitution of TAC

3             Appointment of members

4             Disqualification for appointment

5             Code of conduct

6             Revocation of appointment

7             Remuneration of members

Essential services, threshold requirements and conditions

Part 1

Energy sector

1             Electricity subsector

2             Crude oil based fuel subsector

3             Gas subsector

Part 2

Transport sector

4             Sea transport subsector

5             Air transport subsector

6             Freight handling subsector

7             Road transport and freight distribution subsector

Part 3

Financial services sector

8             Banking subsector

Part 4

Health sector

9             Medical services subsector

Part 5

Water sector

10           Drinking water supply subsector

Part 6

Digital sector

11           Public communications subsector

12           Digital services subsector

13           Operator of the .je domain name subsector

14           Domain name services subsector

Part 7

Postal and courier services sector

15           Postal service subsector

16           Courier services subsector

17           Couriers of necessary supplies subsector

Part 8

Food sector

18           Food production subsector

19           Food retail subsector

Part 9

Public administration sector

20           Parishes and public bodies subsector

21           Emergency services subsector

Consequential amendments

1             Computer Misuse (Jersey) Law 1995

2             Data Protection (Jersey) Law 2018

3             Emergency Powers and Planning (Jersey) Law 1990

4             Freedom of Information (Jersey) Law 2011

5             Telecommunications (Jersey) Law 2002

 



Cyber Security (Jersey) Law 202-

A LAW to provide for the establishment and functions of the Jersey Cyber Security Centre, and for connected purposes.

Adopted by the States: 22 January 2026

Sanctioned by Order of His Majesty in Council: [date to be inserted]

Registered by the Royal Court: [date to be inserted]

Coming into force: [date to be inserted]

THE STATES, subject to the sanction of His Most Excellent Majesty in Council, have adopted the following Law –

Part 1

Interpretation

1        Interpretation

(1)     In this Law –

“CSIRT” has the meaning given in Article 14(1);

“CSIRTs network” means the network established under Article 12(1) of the NIS Security Directive;

“cyber attack” means malicious or unauthorised activity that attempts to collect, disrupt, deny, degrade, destroy or reduce confidence in network and information systems or operational technology or the information held in or processed through those systems or technology;

“cyber incident” means an event that –

(a)     arises from a cyber threat, whether accidental or malicious;

(b)     involves unauthorised access or attempted unauthorised access to an organisation’s network and information systems or operational technology, whether accidental or malicious;

(c)     compromises the confidentiality, integrity, availability, authenticity or non-repudiation of –

(i)      network and information systems or operational technology;

(ii)      information held in or processed through those systems or that technology;

(iii)     the users of those systems or that technology; or

(iv)     another person; and

(d)     has a negative impact on the cyber security of those systems, that technology, that information or that other person;

“cyber resilience” means the capacity of a person to –

(a)     prepare for, protect against, detect, respond to or recover from a cyber threat in order to ensure the confidentiality, integrity, availability, authenticity or non-repudiation of network and information systems or operational technology and information held in or processed through those systems or that technology; and

(b)     protect network and information systems or operational technology, the users of those systems or that technology, and other persons from loss, disruption or harm;

“cyber security” means the activity undertaken –

(a)     to prepare for, protect against, detect, respond to or recover from a cyber threat in order to ensure the confidentiality, integrity, availability, authenticity or non-repudiation of network and information systems or operational technology and information held in or processed through those systems or that technology; and

(b)     to protect network and information systems or operational technology, the users of those systems or that technology, and other persons from loss, disruption or harm;

“cyber threat” means an actual or potential circumstance or event –

(a)     involving compromise of the confidentiality, integrity, availability, authenticity or non-repudiation of –

(i)      network and information systems or operational technology;

(ii)      information held in or processed through those systems or that technology;

(iii)     the users of those systems or that technology; or

(iv)     another person; and

(b)     having the potential to have a negative impact on the cyber security of those systems, that technology, that information or that other person;

“Director” means the person appointed by the Minister as director of the JCSC under Article 2;

“electronic communications network” means –

(a)     a transmission system to convey, by the use of electrical, magnetic or electro-magnetic energy, signals of any description;

(b)     any of the following that are used, by the person providing the system and in association with it, to convey the signals –

(i)      apparatus comprised in the system;

(ii)      apparatus used for the switching or routing of the signals;

(iii)     software and stored data;

(iv)     other resources, including network elements that are not active;

“electronic communications service” means a service of 1 or more of the following types provided by means of an electronic communications network, except so far as it is a content service –

(a)     an internet access service;

(b)     a number-based interpersonal communications service; and

(c)     another service consisting of, or having as its principal feature, the conveyance of signals, such as a transmission service used for machine-to-machine services;

“essential service” means –

(a)     the services specified in Schedule 3; or

(b)     a service that is essential for –

(i)      the infrastructure of Jersey;

(ii)      the maintenance of critical societal or economic activities in Jersey; or

(iii)     the maintenance of the reputation of Jersey;

“financial year” means the period beginning with the day on which this Law comes into force and ending with 31 December of that year, and each subsequent period of 12 months ending with 31 December;

“government service” means –

(a)     a Minister; or

(b)     an organisational entity that discharges the functions of a Minister;

“Information Commissioner” means the person appointed under Article 5 of the Data Protection Authority (Jersey) Law 2018;

“JCRA” means the Jersey Competition Regulatory Authority established under Article 2 of the Competition Regulatory Authority (Jersey) Law 2001;

“JCSC” means the Jersey Cyber Security Centre appointed under Article 2;

“JFSC” means the Jersey Financial Services Commission established under Article 2 of the Financial Services Commission (Jersey) Law 1998;

“Minister” means the Minister for Sustainable Economic Development;

“network and information system” means –

(a)     an electronic communications network;

(b)     a device or group of interconnected or related devices, of which at least 1 performs automatic processing of digital data under a program; or

(c)     digital data stored, processed, retrieved or transmitted by the network or device for the purposes of the operation, use, protection and maintenance of the network or device;

“NIS Security Directive” means Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union (OJ L 333, 27.12.2022, p.80);

“OES” means an operator of essential services, as defined in Article 22(1);

“operational technology” means technology that interfaces with the physical world and includes –

(a)     industrial control systems;

(b)     supervisory control and data acquisition; and

(c)     distributed control systems;

“public administration” means –

(a)     a person or body listed in paragraph 20 or 21 of Schedule 3; or

(b)     a government service;

“Public Finances Law” means the Public Finances (Jersey) Law 2019;

“publish” means publish in the manner that the Minister considers likely to bring it to the attention of the persons affected;

“SPOC” means a single point of contact for cyber security;

“States of Jersey Police Force” means the police force continued in being by Article 2 of the States of Jersey Police Force Law 2012;

“TAC” means a Technical Advisory Council established under Article 4.

(2)     The Minister may by Order amend this Article to make alternative or supplementary provision in relation to the definitions of expressions used in this Law.

Part 2

Jersey Cyber Security Centre

2        Administration of cyber security

(1)     The Minister must appoint the JCSC as an authority for cyber security in Jersey.

(2)     The Minister must appoint the Director.

(3)     The Director and the employees of the JCSC are States’ employees within the meaning of Article 2 of the Employment of States of Jersey Employees (Jersey) Law 2005, and a States’ employee provided to the JCSC under Article 10 of this Law who performs a function under the Director’s direction is treated as an employee of the JCSC.

(4)     The Director may delegate a function under this Law to the JCSC, but the delegation does not –

(a)     affect the responsibility of the Director for the discharge of the function; or

(b)     prevent the discharge of the function by the Director personally.

(5)     The Director or the Minister must delegate the Director’s functions under this Law to a specified employee of the JCSC if the Director –

(a)     is absent from Jersey; or

(b)     is otherwise unable to discharge their functions.

(6)     Schedule 1 makes further provision in respect of the Director.

(7)     The States may amend Schedule 1 by Regulations made under Article 41.

3        Operational independence of Director

Other than under Article 5(4) or 7, the Director, or a person discharging or performing a function of the Director, must not be directed on how a function of the Director or the JCSC is to be carried out.

4        Technical Advisory Councils (TACs)

(1)     The Minister or the Director may establish TACs to advise the Director on matters that relate to –

(a)     the Director’s responsibilities or functions under this Law;

(b)     cyber security in Jersey; or

(c)     cyber security matters outside Jersey that may affect Jersey.

