New Cyber Rules for Critical Infrastructure

Full Title: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

Summary

This bill gives the federal government new powers to protect Canada’s telecom networks and other critical cyber systems. Part 1 amends the Telecommunications Act to let Cabinet and the Minister of Industry order telecom companies to block, remove, or limit risky equipment and services. Part 2 creates the Critical Cyber Systems Protection Act (CCSPA), which requires operators in key sectors to run cybersecurity programs, report incidents, and follow binding “cyber security directions.”

  • Adds “security of the Canadian telecommunications system” as a policy goal and authorizes binding orders to carriers, including secret orders (Part 1).
  • Requires critical operators to set up cybersecurity programs within 90 days, review them every year, and report cyber incidents within 72 hours (Part 2 — Cyber Security Program; Reporting of Cyber Security Incidents).
  • Mandates supply‑chain and third‑party risk mitigation and allows government directions to designated operators (Part 2 — Mitigation; Cyber Security Directions).
  • Sets high administrative monetary penalties (AMPs): up to CAD $10,000,000 for telecom violations and up to CAD $15,000,000 for CCSPA violations by corporations (Part 1 — AMPs; Part 2 — AMPs).
  • Allows information‑sharing among federal security and regulatory bodies; protects confidential information; Privacy Act continues to apply (Part 1 — Information provisions; Part 2 — Disclosure and Use of Information).
  • No compensation from the federal government for telecom providers’ financial losses from security orders (Part 1 — No compensation).

What it means for you

  • Households and service users

    • You will not have new duties. Your provider may change equipment or services to follow government orders or directions (Part 1 — s.15.1–15.2; Part 2 — Cyber Security Directions).
    • Some orders can be confidential. Providers may be barred from disclosing that an order exists (Part 1 — Non‑disclosure; Part 2 — Prohibition against disclosure).
    • The goal is fewer and shorter cyber disruptions. Orders must consider impacts on service and operations (Part 1 — Factors; Part 2 — s.20(3)).
  • Workers in covered sectors

    • Employers must establish, maintain, and review cybersecurity programs; expect new procedures, training, and audits (Part 2 — Cyber Security Program; Internal Audit).
    • Incidents must be reported within a period set by regulation, not to exceed 72 hours (Part 2 — Reporting of Cyber Security Incidents).
    • Records must be kept in Canada and produced to regulators on request (Part 2 — Records; Request for information).
  • Businesses

    • Telecommunications service providers:
      • May be ordered to stop using specified vendors, remove equipment, suspend services to specified persons, impose security standards, or run backups (Part 1 — s.15.1–15.2).
      • Non‑compliance can trigger AMPs up to CAD $10,000,000 (first violation) or $15,000,000 (subsequent violations) for corporations; up to CAD $25,000/$50,000 for individuals (Part 1 — AMPs).
      • Summary offence penalties can include fines at the court’s discretion and up to two years less a day imprisonment for individuals; officers/directors can be liable (Part 1 — s.73(3.1)–(3.4)).
      • No federal compensation for financial losses caused by these orders (Part 1 — No compensation).
    • Designated operators in vital sectors (telecom, pipelines and power lines, nuclear, federally regulated transportation, banking, and clearing/settlement systems):
      • Must establish a cybersecurity program within 90 days of being designated; provide it to the regulator; review annually; notify of material changes (Part 2 — Cyber Security Program).
      • Must mitigate supply‑chain and third‑party risks once identified (Part 2 — Mitigation).
      • Must report cyber incidents to the Communications Security Establishment within the prescribed period (max 72 hours), then notify their regulator (Part 2 — Reporting of Cyber Security Incidents).
      • May receive binding “cyber security directions” requiring specific measures; disclosure of directions is restricted (Part 2 — Cyber Security Directions; Prohibition against disclosure).
      • Subject to inspections, internal audits, compliance orders, and AMPs up to CAD $1,000,000 (individuals) and $15,000,000 (others); some offences carry fines and up to five years’ imprisonment on indictment (Part 2 — Administration and Enforcement; AMPs; Offences).
      • Directors/officers can be personally liable for violations or offences they direct or allow (Part 2 — Liability of directors or officers; Offences).
    • Vendors and third‑party providers to covered operators:
      • Customers may tighten contract terms, require audits, or terminate use to mitigate supply‑chain risk (Part 2 — Mitigation; Part 1 — orders may require terminating service agreements, s.15.2(2)(f)).
  • Local and provincial governments

