1 Introduction

This article examines Bill C‑26, a recent legislative proposal tabled in the first session of the 44th Parliament of Canada that seeks to reform the country’s regulatory approach to cybersecurity of critical cyber systems in federally regulated private sector industries. Introduced on June 14, 2022, Bill C‑26 contains two parts. The first would amend the Telecommunications Act to permit the federal government to “direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.” The second would promulgate the Critical Cyber Systems Protections Act (CCSPA), which would create a framework for identifying critical cyber systems and requiring them, “among other things, [to] establish and implement cyber security programs, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions.”

While the legislation represents a watershed reform, the law is premised on a formal, registration-based approach to regulation. This approach is fundamentally patchwork and should be supplemented with one that embraces continual evolution without formal registration, creating cybersecurity duties that automatically apply when certain criteria are met. In its current form, the proposed law also lacks sufficient oversight of its confidentiality provisions; has a weak penalty scheme that focuses solely on compliance; and contains diluted conduct, reporting, and mitigation obligations. This article proposes addressing these shortcomings by taking inspiration from the Directive Concerning Measures for a High Common Level of Security of Network and Information Systems Across the Union (NIS1),Footnote 1 the first cybersecurity legislation applicable across the European Union (EU), as well as its proposed successor, the NIS2 Directive (NIS2).Footnote 2 Where relevant, various other cybersecurity regulations in peer states are discussed. Informing an analysis of the CCSPA’s provisions with this comparative methodology reveals the CCSPA’s main deficiency to be its adoption of an approach to cybersecurity regulation that other jurisdictions are already abandoning in favour of a more proactive one. In other words, to borrow a well-known Canadian idiom, the legislation skates where the puck has already been—not where it is going.

This article is not the first criticism of Bill C‑26. During the summer and autumn of 2022, Bill C‑26 drew notable criticism from Canadian civil society. However, this criticism focused heavily on the first part of the bill—the component reforming the Telecommunications Act. For example, Christopher Parsons, a senior research associate at the Citizen Lab, criticised the provisions amending the Telecommunications Act for the overly high degree of secrecy they would afford the federal government in issuing directives to telecommunication service providers, directives which would not be subject to public disclosure.Footnote 3 Similarly, the Canadian Civil Liberties Association noted that the amendments to the Telecommunications Act would effectively provide the federal government with the power to “cut off anyone at any time, if the [federal government] thinks it’s necessary to prevent a list of threats that includes, but isn’t limited to, interference, manipulation or disruption of a network.”Footnote 4 Several other Canadian civil society groups raised alarm that such powers would “open the door to imposing surveillance obligations on private companies” by requiring measures such as backdoors and weakened encryption.Footnote 5 This article recognises the importance of these critiques. It does not seek to duplicate them. Instead, the scope of this article focuses exclusively on the second part of Bill C‑26—the CCSPA.

2 Canada’s outdated approach to cybersecurity

In October 2022, the Canadian Centre for Cyber Security (CCCS), the entity operating as the “unified source of expert advice, guidance, services and support on cybersecurity for government, critical infrastructure owners and operations”Footnote 6 in Canada, issued its annual National Cyber Threat Assessment.Footnote 7 The assessment reflected the evolution of cybersecurity as a “top concern” for Canada.Footnote 8 While it noted that “Canadians benefit greatly from living in one of the most Internet-connected nations in the world,” it cautioned that the country needs to bridge the gap in realising better security.Footnote 9 Given its emphasis on surveying the threat landscape and nudging actors towards best practices, the CCCS did not discuss legal requirements in its assessment.Footnote 10 This was typical. Even though Canada often ranks high in measures of cyber defence and security,Footnote 11 the Canadian approach to cybersecurity regulation is decidedly noninterventionist and hands off—generally mirroring its approach to federal privacy and data protection law.

This approach is surprising when one considers that cyberattacks on Canadian critical infrastructure are a growing concern and an increasingly regular occurrence. The surface area for cyberattacks by malicious actors has been broadened by recent dynamics and trends, including the increasing number of mobile devices, wider usage of and reliance on Internet-of-Things (IoT) sensors, and growth of remote work practices. The need for a coordinated and intentional government response is demonstrated by recent notable cyber incidents involving critical infrastructure. For example, a 2020 cyberattack on the revenue service of the Canadian federal government allowed for fraudulent redirection of emergency COVID-19 aid.Footnote 12 Upon discovery of the hack, online taxation services were temporarily disabled, blocking Canadians from applying for or accessing these pandemic benefits.Footnote 13 In 2021, a ransomware attack on the Eastern Health infrastructure resulted in the cancellation of thousands of medical appointments and procedures,Footnote 14 with many adverse knock-on effects in the delivery of other health care services.Footnote 15 The same incident involved the theft of over 200,000 records containing patient health data.Footnote 16 In 2021, Superior Plus Corporation, a leading distributor of propane and distillates in Canada, was subject to a ransomware incident that resulted in disruption of its corporate computer systems.Footnote 17 Global Affairs Canada, which is responsible for managing Canada’s diplomatic relations, promoting international trade, and providing consular assistance,Footnote 18 was the target of a 2022 cyberattack that reduced all of its stations’ access to the internet and internet-based services.Footnote 19 The disruption lasted for 4 weeks after detection.Footnote 20

Such attacks on critical infrastructure have triggered several changes in the Canadian approach to cybersecurity. First, the federal government has reorganised the structure of relevant public sector actors on various occasions. (The next section discusses relevant parts of this history and outlines the current structure.) Second, the federal government has substantially increased funding for cybersecurity programs.Footnote 21 Third, Canadian government agencies have released ample, but mostly nonbinding, cybersecurity guidance, highlighting the need for critical infrastructure actors to enhance their cybersecurity posture. And finally, and most recently, the federal government has sought to codify cybersecurity obligations in legislation.