(2)     The Director must obtain the Minister’s approval in writing before establishing a TAC.

(3)     The terms of reference for each TAC must –

(a)     contain the specific areas of cyber security for which that TAC is responsible; and

(b)     be published on the JCSC website no later than 3 months after the TAC is established.

(4)     But the terms of reference for a TAC must not be published if, in the opinion of the Director, their publication would jeopardise national security.

(5)     Schedule 2 makes further provision in relation to TACs.

5        Advice provided by TAC

(1)     A TAC must provide advice when requested by the Director to do so.

(2)     The advice must be provided to the Minister and the Director in accordance with the terms of reference for that TAC.

(3)     If the Director decides not to follow the advice –

(a)     the Director must give reasons, in writing, to the Minister and the TAC; and

(b)     the TAC may provide the advice and the Director’s reasons to the Minister if the TAC considers that the Director’s decision is –

(i)      erroneous; and

(ii)      not in the interests of Jersey.

(4)     After considering the TAC’s advice and the Director’s reasons not to follow that advice, the Minister may order the Director to act in accordance with the advice.

(5)     If the Director considers that publication of the advice is in the public interest, the Director may use the advice to produce guidance under Article 17 or 34.

6        Codes of conduct

(1)     The Director must, no later than 3 months after the Director’s appointment, produce and publish on the JCSC website –

(a)     a code of conduct for employees of the JCSC (the “JCSC code of conduct”); and

(b)     a code of conduct for members of a TAC (the “TAC code of conduct”).

(2)     The Director and employees of the JCSC must abide by the JCSC code of conduct.

(3)     In the event that the JCSC code of conduct is inconsistent with a code of practice issued under Article 8 of the Employment of States of Jersey Employees (Jersey) Law 2005 (a “States code of practice”), the States code of practice takes precedence.

(4)     A member of a TAC must abide by the TAC code of conduct and act in accordance with the terms of reference for that TAC.

(5)     Before producing the JCSC code of conduct, the Director must consult the Minister and the employees of the JCSC.

(6)     Before producing the TAC code of conduct, the Director must consult the Minister and the members of the TACs.

(7)     When consulting on a code of conduct under paragraph (5) or (6), the Director must allow 28 days, starting on the day of the consultation, for responses.

7        Powers of Minister in relation to JCSC

(1)     The Minister may review, or commission another person to review, the performance of the Director’s functions in relation to the Director’s objectives under Article 12(1).

(2)     The Minister may give a direction to the Director if the Minister considers that –

(a)     the direction is necessary in the interests of the security of Jersey; and

(b)     the requirements imposed by the direction are proportionate to what the direction seeks to achieve.

(3)     If the conditions in paragraph (2) are not met, the Minister may give directions or guidance to the Director only if the Minister has consulted with the Director and the other persons that the Minister considers appropriate.

(4)     The Director must comply with a direction given under paragraph (2) or (3).

8        Accounts and annual report

(1)     The Director must ensure that –

(a)     proper accounts and proper records in relation to the accounts are kept;

(b)     accounts are prepared in respect of each financial year (“annual accounts”); and

(c)     the annual accounts are prepared using the accounting standards by which the accounts of the States are prepared (as set out in the Public Finances Manual issued under Article 31 of the Public Finances Law).

(2)     The Director must produce a report on the exercise and performance of the functions of the Director and the JCSC in relation to each financial year (an “annual report”).

(3)     The annual report must include –

(a)     the annual accounts;

(b)     a report on the activities of the Director in the preceding year;

(c)     a report setting out, in anonymised format, all mandatory cyber incidents reported to the Director under Article 31;

(d)     a report from each TAC setting out the advice and reports given to the Director during the preceding year; and

(e)     other statements or reports relevant to the exercise of the functions of the Director that the Director considers appropriate.

(4)     But the annual report must not include –

(a)     confidential information;

(b)     information that may prejudice –

(i)      the security of those providing information;

(ii)      the commercial interests of those providing information;

(iii)     the prevention of crime; or

(iv)     national security; or

(c)     information that directly or indirectly identifies an individual.

(5)     The Director must present the annual report to the Minister no later than 6 months after the end of the financial year to which it relates.

(6)     The Minister must present a copy of the annual report to the States Assembly as soon as reasonably practicable after receiving it.

(7)     The Director must publish each annual report as soon as reasonably practicable after it has been presented to the Minister.

(8)     The Minister may by Order amend this Article to make further or alternative provision with regard to the annual report.

9        Strategic plan

(1)     The Director must, in respect of a 3-year period, prepare a plan (a “strategic plan”) setting out how the Director proposes to perform their functions during the 3-year period.

(2)     A strategic plan must –

(a)     be developed after consultation with the Minister;

(b)     reflect Ministerial priorities; and

(c)     be presented to the Minister –

(i)      in the case of the first Director appointed under this Law, no later than 6 months after this Law comes into force; or

(ii)      no later than 3 months before the commencement of the 3-year period to which the plan relates.

(3)     The Director may, at any time during a 3-year period, review the strategic plan and present to the Minister a revised strategic plan.

(4)     Within 3 months of a Director’s appointment, that Director may present to the Minister a new strategic plan but that plan will only have effect until the expiry of the strategic plan that it replaces.

(5)     A strategic plan prepared under this Article must be agreed with the Minister and, no more than 2 months later, published in that agreed form.

(6)     In this Article, “3-year period” means –

(a)     in relation to the first strategic plan prepared under this Article, the period starting with the date the plan is prepared and ending at the end of 31 December in the year that is 3 years after the date the plan is prepared; and

(b)     in relation to subsequent strategic plans, the period starting with 1 January of the first year of the plan and ending at the end of 31 December of the third year of the plan.

10      Annual assessment of funding by Minister

(1)     The Minister must make an annual assessment of the funding required by the Director, the JCSC and the TACs.

(2)     In making an annual assessment, the Minister must consider the funding required to ensure that the Director has the financial and administrative resources, and other support including staff, services, equipment and accommodation, necessary to enable the Director, the JCSC and the TACs to discharge their functions under this Law effectively and efficiently.

(3)     Before the Minister submits an amount in respect of the Director, the JCSC and the TACs to the Council of Ministers under Article 10(1)(d) of the Public Finances Law, the Minister must consult the Director.

(4)     The States may amend this Article by Regulations made under Article 41.

11      Independence of JCSC IT systems

The Director and the JCSC must operate independent information technology systems that comply with the requirements set by the Forum of Incident Response and Security Teams Inc (incorporated on 7 August 1995 as a non-profit organisation under section 501(c)(3) of Title 26 of the United States Code).

Part 3

Objectives and functions

12      Objectives of Director

(1)     The objectives of the Director are to prepare for, protect from, defend against, and facilitate recovery from, cyber threats or cyber attacks affecting Jersey.

(2)     The Director must so far as reasonably practicable administer the operation of this Law and exercise their functions in a way that –

(a)     is compatible with the Director’s objectives; and

(b)     the Director considers most appropriate to further the objectives.

(3)     For the purposes of paragraph (1), a cyber threat or a cyber attack affects Jersey if –

(a)     it affects –

(i)      the States of Jersey;

(ii)      a public administration;

(iii)     a relevant person;

(iv)     an operator of an essential service not otherwise falling within this sub-paragraph;

(v)     an individual not otherwise falling within this sub-paragraph who is present in Jersey, regardless of whether the individual is ordinarily resident in Jersey;

(vi)     an Autonomous System Name and associated Internet Protocol address prefix assigned to Jersey by the Réseaux IP Européens Network Coordination Centre;

(viii)   the .je country code top-level domain as assigned by the Internet Assigned Numbers Authority; or

(b)     it results, or may result, in reputational, political, economic or well-being risk to Jersey.

(4)     In this Article –

“external entity” means a person that –

(a)     is not an individual;

(b)     has a place of business or an address outside Jersey; and

(c)     having regard to the extent to which their business is carried on, in and outside Jersey, the Minister considers a cyber attack in respect of the person would not be material to Jersey;

“relevant person” means a person, other than an external entity, having a place of business or address in Jersey.

(5)     The Minister may by Order amend paragraphs (3) and (4).

13      Functions of JCSC: SPOC

(1)     The JCSC is the SPOC for Jersey.

