
Bill C-26: A New Chapter in Canadian Cybersecurity Regulation

December 24, 2024 Privacy & Data Protection Bulletin 6 minute read

[Editor’s note: prior to the passage of Bill C-26, a drafting error was identified and the bill was remitted to the House of Commons to resolve the error. Progress on the bill was subsequently frozen when Parliament was prorogued on January 6, 2025. This bulletin has been revised to address this development.]

A new era of cybersecurity is on the horizon for federally regulated organizations. But we will need to wait a little while longer for it to arrive.

Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (“Bill C-26”) was in a position to be passed by Parliament in early December.[1]

As reported by the CBC, a technical drafting error was caught while the bill was in the Senate, causing the bill to be remitted to the House of Commons for another vote. The error was technical in nature; both the House of Commons and Senate have demonstrated approval for the substantive content of the bill. Therefore, Bill C-26 may still pass in close to its current form at a future date. Whether that is when Parliament reconvenes on March 24, or after a federal election, is yet to be seen.

As we wrote when the bill was first introduced, the bill has two primary components: (1) amendments to the Telecommunications Act and (2) the enactment of the Critical Cyber Systems Protection Act (“CCSPA”), which would create a host of new cybersecurity requirements for certain federally regulated organizations. We will summarize these in turn.

PART ONE: AMENDMENTS TO THE TELECOMMUNICATIONS ACT

Who will be impacted?

Bill C-26’s amendments to the Telecommunications Act would give the federal government legal authority to ban Canadian telecommunications service providers (“TSPs”) from using certain suppliers deemed to be “high-risk.” The amendments would enable the federal government to follow through on its stated intention to ban Huawei and ZTE from participating in 5G networks, and require telecom companies to remove or terminate any existing 4G equipment provided by the companies by the end of 2027.

These amendments would primarily impact TSPs and other companies in the telecommunications supply chain.

What would the amendments actually do?

Bill C-26’s amendments to the Telecommunications Act would introduce a new objective to the Canadian Telecommunications Policy: promoting the security of the Canadian telecommunications system.

To achieve this objective, the amendments would empower the Governor in Council and the Minister of Industry with authority to (a) prohibit TSPs from using products or services provided by specified persons; or (b) direct a TSP to remove all products provided by a specified person from its telecommunications networks or telecommunications facilities.[2] The amendments would also empower the Minister of Industry to make various other types of orders, if the Minister believes on reasonable grounds that such orders are necessary to secure the Canadian telecommunications system.[3]

In terms of enforcement, Bill C-26 would establish an administrative monetary penalty framework for the Telecommunications Act, with fines reaching up to $10 million for organizations for initial violations and $15 million for subsequent breaches.[4] The amendments would also provide guidelines for judicial reviews of these orders.

Importantly, while the bill would grant significant powers to the government to intervene in TSP operations on national security grounds, it explicitly states that no compensation will be provided for financial losses incurred due to these government orders.

What’s new? 

When first introduced, Bill C-26 attracted criticism for giving the government unfettered discretion to impose obligations on TSPs. As the bill progressed through Parliament, various conditions were added to ensure the government’s new powers are exercised in a proportionate manner. For example:

  • The Minister of Industry or Governor in Council would only be permitted to make an order (i) on reasonable grounds of belief that such an order is necessary; (ii) after appropriate consultation;[5] (iii) after due consideration of various factors (including the financial and operational impact on the TSP and telecommunications services in general);[6] and (iv) if that order is reasonable to the gravity of the relevant threat.[7]
  • The Minister would not be permitted to order a TSP to intercept private communications.[8]
  • While orders may be made in secret (i.e., with a non-disclosure obligation imposed on the TSP),[9] if the Minister makes such an order, it must notify the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency.[10]
  • The Minister must submit an annual report detailing, among other things, the orders that have been made in the last year.[11]

PART TWO: ENACTMENT OF THE CCSPA

Who will be impacted?

The CCSPA would create new cybersecurity obligations for designated operators managing vital services or systems. Currently, Schedule 1 of the bill lists the following as vital services and vital systems that will be subject to this framework:

  • Telecommunications services;
  • Interprovincial or international pipeline and power line systems;
  • Nuclear energy systems;
  • Transportation systems that are within the legislative authority of Parliament;
  • Banking systems; and
  • Clearing and settlement systems.

The designated operators to which the CCSPA would apply have yet to be specified. Any companies operating in the above-listed industries may be designated in the future, and should be aware of their potential cybersecurity obligations under the CCSPA.

What does the CCSPA actually do?