3 Mapping relevant government actors

Prior to examining the current legislative and policy approach, this section discusses the relevant government actors charged with responsibility for cybersecurity of federal government institutions and private institutions regulated by the federal government. Notably, this section excludes discussion of any cybersecurity regulatory efforts being undertaken at the provincial level in Canada (i.e., critical infrastructure falling under provincial jurisdiction). For ease of grasping the relationships and connections between the various executive branches of the federal government, Fig. 1 provides an at-a-glance view of the relevant actors and institutions.

Fig. 1 Relevant executive government actors. Created by the authors

The four principal departments working on cybersecurity policy are National Defence, Public Safety, Shared Services Canada, and the Treasury Board Secretariat. The chart presented in Fig. 1 also includes Global Affairs Canada and the Privy Council Office. Currently, these latter two institutions do not play a significant role in the development or implementation of cybersecurity regulation in Canada; however, they are discussed later in this paper. Here is a quick description of each of the four main institutions:

  • National Defence supports the armed forces and maintains an overall responsibility for defence, including cyber threats.Footnote 22 It is responsible for the Communication Security Establishment (CSE), the country’s national cryptologic agency. Given the CSE and its ancillary entities’ central role with respect to Canada’s cybersecurity posture, it is discussed in greater detail below.

  • Public Safety was created in the wake of the 9/11 terrorist attacks to ensure coordination between multiple bodies responsible for national security and has a mandate to protect against natural disasters, crime, and terrorism.Footnote 23 It has released several publicly available cyber resilience assessment tools. For example, the Regional Resilience Assessment Program aims to help organisations measure and improve their resilience to all hazards, including cyber threats.Footnote 24 Public Safety also released the Canadian Cyber Security Tool in April 2021Footnote 25—following an original launch date of January 2021,Footnote 26 with an expanded version released in 2022.Footnote 27 These are virtual self-assessment tools to analyse organisational operational resilience. The Insider Risk Assessment Tool was also released in 2022, with the goal of further helping organisations identify, prevent, and respond to insider risks.Footnote 28

  • Shared Services Canada provides digital services to institutions within the federal government, such as network, email, and data centre services.Footnote 29 When Shared Services Canada was established in 2011,Footnote 30 43 departments were required to obtain its services.Footnote 31 Over time, Shared Services Canada has provided services to additional federal institutions, but only a subset receive the full complement of services, resulting in an inconsistent application of Shared Services Canada services and their defence capabilities.Footnote 32

  • Treasury Board Secretariat has a cybersecurity role both by housing the office of the Chief Information Officer, who is responsible for the management of technology and data for the Government of Canada,Footnote 33 and by establishing policies and directives that are applicable to the administration of government institutions.Footnote 34 Among these policies, the Policy on Service and Digital, which took effect in 2020, sets rules on how the Government of Canada manages information technology and sets out basic cybersecurity requirements for government institutions.Footnote 35 The Government of Canada Digital Standards policy also outlines aspirational guidance for government personnel behaviours.Footnote 36 The Government of Canada Cyber Security Event Management Plan provides a framework for the management of Government of Canada cybersecurity events (e.g., data breaches).Footnote 37 These policies are enforced by various government institutions at the level of policy. They are not binding statutes.Footnote 38

Several ancillary institutions within these departments play important roles in Canada’s regulatory approach to cybersecurity. Unquestionably, the most important is CSE, which sits within National Defence; CSE is simultaneously the country’s technical authority on cybersecurity and information assurance as well as the foreign signals intelligence agency.Footnote 39 Leading the development and deployment of cyber defence activities,Footnote 40 CSE’s mandate specifically includes not only federal institutions but also nonfederal institutions that are designated as being of importance to the Government of Canada.Footnote 41 The enabling legislation of CSE permits the Minister of National Defence to issue Cyber Security Authorizations to CSE that allow CSE to access federal and designated institutions’ information infrastructures “for the purposes of helping to protect [them].”Footnote 42 Such authorizations must be approved by the Intelligence Commissioner. In such cases, the Minister must also provide a copy of the Cyber Security Authorization to the National Security and Intelligence Review Agency (NSIRA), a review agency that reports to Parliament.Footnote 43 Five such authorizations were issued between 2019 and 2021.Footnote 44 For institutions not using the full complement of Shared Services Canada services, CSE cybersecurity, communication security, and mitigation tools can also be deployed on the basis of bilateral agreements with the requesting institutions.Footnote 45 Additionally, these tools can be given to private industry actors when they are operating on a government contract.Footnote 46 In addition, CSE has gained a certain celebrity for the development and deployment of mitigation tools such as network-based, cloud-based, and host-based sensors.Footnote 47 For example, CSE’s host-based sensors have been adopted by the government of the United Kingdom, which has deployed at least 100,000 of the Canadian sensors.Footnote 48

In addition to Cyber Security Authorizations and piecemeal assistance to fill gaps with Shared Services Canada, the Minister of National Defence, upon consultation with the Minister of Foreign Affairs, has the authority to issue authorizations for “defensive” and “active” (i.e., offensive) cyber operations.Footnote 49 Defensive Cyber Operations Authorizations are issued to support the performance of defensive activities related to the cyber operations of federal institutions and designated institutions.Footnote 50 Three such authorizations have been issued in the last 3 years.Footnote 51 Active Cyber Operations Authorizations (i.e., offensive cyber operations) are issued to support executing activities “to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.”Footnote 52 Four such authorizations have been issued in the last 3 years.Footnote 53 There is little clarity around the use of these powers. They have been critiqued for being exercised in an extrajudicial manner and with transparency and accountability shortcomings.Footnote 54 The issuance of both defensive and active Cyber Operations Authorizations triggers a reporting obligation to NSIRA.Footnote 55