(2)     As the SPOC for Jersey, the JCSC –

(a)     must consult and co-operate, as the JCSC considers appropriate, with –

(i)      relevant law enforcement authorities; and

(ii)      relevant regulatory bodies in Jersey;

(b)     must co-operate with a designated competent authority to enable them to fulfil their obligations under this Law;

(c)     may, if the JCSC considers it appropriate to do so, liaise with –

(i)      the relevant authorities in the United Kingdom, a Member State of the European Union, and other countries or territories;

(ii)      the group established under Article 14(1) of the NIS Security Directive;

(iii)     the Emergency Planning Officer appointed under Article 3 of the Emergency Powers and Planning (Jersey) Law 1990; and

(iv)     the CSIRTs network.

(3)     Nothing in this Article affects a duty on a person to make a report under another enactment.

(4)     In paragraph (2)(b), “designated competent authority” means –

(a)     a Minister designated as a competent authority under Article 4 of the Emergency Powers and Planning (Jersey) Law 1990; or

(b)     the Information Commissioner.

(5)     In paragraph (2)(c), “relevant authority” –

(a)     in relation to the United Kingdom and a Member State of the European Union, means its SPOC, CSIRT and national competent authority;

(b)     in relation to other countries or territories, means its SPOC, CSIRT and national competent authority, or another body that appears to the JCSC to perform a substantially similar function.

14      Functions of JCSC: CSIRT

(1)     The JCSC is the computer security incident response team (the “CSIRT”) for Jersey, and as CSIRT for Jersey has the functions in paragraphs (2) to (6).

(2)     The JCSC must, as far as reasonably practicable –

(a)     monitor and scan publicly accessible network and information systems to identify malicious activity, vulnerabilities and configuration errors; and

(b)     take the action it considers necessary to resolve the vulnerabilities, configuration errors or cyber threats arising from them.

(3)     The JCSC must take reasonable steps to understand current global cyber threats and how these may affect Jersey, and take the action it considers necessary in response to those threats.

(4)     The JCSC must take reasonable steps to –

(a)     raise awareness in Jersey of cyber threats, the risks arising from them, responses to them and mitigations against them;

(b)     enable and promote the sharing of cyber security information in Jersey;

(c)     support and co-ordinate the delivery of cyber security services in Jersey;

(d)     increase the level of cyber resilience in Jersey to reduce the risk and impact of cyber incidents.

(5)     The JCSC must represent Jersey’s cyber security interests in Jersey and internationally, including by participating in international co-operation networks including the CSIRTs network.

(6)     The JCSC may advise persons affected or potentially affected by a cyber attack or cyber threat.

(7)     In undertaking its function under paragraph (2), the JCSC may –

(a)     analyse information received by it relating to cyber incidents affecting Jersey;

(b)     take the action it considers necessary to mitigate, or assist in the mitigation of, the effect of those cyber incidents; and

(c)     advise a person affected or potentially affected by a cyber incident.

15      Functions of Director: general

(1)     The Director has the functions conferred on the Director under this Law or transferred to the Director under another enactment.

(2)     The Director may advise the Minister on matters relating to cyber security, whether on request or otherwise.

(3)     The Minister may by Order amend this Article to make additional or supplementary provision in relation to the functions of the Director.

16      Discharge of Director’s functions by another person

(1)     The Director may fully or partly discharge a function by entering into an agreement with another person, on terms that the Director thinks fit, under which that other person fully or partly discharges the function.

(2)     But the Director may not enter into an agreement under paragraph (1) unless the Director is satisfied that –

(a)     it is appropriate to do so; and

(b)     the other person has the expertise and resources necessary to discharge the function.

(3)     If the Director enters into an agreement under paragraph (1) –

(a)     that does not affect the responsibility of the Director for the discharge of the function; or

(b)     prevent the discharge of the function by the Director personally.

(4)     The Director is not required to discharge a function under this Law if another person is required by an enactment to discharge a function that has the same or substantially the same effect.

17      Duty to issue guidance in relation to cyber security

(1)     The Director must issue guidance in relation to cyber security, including in relation to the exercise of their functions under this Part, and may revise and re-issue that guidance.

(2)     Before issuing or re-issuing guidance under paragraph (1), the Director must, if the Director considers appropriate –

(a)     seek advice from a relevant TAC; or

(b)     consult –

(i)      the regulators;

(ii)      any sectoral or subsectoral OES; or

(iii)     other persons.

18      Power to set or adopt cyber security standards

(1)     The Director may set or adopt standards in relation to cyber security (“cyber security standards”).

(2)     The Director must from time to time review cyber security standards set or adopted under paragraph (1).

(3)     Before setting or adopting cyber security standards the Director –

(a)     must seek advice from a relevant TAC;

(b)     must consult –

(i)      the Minister; and

(ii)      the regulators and any sectoral or subsectoral OES that the Director considers appropriate; and

(c)     may consult the other persons that the Director considers appropriate.

(4)     The Director must publish cyber security standards set or adopted under this Article.

(5)     When publishing cyber security standards, the Director must –

(a)     specify the persons, or classes of person, to whom the Director considers the cyber security standards apply; and

(b)     provide guidance in relation to the cyber security standards set or adopted.

19      Power to assist in investigations

(1)     The Director and employees of the JCSC may assist in an investigation into or relating to cyber security being carried out by a person listed in paragraph (2) if –

(a)     the person requests the JCSC’s assistance; and

(b)     the Director is satisfied that the assistance is necessary to fulfil the Director’s objectives and functions.

(2)     The persons are –

(a)     the Information Commissioner;

(b)     the JFSC;

(c)     the States of Jersey Police Force;

(d)     the JCRA;

(e)     other persons that the Director considers appropriate.

20      Power to provide cyber security services to States of Guernsey

(1)     The Director may provide cyber security services, analogous to the Director’s functions under this Law, to the States of Guernsey if –

(a)     the Director considers it appropriate to do so; and

(b)     the Minister consents to the provision of the services.

(2)     The Director may provide the services on whatever terms, including as to payment, as the Director thinks fit.

(3)     But the Director must not provide services under this Article if doing so would, in the Director’s opinion, have a negative impact on the Director’s ability to perform their functions under this Law.

21      Power to amend this Part by Regulations

The States may, by Regulations made under Article 41, amend provisions of this Part (other than this Article) to make alternative or supplementary provision about the functions of the Director that the States considers appropriate.

Part 4

Operators of essential services

22      Designation of OES

(1)     A person is an operator of an essential service (an “OES”) for a sector or subsector specified in Schedule 3 if –

(a)     they are –

(i)      taken to be designated as an OES under paragraph (2) for that sector or subsector; or

(ii)      designated as an OES under paragraph (5) for that sector or subsector; and

(b)     that designation has not been revoked under Article 26 or 27.

(2)     A person is taken to be designated as an OES for a sector or subsector if –

(a)     they provide a service in Jersey of a kind specified in Schedule 3 corresponding to that sector or subsector;

(b)     the person resides or has a head office in Jersey;

(c)     the provision of that service relies on network and information systems or operational technology; and

(d)     the person meets the threshold requirements or conditions specified in Schedule 3 in relation to that sector or subsector.

(3)     A person who falls within paragraph (2) must give the Minister written notice of that fact and their name, address and contact details (including email address and telephone number).

(4)     A notification required under paragraph (3) must be given –

(a)     in the case of a person who falls within paragraph (2) on the date on which this Article comes into force, before the end of 28 days beginning with that date;

(b)     in other cases, before the end of 28 days beginning with the date on which the person first falls within paragraph (2).

(5)     The Minister may designate a person as an OES if the person is not taken to be designated under paragraph (2) but –

(a)     they provide a service in Jersey of a kind specified in Schedule 3 corresponding to that sector or subsector;

(b)     the person resides or has a head office in Jersey;

(c)     the provision of that service relies on network and information systems or operational technology; and

(d)     in the opinion of the Minister, a cyber incident would have or is likely to have a significant disruptive effect on the provision of that service.

(6)     In reaching their opinion in paragraph (5)(d), the Minister must have regard to the following factors –

(a)     the number of users relying on the service;

(b)     the degree of reliance of other relevant sectors or subsectors in Schedule 3 on the service;

(c)     the likely impact, in terms of degree and duration, on economic and societal activities or public safety;

(d)     the market share of the service;

(e)     the geographical area that may be affected if a cyber incident affects the service;

(f)      the importance of the provision of the service for maintaining a sufficient level of that service, taking into account the availability of alternative means of provision of that service;

(g)     the likely consequences for the security of Jersey if a cyber incident affects the service; and

(h)     other factors that the Minister considers appropriate.

