Cyber Security and Digital Risk in Jersey’s Construction Sector

A New Legal Era for Cyber Risk in Jersey

On 22 January 2026, the States Assembly approved the Cyber Security (Jersey) Law (the Cyber Security Law), marking one of the most significant regulatory shifts for Jersey’s digital and operational resilience in over a decade.

The law will come into force later in 2026 following Privy Council approval and introduces statutory duties for organisations designated as Operators of Essential Services (OES) across sectors including energy, water, transport, telecommunications, digital services, financial services, health, postal and courier services, food supply and public administration.

Although construction firms may not always be classified as OES, those delivering infrastructure, utilities, public facilities, digital assets, ports, hospitals, coastal defences or large scale housing will be operating within, and contracting with, OES organisations.

This introduces new contractual obligations, increased liability risk and stricter digital security requirements across the supply chain.
‍

What the Cyber Security Law Does

The Cyber Security Law establishes a statutory framework to strengthen Jersey’s cyber resilience through:

Legal recognition of the Jersey Cyber Security Centre

• The Single Point of Contact (SPOC) for cyber security matters.
• Jersey’s Computer Security Incident Response Team.

Mandatory requirements for OES

• Registration with the Centre.
• Implementation of proportionate cyber security measures.
• Reporting significant incidents within 24 hours.
• Co-operation with investigations and guidance.

Enforcement powers

• Civil penalties up to £10,000.
• Potential criminal sanctions.
• Oversight through audits and guidance.

‍

Why the Construction Sector Should Care

Many construction clients are OES

Projects involving hospitals, utilities, telecoms, infrastructure and public buildings will fall within the OES framework.

Construction firms hold sensitive digital information

• BIM models.
• Structural and MEP layouts.
• Site monitoring data.
• Drone footage.
• Digital safety logs.
• Infrastructure schematics.

Contractors form part of the supply chain

Cyber security expectations will extend across architects, engineers and contractors.

Cyber incidents now carry legal risk

• Project disruption.
• Safety system failures.
• Infrastructure risk.
• Confidential data exposure.
  ‍

Interplay with Data Protection (Jersey) Law 2018

The Cyber Security Law focuses on system security, while the Data Protection Law focuses on personal data and privacy. In many cases both will apply.

Examples include:

• Compromised BIM systems containing personal data.
• Hacked site access systems with identity data.
• Ransomware affecting project and HR systems.

This creates dual reporting obligations in certain cases.
‍

Contractual and Operational Implications

Construction firms should expect the following.

Updated contract clauses

• Cyber security warranties.
• Flow-down obligations.
• Secure BIM requirements.
• 24-hour incident reporting.
• Staff vetting and training.

Revised NEC/JCT schedules

• Employer’s Information Requirements.
• Digital management protocols.
• Security standards.

Data protection integration

Contracts must align both data protection and cyber security obligations.

Supply chain due diligence

Dual compliance expectations will apply across supply chains.
‍

Conclusion

The Cyber Security Law represents a significant shift, elevating cyber resilience to a statutory obligation.

For construction firms, this introduces new risks and responsibilities across digital systems, contracts and supply chains.

Businesses that prepare early and integrate cyber security and data protection frameworks will be better positioned to manage risk and compete effectively in Jersey’s evolving construction market. Contact BCR Law today to start your preparations.

‍