Bill C-26: Advancing towards cybersecurity governance in Canada

On September 19, the Senate commenced its second reading of Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, marking a significant step forward in the legislative process since Bill C-26 was initially introduced by the House of Commons in 2022. 

The recent progression of Bill C-26 signals Canada is nearing the establishment of its first-ever legislative framework specifically aiming to bolster cybersecurity across the critical cyber infrastructure sector. Bill C-26, if passed, would establish a new cybersecurity compliance regime by amending the Telecommunications Act and enacting the Critical Cyber Systems Protection Act (CCSPA) (together, the Acts). In addition, Bill C-26 would grant additional powers to the Governor in Council (governor) and the Minister of Industry (minister) and establish an administrative monetary penalty scheme to promote compliance with the Acts.

Bill C-26’s proposed changes will impact certain private-sector organizations in the federally regulated critical infrastructure space. This legal update summarizes Bill C-26’s proposed changes and recommends how organizations can prepare for these potential requirements. 

For a more in-depth discussion on Bill C-26, please read our previous legal update here.

Part I: Amendments to the Telecommunications Act 

Under Bill C-26, the Telecommunications Act will be amended to promote the security of the Canadian telecommunications system. Changes proposed will grant the governor and minister powers to make new orders, inspect, and enforce any actions on telecommunications service providers (TSP) deemed necessary to protect the telecommunications system.

Examples of actions the governor may take include: prohibiting a TSP from using or providing certain products and services that may cause security risks, prohibiting a TSP from providing services to specific persons, including other TSPs, or even suspend services for a specified time. The governor will also have power to make regulations relating to orders given by the minister, including orders that prohibit, suspend or impose conditions on the provision of telecommunication services.

Failure to comply with these orders or regulations may result in administrative money penalties of up to C$10 million for each day of non-compliance, and up to C$15 million each day for subsequent contraventions.

Part II: Introduction of the Critical Cyber Systems Protection Act (CCSPA)

The CCSPA establishes a cybersecurity compliance regime for federally regulated critical cyber infrastructure. If passed, the CCSPA not only requires an operator to implement a cyber-security program meeting the CCSPA's stated purposes, but also gives the governor wide authority to direct operators to comply with any measure for the purpose of protecting a critical cyber system. Additionally, if any cybersecurity risks associated with the operator’s supply chain or its use of third-party products and services is identified, the operator must take reasonable steps to mitigate those risks. 

The CCSPA also addresses cybersecurity incidents, which are defined as incidents, including acts, omissions or circumstances, that interfere or could interfere with the continuity or security of vital services and systems, or the confidentiality, integrity or availability of the critical cyber systems. In the event of a cybersecurity incident, the CCSPA imposes mandatory notification obligations to the Communications Security Establishment (CSE) and the operator’s responsible regulator.

Designated operators should also be prepared to disclose confidential information to the federal government upon request from their regulator, minister or the CSE, should it be pertinent to protecting national security.

Who will Bill C-26 apply to?

Part I of Bill C-26 has a wide scope and applies to TSPs and any transmission facilities of a Canadian carrier, including but not limited to: local voice service providers, voice-over-IP service providers, internet service providers, long distance service providers, and wireless and payphone service providers.

Part II of Bill C-26 applies to a class of designated operators who carry on work in “critical cyber systems” in the federally regulated private sector, and whose work is subject to federal jurisdiction. Per Schedule 1 of the CCSPA, these vital services or systems include: 

• Telecommunications services;
• Interprovincial or international pipeline and power line systems; 
• Nuclear energy systems; 
• Transportation systems under federal jurisdiction; 
• Banking systems; and 
• Clearing and settlement systems.

What should organizations do to prepare for Bill C-26?

As Bill C-26 continues to progress through the Senate, organizations captured by the Acts should start taking the following steps: 

• Assess whether they are an “operator” subject to the CCSPA or similarly, whether any of its customers, clients, vendors or third-party stakeholders are likely to be subject to the CCSPA;
• Assess their current cybersecurity programs against the stated purposes of the CCSPA, ensuring compliance with the CCSPA’s stated requirements within 90 days of being classified as a designated “operator”; 
• Introduce a third-party cyber risk management program that assists in assessing and mitigating supply chain and third-party cyber risks or assess existing third-party cyber risk management programs to ensure such risks are mitigated as much as possible;
• Develop a process to ensure that cybersecurity programs are regularly assessed and stay up-to-date and, if passed, consistent with the Acts’ regulations;
• Implement a program to ensure employees are provided with ongoing cybersecurity training and ensure the training programs are compliant with industry standards;
• Establish a response plan in the event of future cybersecurity incidents; and
• Consult with legal advisors and third-party cybersecurity experts to implement industry best practices. 

Bill C-26 could significantly enhance Canada’s cybersecurity landscape. While not yet in force (Bill C-26 must pass second and third reading in the Senate to become law), organizations captured by Bill C-26 should turn their minds to the upcoming requirements and implement cybersecurity best practices to strengthen their cybersecurity posture and safeguard against third-party threats. 

We will continue to provide further updates as Bill C-26 makes its way through the legislative process.