(7)     The Minister may in relation to a person to whom paragraph (5) applies –

(a)     give the person written notice that the Minister proposes to designate them as an OES, with reasons; and

(b)     give them 28 days to submit written representations about the proposed designation.

(8)     The Minister must –

(a)     have regard to representations received under paragraph (7)(b); and

(b)     decide if the person is to be designated as an OES.

(9)     The Minister must give the person written notice of their decision, with reasons, no later than 28 days after making the decision.

23      Information notices

(1)     The Minister may by notice in writing served on a person (an “information notice”) require the person to provide the Minister with the information the Minister reasonably requires to assist the Minister in determining whether –

(a)     the person meets a threshold requirement specified in Schedule 3; or

(b)     the person falls within Article 22(5) or 24.

(2)     An information notice must –

(a)     describe the information that is required by the Minister;

(b)     give the Minister’s reasons for requesting the information; and

(c)     specify the time within which, and the form and manner in which, the requested information must be provided.

(3)     A person who, without reasonable cause, does not comply with the requirements of an information notice is liable to a penalty under Article 36.

(4)     The Minister may withdraw an information notice by giving written notice to the person on whom the information notice was served.

24      Person outside Jersey may be designated as OES

(1)     This Article applies if –

(a)     the Minister wishes to designate a person as an OES; but

(b)     the person has its head office outside Jersey.

(2)     Despite Article 22(5)(b), the Minister may designate the person as an OES if –

(a)     it provides an essential service for the energy sector (see Schedule 3, Part 1) or the digital sector (see Schedule 3, Part 6); or

(b)     it provides an essential service for another sector specified in Schedule 3, and has been notified in writing by the Minister that this Article applies to them.

25      OES: authorised person to act in Jersey

(1)     An OES designated under Article 24 must give written notice to the Minister of a person in Jersey authorised by the OES to act on their behalf under this Law (the “authorised person”).

(2)     Written notice under paragraph (1) –

(a)     must include –

(i)      the name of the OES; and

(ii)      the name, address and contact details (including email address and telephone number) of the authorised person; and

(b)     must be given no later than the end of the period of 28 days beginning with the date on which the OES became an OES, whether under Article 22(2) or Article 24.

(3)     The OES must notify the Minister in writing of changes to the information notified under paragraph (2)(a) as soon as practicable and in any event no later than the end of 28 days beginning with the date of the change.

(4)     The Minister or the Director may contact the authorised person instead of or in addition to the OES for the purposes of carrying out the Minister’s or the Director’s responsibilities under this Law.

(5)     An authorisation under paragraph (1) does not affect any legal action that could be initiated against the OES.

26      Review and revocation of OES designation

(1)     The Minister must maintain a list of OESs.

(2)     The Minister may delegate the day-to-day maintenance of the list to the Director.

(3)     If a person has reasonable grounds to believe that their designation as an OES is no longer justified under Article 22 or 24, they must notify the Minister in writing as soon as practicable providing evidence supporting that belief.

(4)     If the Minister receives a notification under paragraph (3), the Minister must review the person’s designation as an OES within 3 months after the date of receipt.

(5)     The Minister may revoke the designation of a person under Article 22(2), by notice in writing, if the Minister decides that a cyber incident affecting the provision of the relevant essential service by that person would not have or is not likely to have significant disruptive effects on the provision of the essential service.

(6)     The Minister may revoke the designation of a person under Article 22(5) or 24, by notice in writing, if the conditions mentioned in that Article are no longer met by that person.

(7)     Before revoking a person’s designation under paragraph (5) or (6) the Minister must –

(a)     notify the person in writing of the proposed revocation, with reasons;

(b)     invite the person to submit representations in writing about the proposed revocation, within the time specified by the Minister; and

(c)     consider representations submitted under sub-paragraph (b).

(8)     In order to make the decision mentioned in paragraph (5), the Minister must have regard to the factors mentioned in Article 22(6).

27      Right of appeal in relation to designation as OES

(1)     An OES may appeal to the Royal Court against a decision of the Minister –

(a)     under Article 22(5) or Article 24 to designate them as an OES;

(b)     under Article 26 not to revoke their designation as an OES.

(2)     An appeal under this Article must be made by sending the Royal Court a notice of appeal –

(a)     in accordance with rules of court; and

(b)     no later than 28 days after the day on which the decision is made.

(3)     A notice of appeal must set out –

(a)     the provision of this Law under which the decision appealed against was taken; and

(b)     the grounds of appeal, which must be set out in sufficient detail to indicate –

(i)      to what extent the appellant contends that the decision appealed against was based on an error of fact or was wrong in law, or both; and

(ii)      to what extent the appellant is appealing against the exercise of a discretion by the Minister.

(4)     The Royal Court must decide an appeal under this Article by reference to the grounds of appeal set out in the notice of appeal.

(5)     In determining an appeal under this Article, the Royal Court must apply the principles applicable on an application for judicial review.

(6)     When it determines an appeal under this Article, the Royal Court may –

(a)     confirm the decision appealed against;

(b)     quash the decision appealed against in whole or in part;

(c)     if it quashes the whole or part of the decision –

(i)      remit the matter back to the Minister with a direction to reconsider and make a new decision in accordance with the ruling of the Royal Court; or

(ii)      substitute for the decision any decision that the Minister could have made.

(7)     The Royal Court may make the orders it thinks appropriate, including ancillary orders and orders as to costs.

(8)     An appeal under this Article does not suspend the effect of the decision to which the appeal relates, unless the Court orders otherwise.

(9)     The Minister must comply with a direction under paragraph (6)(c)(i).

(10)    The power of the Royal Court to make rules of court under Article 13 of the Royal Court (Jersey) Law 1948 includes power to make rules dealing generally with all matters of procedure and incidental matters arising in relation to appeals under this Article.

Part 5

Security duties on operators of essential services

28      Interpretation of Articles 29 to 32

For the purposes of the duties contained in Articles 29 to 32, “OES” is to be read as including a government service.

29      Duty to take security measures

(1)     An OES must implement measures that are appropriate and proportionate for the purposes of –

(a)     identifying cyber threats to the security of the network and information systems or operational technology on which the provision of their essential service relies;

(b)     reducing the risk of cyber incidents occurring that affect the security of those network and information systems or operational technology;

(c)     preparing for cyber incidents, and preventing and minimising their impact; and

(d)     ensuring the continuity of their essential service.

(2)     The measures implemented under paragraph (1) must ensure a level of security of network and information systems and operational technology appropriate to the cyber threat and risk posed by that threat.

(3)     The Director must issue guidance on the operation of this Article, including how to assess the appropriate level of security.

(4)     In this Article, “security of network and information systems and operational technology” means the ability of network and information systems or operational technology to resist, at a given level of confidence, an event that may compromise the confidentiality, integrity, availability, authenticity, or non-repudiation of –

(a)     information held in or processed through those network and information systems or operational technology; or

(b)     services offered by, or accessible through, those network and information systems or operational technology.

30      Duty to take specified security measures

(1)     The Minister may direct an OES to take specified measures, or measures of a specified description, that the Minister considers are appropriate and proportionate for a purpose listed in Article 29(1).

(2)     In this Article, “specified” means specified in a direction under paragraph (1).

(3)     Before making a direction under paragraph (1), the Minister –

(a)     must consult the Director and the regulators that the Minister considers appropriate; and

(b)     may consult other persons that the Minister considers appropriate.

(4)     Nothing in this Article or a direction under paragraph (1) affects the duty imposed under Article 29.

31      Duty to notify Director of cyber incidents

(1)     An OES must notify the Director of a cyber incident that the OES considers has had, or is likely to have, a significant impact on the cyber resilience of the OES or on the essential service that the OES provides.

(2)     In determining for the purposes of paragraph (1) whether a cyber incident has a significant impact on an essential service, the OES must have regard (insofar as it is within the OES’s knowledge) to the following matters in particular –

(a)     the number of users affected by the disruption of the essential service;

(b)     the duration of the cyber incident; and

(c)     the geographical area affected by the cyber incident.

(3)     A notification under paragraph (1) must include all of the following that is within the knowledge of the OES at the time notification is given –

(a)     the operator’s name and the essential service it provides;

(b)     the time and date the cyber incident occurred;

(c)     the current status of the cyber incident;

(d)     the duration of the cyber incident;

(e)     the threat actor, if known;

(f)      information about the nature and impact of the cyber incident;

(g)     information about the impact, or likely impact, of the cyber incident outside Jersey; and

(h)     other information that the OES considers may be helpful to the Director.

