Bill C-26: A strengthening of Canada’s cyber security through mandatory reporting of cyber incidents

June 20, 2022 | David Krebs, Jessica Modafferi

With the continuing threats posed by cyber criminals, state-sponsored attacks, and other cybersecurity issues, the Canadian government has taken steps in line with those recently taken by the US government to protect and maintain oversight over critical infrastructure. On Tuesday, June 14, 2022, Canada’s Minister of Public Safety introduced Bill C-26, An Act respecting cyber security. The proposed legislation amends Canada’s Telecommunications Act and introduces the Critical Cyber Systems Protection Act in an effort to bolster cyber security across federally regulated essential infrastructure.

The proposed amendments are aimed at protecting the continuity and security of the telecommunications, finance, energy and transportation sectors. Operators in these sectors will be required to establish a cyber security program in respect of their critical cyber systems. These programs must take reasonable steps to detect and minimize cyber security incidents, and to manage organizational risks, such as risks associated with the supply chain and the use of third-party products and services. Notably, Bill C-26 provides that the Minister may prohibit the use of certain service providers that are deemed to pose a high risk to cyber security.

Bill C-26 also emphasizes breach reporting requirements. A cyber security incident in respect of any critical cyber system must be reported immediately to the Communications Security Establishment. Upon receiving a cyber security incident report, the Communications Security Establishment will verify compliance and may take actions to prevent non-compliance with legislation. Non-compliant operators may then face administrative monetary penalties, summary convictions and convictions on indictment, which further highlights the importance of the Minister of Public Safety’s policy on cyber security.

The mandatory reporting requirements of Bill C-26 are in line with the recent strengthening of provincial amendments to privacy legislation, and in anticipation of Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act, the successor to Bill C-11, which was announced on June 16, 2022. In Quebec, Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, requires both private and public entities that experience a confidentiality incident that presents a risk of serious injury to keep registers of the incidents and to provide their reports to the Commission d’accès à l’information.

Key Takeaway

Although Bill C-26 has not yet received royal assent, the Minister of Public Safety has made it clear that businesses in the telecommunications, finance, energy and transportation sectors should be mindful of prioritizing the implementation of recognized cyber security practices, as doing so will ensure that they don’t run afoul of data protection legislation. Increasing mandatory breach requirements, both at the federal and provincial levels, further demonstrate the increasing role of Government in the handling of cyber security incidents.

If you have any questions about your organization’s cyber security practices, please reach out to a member of Miller Thomson’s Cybersecurity Group.

