This story has been updated. Please see the most recent update below.

Government Bill C-26 for an Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts was introduced, on 14 June 2022, to the House of Commons of Canada, and passed its first reading on the same date. In particular, the bill is divided into two parts, with the first focusing on amendments to the Telecommunications Act 1993 ('Telecommunications Act'), and the second focusing on enacting the Critical Cyber Systems Protection Act.

Specifically, the first part of the bill would amend, among other things, the Telecommunications Act by adding security as a policy objective, and providing the Government with the legal authority to mandate action to secure Canada's telecommunications system. The bill would also establish an administrative monetary penalty scheme to promote compliance with orders and regulations made to secure the Canadian telecommunications system, as well as rules for judicial review of those orders and regulations.

The second part of the bill would enact the Critical Cyber Systems Protection Act which would provide a framework for the protection of the critical cyber systems of services and systems vital to national security or public safety. Additionally, this part of the bill would, among other things:

• authorise the Governor in Council to: 
  • designate any service or system as a vital service or system; and
  • establish classes of operators in respect of a vital service or system;
• require designated operators to: 
  • establish and implement cybersecurity programs; 
  • mitigate supply-chain and third-party risks; 
  • report cybersecurity incidents; and
  • comply with cybersecurity directions;
• provide for the exchange of information between relevant parties; and
• authorise the enforcement of obligations under the Critical Cyber Systems Protection Act and impose consequences for non-compliance.

This bill will apply to designated operators of federally regulated services and systems in four priority sectors: finance, energy, telecommunications, and transport, which currently includes telecommunication services, nuclear energy systems, and banking systems.

You can read the press release here, as well as read the bill and track its progress here.

Updated: March 30, 2023

Bill passes second reading in House of Commons and proceeds to Committee

The bill passed, on 27 March 2023, its second reading in the House of Commons, and was thereafter referred, on the same date, to the Standing Committee on Public Safety and National Security.

You can read the bill here and track its progress here.

Updated: April, 22 2024

Bill passes Committee consideration

On 19 April 2024, the bill passed the Standing Committee on Public Safety and National Security consideration. In particular, the Committee presented its report with proposed amendments to the bill. 

In particular, the Committee proposed, under the definition of confidential information, to add the following: 'de-identify means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains. Personal information has the same meaning as in Section 3 of the Privacy Act.'

You can read the bill here, the Committee report here, and track the bill's progress here.

Updated: June 24, 2024

Bill passes first reading in Senate

On 19 June 2024, the bill completed its first reading in the Senate after passing its third reading in the House of Commons on the same date.

You can read the bill here and track its progress here.

Updated: October 1, 2024

Bill proceeds to second reading in Senate 

On 19 September 2024, the bill proceeded to the second reading in the Senate.

You can read the bill as passed by the House of Commons here and track its progress here.

Updated: October 25, 2024

Bill completes second reading in Senate

On 23 October 2024, the bill completed its second reading in the Senate.

You can read the bill as passed by the House of Commons here and track its progress here.

Updated: October 31, 2024

Bill completes second reading in Senate

On 28 October 2024, the bill proceeded to the committee consideration stage with the Standing Senate Committee on National Security, Defence and Veterans Affairs.

You can read the bill as passed by the House of Commons here and track its progress here.

Updated: November, 19 2024

OPC appears before Senate Committee

On 19 November 2024, the Office of the Privacy Commissioner (OPC) announced that the OPC appeared before the Standing Senate Committee on National Security, Defence and Veterans Affairs to assist the Committee in its study of the bill. The OPC noted, among other things, that stronger cybersecurity protections promote privacy by reducing the likelihood and impact of data breaches.

You can read the press release here, the bill as passed by the House of Commons here, and track its progress here.