Canadian Cybersecurity Law Update: Bill C-26 Gains Momentum in the House of Commons

On February 1, 2024, the Standing Committee on Public Safety and National Security (Committee) began its study of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26 or Bill), nearly one year after it completed its second reading in the House of Commons.

On June 14, 2022, the government tabled Bill C-26. If it passes, it would enact the Critical Cyber Systems Protection Act (CCSPA or Act). The CCSPA imposes a series of cybersecurity-related obligations on private-sector entities in four federally regulated sectors: telecommunications, finance, energy and transportation. The Act would apply to industries providing “vital services” or “vital systems” as set out in Schedule 1 and classes of designated operators identified in Schedule 2 of the CCSPA.

The vital services and systems currently set out in Schedule 1 are:

The CCSPA would provide the Governor in Council (i.e., Federal Cabinet) with powers to add or remove sector-specific services and systems from Schedule 1.

The CCSPA would impose five key cybersecurity compliance obligations on designated operators:

  1. The CCSPA requires that designated operators implement a cybersecurity program with risk mitigation measures and a governance framework to identify and manage organizational risk in respect of its critical cyber systems. Critical cyber systems are defined in the CCSPA as cyber systems that, if their confidentiality, integrity or availability were compromised, could affect the continuity or security of one of the vital services or systems set out in Schedule 1.
  2. Designated operators would be obligated to identify cybersecurity risks in their supply chain or use of third-party products and services, and take reasonable steps to mitigate that risk, including steps prescribed by future regulation.
  3. Designated operators would also be required to report a “cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system. First, designated operators must “immediately” report a cybersecurity incident to the Canadian Security Establishment (CSE) in the manner prescribed by future regulation. Second, a designated operator must also notify its responsible regulator, such as the Minister of Industry or the Bank of Canada, “immediately after reporting a cybersecurity incident” to the CSE.
  4. Designated operators would be required to comply with any measure to protect a critical cyber system set out in a binding direction from the Governor in Council. Designated operators cannot disclose the contents or existence of such a direction.
  5. Designated operators would be required to keep records demonstrating the implementation of their cybersecurity program and reports of any cybersecurity incident. These records must be maintained within Canada.

The CCSPA would be enforced through an administrative monetary penalty scheme, to be developed further in regulation. The CCSPA authorizes a maximum penalty of C$15-million for designated operators and C$1-million for directors and officers. Non-compliance with certain provisions of the CCSPA may alternatively be prosecuted as an offence punishable with criminal fines and/or imprisonment. Furthermore, industry regulators will have expanded powers to compel information, conduct inspections of the premises of designated operators and issue notices of non-compliance to ensure compliance with the CCSPA.

In order to become law, Bill C-26 must complete its Committee study, pass a third reading in the House of Commons and three readings in the Senate. Although its future is uncertain, the compliance obligations required by the CCSPA represent cybersecurity best practices that most organizations should implement to strengthen their cybersecurity posture, protect critical assets and guard against third-party risk.

For more information, please contact: