Canada Tightens Cyber Rules for Critical Services

Full Title: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

Summary

This federal bill (C-26) creates new cyber security rules for key services and gives the government tools to manage urgent threats. Part 1 amends the Telecommunications Act to let the government order telecom companies to remove or stop using risky products and to follow security directions. Part 2 creates the Critical Cyber Systems Protection Act (CCSPA), which sets baseline cyber rules for operators of vital services and systems and allows binding cyber directions in emergencies.

  • New power to order telecom providers to ban or remove specified vendors or products to protect networks (Bill Part 1, s.15.1(1), s.15.2(2)).
  • Mandatory cyber programs, supply‑chain risk controls, and 72‑hour incident reporting for “designated operators” in vital sectors (CCSPA s.9, s.12, s.15).
  • Large penalties for non‑compliance, including up to $15,000,000 for companies (Telecommunications Act AMPs; CCSPA AMPs).
  • Some orders can be secret and are exempt from the usual prepublication rules, with annual reporting to Parliament and notification to review bodies (Bill Part 1, s.15.1(2), s.15.2(3), s.15.3, s.15.8; CCSPA s.20(4), s.93).
  • No federal compensation for losses that telecom providers incur from security orders (Bill Part 1, s.15.1(6), s.15.2(7)).

What it means for you

  • Households and consumers

    • Your telecom, banking, energy, or transport providers may change systems or vendors to meet new security orders or directions; the government must consider service impacts on consumers before issuing CCSPA directions (Bill Part 1, s.15.1(2.1), s.15.2(3.1); CCSPA s.20(2.1)(d)).
    • You will not receive incident reports directly; reports go to the Communications Security Establishment (CSE) and regulators (CCSPA s.15–16).
  • Workers at covered companies

    • Your employer may roll out a cyber security program within 90 days of designation, with ongoing reviews, audits, and record‑keeping (CCSPA s.9–11, s.34–35).
    • Staff may have to support inspections, internal audits, and provide information to regulators (CCSPA s.37–38, s.43–45, s.59–60, s.67–71, s.76–82).
  • Businesses (telecoms; banks; pipelines and power lines; nuclear; federally regulated transport; clearing and settlement)

    • Telecom providers can be ordered to stop using, remove, or avoid upgrading specified products and services, terminate contracts, or submit plans and reviews (Bill Part 1, s.15.1(1), s.15.2(2)(a)–(n)).
    • “Designated operators” must establish, implement, and maintain a cyber program; mitigate supply‑chain and third‑party risks; report cyber incidents to CSE within a period set by regulation (no more than 72 hours); and notify their regulator (CCSPA s.9, s.12, s.15–16).
    • You must keep certain records in Canada and provide information on request to verify compliance (CCSPA s.34–35, s.33).
    • Directors and officers can be personally liable for violations or offences they direct or allow (CCSPA s.64; Bill Part 1, s.73(3.2)).
  • Vendors and third‑party service providers to covered sectors

    • Customers may impose stricter security terms, audits, or terminate agreements to meet supply‑chain mitigation duties or government directions (CCSPA s.12; Bill Part 1, s.15.2(2)(e)–(f)).
  • Government and oversight

    • Some orders may be confidential; the Minister must report annually to Parliament and notify the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency (Bill Part 1, s.15.3, s.15.8; CCSPA s.20(4), s.93).
    • Judicial review is allowed but can rely on secret evidence, with summaries provided to the applicant (Bill Part 1, s.15.9; CCSPA s.92).
  • Timing

    • Many details (who is a “designated operator,” reporting timelines within the 72‑hour cap, program standards) will be set later by regulation or order‑in‑council (CCSPA s.6–7, s.10, s.86; Bill Part 1, s.15.7, s.15.10).
    • Part 2 (CCSPA) comes into force on dates set by the Governor in Council (CCSPA “Coming into Force”).

Expenses

Estimated net cost: Data unavailable.