Within CSE, the CCCS was created to provide a “unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations.”Footnote 56 Although CCCS forms part of CSE and sits within National Defence, it arose from Public Safety’s 2018 National Cyber Security Strategy: Canada’s Vision for Security and Prosperity in the Digital Age.Footnote 57 That policy reiterated that security and resilience were cornerstones of Canada’s national security policy,Footnote 58 and CCCS was given roles and responsibilities previously spread across multiple federal institutions, most notably CSE’s Information Technology Security program, Public Safety’s Canadian Cyber Incident Response Centre, and several functions of Shared Services Canada’s Security Operations Centre.Footnote 59 The CCCS has an evolved reporting tool for organisation-focused cyber incidents (e.g., small and medium businesses, large organisations, infrastructure, and government institutions).Footnote 60 However, it does not process individual reports. Instead, it directs individuals to the Canadian Anti-Fraud Centre, the Competition Bureau, the Spam Reporting Centre, and the Canadian Security Intelligence Service (CSIS).Footnote 61 However, none of these are law enforcement agencies, and they have, at best, unclear obligations to forward the information they receive to law enforcement.Footnote 62 Law enforcement in Canada has lagged in providing online tools to report cybercrime.Footnote 63 The Royal Canadian Mounted Police’s National Cybercrime Coordination Unit (NC3) only reached initial operating capability in 2020,Footnote 64 and NC3’s public cybercrime reporting system is not scheduled to launch completely until 2023–2024.Footnote 65 The NC3 system, unlike the CCCS cyber incident reporting tool,Footnote 66 will allow for reporting by individuals directly to Canadian law enforcement.

In addition to these entities within the executive branch of government, the legislative branch has several relevant oversight responsibilities (partly discussed above). Relevant actors in this landscape are identified in the at-a-glance charts in Fig. 2 and 3 (with additional relevant context provided below).

Fig. 2 Relevant legislative government actors. Created by the authors

Additionally, two important review bodies and agencies report to both houses of Parliament (Fig. 3).

Fig. 3 Relevant review bodies. Created by the authors

The National Security and Intelligence Committee of Parliamentarians (NSICOP) and NSIRA are both entities responsible for reviewing policies and activities relating to national security or intelligence, with the membership of both appointed by the Governor in Council on the recommendation of the Prime Minister.Footnote 67 NSICOP is specifically not a committee of Parliament,Footnote 68 but, rather, a review body composed of parliamentarians from the Senate or House of Commons who are not members of Cabinet or parliamentary secretaries.Footnote 69 It has a broad mandate to review the “legislative, regulatory, policy, administrative and financial framework for national security and intelligence.”Footnote 70 NSIRA is an independent agency with a mandate to review activities relating to CSIS and CSE as well as complaints relating to various national security and law enforcement institutions.Footnote 71 Both entities have made important contributions in their respective reviews. In its Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack, NSICOP reported that “core elements of the government’s administrative framework for cyber defence do not apply evenly (or in some cases, at all) to all of the Government of Canada’s 169 organizations.”Footnote 72 It also stated that “no government departments are obligated to use one or more of CSE’s cyber defence sensors.”Footnote 73 It concluded that the respective institutions responsible for cybersecurity provide their services unevenly. For example, acknowledging budgetary concerns related to Shared Services Canada services, NSICOP found that when the costs for the services are prohibitively expensive, government institutions do not subscribe to them, leaving information technology resources potentially vulnerable to exploitation.Footnote 74 Likewise, it found inconsistent application of Treasury Board Secretariat policies and directives, and it has specifically called for consistent application of policies and directives, as well as the extension of CSE cyber defence sensors and Shared Services Canada internet services to all federal institutions.Footnote 75 For its part, NSIRA has faced notable challenges in executing this task. For example, NSIRA’s 2021 Annual Report noted that “CSE delays in fulfilling NSIRA’s information requests precede the COVID-19 pandemic”Footnote 76 (emphasis added). These delays have led many authorities to critique any further expansion in power to CSE.Footnote 77 Apart from these challenges to robust oversight, NSIRA itself experienced a cyber incident when its own network was hacked in 2021.Footnote 78 Oversight of CSE also includes the Intelligence Commissioner,Footnote 79 who is responsible for reviewing cybersecurity authorizations (as noted above).Footnote 80

3.1 The need for reform

Canadian cybersecurity law is characterised by a complex patchwork framework, significant elements of which have not undergone substantial reform in decades. Moreover, existing regulations pertaining to cybersecurity are largely inadequate. The two cornerstone pieces of relevant legislation are the Privacy ActFootnote 81—the main privacy legislation governing the federal government’s collection, retention, and use of personal information—and the Personal Information Protection and Electronic Documents Act (PIPEDA)Footnote 82—the main privacy legislation applying to federally regulated and private sector organisations’ collection, retention, and use of personal information.Footnote 83 First passed in 1985 and subsequently amended several times, the Privacy Act is virtually mute on cybersecurity. However, several provisions within the Privacy Act pertaining to privacy may relate indirectly to cybersecurity, such as the provision relating to providing notice for the purpose of collecting information and the provision regarding maintaining accurate personal information.Footnote 84 Moreover, the Privacy Act lacks significant enforcement power (e.g., there is no private enforcement of the Privacy Act’s provisions), and although the Privacy Commissioner can carry out investigations, this power is advisory.Footnote 85