(4)     The OES must give the notification required under paragraph (1) as soon as reasonably practicable and no later than 24 hours after the OES becomes aware of the occurrence of a cyber incident that has had or is likely to have a significant impact on the continuity of the essential service.

(5)     The Minister may by Order amend paragraph (4) to vary the time within which a notification must be given.

(6)     The States may, by Regulations made under Article 41, amend this Article to make further or alternative provision about the notification of cyber incidents.

(7)     In this Article, “threat actor” means a person or group of persons who take actions intended to cause harm to network and information systems or operational technology.

32      Duty to take specified security measures in response to cyber incidents

(1)     The Minister, having consulted the Director, may direct an OES to take specified measures in response to –

(a)     a significant cyber incident or a description of a significant cyber incident that occurs in relation to a network and information system or operational technology on which the provision of an essential service, by the OES, relies;

(b)     adverse effects of that cyber incident on that network and information system or operational technology.

(2)     A direction under paragraph (1) must –

(a)     specify the adverse effects; and

(b)     specify the measures, or the description of measures, to be taken –

(i)      in response to a cyber incident, for the purpose of preventing the adverse effects on the provision of the essential service arising from that cyber incident;

(ii)      in response to an adverse effect, for the purpose of remedying or mitigating that adverse effect.

(3)     But a measure, or description of a measure, may only be specified under paragraph (2)(b) if the Minister considers that taking that measure or a measure of that description would be appropriate and proportionate for the purpose for which it is to be taken.

33      Directions under this Part

If the Minister directs an OES under Article 30 or 32, the Minister must have due regard to any applicable statutory operational independence.

34      Guidance in relation to this Part

(1)     The Director must publish guidance about the measures to be taken by an OES under this Part.

(2)     The Director may revise and re-publish guidance published under this Article.

(3)     Before publishing or re-publishing guidance, the Director may –

(a)     seek advice from a TAC; or

(b)     consult –

(i)      the regulators that the Director considers appropriate;

(ii)      any sectoral or subsectoral OES that the Director considers appropriate; or

(iii)     the other persons that the Director considers appropriate.

35      Power to amend this Part by Regulations

(1)     The States may, by Regulations made under Article 41 –

(a)     make alternative or supplementary provision about the duties imposed on an OES under this Part; or

(b)     make provision for the enforcement of the duties imposed on an OES under this Part.

(2)     Regulations may make the provision referred to in paragraph (1) by amending this Part.

Part 6

Enforcement

36      Power of Minister to impose civil financial penalties on OES

(1)     If the Minister is satisfied that an OES has contravened a provision of this Law, the Minister may serve a penalty notice on the OES.

(2)     A penalty notice must specify in writing –

(a)     the reasons for imposing a penalty;

(b)     the amount of the penalty;

(c)     the date of the notice;

(d)     the date by which the penalty amount must be paid;

(e)     that the payment of the penalty under the notice does not affect the requirements of any existing direction under Article 30 or 32;

(f)      how and when the OES may make representations about the content of the notice.

(3)     The Minister must consider any representations made under paragraph (2)(f) and –

(a)     if the Minister considers it appropriate in the light of the representations, issue a written notice of withdrawal of the penalty notice to the OES; or

(b)     if the Minister considers that a penalty is still justified, issue a written confirmation notice to the OES.

(4)     A confirmation notice must –

(a)     include reasons for the Minister’s final penalty decision;

(b)     require the OES to pay –

(i)      the amount specified in the penalty notice; or

(ii)      the amount that the Minister considers appropriate in the light of the representations made under paragraph (2)(f);

(c)     specify the period within which the penalty amount must be paid;

(d)     provide details of the appeal process under Article 37; and

(e)     specify the consequences of failing to make the payment within the period specified.

(5)     The Minister may impose a penalty under paragraph (1) on a person who performs or performed a senior management function in relation to an OES if the Minister is satisfied that the contravention by the OES was –

(a)     committed with the consent or connivance of, or was attributable to neglect on the part of that person; or

(b)     aided, abetted, counselled or procured by that person.

(6)     The amount of a penalty imposed under this Article must –

(a)     in the opinion of the Minister, be appropriate and proportionate to the contravention in respect of which it is imposed; and

(b)     not exceed £10,000.

(7)     The Minister may by Order amend the figure in paragraph (6)(b).

37      Appeal against imposition of penalty

(1)     An OES may appeal to the Royal Court if it considers that, having regard to the circumstances of the case –

(a)     it was unreasonable for the Minister to impose a penalty; or

(b)     the amount of the penalty imposed was excessive.

(2)     The appeal must be lodged with the Royal Court no later than 28 days after the date of issue of the confirmation notice under Article 36.

(3)     If an appeal is lodged, the Minister must not enforce payment of the penalty until the appeal is determined.

(4)     The Royal Court may –

(a)     confirm the penalty;

(b)     rescind the penalty;

(c)     substitute a penalty of a different amount; or

(d)     make another interim or final order as it sees fit.

38      Contravention by government service

(1)     If the Minister becomes aware that a government service is in breach of its security duties under Articles 29, 30 and 32 or its duty to notify the Director of cyber incidents under Article 31, the Minister must take the steps that the Minister, on the advice of the Director, considers necessary.

(2)     Those steps may include directing the government service to remedy the breach with the assistance of the Director.

39      Offence: false or misleading information

(1)     A person commits an offence if they knowingly or recklessly provide an entitled person with information that is false or misleading in a material particular –

(a)     in purported compliance with a requirement under this Law; or

(b)     in circumstances in which the person providing the information intends, or could reasonably be expected to know, that the information would be used by the entitled person for the purpose of carrying out their functions under this Law.

(2)     A person who commits an offence under paragraph (1) is liable to imprisonment for a term of 5 years and to a fine.

(3)     In this Article, “entitled person” means –

(a)     the Minister;

(b)     the Director;

(c)     the JCSC; or

(d)     other persons entitled to information under this Law.

(4)     A reference to an offence under this Article includes a reference to an offence under Article 1 of the Criminal Offences (Jersey) Law 2009 in relation to that offence.

(5)     In paragraphs (6) and (7) –

“relevant offence” means an offence under this Article committed by a limited liability partnership, a separate limited partnership, an incorporated limited partnership or another body corporate;

“relevant person” means –

(a)     if the relevant offence is committed by a limited liability partnership, a partner of the partnership;

(b)     if the relevant offence is committed by a separate limited partnership or an incorporated limited partnership –

(i)      a general partner; or

(ii)      a limited partner who is participating in the management of the partnership;

(c)     if the relevant offence is committed by a body corporate other than an incorporated limited partnership –

(i)      a director, manager, secretary or other similar officer of the body corporate; and

(ii)      if the affairs of the body corporate are managed by its members, a member who is acting in connection with the member’s functions of management; and

(d)     a person purporting to act in any capacity described in sub-paragraphs (a) to (c) in relation to the partnership or body that commits the relevant offence.

(6)     If a relevant offence is proved to have been committed with the consent or connivance of a relevant person, that relevant person is also guilty of the offence and liable in the same manner as the partnership or body corporate to the penalty provided for that offence.

(7)     A relevant person is guilty of a relevant offence, and liable in the same manner as the partnership or body corporate to the penalty provided for that offence, if the offence –

(a)     is an offence that may be committed by neglect; and

(b)     is proved to be attributable to neglect on the part of the relevant person.

(8)     A fine imposed on an unincorporated association on its conviction of an offence under this Law must be paid out of the funds of the association.

(9)     Paragraphs (10) and (11) apply if it is alleged that an offence under this Law has been committed by an unincorporated association (that is, not by a member of the association).

(10)    Proceedings for the offence must be brought in the name of the association.

(11)    For the purposes of the proceedings, any rules of court relating to the service of documents have effect as if the association were a body corporate (to the extent that those rules do not make specific provision for service on unincorporated associations).

(12)    The States may, by Regulations made under Article 41, amend this Article to make alternative or supplementary provision as to liability for offences.

Part 7

Information sharing and Closing provisions

40      Information sharing

(1)     A person may disclose information to the Director if the disclosure is made for the purpose of the exercise of a function of the Director.

(2)     Information obtained by the Director in connection with the exercise of a function may be used by the Director in connection with the exercise of another function.

