On June 14, 2022, the Government of Canada introduced Bill C-26, An Act Respecting Cyber Security, which would enact the Critical Cyber Systems Protection Act (the CCSPA) to establish a regulatory cyber security framework and improve baseline security for vital public systems and services.

The CCSPA will apply to certain classes of federally regulated entities (Designated Operators) that are involved in four priority sectors: finance, energy, telecommunications, and transport. It is proposed to address outstanding gaps in the current regulatory environment by allowing the Government to (i) designate critical Canadian services and systems and the parties responsible for their protection; (ii) ensure regulated parties are adequately protecting cyber systems and compel action in response to cyber threats; (iii) mandate the reporting of select cyber incidents; and (iv) ensure a cross-sectoral approach to cyber security.

To accomplish the Government’s goals, the CCSPA will impose new compliance and reporting duties on Designated Operators which, among other things, require them to:

  • establish a cyber security program that documents the protection plan for a critical cyber system;
  • mitigate supply chain and third-party service or product risks;
  • report cyber security incidents to regulators; and
  • keep compliance records.

The CCSPA provides the Governor in Council with enforcement powers to issue Cyber Security Directions (CSDs) that require Designated Operators to take certain suggested actions regarding the protection of a critical cyber system.  CSDs may be accompanied by specific deadlines and failure to comply may lead to administrative monetary penalties or regulatory offences resulting in fines or imprisonment.

Summary By: Imtiaz Karamat


22 06 29

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.