First passed in 2000, PIPEDA sets a baseline for privacy obligations for private sector actors in the form of principles, which undoubtedly impact these private sector actors’ approaches to cybersecurity. It establishes obligations such as requiring covered organisations to designate a responsible compliance figure; to safeguard information using physical, organisational, and technological measures according to a proportionality standard (i.e., offering more sensitive information a heightened level of protection); and to promote awareness regarding the importance of such measures.Footnote 86 However, like the Privacy Act, PIPEDA lacks significant enforcement power (e.g., there is no private enforcement, and the penalty scheme is weak).Footnote 87 Attempts at reform of PIPEDA stalled in 2010Footnote 88 and 2013,Footnote 89 but a minor reform occurred in 2015 through an omnibus law amending PIPEDA and the Privacy Act.Footnote 90 This reform, among other provisions, required certain private organisationsFootnote 91 to notify the Privacy Commissioner as well as individual citizens about breaches of “security safeguards involving the individual’s personal information under the organisation’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”Footnote 92 (emphasis added). This obligation mirrors the directive to federal government institutions to notify affected individuals about breaches of systems that safeguard their personal information.Footnote 93 Today, PIPEDA and the Privacy Act continue to undergo reform efforts, as with Bill C‑27, which proposes, among other things, requirements that commercial organizations “must protect personal information through physical, organizational, and technological security safeguards” that are “proportionate to the sensitivity of the information.” However, Bill C‑27 has stalled in Parliament.Footnote 94

In addition to PIPEDA and the Privacy Act, there is a patchwork of industry- and function-specific regulations that pertain to cybersecurity best practices. The nuances of this complex body of regulations are only briefly noted here through illustrative examples. For an example of industry-specific regulation, the Office of the Superintendent of Financial Institutions (OSFI), which is intended to “contribute to confidence in the Canadian financial system”Footnote 95 and reports to the Minister of Finance, released in 2013 its Cyber Security Self-Assessment GuidanceFootnote 96 and its Operational Risk Management guidelines.Footnote 97 OSFI provides examples of reportable incidentsFootnote 98 and an Incident Reporting and Resolution Form to be used when reporting incidents.Footnote 99 In November 2021, OSFI published its Technology and Cyber Risk Management guideline outlining cybersecurity expectations for federally regulated financial institutions.Footnote 100 These measures gave rise to the creation of the Investment Industry Regulatory Organization of Canada, which has released a Cybersecurity Best Practices Guide,Footnote 101 along with a Cyber Incident Management Planning Guide.Footnote 102 These guides provide standards, practices, and response plans to industry actors.Footnote 103 Since then, Investment Industry Regulatory Organization of Canada has supplemented these reports.Footnote 104 Few other sectors have issued similar regulations, although the banking industry and securities exchange commissions are notable examples.Footnote 105 For an example of function-specific regulations, Canada’s Anti-Spam Law contains provisions relating to viruses and spyware.Footnote 106

In addition to these cornerstone pieces of Canadian privacy and data protection law, the federal government has published many strategies and nonbinding policies. For example, Public Safety’s Action Plan 2010–2015 for Canada’s Cyber Security Strategy identified several deliverables to bolster cybersecurity, including establishing data breach notification requirements for private sector organisations. The federal government also released its National Cyber Security Action Plan (2019–2024), which reiterated the importance of security and resilience as one of its three core areas.Footnote 107 However, the policy was silent on recommendations for legislation establishing proactive obligations, instead identifying projects such as improved reporting of cybercrime, provision of tools for cyber resilience assessments, and expanded guidance.Footnote 108 The escalating need for cyber resilience was further highlighted in the CCCS’s National Cyber Threat Assessment series, which began annual publication in 2020. The latest version of this report highlighted that cybercrime continues to be the cyber threat most likely to affect Canadian organizations and underscored the likelihood that ransomware would target Canadian critical infrastructure in the future.Footnote 109 Also in 2021, the federal government’s 2021–2023 Action Plan for Critical Infrastructure identified several ongoing projects pertaining to risk management, including the development of further tools, tracking mechanisms, and sectoral and cross-sectoral exercises for preparedness (i.e., drills).Footnote 110 As the foregoing shows, these commitments, which lack legislative force, characterise an overall problem with the federal government’s approach to cybersecurity to date: a heavy reliance on nonbinding policies, assessments, reports, frameworks, and strategies. Adding to these nonbinding instruments is the broad commitment in the Canada-United States-Mexico Agreement by which the parties recognize the “evolving nature of cybersecurity threats” and eschew “prescriptive regulation in addressing those threats” in favour of “consensus-based standards and risk management best practices.”