(3)     The Director may share information with a relevant body if sharing the information is –

(a)     necessary –

(i)      for the purposes of the Director’s functions under this Law;

(ii)      in the interests of the security of Jersey; or

(iii)     for purposes related to the prevention or detection of crime, the investigation of an offence or the conduct of a prosecution (whether in Jersey or outside Jersey); and

(b)     limited to information that is relevant and proportionate to the purpose for which it is shared.

(4)     If information is shared under paragraph (3), the relevant body may share the information with another relevant body if –

(a)     the conditions in paragraph (3) apply; and

(b)     the Director gives consent.

(5)     Disclosure under this Article is not to be treated as a breach of a restriction imposed by contract, enactment or otherwise.

(6)     In this Article, “relevant body” means –

(a)     the States of Jersey Police Force;

(b)     the Honorary Police within the meaning of the Honorary Police (Jersey) Law 1974;

(c)     the National Crime Agency of the United Kingdom;

(d)     a public authority not falling within sub-paragraphs (a) to (c) with functions in part of the British Islands that consist of or include the investigation of crimes or the charging of offenders;

(e)     a person with functions in a country or territory outside Jersey that –

(i)      correspond to those of a police force; or

(ii)      otherwise consist of or include the investigation of conduct contrary to the law of that country or territory, or the apprehension of persons guilty of that conduct; and

(f)      a person with functions under an international agreement that consist of or include the investigation of conduct, or the apprehension of persons guilty of conduct, that is –

(i)      unlawful under the law of 1 or more places;

(ii)      prohibited by an international agreement; or

(iii)     contrary to international law;

(g)     the CSIRT or SPOC for other countries or territories; or

(h)     other persons that the Director considers appropriate.

41      Power to amend this Law by Regulations

(1)     The States may, by Regulations, amend this Law (other than this Article) to make alternative or supplementary provision that appears to the States to be appropriate.

(2)     This Article does not limit other powers to amend this Law by Regulations or Order.

42      Transitional provisions

(1)     The Director of the JCSC on the date of commencement of this Law continues in that position and is treated as having been employed by the States in that capacity beginning with the date of the Director’s employment.

(2)     A person, other than the Director, employed by or engaged to work for the JCSC before the commencement of this Law is, on its commencement, treated as having been employed or engaged by the States to work in the same capacity beginning with the date of their employment or engagement.

43      Consequential amendments

(1)     Schedule 4 contains consequential amendments.

(2)     The States may, by Regulations, amend an enactment (other than this Law) to make provisions the States consider necessary or expedient in consequence of the coming into force of this Law, or of an amendment to this Law.

44      Citation and commencement

This Law may be cited as the Cyber Security (Jersey) Law 202- and comes into force on a day to be specified by the Minister by Order.

 

 


Schedule 1

(Article 2)

Director of Jersey Cyber Security Centre

1        Appointment and tenure of Director

(1)     Other than as set out in this Schedule, the Director holds and vacates office as Director in accordance with the terms and conditions of their appointment.

(2)     The Minister must appoint as Director a person who has the appropriate qualifications and experience to fulfil the objectives, carry out the duties and exercise the powers in Part 3.

(3)     Before appointing a person as Director the Minister must consult and take into account the views of the Jersey Appointments Commission established under Article 17 of the Employment of States of Jersey Employees (Jersey) Law 2005.

(4)     Article 2 of the States of Jersey (Appointment Procedures) (Jersey) Law 2018 applies to the appointment of the Director.

2        Termination of appointment of Director

(1)     The Director ceases to hold office –

(a)     if the Director resigns by giving notice in writing to the Minister as required under the terms and conditions of their appointment; or

(b)     if the Director’s appointment is terminated under sub-paragraph (3).

(2)     If the Director resigns from office under sub-paragraph (1)(a), the Minister must, as soon as practicable after receiving that notice of resignation, report it to the States Assembly.

(3)     The appointment of the Director may be terminated by the Minister if the Director –

(a)     is incapacitated physically or mentally from carrying out their functions or is otherwise unable or unfit to discharge their functions;

(b)     has been absent from the Director’s office for more than 3 months without due cause;

(c)     fails, without reasonable excuse, to discharge the Director’s duties; or

(d)     is disqualified from holding the office of Director under paragraph 3.

(4)     Before terminating the appointment the Minister must give notice to the Director.

(5)     Article 3 of the States of Jersey (Appointment Procedures) (Jersey) Law 2018 applies to the termination of the Director.

3        Disqualification for appointment, restrictions and exceptions

A person cannot hold the office of Director if the person –

(a)     does not hold an appropriate level of security vetting, in the opinion of the Minister;

(b)     is not habitually resident in Jersey;

(c)     has been convicted of a criminal offence that is sufficiently serious to cast doubt on the Director’s suitability to carry out the office; or

(d)     has been subject to a finding of gross misconduct at work, whether as Director or in previous employment.


 

Schedule 2

(Article 4)

Constitution of TAC

1        Application of Schedule 2

This Schedule applies to a TAC established under Article 4.

2        Constitution of TAC

(1)     The Director must agree with the Minister terms of reference for each TAC.

(2)     The Director and the Minister must review the terms of reference at least once every 4 years.

(3)     A TAC must consist of at least 3 and no more than 9 members.

(4)     A person may be a member of more than 1 TAC.

3        Appointment of members

(1)     The Minister must, having received advice from the Director, appoint as members of a TAC people who –

(a)     possess the qualifications, skill and experience necessary to perform the functions of a member that are set out in the TAC’s terms of reference;

(b)     demonstrate a high degree of integrity; and

(c)     meet the security clearance requirements set by the Minister and the Director.

(2)     Before appointing a person –

(a)     the Minister must take advice from the Director about the suitability of the person for the role; and

(b)     the Minister may require the person to provide information or references that the Minister reasonably requires to determine the person’s suitability for the role.

(3)     Each member must be appointed for a term of a minimum of 1 year and a maximum of 3 years, and is eligible for reappointment for a maximum cumulative period of 9 years.

(4)     The Director must appoint a chair from among the members.

(5)     When appointing a chair the Director must determine the period of the appointment, which must expire before or on the same date as the person’s appointment as a member expires.

(6)     Unless different provision is made under this Law, a person appointed as chair holds and vacates office in accordance with the terms of their appointment.

(7)     The chair must appoint a member as deputy chair, and that person is to be treated as the chair for the purposes of this Law if –

(a)     the chair is unable to act through incapacity or absence; or

(b)     there is a vacancy in the office of chair.

4        Disqualification for appointment

A person cannot be a member of a TAC if the person does not pass or maintain appropriate security vetting, as set by the Director.

5        Code of conduct

The Minister may suspend a member who, in the Minister’s opinion, has failed to uphold the code of conduct, and investigate the matter.

6        Revocation of appointment

(1)     The appointment of a member may be revoked by the Minister if –

(a)     the member is disqualified for appointment under paragraph 4;

(b)     the member has been convicted of a criminal offence that is sufficiently serious to cast doubt on their suitability to carry out the role;

(c)     is incapacitated physically or mentally from carrying out their functions or is otherwise unable or unfit to discharge their functions;

(d)     the Minister determines, following an investigation under paragraph 5, that the member has failed to uphold the code of conduct; or

(e)     the member has been unavailable for contact by any member of the TAC for more than 3 months without due cause.

(2)     Before revoking the appointment of a member, the Minister must –

(a)     give the Director and the member notice of the Minister’s intention to revoke the appointment; and

(b)     give the member an opportunity to make representations to the Minister regarding the proposed revocation (except for revocation under sub-paragraph (1)(a)).

(3)     If the Minister revokes the appointment of a member, the Minister must inform the Director and the relevant TAC as soon as practicable.

7        Remuneration of members

The Minister must determine the remuneration, if any, of the members.

 


 

Schedule 3

(Article 22)

Essential services, threshold requirements and conditions

Part 1

Energy sector

1        Electricity subsector

(1)     For the essential service of importing electricity, the threshold requirement is that the person imported 150 megawatt hours of electricity into Jersey in the previous financial year, for delivery to final customers.

(2)     For the essential service of generating electricity, the threshold requirement is that the person generated 150 megawatt hours of electricity in the previous financial year, for delivery to final customers.

(3)     For the essential services of transmitting and distributing electricity, the threshold requirement is that the person operates a transmission system or a distribution system that –

(a)     served at least 10,000 final customers in the previous financial year; or

(b)     has the potential to disrupt delivery to at least 10,000 final customers.

