Skip Navigation

House of Commons Introduces Bill C-26: Proposed Federal Cybersecurity Legislation

June 21, 2022

On June 14, 2022, the House of Commons of Canada introduced Bill C-26, which would impose a series of cybersecurity-related obligations on designated organizations in four key federally regulated sectors: telecommunications, finance, energy and transportation. At a high level, the bill would enact the Critical Cyber Systems Protection Act (CCSPA), which aims to protect critical cyber systems considered integral to Canadian infrastructure and public safety.

APPLICABILITY TO DESIGNATED OPERATORS

If passed as currently drafted, the CCSPA would require “designated operators” (the classes of organizations who would be subject to this legislation have not yet been identified) to protect their “critical cyber systems” – those systems that, if their confidentiality, integrity or availability were compromised, could affect the continuity or security of one of the vital services or systems identified below. The CCSPA would be overseen by the Communications Security Establishment (CSE), Canada’s national cryptologic agency, along with the following sector-specific regulators:

Vital Service or System

Responsible Regulator

Telecommunications services

Minister of Industry

Banking systems

Office of the Superintendent of Financial Institutions (OSFI)

Clearing and settlement systems

Bank of Canada

Interprovincial or international pipeline and power line systems

Canadian Energy Regulator (CER)

Nuclear energy systems

Canadian Nuclear Safety Commission

Federally regulated transportation systems

Minister of Transport

LEGISLATIVE HIGHLIGHTS

Designated operators would be required to, among other things:

  • Establish, implement and regularly review a cybersecurity program, which must include steps to identify and manage organizational cyber security risk;

  • Mitigate any cybersecurity risk associated with its supply chain or third party products and services that it identifies;

  • Notify the appropriate regulator of any material change of ownership or control, or any material change in the designated operator’s supply chain or use of third-party products and services;

  • Comply with a cybersecurity direction issued by either the Federal Cabinet or the appropriate regulator and not disclose the direction’s existence or content; and

  • Keep records regarding the implementation of its cybersecurity program and any cybersecurity incident, and such records must be stored within Canada.

Designated operators will also be required to report a “cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system. First, designated operators must “immediately” report a cybersecurity incident to the CSE in the manner that will be set out in CCSPA’s regulations. Second, a designated operator must also notify its responsible regulator “immediately after reporting a cybersecurity incident” to the CSE.

Responsible regulators are granted broad inspection and audit powers, which are not limited to the premises of the designated operator. Responsible regulators may also order a designated operator to conduct an internal audit of its practices, books and other records to determine compliance with CCSPA.

Enforcement of the CCSPA includes an administrative monetary penalties regime for noncompliance with the legislation. Directors and officers of designated operators are party to any violations of the CCSPA if they direct, authorize, participate, assent to, or acquiesce in the commission of the violation. The range of penalties are to be prescribed by regulation, but CCSPA authorizes a maximum penalty of C$15-million for designated operators and C$1-million for directors and officers. Noncompliance with certain provisions of CCSPA may alternatively be prosecuted as an offence punishable with criminal fines and/or imprisonment.

SECTOR-SPECIFIC COMMENTARY

Telecommunications

In addition to enacting the CCSPA, Bill C-26 would amend the Telecommunications Act by introducing security as a policy objective, and providing the Governor in Council and Minister of Industry with a series of powers that are largely directed at Canada’s 5G infrastructure and equipment. Among other things, the federal government may:

  • prohibit a telecommunications service provider from using all products and services provided by a specified person in, or in relation to, its telecommunications network or telecommunications facilities, or remove any such products;

  • direct a telecommunications service provider to do anything or refrain from doing anything necessary to secure the Canadian telecommunications system;

  • require that a telecommunications service provider develop a security plan;

  • require that assessments be conducted to identify any vulnerability in its services, network or facilities; and

  • require that a telecommunications service provider take steps to mitigate any vulnerability in its services, network or facilities.

While some of the proposed modifications are primarily directed at Canadian carriers, both facilities-based providers and resellers of telecommunications services should review their cybersecurity posture.

