Government Bill C-26 for an Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts was introduced, on 14 June 2022, to the House of Commons of Canada, and passed its first reading on the same date. In particular, the bill is divided into two parts, with the first focusing on amendments to the Telecommunications Act 1993 ('Telecommunications Act'), and the second focusing on enacting the Critical Cyber Systems Protection Act.

Specifically, the first part of the bill would amend, among other things, the Telecommunications Act by adding security as a policy objective, and providing the Government with the legal authority to mandate action to secure Canada's telecommunications system. The bill would also establish an administrative monetary penalty scheme to promote compliance with orders and regulations made to secure the Canadian telecommunications system, as well as rules for judicial review of those orders and regulations.

The second part of the bill would enact the Critical Cyber Systems Protection Act which would provide a framework for the protection of the critical cyber systems of services and systems vital to national security or public safety. Additionally, this part of the bill would, among other things:

• authorise the Governor in Council to: 
  • designate any service or system as a vital service or system; and
  • establish classes of operators in respect of a vital service or system;
• require designated operators to: 
  • establish and implement cybersecurity programs; 
  • mitigate supply-chain and third-party risks; 
  • report cybersecurity incidents; and
  • comply with cybersecurity directions;
• provide for the exchange of information between relevant parties; and
• authorise the enforcement of obligations under the Critical Cyber Systems Protection Act and impose consequences for non-compliance.

This bill will apply to designated operators of federally regulated services and systems in four priority sectors: finance, energy, telecommunications, and transport, which currently includes telecommunication services, nuclear energy systems, and banking systems.

You can read the press release here, as well as read the bill and track its progress here.

UPDATE (30 March 2023)

Bill passes second reading in House of Commons and proceeds to Committee

The bill passed, on 27 March 2023, its second reading in the House of Commons, and was thereafter referred, on the same date, to the Standing Committee on Public Safety and National Security.

You can read the bill here and track its progress here.

UPDATE (22 APRIL 2024)

Bill passes Committee consideration

On 19 April 2024, the bill passed the Standing Committee on Public Safety and National Security consideration. In particular, the Committee presented its report with proposed amendments to the bill. 

In particular, the Committee proposed, under the definition of confidential information, to add the following: 'de-identify means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains. Personal information has the same meaning as in Section 3 of the Privacy Act.'

You can read the bill here, the Committee report here, and track the bill's progress here.

UPDATE (24 JUNE 2024)

Bill passes first reading in Senate

On 19 June 2024, the bill completed its first reading in the Senate after passing its third reading in the House of Commons on the same date.

You can read the bill here and track its progress here.