    • Direct obligations apply to operators within federal jurisdiction and to classes listed in schedules; most municipal services are not designated unless operating a federally regulated work or business (Part 2 — Application; Schedules 1–2).
  • Timing

    • Many provisions take effect on a date set by Order in Council; timelines for programs and reporting start after designation and publication (Part 2 — Coming into Force; Cyber Security Program timing).

Expenses

Estimated net cost: Data unavailable.

  • No fiscal impact statement was provided in the bill text, so no cost estimate is available.
  • Administrative monetary penalties are payable to the Receiver General (Part 1 — Debts to His Majesty; Part 2 — Debts to His Majesty).
  • The Office of the Superintendent of Financial Institutions (OSFI) must ascertain expenses for administering the CCSPA and can recover costs from regulated financial institutions under existing assessment authorities (Consequential Amendments — OSFI Act s.23(1)).
  • The Canadian Nuclear Safety Commission may charge and spend fees for services it provides under other Acts, which could offset administration costs (Consequential Amendments — Nuclear Safety and Control Act s.21(1.1)–(3)).
  • The bill bars federal compensation for telecom providers’ financial losses from Part 1 orders (Part 1 — No compensation).

Proponents' View

  • Strengthens national security by allowing fast orders to block or remove high‑risk telecom gear and services, reducing chances of interference or disruption (Part 1 — s.15.1–15.2).
  • Creates common, enforceable cybersecurity duties across vital sectors, including mandatory programs within 90 days and annual reviews (Part 2 — Cyber Security Program).
  • Speeds incident response with required reporting to the Communications Security Establishment within 72 hours and regulator notification (Part 2 — Reporting of Cyber Security Incidents).
  • Addresses supply‑chain risk by requiring operators to identify and mitigate third‑party and vendor risks (Part 2 — Mitigation).
  • Provides strong enforcement tools (AMPs up to CAD $15,000,000; director/officer liability; compliance orders), which proponents say drive compliance and resilience (Part 1 — AMPs; Part 2 — AMPs; Offences).
  • Includes oversight and transparency measures: annual reports to Parliament on orders and directions, and notifications to the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency (Part 1 — Report on orders; Part 2 — Report to Parliament; Notifications).

Opponents' View

  • Grants broad, possibly secret powers to order service suspensions, equipment removals, and standards, with exemptions from the Statutory Instruments Act and limits on disclosure, which may reduce transparency and due process (Part 1 — Non‑disclosure; Statutory Instruments Act not applying; Part 2 — Exemption; Prohibition against disclosure).
  • Imposes significant compliance and replacement costs on operators, including backups and program build‑outs, without federal compensation for telecom orders; smaller providers may face greater burden (Part 1 — s.15.2(2)(n); No compensation; Part 2 — Cyber Security Program).
  • Risk of service disruption if orders require rapid suspension or equipment removal, despite required consideration of operational and service impacts (Part 1 — s.15.1(4), 15.2(6); Part 2 — s.20(3)).
  • Expands information‑sharing among security and regulatory bodies and with foreign partners, raising privacy and commercial confidentiality concerns, even though confidentiality rules and the Privacy Act still apply (Part 1 — Exchange of information; Disclosure of information; Part 2 — Disclosure and Use of Information).
  • Complex, multi‑regulator enforcement (Industry, Transport, OSFI, Bank of Canada, Canadian Energy Regulator, Canadian Nuclear Safety Commission) may create overlap, uneven application, and higher legal and administrative costs (Part 2 — Appropriate regulators; AMPs frameworks).
  • High penalties and personal liability for officers/directors could deter market entry or vendor relationships, with unintended effects on competition and innovation (Part 1 — AMPs; s.73(3.2); Part 2 — AMPs; Liability of directors or officers).