For more detail on how the CCSPA applies to the telecommunications sector, please see this table in the Appendix.

Banking and Clearing and Settlement Systems

The CCSPA authorizes the Federal Cabinet to designate a class of operators in respect of “banking systems” and “clearing and settlement systems” which are vital to national security or public safety. While no such classes have yet been identified, a class of operators could include Canada’s systemically important banks or the clearing and settlement systems already designated by the Bank of Canada under the Payment Clearing and Settlement Act (PCSA), though the CCSPA does not limit the designation power to these entities. The use of the term “banking system” in the legislation also suggests that other federal financial institutions, such as insurers, are outside the scope of the designation power.

For designated operators of banking systems, the CCSPA obligations supplement OSFI’s growing list of expectations respecting cyber risk management, third-party risk management, and incident reporting. These include the requirements of Guideline B-13: Technology and Cyber Risk Management, which will soon be published in final form, as well as the new Guideline B-10: Third-Party Risk Management published for consultation in April 2022. The CCSPA reporting requirements supplement OSFI’s current Technology and Cyber Security Incident Reporting Advisory for federal financial institutions to report a technology or cybersecurity incident to OSFI.

For designated operators of clearing and settlement systems, the requirements of the CCSPA will complement the Bank of Canada’s Expectations for Cyber Resilience of Financial Market Infrastructures published in October 2021.

Federal financial institutions are already subject to change of control approval requirements, and clearing and settlement systems must comply with broad notice and approval requirements under the PCSA; however, the CCSPA introduces a remarkably broad notice requirement to report changes in control, or supply chain or third-party products and services. This is because of the use of the “material change” standard. It remains to be seen how OSFI and the Bank of Canada will practically administer this requirement while keeping the flow of information manageable.

For more detail on how the CCSPA applies to banking systems and clearing and settlement systems, please see this table in the Appendix.

Energy Systems

The CCSPA grants additional powers to the CER in addition to its current powers under the Canadian Energy Regulator Act. The CER regulates pipelines that cross provincial boundaries or the Canada-U.S. border. The CCSPA also only applies to these pipelines and not pipelines solely within one province.

The CER currently can assess whether pipeline projects meet engineering, safety and environmental requirements. The CCSPA further allows the CER to inspect and audit whether operators are in compliance with the CCSPA. The Canadian Energy Regulator Act allows the CER to establish regulations regarding cybersecurity matters for interprovincial and international pipelines, though no such regulations have been established to date. Accordingly, the inspection, audit, and administrative monetary penalties regime for noncompliance with the legislation powers granted to the CER are an expansion of its role.

The CCSPA also supplements the pre-existing obligations for operators of nuclear power systems under the General Nuclear Safety and Control Regulations (GNSCR). Operators will already be familiar with the obligations for prescribed information, and the obligations to take all necessary precautions to prevent the transfer or disclosure of prescribed information that is not authorized by law. The GNSCR also sets out specific recordkeeping obligations, although the requirements under the CCSPA are more stringent. The Canadian Nuclear Safety Commission (CNSC) already oversees these obligations, and the CCSPA adds to the oversight powers that the CNSC currently possesses.

For more detail on how the CCSPA applies to energy systems, please see this table in the Appendix.

Transportation Systems

Operators in federally regulated transportation sectors, including aviation, railways and marine transport, will be familiar with the oversight powers exercised by the Minister of Transport. Whether the pre-existing obligations of these operators specifically included mitigating cybersecurity related risks through safety management systems or otherwise, the CCSPA is a clear direction to these operators to understand and manage cyber risk for their enterprises.

For more detail on how the CCSPA applies to transportation systems, please see this table in the Appendix.

CONCLUSION

Bill C-26 has only completed a first reading and may be amended as it continues through the legislative process. It remains to be seen whether any provinces will enact similar laws that would apply to provincially regulated sectors.

For more information, please contact:

Sahil Kesar                 +1-416-863-2450
John Lenz                   +1-514-982-6308
Vladimir Shatiryan   +1-416-863-4154

or any other member of our Cybersecurity group.

