Bill C-26, An Act Respecting Cyber Security, has made ponderous progress through the legislature; having had its first reading in the House of Commons in June 2022, took over two years to reach first reading in the Senate. Along the way, it has been altered to address the newly topically concern of foreign interference in Canadian affairs.

From the start, Bill C-26 has proposed amendments to the Telecommunications Act (with an eye to ensuring the security of Canada's telecommunications infrastructure) and tabled the Critical Cyber Systems Protection Act (the CCSPA, aimed at requiring operators of critical infrastructure in certain key sectors to reach a base level of cyber security preparedness).

The CCSPA in particular faced criticisms from many sides for imposing compliance costs considered high for small operators and unnecessary for larger, more mature organizations, and for a lack of transparency in the manner and fairness in which the law would be enforced.

Bill C-70's amendments to Bill C-26

While the Bill has made its slow journey through the legislative process, new security concerns have emerged following revelations about attempts by foreign governments to interfere with Canadian policy and lawmaking.

The federal government responded by tabling Bill C-70, the Countering Foreign Interference Act. C-70 was rushed through Parliament, having been tabled in early May 2024 and come into force in less than two months. One of the less reported effects of C-70 has been its amendments to the still-in-Senate Bill C-26. Among other things, Bill C-70 introduces the new Secure Administrative Review Proceedings (SARP) regime under the Canada Evidence Act, replacing the current judicial review process under the Telecommunications Act.

This new regime, which will also apply to compliance orders under the CCSPA, introduces special counsel to handle sensitive information during judicial reviews or appeals. These changes address due process concerns raised by critics of Bill C-26.

In sum, this change increases transparency for organizations affected by orders under the CCSPA, and allows for legal challenges to orders while at the same time protecting the sensitive information organizations are required to disclose to government under the CCSPA.

What's stayed the same?

The core goals and requirements implemented by the CCSPA remain unchanged.

In brief, the law aims to strengthen the resilience of Canada's critical infrastructure by ensuring that cyber security risks are effectively identified and managed. This includes addressing risks associated with supply chains and the use of third-party products and services. The CCSPA mandates that critical cyber systems be safeguarded against potential compromises, with mechanisms in place to detect cyber security incidents that could affect or threaten these systems.

Additionally, the CCSPA emphasizes minimizing the impacts of any cyber security incidents. The CCSPA is designed to strengthen cyber security within 'vital services and vital systems' listed in Schedule 1:

  • Telecommunications services
  • Interprovincial or international pipeline or power line systems
  • Nuclear energy systems
  • Transportation systems within the legislative authority of federal parliament
  • Banking systems
  • Clearing and settlement systems

Bill C-26 impacts Canadian businesses designated as operators of critical cyber systems. These operators must comply with new obligations, which are detailed below, and will pass on many of these obligations to their supply chains and third-party suppliers.

Cyber security program

Designated operators under the CCSPA are required to establish a cyber security program within 90 days of being designated. In compliance with applicable regulations, this program must include measures to:

  • Identify and manage organizational cyber security risks, including those arising from the supply chain and third-party products and services
  • Protect critical cyber systems from unauthorized access or disruptions
  • Detect cyber security incidents that affect or could affect critical cyber systems
  • Establish response plans to minimize the impact of cyber security incidents
  • Fulfill any additional requirements prescribed by regulation

Designated operators must submit cyber security programs to their regulator, conduct annual reviews, and notify the regulator of any amendments. They are also required to report material changes, including changes in ownership, control, supply chain, or the use of third-party products and services.

Mitigation of third-party risk

Designated operators must assess and mitigate risks from in its supply chain and third-party products and services. Operators must conduct risk assessments, ensure compliance with cyber security standards through contractual obligations and monitoring third-party practices.

Cyber security incident reporting

Operators must report cyber security incidents to the Communications Security Establishment (CSE) within 72 hours, and notify the appropriate regulator after reporting to the CSE including:

  • The Minister of Industry
  • The Minister of Transport
  • The Superintendent of Financial Institutions
  • The Bank of Canada
  • The Canadian Energy Regulator
  • The Canadian Nuclear Safety Commission

The CCSPA defines a cyber security incident as an incident, including an act, omission or circumstance, that interferes or may interfere with (a) the continuity or security of a vital service or vital system; or (b) the confidentiality, integrity or availability of the critical cyber system.

These reporting obligations are on top of other reporting requirements. For example, the Office of the Privacy Commissioner of Canada requires regulated organizations to notify them as soon as feasible if a breach involving personal information poses a real risk of significant harm. The Office of the Superintendent of Financial Institutions mandates that federally regulated financial institutions report any technology or cyber security incidents within 24 hours or sooner if possible.

Cyber security direction

The CCSPA allows for the issuance of cyber security directions, which mandate operators or groups of operators to implement measures that protect critical cyber systems. These directions may compel designated operators to take specific measures and conditions for the purpose of protecting critical cyber systems.

Additionally, the CCSPA permits information sharing between government agencies, regulators, and law enforcement for purposes related to issuing, amending, or revoking a cyber security direction for a designated operator.

Maintaining records

Designated operators must keep the following records:

  • Any steps taken to implement the designated operator's cyber security program
  • Every cyber security incident that the designated operator reported under the CCSPA
  • Any steps taken by the designated operator under section 15 of the CCSPA to mitigate any supply-chain or third-party risks
  • Any measures taken by the designated operator to implement a cyber security direction
  • Any matter prescribed by the regulations

Enforcement and penalties

Regulators will oversee compliance, reviewing organizations' cyber security practices and issuing penalties for non-compliance, including administrative monetary penalties of up to C$15 million for operators and C$1 million for directors. Regulators are also empowered to compel information and conduct inspections. Regulators may also order an operator to stop contravening the CCSPA or take any measure necessary to comply with requirements or mitigate the effects of non-compliance.

Breach of certain provisions of the CCSPA is punishable offense. Both individuals and corporations may face fines determined at the court's discretion. Additionally, individuals may be sentenced to up to two years for a summary conviction or up to five years for a conviction on indictment.

What's next?

Having been slow-walked through Parliament despites its ostensible (and, obviously, actual) importance to national security in an age of increasing threats and vulnerabilities, Bill C-26 may be shelved, at least in its current form, as opposition parties seek to bring down the Trudeau government and to prevent it from achieving any legislative "wins" before an election is called.

It is difficult to overstate how unfortunate this is, given how vulnerable Canada's critical infrastructure remains to cyber attacks from criminals and hostile nations alike. One can only hope the next government, however constituted, makes this law or one like it a legislative priority.