Cybersecurity · Canada

Cybersecurity regulation in Canada (2026)

Sectoral rules: No comprehensive cross-sector cyber law is yet in force; obligations are sectoral — PIPEDA mandatory breach reporting (Office of the Privacy Commissioner), OSFI Guideline B-13 for federally regulated financial institutions, and telecom rules — while the comprehensive Critical Cyber Systems Protection Act (CCSPA) advances as Bill C-8.

Country index 75 · B+

As of May 2026, Canada has no single comprehensive cybersecurity statute in force; cybersecurity duties arise from sector-specific instruments and the privacy-breach regime under PIPEDA. A comprehensive framework, the Critical Cyber Systems Protection Act, which Bill C-8 (the successor to the lapsed Bill C-26) would enact, is before the Senate but has not received Royal Assent. Until C-8 is law, regulated entities rely on PIPEDA breach reporting, OSFI's technology/cyber guidance for financial institutions, and telecommunications security measures.

Key points

Comprehensive law still pending (C-8/CCSPA)

Bill C-8 enacts the Critical Cyber Systems Protection Act, imposing mandatory cyber programs and incident reporting on designated operators in telecom, finance, energy and transport, plus Telecommunications Act amendments. It passed Third Reading in the House on March 26, 2026 and is before the Senate; it has not yet received Royal Assent, so the CCSPA is not in force.

Predecessor Bill C-26 lapsed

The near-identical Bill C-26 passed both chambers in late 2024 but died on prorogation in January 2025; the government reintroduced it as Bill C-8 on June 18, 2025.

PIPEDA mandatory breach reporting (in force)

Since November 1, 2018, organizations subject to PIPEDA must report to the OPC and notify affected individuals of any breach of security safeguards posing a 'real risk of significant harm,' as soon as feasible, and must keep records of all breaches for 24 months. Knowing contravention is an offence subject to fines.

Financial sector — OSFI Guideline B-13

Guideline B-13 (Technology and Cyber Risk Management) took effect January 1, 2024 for federally regulated financial institutions, covering governance, operations/resilience, cyber security, and third-party/cloud risk. FRFIs must report cyber incidents to OSFI under its Technology and Cyber Security Incident Reporting Advisory.

Telecommunications security

Bill C-8's Telecommunications Act amendments would give the government formal authority to direct telecom providers to secure networks against threats; pending enactment, telecom security relies on existing measures and the prior policy direction barring high-risk vendors.

Federal coordination body

The Canadian Centre for Cyber Security (Cyber Centre), part of the Communications Security Establishment, is the national technical authority that issues guidance and would receive CCSPA incident reports once Bill C-8 is in force.

Timeline - major decisions & events

Mar 26, 2026 · law · official
Bill C-8 passes House of Commons, moves to Senate

After substantive committee amendments, the cyber security bill (which enacts the Critical Cyber Systems Protection Act and amends the Telecommunications Act) cleared Third Reading in the House and proceeded to the Senate, the final step before Canada's first mandatory critical-infrastructure cyber regime becomes law.

Parliament of Canada (LEGISinfo)

Jun 18, 2025 · law · official
Bill C-8 introduced, reviving cyber-security reform

The Carney government re-tabled the lapsed C-26 provisions as Bill C-8, enacting the Critical Cyber Systems Protection Act to require designated operators in telecom, finance, energy, transport and nuclear to run cyber programs, mitigate supply-chain risk, and report incidents.

Parliament of Canada

Feb 6, 2025 · guidance · official
Canada releases 2025 National Cyber Security Strategy

Public Safety Canada launched a new NCSS with a whole-of-society approach, backed by an initial $37.8M over six years and a new Canadian Cyber Defence Collective, replacing the 2018 strategy as the framework for protecting critical infrastructure.

Public Safety Canada

Jan 6, 2025 · law · official
Prorogation kills Bills C-26 and C-27

Parliament was prorogued, causing the cyber-security bill C-26 (CCSPA) and the privacy/AI bill C-27 (CPPA, AIDA) to die on the Order Paper, leaving Canada operating under PIPEDA (2000) with no enacted critical-infrastructure cyber law.

Parliament of Canada (LEGISinfo)

Feb 15, 2024 · enforcement · official
Privacy Commissioner's special report on CRA/GCKey attacks

The OPC tabled a special report to Parliament finding CRA and ESDC failed to adequately safeguard personal information during the 2020 credential-stuffing attacks, sharpening expectations for federal cyber safeguards and breach handling.

Office of the Privacy Commissioner of Canada

Jul 13, 2022 · guidance · official
OSFI finalizes Guideline B-13 on technology and cyber risk

Canada's banking and insurance regulator issued binding expectations for federally regulated financial institutions across governance, technology resilience and cyber security (effective Jan 1, 2024), establishing the sector's core cyber obligations.

OSFI

Aug 15, 2020 · incident
GCKey/CRA credential-stuffing attacks

Credential-stuffing attacks compromised tens of thousands of Government of Canada online accounts via GCKey and CRA portals, enabling CERB fraud and exposing weaknesses that drove later reforms and an $8.7M class-action settlement.

CBC News

Aug 1, 2019 · law · official
Communications Security Establishment Act in force

Part of the National Security Act 2017, the CSE Act gave Canada's signals-intelligence agency explicit cyber-security, defensive and active cyber-operations mandates, the statutory backbone for federal cyber defence.

Communications Security Establishment

Nov 1, 2018 · law · official
PIPEDA mandatory breach notification takes effect

Under the Breach of Security Safeguards Regulations (SOR/2018-64), private-sector organizations must report breaches posing a real risk of significant harm to the Privacy Commissioner, notify affected individuals, and keep breach records for 24 months.

Canada Gazette

Oct 1, 2018 · guidance · official
Canadian Centre for Cyber Security established

Under the 2018 National Cyber Security Strategy, Canada consolidated federal cyber operations into a single Cyber Centre within CSE, creating the national authoritative source for cyber guidance, advisories and incident response.

Canadian Centre for Cyber Security

Apr 13, 2000 · law · official
PIPEDA enacted, establishing security-safeguard duty

The Personal Information Protection and Electronic Documents Act became Canada's foundational private-sector privacy law, requiring organizations to protect personal information with safeguards appropriate to its sensitivity, the bedrock cyber obligation still in force.

Justice Laws Website

Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.