APPENDIX

Telecommunications Services
Scope Telecommunications services have been identified in the legislation as services that are vital to national security and/or public safety.

The CCSPA authorizes the Federal Cabinet to designate a class of operators in respect of these systems who must comply with the requirements of the legislation.

A class of operators could include facilities-based telecommunications service providers as well as resellers of telecommunications services.
Responsible Regulator The Minister of Industry is the regulator charged with administering the CCSPA in respect of telecommunications services. Bill C-26 would also would amend the Telecommunications Act by introducing security as a policy objective, and providing the Federal Cabinet and the Minister of Industry with a series of powers that are largely directed at Canada’s 5G infrastructure and equipment.

The Communications Security Establishment (CSE), Canada's national cryptologic agency.
Cybersecurity Programs Designated operators will be required to establish a cybersecurity program (CSP) within 90 days of being designated under the CCSPA. The CSP must include reasonable steps to identify and manage organizational cybersecurity risks:
  1. include reasonable steps to protect critical cyber systems from being compromised, detect cybersecurity incidents and minimize related impacts;
  2. be reviewed and updated annually, or more frequently if specified by regulation; and
  3. be filed with the Minister of Industry including notices of any updates to the CSP following periodic reviews.
Supply Chain Management Designated operators must take reasonable steps to mitigate any identified cyber security risks associated with the designated operator’s supply chain or use of third-party products and services. These risk management measures must also be addressed in the operator’s CSP.
Change of Control Reporting Designated operators are required to notify the Minister of Industry of any material changes to ownership and/or control as well as to its supply chain or use of third-party products and services.
Cybersecurity Incident Reporting Designated operators will be required to report a “cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system.

First, designated operators must “immediately” report a cybersecurity incident to the CSE in a manner to be set out in the CCSPA’s regulations. Second, designated operators must notify the Minister of Industry “immediately after reporting a cybersecurity incident” to the CSE.
Recordkeeping Designated operators must keep certain records, including copies of reported cybersecurity incidents and evidence of various security and related measures required under the CCSPA.

These required records must be kept in Canada in accordance with additional guidance that may be established by the Minister of Industry or regulations.
Compliance with Directions The CCSPA grants the Federal Cabinet broad authority to issue directions to designated operators ordering them to comply with any measure for the purpose of protecting a critical cyber system.

The Minister of Industry is also granted powers to order a designated operator to stop doing anything that is or is likely to be in contravention of the CCSPA or to take any measure that is necessary to ensure compliance or mitigate noncompliance with the CCSPA.

In relation to telecommunications services, networks and equipment, the Minister of Industry may, among other things:
  • prohibit a telecommunications service provider from using all products and services provided by a specified person in, or in relation to, its telecommunications network or telecommunications facilities, or remove any such products;
  • direct a telecommunications service provider to do anything or refrain from doing anything necessary to secure the Canadian telecommunications system;
  • require that a telecommunications service provider develop a security plan;
  • require that assessments be conducted to identify any vulnerability in its services, network or facilities; and
  • require that a telecommunications service provider take steps to mitigate any vulnerability in its services, network or facilities.
Disclosure Restrictions on Confidential Information The CCSPA prohibits the disclosure of certain confidential information obtained under the CCSPA in respect of a designated operator’s critical cyber system. Disclosure of directions issued by the Federal Cabinet or the Minister of Industry under the CCSPA is also generally prohibited.
Inspections and Audits The Minister of Industry is granted broad audit and inspection powers under the CCSPA, which are not limited to the physical premises of the designated operator. 

The Minister of Industry may also order a designated operator to conduct an internal audit of its practices, books and other records to determine compliance with the CCSPA.
Enforcement Enforcement of the CCSPA includes administrative monetary penalties regime for noncompliance with the legislation.

Directors and officers of designated operators are party to any violations of the CCSPA if they direct, authorize, participate, assent to, or acquiesce in the commission of the violation.

The CCSPA states that the purpose of a penalty is to promote compliance and not to punish. The CCSPA allows a designated operator or their directors and officers to raise a due diligence defence in a violation proceeding.