Separate from these nonbinding instruments are the technical guidance documents that CSE and CCCS provide to Canadian private sector actors. As noted above, CSE has a dual mandate to serve as both the foreign signals intelligence agency as well as “the technical authority for cyber security and information assurance.”Footnote 111 It performs this latter role for federal institutions’ electronic information and information infrastructures as well as designated institutions of importance to the federal government.Footnote 112 In fulfilment of this role, CSE, through the CCCS, engages in general knowledge disseminationFootnote 113 and issues public guidance and awareness (especially through its annual National Cyber Threat Assessment reports),Footnote 114 joint advisories,Footnote 115 and free tools.Footnote 116

3.2 The introduction of Bill C-26

In June 2022, the federal government introduced Bill C‑26 in the House of Commons, providing cybersecurity reforms to various statutes, including the Telecommunications Act, which oversees and regulates telecommunications service providers.Footnote 117 The bill also introduced the draft CCSPA. The draft legislation was announced on June 14, 2022, and was presented as an effort to “prepare, prevent, and respond to cyber incidents” and to “serve as a model for provinces, territories, and municipalities to help secure their critical infrastructure in collaboration with the federal government” within the federalist constitutional system.Footnote 118 The bill represented an attempt to codify and download cyber due diligence obligations onto a wide set of federally regulated private sector actors. It was welcomed by many subject matter experts for achieving this purpose.Footnote 119 As the Minister of Public Safety noted at the unveiling of the law:

In the 21st century, cybersecurity is national security—and this new legislation will ensure that Canada’s defences meet the moment. Most importantly, it will help both the public and private sectors better protect themselves against cyberattacks. This bill is one part of our robust strategy to defend Canada and the crucial infrastructure that Canadians rely on.Footnote 120

The bill passed first reading on June 14, 2022. Subsequently, it started second reading on December 1, 2022. Following completion of this stage, it is intended to be referred for review to the Standing Committee on Public Safety and National Security, the standing committee charged with responsibility for reviewing “legislation, policies, programs and expenditure plans of government departments and agencies responsible for public safety and national security.”Footnote 121

3.3 Note on comparative methodology

The following sections discuss key provisions from Bill C‑26, as well as notable areas of cybersecurity regulation in peer states, in particular NIS1 and NIS2. Passed in 2016, and transposed by EU members on May 9, 2018, NIS1 set out best practices, reporting standards, and common approaches for cybersecurity. Subsequently, in December 2020, the EU Commission tabled its proposal for NIS2, the terms of which were agreed upon in May 2022. Falling outside the scope of this comparative analysis is discussion of the provisions in NIS1 and NIS2 concerning the establishment of cybersecurity national strategies by member states and the creation of and coordination between Computer Security Incident Response Teams and their obligations to cooperate.Footnote 122

4 Comparative analysis

4.1 Subject matter and scope

This section discusses the legal definitions that guide the scope and interpretation of the CCSPA. As a preliminary matter, the CCSPA does not define security, cybersecurity, or resilience, unlike NIS1 and NIS2. Cybersecurity is generally understood to include the body of technologies, processes, practices, and response and mitigation measures designed to protect networks, computers, programs, and data from attack, damage, or unauthorised access so as to ensure confidentiality, integrity, and availability.Footnote 123 Cyber resilience has been defined as “the ability to continuously deliver the intended outcome despite adverse cyber events.”Footnote 124 At a minimum, it requires an entity to exhibit “system resilience”Footnote 125 and maintain “adequate mission/business function and operational/organizational resilience in the presence of possible adversities that affect cyber resources.”Footnote 126 Instead of defining cybersecurity, the CCSPA simply refers to two scales of cyber systems: “cyber systems” and “critical cyber systems.” Notably, the provisions of the CCSPA are only intended to apply to critical cyber systems. The legislation underscores this in its mandate to protect only “critical cyber systems in order to support the continuity and security of vital services and vital systems”Footnote 127 (emphasis added). This differentiation is not unlike the distinction in NIS1 and NIS2 between “network and information systems” and between entities deemed “essential” or “important.”Footnote 128

Cyber system

In the CCSPA, a cyber system is defined as “a system of interdependent digital services, technologies, assets or facilities that form the infrastructure for the reception, transmission, processing or storing of information.”Footnote 129 This definition is less expansive than the definition of “network and information systems” used in NIS1 and NIS2, which includes (a) “transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed[;]” (b) any device or group of interconnected or related devices, one or more of which, pursuant to a program, perform automatic processing of digital data; or (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance.Footnote 130

Critical cyber system

In the CCSPA, a critical cyber system is defined as “a cyber system that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system.”Footnote 131 “Vital services” and “vital systems” are specifically identified in an enumerated list of industries in Schedule 1 of the CCSPA. The list can be amended by the Governor in Council.Footnote 132 This list serves as the main registration device for identifying covered entities under the CCSPA. Notably, the CCSPA’s list of vital services and vital systems is shorter than those in equivalent sections of NIS1 and NIS2. Under NIS1, the category of “operator of essential services” is broader than the CCSPA’s list in Schedule 1. NIS2’s list of “sectors of high criticality” and “other critical sectors” is also more expansive. Table 1 identifies sectors in NIS1 and NIS2 that are not covered by the CCSPA (items not included in the CCSPA are bold).

Table 1 Covered entities under CCSPA, NIS1, and NIS2

The CCSPA is limited to those critical cyber systems the Governor in Council specifically identifies in Schedule 1, which the Governor in Council can amend at any time when it “is satisfied that the service or system is vital to national security or public safety.”Footnote 133 This formal registration approach is different from NIS1 and NIS2. Although NIS1 required member states to identify “operators of essential services” pertaining to certain sectors, it also created default obligations for digital service providers (online marketplaces, online search engines, and cloud computing services) that did not require identification or registration.Footnote 134 The definition of “operators of essential services” was intended to include only those entities that met the following criteria—namely, “(a) [the] entity provides a service which is essential for the maintenance of critical societal and/or economic activities; (b) the provision of that service depends on network and information systems; and (c) an incident would have significant disruptive effects on the provision of that service.”Footnote 135 For its part, NIS2 dispels the distinction between operators of essential services and digital service providers, utilising a size-cap approach that automatically triggers its provisions (discussed below).