The CCSPA would create new obligations for designated operators to:

  • establish a cyber security program in accordance with regulations, notify the appropriate regulator and provide a copy of the program to the appropriate regulator within 90 days of becoming a designated operator;[12]
  • take any steps to mitigate supply-chain risks identified by the cyber security program;[13]
  • within a time period to be set by regulation (not to exceed 72 hours), report any cyber security incidents in respect of critical cyber security systems to the Communications Security Establishment, and notify the appropriate regulator of the incident;[14]
  • comply with cyber security orders imposed by the Governor in Council;[15] and
  • maintain certain records in accordance with regulations.[16]

The CCSPA would also empower the Governor in Council to direct designated operators to comply with any measure for the purpose of protecting a critical cyber system.[17]

The CCSPA would also allow for the exchange of information between various government entities for purposes related to a cyber security direction,[18] and prohibit the unauthorized disclosure of sensitive confidential information in respect of a critical cyber system.[19]

In terms of enforcement, the CCSPA would empower certain regulators (including the Office of the Superintendent of Financial Institutions (OSFI), the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canadian Energy Regulator, and the Minister of Transport) with the ability to investigate, make orders, and issue significant penalties for non-compliance (up to $1 million for individuals or $15 million in any other case).[20]

What’s new?

Since Bill C-26 was first introduced, various conditions have been added to ensure the government’s new powers under the CCSPA are exercised in a proportionate manner. Many of these are similar to those added under Part 1 of the bill. For example:

  • Orders from the Governor in Council would only be permitted (i) on reasonable grounds of belief that such an order is necessary;[21] (ii) with due consideration to various factors (including operational and financial impact on designated operators, impact on public safety, and impact on delivery of vital services and systems);[22] and (iii) with notice provided to the National Security and Intelligence Committee and National Security and Intelligence Review Agency.[23]
  • The Governor in Council would not be permitted to order a designated operator to intercept private communications.[24]
  • New protections for confidential information of designated operators.[25]

Conclusion and Takeaways

Given the general support for the substantive content of Bill C-26 among Canada’s political parties, it will likely be passed in the future in close to its current form. This could occur when Parliament reconvenes in late March, or during the next parliamentary session. For the time being, we cannot be sure.

The passage of Bill C-26 would mark a significant shift in Canada’s cybersecurity landscape, introducing substantial new powers and obligations across two main pillars. First, through amendments to the Telecommunications Act, the government gains authority to intervene in telecommunications infrastructure on national security grounds, including the ability to ban high-risk suppliers and mandate equipment removal – though with new safeguards to ensure proportionate exercise of these powers. Second, through the CCSPA, designated operators in vital sectors like banking, telecommunications, and transportation will face new cybersecurity program requirements and incident reporting obligations, backed by significant penalties for non-compliance.

For businesses operating in the affected sectors, the implications are substantial and require careful attention. Organizations should begin preparing for compliance by reviewing their cybersecurity programs, incident response procedures, and supply chain relationships. While Bill C-26 includes important checks and balances on governmental authority and protections for confidential information, the potential for substantial financial penalties (up to $15 million) and the lack of compensation for losses resulting from government orders underscore the need for proactive risk management. As we await the bill’s formal passage and implementation, affected organizations would be wise to start mapping out their compliance strategy and considering how these new requirements will integrate with their existing security and risk management frameworks.

[1] Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, full text available here. [Bill C-26]
[2] Telecommunications Act, sections 15.1 (1) and 15.2 (1), as amended by Bill C-26.
[3] Telecommunications Act, section 15.2 (2), as amended by Bill C-26.
[4] Telecommunications Act, section 72.131, as amended by Bill C-26.
[5] Telecommunications Act, sections 15.1 (1) and 15.2 (1) and (2), as amended by Bill C-26.
[6] Telecommunications Act, sections 15.1 (2.1) and 15.2 (3.1), as amended by Bill C-26.
[7] Telecommunications Act, sections 15.1 (1.1) and 15.2 (2.1), as amended by Bill C-26.
[8] Telecommunications Act, section 15.2 (2.2), as amended by Bill C-26.
[9] Telecommunications Act, sections 15.1 (2) and 15.2 (3), as amended by Bill C-26.
[10] Telecommunications Act, section 15.22, as amended by Bill C-26.
[11] Telecommunications Act, section 15.21, as amended by Bill C-26.
[12] Critical Cyber Systems Protection Act, section 9(1), as enacted by Bill C-26. [CCSPA]
[13] CCSPA, section 15.
[14] CCSPA, sections 17-19.
[15] CCSPA, section 20.
[16] CCSPA, section 30.
[17] CCSPA, section 20.
[18] CCSPA, section 23.
[19] CCSPA, section 26.
[20] CCSPA, sections 32-85; 88-134.
[21] CCSPA, section 20.
[22] CCSPA, section 20 (2.1).
[23] CCSPA, section 20 (4).
[24] CCSPA, section 20 (5).
[25] CCSPA, sections 23(2), 26(3), 28(2),

by Robbie Grant

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024