The range of penalties are to be prescribed by regulation, but CCSPA authorizes a maximum penalty of C$15-million for designated operators and C$1-million for directors and officers.

Noncompliance with certain provisions of CCSPA may alternatively be prosecuted as an offence punishable with criminal fines and/or imprisonment.

The CCSPA also authorizes the Minister of Industry, to enter into a compliance agreements with a designated operator in respect of the operator’s obligations under the CCSPA.
 
Banking Systems and Clearing and Settlement Systems
Scope Banking Systems and Clearing and Settlement Systems have been identified in the legislation as systems that are vital to national security and/or public safety.

The CCSPA authorizes the Federal Cabinet to designate a class of operators in respect of these systems who must comply with the requirements of the legislation.

The use of the term “banking system” in the legislation suggests that other federal financial institutions, such as insurers, are outside the scope of the designation power.
Responsible Regulator OSFI in respect of banking systems:

The Bank of Canada in respect of clearing and settlement systems.

The Communications Security Establishment (CSE), Canada's national cryptologic agency.
Cybersecurity Programs Designated operators will be required to establish a cybersecurity program (CSP) within 90 days of being designated under the CCSPA. The CSP must:
  1. include reasonable steps to identify and manage organizational cybersecurity risks;
  2. include reasonable steps to protect critical cyber systems from being compromised, detect cyber security incidents and minimize related impacts;
  3. be reviewed and updated annually, or more frequently if specified by regulation; and
  4. be filed with OSFI/Bank of Canada including notices of any updates to the CSP following periodic reviews.
For banking systems operators, the CSP requirements of the CCSPA will be in addition to the technology and cyber risk management requirements for financial institutions under OSFI’s draft Guideline B-13: Technology and Cyber Risk Management, which OSFI announced earlier this month will soon be published in final form.

For clearing and settlement systems operators, the requirements of the CCSPA will complement the Bank of Canada’s Expectations for Cyber Resilience of Financial Market Infrastructures published in October 2021.
Supply Chain Management Designated operators must take reasonable steps to mitigate any identified cybersecurity risks associated with the designated operator’s supply chain or use of third-party products and services. These risk management measures must also be addressed in the operator’s CSP.

While the CCSPA introduces obligations to mitigate cyber risks related to a designated operator’s supply chain, federal financial institutions are already subject to OSFI’s expectations in respect of third-party risk management, as set out in OSFI’s recently updated draft Guideline B-10: Third-Party Risk Management.
Change of Control Reporting Designated operators are required to notify OSFI or the Bank of Canada, as applicable, of any material changes to ownership and/or control as well as to its supply chain or use of third-party products and services.

Although federal financial institutions are already subject to approval requirements in respect of change of control, and clearing and settlement systems must comply with broad notice and approval requirements under the PCSA, the notice requirement under the CCSPA is remarkably broad, given that it uses a material change as the threshold for notice. It remains to be seen how OSFI and the Bank of Canada will practically administer this requirement so that the flow of information remains manageable both for the designated operators and the regulators themselves.
Cybersecurity Incident Reporting Designated operators will be required to report a “cybersecurity incident” in a two-step process. A “cyber security incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system.

First, designated operators must “immediately” report a cybersecurity incident to the CSE in a manner to be set out in the CCSPA’s regulations. Second, designated operators must notify OSFI or the Bank of Canada, as applicable, “immediately after reporting a cybersecurity incident” to the CSE.

The reporting requirement under the CCSPA will be in addition to the current obligation for federal financial institutions to report a technology or cyber security incident to OSFI under OSFI’s Technology and Cyber Security Incident Reporting Advisory. The definition of a reportable incident under these two regimes is similar but not identical.
Recordkeeping Designated operators must keep certain records, including copies of reported cybersecurity incidents and evidence of various security and related measures required under the CCSPA.

These required records must be kept in Canada in accordance with additional guidance that may be established by OSFI/Bank of Canada or regulations.
Compliance with Directions The CCSPA grants the Federal Cabinet broad authority to issue directions to designated operators ordering them to comply with any measure for the purpose of protecting a critical cyber system.

