Canada | Publication | October 4, 2024
On September 19, the Senate commenced its second reading of Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, marking a significant step forward in the legislative process since Bill C-26 was initially introduced by the House of Commons in 2022.
The recent progression of Bill C-26 signals Canada is nearing the establishment of its first-ever legislative framework specifically aiming to bolster cybersecurity across the critical cyber infrastructure sector. Bill C-26, if passed, would establish a new cybersecurity compliance regime by amending the Telecommunications Act and enacting the Critical Cyber Systems Protection Act (CCSPA) (together, the Acts). In addition, Bill C-26 would grant additional powers to the Governor in Council (governor) and the Minister of Industry (minister) and establish an administrative monetary penalty scheme to promote compliance with the Acts.
Bill C-26’s proposed changes will impact certain private-sector organizations in the federally regulated critical infrastructure space. This legal update summarizes Bill C-26’s proposed changes and recommends how organizations can prepare for these potential requirements.
For a more in-depth discussion on Bill C-26, please read our previous legal update here.
Under Bill C-26, the Telecommunications Act will be amended to promote the security of the Canadian telecommunications system. Changes proposed will grant the governor and minister powers to make new orders, inspect, and enforce any actions on telecommunications service providers (TSP) deemed necessary to protect the telecommunications system.
Examples of actions the governor may take include prohibiting a TSP from using or providing certain products and services that may cause security risks, prohibiting a TSP from providing services to specific persons, including other TSPs, or even suspending services for a specified time. The governor will also have power to make regulations relating to orders given by the minister, including orders that prohibit, suspend or impose conditions on the provision of telecommunication services.
Failure to comply with these orders or regulations may result in administrative monetary penalties of up to C$10 million for each day of non-compliance, and up to C$15 million each day for subsequent contraventions.
The CCSPA establishes a cybersecurity compliance regime for federally regulated critical cyber infrastructure. If passed, the CCSPA not only requires an operator to implement a cybersecurity program meeting the CCSPA's stated purposes, but also gives the governor wide authority to direct operators to comply with any measure for the purpose of protecting a critical cyber system. Additionally, if any cybersecurity risks associated with the operator’s supply chain or its use of third-party products and services are identified, the operator must take reasonable steps to mitigate those risks.
The CCSPA also addresses cybersecurity incidents, which are defined as incidents, including acts, omissions or circumstances, that interfere or could interfere with the continuity or security of vital services and systems, or the confidentiality, integrity or availability of the critical cyber systems. In the event of a cybersecurity incident, the CCSPA imposes mandatory notification obligations to the Communications Security Establishment (CSE) and the operator’s responsible regulator.
Designated operators should also be prepared to disclose confidential information to the federal government upon request from their regulator, the minister or the CSE, should it be pertinent to protecting national security.
Part I of Bill C-26 has a wide scope and applies to TSPs and any transmission facilities of a Canadian carrier, including but not limited to: local voice service providers, voice-over-IP service providers, internet service providers, long distance service providers, and wireless and payphone service providers.
Part II of Bill C-26 applies to a class of designated operators who carry on work in “critical cyber systems” in the federally regulated private sector, and whose work is subject to federal jurisdiction. Per Schedule 1 of the CCSPA, these vital services or systems include:
As Bill C-26 continues to progress through the Senate, organizations captured by the Acts should start taking the following steps:
Bill C-26 could significantly enhance Canada’s cybersecurity landscape. While not yet in force (Bill C-26 must pass second and third reading in the Senate to become law), organizations captured by Bill C-26 should turn their minds to the upcoming requirements and implement cybersecurity best practices to strengthen their cybersecurity posture and safeguard against third-party threats.
We will continue to provide further updates as Bill C-26 makes its way through the legislative process.
© Norton Rose Fulbright LLP 2023