(4)     For the essential service of selling electricity, the threshold requirement is that the person sold electricity to at least 10,000 final customers in the previous financial year.

(5)     In this paragraph –

“distribution system” means a system that consists wholly or mainly of low-voltage lines and electrical plant used for conveying electricity for delivery to final customers;

“final customer” means a person in Jersey purchasing electricity for their own use;

“transmission system” means a system that consists wholly or mainly of high-voltage lines and electrical plant used for conveying electricity for delivery to final customers or distributors.

2        Crude oil based fuel subsector

(1)     For the essential service of importing crude oil based fuel, the threshold requirement is that the person imported at least 5,000,000 litres of crude oil based fuel into Jersey in the previous financial year.

(2)     For the essential service of storing crude oil based fuel, the threshold requirement is that the person operates a facility or facilities with a total capacity of at least 5,000,000 litres of crude oil based fuel.

(3)     For the essential service of supplying crude oil based fuel, the threshold requirement is that the person delivered at least 5,000,000 litres of crude oil based fuel to final customers, or to retail sites for delivery to final customers, in the previous financial year.

(4)     For the essential service of supplying crude oil based fuel, the threshold requirement is that the person supplied at least 5,000,000 litres of crude oil based fuel to final customers in the previous financial year.

(5)     In this paragraph –

“crude oil” means liquid hydrocarbon mixture occurring naturally in the earth whether or not treated to render it suitable for transportation, and includes –

(a)     crude oils from which distillate fractions have been removed; and

(b)     crude oils to which distillate fractions have been added;

“crude oil based fuel” means fuel wholly or mainly made up of crude oil or substances derived from crude oil;

“final customer” means a person in Jersey purchasing crude oil based fuel for their own use.

3        Gas subsector

(1)     For the essential service of importing liquid petroleum gas (“LPG”), the threshold requirement is that the person imported 900,000 cubic metres of LPG into Jersey in the previous financial year, for delivery to final customers.

(2)     For the essential service of storing LPG, the threshold requirement is that the person operates a facility with a total capacity of at least 3,000 cubic metres of LPG.

(3)     For the essential service of distributing mains gas, the threshold requirement is that the person delivered gas, by the mains gas network –

(a)     to at least 2,000 final customers in the previous financial year; or

(b)     with a potential to disrupt delivery to at least 2,000 final customers.

(4)     For the essential service of distributing LPG, the threshold requirement is that the person delivered LPG to at least 2,000 final customers in the previous financial year.

(5)     For the essential service of selling mains gas or LPG, the threshold requirement is that the person sold mains gas or LPG to at least 2,000 final customers in the previous financial year.

(6)     In this paragraph –

“final customer” means a person in Jersey purchasing LPG or mains gas for their own use;

“mains gas” means gas suitable to be delivered by the mains gas network;

“mains gas network” means the mains, pipes and other apparatus by which mains gas may be delivered to final customers.

Part 2

Transport sector

4        Sea transport subsector

(1)     For the essential service of carrying out harbour operations, the condition is that the person is licensed under Part 3 of the Air and Sea Ports (Incorporation) (Jersey) Law 2015 to carry out harbour operations.

(2)     In this paragraph, “harbour operations” has the meaning given in Article 2(3) of the Air and Sea Ports (Incorporation) (Jersey) Law 2015.

5        Air transport subsector

(1)     For the essential service of carrying out airport operations, the condition is that the person is licensed under Part 3 of the Air and Sea Ports (Incorporation) (Jersey) Law 2015 to carry out airport operations.

(2)     In this paragraph “airport operations” has the meaning given in Article 2(2) of the Air and Sea Ports (Incorporation) (Jersey) Law 2015.

6        Freight handling subsector

For the essential service of freight handling, the threshold requirement is that the person loaded or unloaded a total of at least 100,000 tonnes of freight at Jersey ports in the previous financial year.

7        Road transport and freight distribution subsector

For the essential service of transporting freight by road to and from Jersey ports, the threshold requirement is that the person transported at least 100,000 tonnes of freight in the previous financial year.

Part 3

Financial services sector

8        Banking subsector

For the essential service of providing banking services, the condition is that the person is registered under Part 2 of the Banking Business (Jersey) Law 1991 and regulated by the JFSC.

Part 4

Health sector

9        Medical services subsector

The following are essential services –

(a)     Health services carried on at, or operating out of, a hospital;

(b)     “Hospital” means premises, other than at the prison (as defined in Article 1 of the Prison (Jersey) Law 1957) –

(i)      used for the reception and inpatient treatment of people suffering from illness or injury;

(ii)      used for the reception and inpatient treatment of people during convalescence or people requiring medical rehabilitation; or

(iii)     maintained in connection with premises described in clauses (a) or (b) and used as –

(A)    a clinic;

(B)     a dispensary; or

(C)     a department treating outpatients (whether or not the department also treats inpatients).

Part 5

Water sector

10      Drinking water supply subsector

(1)     For the essential service of supplying drinking water, the threshold requirement is that the person supplied mains water to at least 10,000 final customers in the previous financial year.

(2)     In this paragraph –

“final customer” means a person in Jersey purchasing mains water for their own use;

“mains water” means drinking water supplied to final customers via a main (as defined in Article 1 of the Water (Jersey) Law 1972).

Part 6

Digital sector

11      Public communications subsector

(1)     For the essential service of providing public communications, the condition is that the person –

(a)     is a public communications provider;

(b)     provides a service to customers in Jersey;

(c)     holds a licence under the Telecommunications (Jersey) Law 2002 that is designated as a Class II or Class III licence by the JCRA; and

(d)     has a place of business, office or staff in Jersey.

(2)     In this paragraph –

“public communications provider” means –

(a)     a provider of a public electronic communications network;

(b)     a provider of a public electronic communications service; or

(c)     a person who makes available facilities that are associated facilities by reference to a public electronic communications network or a public electronic communications service;

“public electronic communications network” means an electronic communications network provided wholly or mainly for the purpose of making electronic communications services available to members of the public;

“public electronic communications service” means an electronic communications service that is provided to be available for use by members of the public.

12      Digital services subsector

(1)     For the essential service of providing information and communications technology services, the condition is that the person, by providing assistance or active administration carried out either on customers’ premises or remotely, provides services –

(a)     related to the installation, management, operation or maintenance of information and communications technology products, networks, infrastructure, applications or other network and information systems; and

(b)     to another OES in Jersey.

(2)     For the essential service of providing a managed security service provider, the condition is that the person –

(a)     provides a managed service that carries out or assists with activities relating to cyber security risk management; and

(b)     is based in Jersey.

(3)     For the essential service of providing cloud computing services, the condition is that the person is based in Jersey.

(4)     For the essential service of providing a data centre service, the condition is that the person is based in Jersey.

(5)     In this paragraph –

“cloud computing service” means a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including situations in which those resources are distributed across more than 1 location;

“digital service” means a service that is provided –

(a)     for remuneration;

(b)     at a distance;

(c)     by electronic means; and

(d)     at the request of the recipient of the service.

13      Operator of the .je domain name subsector

The person assigned as the designated manager for the .je domain name by the Internet Assigned Numbers Authority or a successor organisation is an operator of an essential service.

14      Domain name services subsector

(1)     For the essential service of providing domain name registration services, the threshold requirement is that the person registers domain names on behalf of other people operating in Jersey, if –

(a)     100 or more domain names are registered and in active use; or

(b)     a domain name is registered by an OES and is in active use.

(2)     For the essential service of providing DNS services, the threshold requirement is that the person provides authoritative DNS for domain names used by other people operating in Jersey, if those services –

(a)     are provided for 100 or more domain names in active use; or

(b)     are provided for a domain name in active use by an OES.

(3)     In this paragraph –

“authoritative DNS” means a service for holding and distributing the definitive records of a particular domain name;

“in active use” means the domain name is used other than for indicating that it is registered and may be available for sale.

Part 7

Postal and courier services sector

15      Postal service subsector

A postal service (as defined in Article 1(1) of the Postal Services (Jersey) Law 2004) provided by Jersey Post International Limited or a subsidiary of that company is an essential service.

16      Courier services subsector

(1)     For the essential service of providing courier services, the threshold requirement is that the person delivered at least 10,000 items of mail in the previous financial year.

(2)     In this paragraph, “mail” has the meaning given in Article 1(1) of the Postal Services (Jersey) Law 2004.