OSFI and the Bank of Canada are also granted powers to order a designated operator to stop doing anything that is or is likely to be in contravention of the CCSPA or to take any measure that is necessary to ensure compliance or mitigate noncompliance with the CCSPA.
Disclosure Restrictions on Confidential Information The CCSPA prohibits the disclosure of certain confidential information obtained under the CCSPA in respect of a designated operator’s critical cyber system. Disclosure of directions issued by the Federal Cabinet or OSFI/Bank of Canada under the CCSPA is also generally prohibited.

Both financial institutions and clearing and settlement systems will be familiar with restrictions on disclosure of supervisory information under their governing legislation although the CCSPA regime is somewhat more nuanced and several exceptions apply.
Inspections and Audits OSFI and the Bank of Canada, as applicable, are granted broad audit and inspection powers under the CCSPA, which are not limited to the physical premises of the designated operator. 

OSFI and the Bank of Canada, as applicable, may also order a designated operator to conduct an internal audit of its practices, books and other records to determine compliance with the CCSPA.
Enforcement Enforcement of the CCSPA includes administrative monetary penalties regime for noncompliance with the legislation.

Directors and officers of designated operators are party to any violations of the CCSPA if they direct, authorize, participate, assent to, or acquiesce in the commission of the violation.

Similar to other financial institutions legislation, the CCSPA states that the purpose of a penalty is to promote compliance and not to punish. The CCSPA allows a designated operator or their directors and officers to raise a due diligence defence in a violation proceeding.

The range of penalties are to be prescribed by regulation, but CCSPA authorizes a maximum penalty of C$15-million for designated operators and C$1-million for directors and officers.

Noncompliance with certain provisions of CCSPA may alternatively be prosecuted as an offence punishable with criminal fines and/or imprisonment.

The CCSPA also authorizes OSFI and the Bank of Canada, as applicable, to enter into a compliance agreements with a designated operator in respect of the operator’s obligations under the CCSPA.
 
Interprovincial or International Pipeline and Power Line Systems, and Nuclear Energy Systems
Scope Interprovincial or International Pipeline and Power Line Systems, and Nuclear Energy Systems have been identified in the legislation as systems that are vital to national security and/or public safety.

The CCSPA authorizes the Federal Cabinet to designate a class of operators in respect of these systems who must comply with the requirements of the legislation.

A class of operators could include interprovincial pipelines that cross provincial borders and international pipelines that cross the Canada-U.S. border.
Responsible Regulator The Canadian Energy Regulator (CER) is the regulator charged with administering the CCSPA in respect of interprovincial or international pipeline and power line systems.

The Canadian Nuclear Safety Commission (CNSC) is the regulator charged with administering the CCSPA in respect of nuclear energy systems.

The legislation also imposes a reporting obligation to the Communications Security Establishment (CSE), Canada's national cryptologic agency.
Cybersecurity Programs Designated operators will be required to establish a cyber security program (CSP) within 90 days of being designated under the CCSPA. The CSP must:
  1. include reasonable steps to identify and manage organizational cybersecurity risks;
  2. include reasonable steps to protect critical cyber systems from being compromised, detect cybersecurity incidents and minimize related impacts;
  3. be reviewed and updated annually, or more frequently if specified by regulation; and
  4. be filed with CER/CNSC of Canada including notices of any updates to the CSP following periodic reviews.
Supply Chain Management Designated operators must take reasonable steps to mitigate any identified cybersecurity risks associated with the designated operator’s supply chain or use of third-party products and services. These risk management measures must also be addressed in the operator’s CSP.
Change of Control Reporting Designated operators are required to notify the CER or the CNSC, as applicable, of any material changes to ownership and/or control as well as to its supply chain or use of third-party products and services.
Cybersecurity Incident Reporting Designated operators will be required to report a “cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system.