The foregoing provisions in the CCSPA are only subject to implementation and enforcement through the “designated operator” provisions, which require the Governor in Council specifically to identify the class of operators in respect of a vital system or vital service, as well as the accompanying regulator for that class, and then to designate specific operators.Footnote 136 This provision is similar to the requirement in NIS1 for member states of the EU to identify “operators of essential services” to whom the provisions will apply, but it differs from NIS1’s default application to digital service providers.Footnote 137 EU members are also required to update this list every 2 years at a minimum.Footnote 138 The CCSPA contains no requirement for the federal government to review its list at regular intervals.

NIS2 highlights problems with the identification procedure in NIS1 that made member states responsible for the identification of operators of essential services. NIS2 adopts a size-cap rule establishing that its obligations apply to all “essential entities” from Annex I (“sectors of high criticality”) that employ more than 250 persons and which have an annual turnover exceeding € 50 million and/or an annual balance sheet total exceeding € 43 million.Footnote 139 Additionally, certain entities in industries covered by the “sectors of high criticality” and “other critical sectors” are covered by the obligations of NIS2, regardless of their size. These include (1) certain digital infrastructure entities; (2) entities that are the sole providers of services in a member state and whose service “is essential for the maintenance of critical societal or economic activities”; (3) entities whose service disruption would cause “a significant impact on public safety, public security or public health”; (4) entities whose service disruption would cause “a significant systemic risk, in particular for the sectors where such disruption could have a cross-border impact”; and (5) entities that are “critical because of [their] specific importance at regional or national level for the particular sector or type of service.”Footnote 140 Additionally, NIS2’s provisions will apply to entities regardless of size that are identified as critical entities under the Directive on the Resilience of Critical Entities, which was agreed upon in summer 2022.Footnote 141 That directive will require parties to identify critical entities within a set time period.Footnote 142 Furthermore, NIS2’s “essential entity” designation applies to various other entities, such as public administration. All entities noted in Annexes I and II that do not fall into the designation of “essential entity” are designated “important entities.”


  • The CCSPA should be amended with respect to the identification of regulated entities, so that entities of a certain size automatically fall within its scope. The CCSPA should follow NIS2 in utilising a size-cap approach, so that provisions of the law apply automatically to entities of a certain size—not merely entities that are identified as “designated operators” by the Governor in Council through formal registration. This approach would embrace continuous evolution and automatic application without formal registration—creating cybersecurity obligations that take effect when certain criteria arise or are in place, not when a Minister or their delegate makes the necessary designation. This size-cap approach could possibly include requiring such entities to self-register with the relevant regulator for the purposes of registration in Schedule 2.

  • The CCSPA should be amended to include vital services and vital systems in federally regulated sectors identified in NIS1 and NIS2 that the CCSPA currently excludes, such as space and digital infrastructure. The CCSPA should also consider tiering entities, as NIS2 does, for the purpose of establishing different levels of responsibility and obligations (i.e., rather than one tier of critical cyber systems for all designated operators, the CCSPA could provide multiple tiers with different levels of obligations). At a minimum, the entities currently identified should remain at the highest tier.

  • The CCSPA’s scope should be broadened—likely in a separate section—to include provisions pertaining to all federal government institutions, including Crown corporations. In light of inconsistent use of Shared Services Canada resources and inconsistent application of Treasury Board Secretariat policies, the cybersecurity requirements of public administration institutions should be further developed and tailored to address the recommendations in NSICOP’s Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack. At a minimum, all federal government institutions should be required to use Shared Services Canada’s cyber defence services and CSE’s cyber defence sensors.Footnote 143

4.1.1 Proactive cybersecurity obligations

This section examines the proactive obligations and security requirements contained in the CCSPA (i.e., affirmative obligations for ongoing commitments to security and vigilance). The CCSPA sets out that, upon designation as an operator of a critical cyber system, those operators must develop a cybersecurity program to “identify and manage any organisational cyber security risks,” protect their critical cyber systems from being compromised, detect cybersecurity incidents that affect or have the potential to affect their critical cyber systems, minimize their impact, and undertake all other measures prescribed by the regulations.Footnote 144 This cybersecurity program must be provided to the regulator within 90 days of designation.Footnote 145 The program must be reviewed annually, and the regulator must be notified about changes resulting from the review.Footnote 146 Furthermore, designated operators must notify regulators about the following: “(a) any material change in the designated operator’s ownership or control; (b) any material change in the designated operator’s supply chain or in its use of third-party products and services; and (c) any circumstances that are prescribed by the regulations.”Footnote 147 Finally, upon the identification of a cybersecurity risk, the CCSPA obligates designated operators to “take reasonable steps, including any steps that are prescribed by the regulations, to mitigate those risks.”Footnote 148 Notably, regulators responsible for designated operators may share any information about these steps—including confidential information—with CSE.Footnote 149

These provisions generally surpass the requirements set out in NIS1, which only establish that member states must ensure that operators of essential services “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations.”Footnote 150 This requirement was informed by a principle of proportionality, as the security measures are required to be “appropriate to the risk posed.”Footnote 151 NIS1 also establishes security requirements for digital service providers, requiring them to “identify and take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services.”Footnote 152 Again, the goal of this principle is to “ensure a level of security of network and information systems appropriate to the risk posed.”Footnote 153 The United Kingdom’s Network and Information Systems Regulations 2018 is even more specific than the broad proportionality principle upon which NIS1 relies. It directs operators of essential services to “have regard to any relevant guidance issued by the relevant competent authority when carrying out their duties imposed.”Footnote 154