17      Couriers of necessary supplies subsector

(1)     For the essential service of courier of necessary supplies, the threshold requirement is that the person delivered necessary supplies to or within Jersey in the previous financial year.

(2)     “Necessary supplies” are –

(a)     medical supplies (as defined in Article 8A of the Emergency Powers and Planning (Jersey) Law 1990);

(b)     other supplies prescribed by the Minister by Order.

Part 8

Food sector

18      Food production subsector

Jersey Dairy Limited is an essential service.

19      Food retail subsector

(1)     For the essential service of food retail, the threshold requirement is that the person –

(a)     places food on the market; and

(b)     operates a shop –

(i)      that is a single premises with a retail sales area of 700 square metres or more; and

(ii)      in which at least 50% of the retail sales area is given over to the sale of food.

(2)     In this paragraph –

“food” means a substance or product, whether processed, partially processed or unprocessed that is intended to be, or reasonably expected to be, ingested by humans; and includes –

(a)     drink;

(b)     chewing gum;

(c)     a substance, including water, intentionally incorporated into the food during its manufacture, preparation or treatment; and

(d)     water that –

(i)      in the case of water supplied from a distribution network, is after the point within premises at which it emerges from the taps that are normally used for human consumption;

(ii)      in the case of water supplied from a tanker, is after the point at which it emerges from the tanker;

(iii)     in the case of water put into bottles or containers intended for placing on the market, is after the point at which the water is put into the bottles or containers; or

(iv)     in the case of water used in a food production undertaking, is after the point where the water is used in the undertaking;

but “food” does not include –

(a)     a substance or product, including additives, whether processed, partially processed or unprocessed, intended to be used for oral feeding to animals;

(b)     live animals, unless they are prepared for placing on the market for human consumption;

(c)     plants prior to harvesting;

(d)     medicinal products within the meaning of Article 2 of the Medicines (Jersey) Law 1995;

(e)     cosmetic products, being a substance or mixture intended to be placed in contact with the external parts of the human body or with the teeth and the mucous membranes of the oral cavity with a view exclusively or mainly to cleaning them, perfuming them, changing their appearance, protecting them, keeping them in good condition or correcting body odours;

(f)      tobacco and tobacco products within the meaning of Article A1 of the Restriction on Smoking (Jersey) Law 1973;

(g)     narcotic substances within the meaning of the United Nations Single Convention on Narcotic Drugs signed at New York on 30 March 1961, or psychotropic substances within the meaning of the United Nations Convention on Psychotropic Substances, 1971;

(h)     residues or contaminants in or on food;

“places on the market” in relation to food means –

(a)     the holding of food for the purpose of sale, including offering for sale or another form of transfer, whether on payment of money or not; or

(b)     the sale, distribution or other form of transfer of food;

“retail sales area” has the meaning given in Article 2 of the Shops (Regulation of Opening) (Jersey) Regulations 2011.

Part 9

Public administration sector

20      Parishes and public bodies subsector

The following are essential services –

(a)     a parish of Jersey;

(b)     an organisation specified in Schedule 2 to the Public Finances Law;

(c)     the JFSC;

(d)     the JCRA;

(e)     the Data Protection Authority established under Article 2 of the Data Protection Authority (Jersey) Law 2018; and

(f)      the Jersey Heritage Trust incorporated by an Act of Incorporation granted by the States by the Loi accordant un Acte d’Incorporation à l’Association dite “The Jersey Heritage Trust” registered on 3 June 1983.

21      Emergency services subsector

The following are essential services –

(a)     States of Jersey Police Force;

(b)     Ambulance service carried out by people employed under the Employment of States of Jersey Employees (Jersey) Law 2005 for that purpose;

(c)     States of Jersey Fire and Rescue Service continued under Article 3 of the Fire and Rescue Service (Jersey) Law 2011;

(d)     Airport Rescue and Firefighting Service, as defined in Article 1 of the Fire and Rescue Service (Jersey) Law 2011.

 


 

Schedule 4

(Article 43)

Consequential amendments

1        Computer Misuse (Jersey) Law 1995

After Article 5A of the Computer Misuse (Jersey) Law 1995 there is inserted –

5B     Exemption for cyber security

Articles 2, 5 and 5A do not apply to –

(a)     the Director of the Jersey Cyber Security Centre appointed under Article 2 of the Cyber Security (Jersey) Law 202- or a person employed by and working under the full operational control of the Director, if the conduct in question was undertaken –

(i)      in good faith; and

(ii)      in the course of the person’s employment duties;

(b)     the Minister for Sustainable Economic Development, to the extent that the Minister is discharging a function under the Cyber Security (Jersey) Law 202-.

2        Data Protection (Jersey) Law 2018

(1)     This paragraph amends the Data Protection (Jersey) Law 2018.

(2)     In Article 41 –

(a)     in paragraphs (2), (5) and (9), “for Justice and Home Affairs” is deleted;

(b)     after paragraph (1) there is inserted –

(11)   In this Article, “Minister” means –

(a)     the Minister for Sustainable Economic Development, if the matter relates to the discharge of that Minister’s functions under the Cyber Security (Jersey) Law 202-;

(b)     in any other case, the Minister for Justice and Home Affairs.

(3)     In Schedule 1, paragraph 1, after “Jersey Customs & Immigration Service” there is inserted “Jersey Cyber Security Centre”.

3        Emergency Powers and Planning (Jersey) Law 1990

For Article 6 of the Emergency Powers and Planning (Jersey) Law 1990 there is substituted –

6        Powers of competent authority in relation to telecommunications, cyber security and cyber resilience

(1)     A competent authority may by Order provide for securing, regulating or prohibiting 1 or more of the following –

(a)     telecommunication services, telecommunication systems and apparatus, cyber network and information systems and operational technology;

(b)     the use of those services, systems, networks, apparatus and technology.

(2)     A competent authority may by Order provide for regulating the price at which those services, systems, networks, apparatus and technology may be supplied.

(3)     A provision made by Order under this Article may –

(a)     be made either –

(i)      in relation to telecommunication services, telecommunication systems and apparatus, cyber network and information systems and operational technology in general; or

(ii)      in relation to a particular description of those services, systems, networks, apparatus and technology; and

(b)     be made –

(i)      with respect to the supply, distribution, acquisition or use of the things referred to in sub-paragraph (a)(i) or described in sub-paragraph (a)(ii);

(ii)      for a particular purpose specified in the Order; or

(iii)     for all purposes.

(4)     An Order under this Article may empower a competent authority to give directions to –

(a)     persons carrying on business as a provider of telecommunication services, telecommunication systems or apparatus, or cyber network and information systems or operational technology, about the provision of those things;

(b)     a person carrying on business involving the use of those things, about the person’s use of those things for the purposes of that business.

(5)     A competent authority may by Order make provision for suspending, modifying or excluding a contractual obligation, or an obligation or restriction imposed by or under an enactment, that directly or indirectly affects the provision or use of telecommunication services, telecommunication systems or apparatus, or cyber network and information systems or operational technology, or for extending a power conferred by such an enactment.

(6)     In this Article –

“apparatus”, “telecommunication service” and “telecommunication system” have the same meanings as in the Telecommunications (Jersey) Law 2002;

“cyber network and information system” has the same meaning as “network and information system” as defined in Article 1 of the Cyber Security (Jersey) Law 202-;

“operational technology” has the same meaning as in Article 1 of the Cyber Security (Jersey) Law 202-.

4        Freedom of Information (Jersey) Law 2011

In Article 26A(2) of the Freedom of Information (Jersey) Law 2011, after sub-paragraph (o) there is inserted –

(p)     the Director appointed under Article 2 of the Cyber Security (Jersey) Law 202-;

(q)     an employee of the JCSC employed under that Article;

(r)      the Minister for Sustainable Economic Development, to the extent that the Minister is discharging a function under that Law.

5        Telecommunications (Jersey) Law 2002

In the Telecommunications (Jersey) Law 2002 –

(a)     in Article 24U(4), before sub-paragraph (a) there is inserted –

(aa)    the JCSC appointed under Article 2 of the Cyber Security (Jersey) Law 202-;

(ab)    the Director of the JCSC appointed under that Article;

(ac)    the Minister for Sustainable Economic Development, to the extent that the Minister is discharging a function under the Cyber Security (Jersey) Law 202-;

 


Page Last Updated: 22 Jan 2026