First, designated operators must “immediately” report a cybersecurity incident to the CSE in a manner to be set out in the CCSPA’s regulations. Second, designated operators must notify the CER or the CNSC, as applicable, “immediately after reporting a cybersecurity incident” to the CSE.

For nuclear energy operators, the obligations to report a cybersecurity incident complement their obligations under the General Nuclear Safety and Control Regulations (CNSCR) to report any theft or loss of prescribed information to the CNSC.
Recordkeeping Designated operators must keep certain records, including copies of reported cybersecurity incidents and evidence of various security and related measures required under the CCSPA.

These required records must be kept in Canada in accordance with additional guidance that may be established by the CER/CNSC or regulations.

Nuclear energy companies will be familiar with the recordkeeping requirements under the CNSCR, and the obligations to notify the CNSC of any proposed disposal of records. However, the CCSPA obligations go above and beyond these established recordkeeping requirements.

Federally regulated pipeline operators will also be familiar with the recordkeeping requirements under the Canadian Energy Regulator Onshore Pipeline Regulations (CEROPR). However, the CCSPA obligations supplement these obligations and add additional recordkeeping requirements.
Compliance with Directions The CCSPA grants the Federal Cabinet broad authority to issue directions to designated operators ordering them to comply with any measure for the purpose of protecting a critical cyber system.

The CER or the CNSC are also granted powers to order a designated operator to stop doing anything that is or is likely to be in contravention of the CCSPA or to take any measure that is necessary to ensure compliance or mitigate noncompliance with the CCSPA.
Disclosure Restrictions on Confidential Information The CCSPA prohibits the disclosure of certain confidential information obtained under the CCSPA in respect of a designated operator’s critical cyber system. Disclosure of directions issued by the Federal Cabinet or the CER/CNSC under the CCSPA is also generally prohibited.
Inspections and Audits The CER and the CNSC, as applicable, are granted broad audit and inspection powers under the CCSPA, which are not limited to the physical premises of the designated operator. 

The CER and the CNSC, as applicable, may also order a designated operator to conduct an internal audit of its practices, books and other records to determine compliance with the CCSPA.

These broad inspection powers are in addition to those previously provided to the CER under the CEROPR and the CNSC under the Nuclear Safety and Control Act (NSCA).
Enforcement Enforcement of the CCSPA includes administrative monetary penalties regime for noncompliance with the legislation. Of course, operators in the nuclear energy sector will be familiar with the administrative penalties regime under the Administrative Monetary Penalties Regulations (Canadian Nuclear Safety Commission) (AMPR CNSC) as will operators with federally regulated pipelines under the Administrative Monetary Penalties Regulations (National Energy Board) (AMPR NEB).

Directors and officers of designated operators are party to any violations of the CCSPA if they direct, authorize, participate, assent to, or acquiesce in the commission of the violation. This is not dissimilar to the liability under the NSCA or the Canadian Energy Regulator Act.

The CCSPA states that the purpose of a penalty is to promote compliance and not to punish. The CCSPA allows a designated operator or their directors and officers to raise a due diligence defence in a violation proceeding.

The range of penalties are to be prescribed by regulation, but CCSPA authorizes a maximum penalty of C$15-million for designated operators and C$1-million for directors and officers. These are significantly higher than the penalties prescribed under the AMPR CNSC and the AMPR NEB.

Noncompliance with certain provisions of CCSPA may alternatively be prosecuted as an offence punishable with criminal fines and/or imprisonment.

The CCSPA also authorizes the CER and the CNSC, as applicable, to enter into a compliance agreements with a designated operator in respect of the operator’s obligations under the CCSPA.
 
Federally Regulated Transportation Systems
Scope Federally regulated transportation systems have been identified in the legislation as systems that are vital to national security and/or public safety.

The CCSPA authorizes the Federal Cabinet to designate a class of operators in respect of these systems who must comply with the requirements of the legislation.
Responsible Regulator The Minister of Transport is the regulator charged with administering the CCSPA in respect of federally regulated transportation systems.