NIS2 requires essential and important entities to “take appropriate and proportional technical, operational, and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services.”Footnote 155 This obligation requires essential and important entities to have regard to “relevant European and international standards, as well as the cost of implementation.”Footnote 156 In other words, NIS2 requires parties to stay abreast of cybersecurity guidance from specific authorities, all while respecting the application of a proportionality principle. NIS2 also goes on to enunciate specific types of activity that would form a baseline for respecting these obligations. Such activity includes implementation of the following: risk analysis and information security systems policies; incident handling; business continuity and crisis management planning, including backup management and disaster recovery; supply chain security; security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of cybersecurity risk management measures; basic computer hygiene practices and cybersecurity training; policies regarding the use of cryptography and, where appropriate, encryption; human resources security, access control policies and asset management; and the use of multifactor authentication procedures.Footnote 157

Finally, NIS1 requires that EU members “shall ensure that operators of essential services take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of those services”Footnote 158 (emphasis added). Likewise, NIS2 requires “essential and important entities […] to prevent or minimise the impact of incidents on recipients of their services or other services”Footnote 159 (emphasis added).


  • The CCSPA should mirror the UK Regulations and NIS2 to require designated operators to have regard to any specific relevant guidance issued by the relevant competent authority (i.e., CSE, CCCS, or possibly the Standards Council of Canada) when carrying out their imposed duties. This approach would bolster CSE’s awareness and standard-setting power.

  • The CCSPA should mirror NIS2 in enunciating specific activities that form a baseline for the conduct actors must take to perform their proactive cybersecurity obligations as part of their cybersecurity programs. It should also include an attestation requirement in their annual review of their cybersecurity programs, affirming they have undertaken such programs.

  • The CCSPA should consider creating an affirmative obligation to disclose vulnerabilities to CSE (e.g., zero-day exploits). In its current form, the CCSPA defines a “vulnerability of any designated operator’s critical cyber system” as confidential information.Footnote 160 This language should be revised to omit the categorisation of vulnerabilities as such and create an affirmative reporting obligation attendant with penalties for noncompliance.

4.2 Reporting obligations

This section discusses the reporting obligations (i.e., the requirement to report cybersecurity incidents) contained in the CCSPA. As a preliminary matter, the CCSPA’s definition of a cybersecurity incident varies little from the definitions found in NIS1 and NIS2. Table 2 shows the definitions utilised in the respective regulations.

Table 2 Definition of “incident” under CCSPA, NIS1, and NIS2

The CCSPA requires designated operators to “immediately” report cybersecurity incidents in respect of any of their critical cyber systems to CSE.Footnote 161 Upon notifying CSE, the designated operator must then notify the regulator identified in Schedule 2.Footnote 162 The CCSPA also permits regulators to request incident reports from the CSE “for the purpose of verifying compliance with any provision of the [CCSPA].”Footnote 163 This obligation varies little from NIS1. For incidents having a “substantial impact” on the provision of essential services, EU members are required to ensure that both operators of essential services and digital service providers “notify the competent authority or the [Computer Security Incident Response Teams] without undue delay”Footnote 164 (emphasis added). This incident notification requirement is context specific, depending on factors such as, but not limited to, the number of users affected, the incident’s duration, the geographic spread, and the impact on economic and societal activities.Footnote 165 When the operator of an essential service relies on the services of a digital service provider whose services suffer an incident with a substantial impact, notification must also be given by the digital service provider to that operator.Footnote 166 When public awareness is “necessary in order to prevent an incident or to deal with an ongoing incident,” the public may also be informed, with the permission of the Computer Security Incident Response Team.Footnote 167

NIS2 continues the requirement for essential and important entities to report incidents considered “significant” in a timeframe that is “without undue delay.”Footnote 168 In this respect, NIS2 replaces the NIS1 test of incidents having a “substantial impact” with a “significance” test, under which an incident is considered significant when it “is capable of causing severe operational disruption of the service or financial losses for the entity concerned” or “the incident has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material losses.”Footnote 169 However, NIS2 provides specific ceilings for the time window in which essential and important entities must provide notification. When the incident is caused by unlawful or malicious conduct or could have a cross-border effect, parties must notify the relevant Computer Security Incident Response Team “without undue delay and in any event no later than 24 h[ours] after having become aware of the incident.”Footnote 170 Other notifications must be given “without undue delay and in any event no later than 72 h[ours] after having become aware of the incident.”Footnote 171 Moreover, NIS2 broadens the requirement to notify the public. It states the following:

“Where applicable, Member States shall ensure that essential and important entities are required to communicate, without undue delay, to the recipients of their services that are potentially affected by a significant cyber threat any measures or remedies that those recipients are able to take in response to that threat. Where appropriate, the entities shall also inform those recipients of the threat itself.”Footnote 172

Both NIS1 and NIS2 also explicitly state that the mere act of notification shall not subject the notifying entity to increased liability.Footnote 173


  • The CCSPA should include a notification requirement for the public similar to the one contained in NIS2, which lets recipients of services know they are potentially affected and makes them aware of potential measures or remedies. This notification should be made without undue delay and no later than a prescribed period. The current framework, which requires notification only to the CSE and then the regulator, provides insufficient transparency about cybersecurity incidents.

  • The CCSPA should be revised to include an explicit mention that notification will not increase liability. For example, sections 92 or 135(c) should be amended to highlight, in an abundance of clarity, that notification itself will not lead to increased liability.

