NJ A3283

Bill

NJ A3283

Requires businesses in financial, essential infrastructure, and health care industries to develop cybersecurity plans.

Introduced
01/13/2026

In Committee
01/13/2026

Crossed Over

Passed

Dead

Introduced Session

2026-2027 Regular Session

Bill Summary

This bill would require a sensitive business, defined as a business engaged in the financial, essential infrastructure, or healthcare industries to develop cybersecurity programs based on regulations to be adopted by the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) in the Office of Homeland Security and Preparedness. These requirements include updating cybersecurity programs to apply to all of the sensitive business' industrial control systems if applicable, reasonably conforming these programs to the most recent version of certain industry-recognized cybersecurity frameworks, and annually certifying compliance with these requirements. The bill would require sensitive businesses to submit their cybersecurity plans and revisions to the NJCCIC. The NJCCIC would be directed to audit any sensitive business that fails to submit a cybersecurity plan.

AI Summary

This bill requires businesses in the financial, essential infrastructure, and healthcare industries, referred to as "sensitive businesses," to develop and implement comprehensive cybersecurity programs. These programs must address industrial control systems, if applicable, and reasonably align with recognized cybersecurity frameworks like those from the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), or the International Organization for Standardization (ISO). Sensitive businesses will need to identify a responsible individual for cyber risk management, conduct risk assessments, implement controls, and maintain awareness of cyber threats. They must submit their cybersecurity plans and any revisions to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), a state entity within the Office of Homeland Security and Preparedness responsible for cybersecurity. Furthermore, these businesses must annually certify their compliance with these requirements, and the NJCCIC is empowered to audit any business that fails to submit a plan or certification, with the audits conducted at the business's expense. The bill defines key terms such as "cybersecurity incident," "industrial control system," and "information system" to clarify the scope of these new regulations.

Committee Categories

Business and Industry

Sponsors (1)

William Sampson (D)*,

Last Action

Introduced, Referred to Assembly Science, Innovation and Technology Committee (on 01/13/2026)

Official Document

https://www.njleg.state.nj.us/bill-search/2026/A3283

(2 Companion Bills)

Version:

Document Type	Source Location
State Bill Page	https://www.njleg.state.nj.us/bill-search/2026/A3283
BillText	https://pub.njleg.gov/Bills/2026/A3500/3283_I1.HTM

Bill	Bill Name	Last Action	Type
A2200	Requires businesses in financial, essential infrastructure, and health care industries to develop cybersecurity plans.	Introduced, Referred to Assembly Science, Innovation and Technology Committee	Carry Over
S3100	Requires businesses in financial essential infrastructure, and health care industries to develop cybersecurity plans and report cybersecurity incidents.	Referred to Senate Budget and Appropriations Committee	Carry Over

Bill > A3283

summary

Introduced Session

Bill Summary

AI Summary

Committee Categories

Sponsors (1)

Last Action

Official Document

bill text

bill summary

bill summary

bill summary