The legislation also imposes a reporting obligation to the Communications Security Establishment (CSE), Canada's national cryptologic agency.
Cybersecurity Programs Designated operators will be required to establish a cybersecurity program (CSP) within 90 days of being designated under the CCSPA. The CSP must:
  1. include reasonable steps to identify and manage organizational cybersecurity risks;
  2. include reasonable steps to protect critical cyber systems from being compromised, detect cybersecurity incidents and minimize related impacts;
  3. be reviewed and updated annually, or more frequently if specified by regulation; and
  4. be filed with the Minister of Transport including notices of any updates to the CSP following periodic reviews.
For railway and aircraft operators, these obligations will supplement the safety management system obligations under the Railway Safety Management System Regulations and the Canadian Aviation Regulations, respectively.
Supply Chain Management Designated operators must take reasonable steps to mitigate any identified cybersecurity risks associated with the designated operator’s supply chain or use of third-party products and services. These risk management measures must also be addressed in the operator’s CSP.
Change of Control Reporting Designated operators are required to notify the Minister of Transport of any material changes to ownership and/or control as well as to its supply chain or use of third-party products and services.
Cybersecurity Incident Reporting Designated operators will be required to report a “cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system.

First, designated operators must “immediately” report a cybersecurity incident to the CSE in a manner to be set out in the CCSPA’s regulations. Second, designated operators must notify the Minister of Transport “immediately after reporting a cybersecurity incident” to the CSE.
Recordkeeping Designated operators must keep certain records, including copies of reported cybersecurity incidents and evidence of various security and related measures required under the CCSPA.

These required records must be kept in Canada in accordance with additional guidance that may be established by the Minister of Transport or regulations.
Compliance with Directions The CCSPA grants the Federal Cabinet broad authority to issue directions to designated operators ordering them to comply with any measure for the purpose of protecting a critical cyber system.

The Minister of Industry is also granted powers to order a designated operator to stop doing anything that is or is likely to be in contravention of the CCSPA or to take any measure that is necessary to ensure compliance or mitigate noncompliance with the CCSPA.

These powers are similar to those already granted to the Minister of Transport under the Aeronautics Act and the Railway Safety Act (RSA).
Disclosure Restrictions on Confidential Information The CCSPA prohibits the disclosure of certain confidential information obtained under the CCSPA in respect of a designated operator’s critical cyber system. Disclosure of directions issued by the Federal Cabinet or the Minister of Transport under the CCSPA is also generally prohibited.
Inspections and Audits The Minister of Transport is granted broad audit and inspection powers under the CCSPA, which are not limited to the physical premises of the designated operator. 

The Minister of Transport may also order a designated operator to conduct an internal audit of its practices, books and other records to determine compliance with the CCSPA.

Aircraft operators will be familiar with the similarly broad inspection powers granted to the Minister of Transport under the Canadian Aviation Regulations, as will railway operators in respect of the RSA and marine transport operators under the Canada Shipping Act, 2001 (CSA).
Enforcement Enforcement of the CCSPA includes administrative monetary penalties regime for noncompliance with the legislation. Railway operators will be familiar with the regime under the Railway Safety Administrative Monetary Penalties Regulations (RSAMPR) as will marine transport operators under the Administrative Monetary Penalties and Notices (CSA 2001) Regulations (AMPNR).

Directors and officers of designated operators are party to any violations of the CCSPA if they direct, authorize, participate, assent to, or acquiesce in the commission of the violation.

The CCSPA states that the purpose of a penalty is to promote compliance and not to punish. The CCSPA allows a designated operator or their directors and officers to raise a due diligence defence in a violation proceeding.

The range of penalties are to be prescribed by regulation, but CCSPA authorizes a maximum penalty of C$15-million for designated operators and C$1-million for directors and officers. These are significantly higher than the penalties prescribed by the RSAMPR for railway operators and marine transport operators under the AMPNR.

Noncompliance with certain provisions of CCSPA may alternatively be prosecuted as an offence punishable with criminal fines and/or imprisonment.

The CCSPA also authorizes the Minister of Transport, to enter into a compliance agreements with a designated operator in respect of the operator’s obligations under the CCSPA.
 
 
More insights