  • Fiscal note or departmental costing: Data unavailable.
  • Explicit appropriations in the bill text: None. The bill carries a Royal Recommendation for appropriations but does not state dollar amounts (Recommendation; Bill preamble).
  • Cost recovery and fees:
    • OSFI must include CCSPA administration in its annual expense assessments, which are recovered from regulated financial institutions (Office of the Superintendent of Financial Institutions Act s.23(1) as amended).
    • CNSC is authorized to charge and spend fees for services under other Acts, which can include CCSPA activities (Nuclear Safety and Control Act s.21(1.1)–(3) as amended).
  • Penalties and revenues:
    • Telecom AMPs: up to $10,000,000 per violation for companies; $15,000,000 for subsequent violations; individuals up to $25,000 then $50,000 (Bill Part 1, AMPs section).
    • CCSPA AMPs: up to $1,000,000 for individuals; up to $15,000,000 for others; proceeds payable to the Receiver General (CCSPA s.56–57, s.62(3)).
  • Mandated private‑sector costs (unfunded):
    • Establishing and maintaining cyber programs within 90 days of designation; recurring reviews; supply‑chain risk mitigation; reporting; audits; record‑keeping; potential equipment removal (CCSPA s.9–12, s.15–16, s.28–35; Bill Part 1, s.15.1–15.2).
    • No Crown compensation for telecom providers’ financial losses from security orders (Bill Part 1, s.15.1(6), s.15.2(7)).

Proponents' View

  • Sets baseline cyber hygiene across vital sectors by requiring risk management, supply‑chain controls, incident detection, and rapid reporting (within a regulated period capped at 72 hours) (CCSPA s.9, s.12, s.15).
  • Enables fast, targeted intervention against high‑risk vendors or products in telecom networks, reducing threats of interference or disruption (Bill Part 1, s.15.1(1), s.15.2(2)).
  • Aligns enforcement with strong deterrents: high administrative penalties and director/officer liability to promote compliance (Bill Part 1 AMPs; CCSPA s.56–57, s.64).
  • Improves coordination by allowing secure information sharing among security agencies and regulators, while preserving the Privacy Act and confidentiality rules (Bill Part 1, s.15.6–15.7; “Privacy Act not affected”; CCSPA s.25–33).
  • Builds in oversight: annual ministerial reports to Parliament, and notification to NSICOP and NSIRA for confidential orders or directions (Bill Part 1, s.15.3, s.15.8; CCSPA s.20(4), s.93).
  • Requires decision‑makers to weigh operational, financial, and consumer service impacts before issuing orders or directions (Bill Part 1, s.15.1(2.1), s.15.2(3.1); CCSPA s.20(2.1)).

Opponents' View

  • Grants broad, discretionary powers to order companies to “do anything” or stop doing anything deemed necessary, with gag orders and exemption from normal regulatory publication; risks overreach and weak transparency (Bill Part 1, s.15.2(2)(m), s.15.1(2), s.15.2(3), s.15.5; CCSPA s.22–24).
  • Imposes potentially large, immediate compliance costs (90‑day setup of cyber programs; mandatory mitigations) without federal compensation, especially for telecom equipment removals (CCSPA s.9–12; Bill Part 1, s.15.1(6), s.15.2(7)). Net cost to firms and possible knock‑on effects on prices are not quantified (Data unavailable).
  • Uses secret evidence in judicial review, which may limit an applicant’s ability to challenge orders effectively (Bill Part 1, s.15.9; CCSPA s.92).
  • Scope and burden are uncertain until regulators designate classes of operators and set detailed rules, creating planning risk for affected industries and suppliers (CCSPA Schedules 1–2; s.6–7, s.86).
  • Expands information sharing across multiple agencies and with foreign partners; despite confidentiality provisions, mistakes or over‑collection could expose sensitive commercial data (Bill Part 1, s.15.6–15.7; CCSPA s.25–33).

Votes

Vote 89156

Division 287 · Agreed To · March 27, 2023

For (99%)
Paired (1%)