4.3 Cybersecurity directions

This section discusses the cybersecurity directions provisions contained in the CCSPA. The statute permits the Governor in Council to issue cybersecurity directions to specific designated operators or entire classes of operators that are intended to protect critical cyber systems.Footnote 174 As the federal government noted in a press release upon introducing this measure, the tool was designed to ensure “that a broad range of relevant factors—including national security, economic priorities, trade, competitiveness, international agreements and commitments—are considered when making decisions that have an impact across sectors.”Footnote 175 Information pertaining to the making, amending, or revoking of cybersecurity directions may circulate to the responsible Minister (i.e., the Minister to whom the regulator is responsible) and regulator, as well as the Ministers of Foreign Affairs and National Defence, the Chief of the Defence Staff, and any employee in CSE or CSIS, as well as anyone prescribed by regulation.Footnote 176 The issuance of cybersecurity directions is subject to judicial review in camera in federal court.Footnote 177 Significantly, and sweepingly, the CCSPA prohibits the disclosure of cybersecurity directions by designated operators, including both the fact that a direction was issued and the content of the direction.Footnote 178 This widespread embrace of secrecy appears to contradict the federal government’s National Security Transparency Commitment.Footnote 179 Moreover, considering the value of engagement and awareness from private organisations and the general public, it seems unhelpful to deprive such actors of more information about the causes, actors involved, and effects of cyberattacks. There is nothing similar to the cybersecurity direction provision from the CCSPA in NIS1 or NIS2.


  • The CCSPA should provide better oversight regarding cybersecurity directions at the issuance stage. One way to redress the lack of oversight is to involve the Intelligence Commissioner in the authorisation process for issuing cybersecurity directions. For example, the CCSPA could include a provision that “an authorization issued under subsection 20(1) is valid when—if it is approved by the Commissioner under [insert revised authority under the Intelligence Commissioner Act]—the Commissioner provides the Minister with the written decision approving the authorisation.” A further provision could clarify: “No activity that is specified in an authorisation issued under subsection 20(1) is authorised until the authorisation is valid under [the foregoing subsection].” Ideally, notice of issuance of these cybersecurity directions should be given to at least one review agency when the issuance occurs.

4.4 Record-keeping provisions

This section discusses the record-keeping provisions, and the related confidentiality provisions, contained in the CCSPA. The CCSPA requires parties to maintain records pertaining to cybersecurity programs, cybersecurity incidents, mitigation efforts, cybersecurity direction implementation, and other matters.Footnote 180 However, the statute does not identify a specific time period for record retention, making it regulator specific.Footnote 181


  • A uniform record-keeping retention period should be set in the statute, including a record retention period for CSE. CSE’s enabling legislation and the Privacy Act are otherwise silent on how long such records will need to be retained. Given that the CCSPA would permit regulators to share designated operators’ confidential information with CSE, the CCSPA should clarify these timelines with a uniform time period.Footnote 182

4.5 Enforcement and penalties

This section discusses the enforcement and penalty provisions contained in the CCSPA. The CCSPA creates an administrative monetary penalty scheme in which contravention or failure to comply with a provision in the statute will constitute a violation liable to penalty, with penalties established by the Governor in Council of no more than $1,000,000 for individuals and $15,000,000 in any other case.Footnote 183 Specific amounts are not set for specific offences. The penalty scheme is intended to “promote compliance with this Act and not to punish”Footnote 184 (emphasis added). Factors to be considered in issuing penalties are not outlined.

NIS1 is silent on both specific penalties and factors that should be used to determine penalty amounts. It notes only that penalties should be “effective, proportionate, and dissuasive.”Footnote 185 By contrast, NIS2 specifically provides for its penalty scheme to be informed by the seriousness and duration of the infringement; previous infringements; the scope of damages (e.g., financial loss); the intentional or negligent character of the infringement; measures taken by the entity towards mitigation; adherence to approved codes of conduct and certification measures; and cooperation with relevant authorities.Footnote 186 Although NIS2 reprises the use of penalties that are “effective, proportionate, and dissuasive,” it adopts a percentage-based scheme.Footnote 187 For essential entities contravening obligations regarding cybersecurity risk management measures (e.g., proactive cybersecurity obligations) or reporting obligations, NIS2 sets an administrative fine of € 10 million or 2% of “the worldwide annual turnover of the undertaking to which the entity belongs in the preceding year.”Footnote 188 For important entities, the penalties are € 7 million or 1.4%.Footnote 189 The UK Network and Information Systems Regulations 2018 also sets value amounts as ceilings for penalties. For contraventions that could not cause a network or information system incident, the penalty amount must not exceed £1,000,000.Footnote 190 However, the penalty amount can be up to £17,000,000 for a material contravention that caused or could cause an incident resulting in an immediate threat to life or a significant adverse impact on the UK economy.Footnote 191


  • The CCSPA should elaborate its penalty scheme to identify factors that will inform enforcement of its provisions and accompanying penalties for noncompliance. Currently, the CCSPA merely states, “Due diligence is a defence in a proceeding in relation to a violation.”Footnote 192 The CCSPA should mirror the NIS2’s factor list. Moreover, the purpose of the penalty should be amended to include deterrence—not merely encourage compliance.

  • The CCSPA should adopt a percentage-based penalty scheme similar to the one used in NIS2.

4.6 Note on IoT cybersecurity

Internet-of-Things cybersecurity is not discussed in the CCSPA. However, efforts to bolster legal cybersecurity requirements increasingly target the resilience of hardware and software products with digital elements. Technologies such as IoT devices connect, collect, and exchange information through an increased range of access points. The use of IoT technologies in critical infrastructure (e.g., government, transportation, and health care), business sectors (e.g., retail and manufacturing), and personal and residential use drives opportunities for interconnectivity and automation. The use of such technologies has increased during the COVID-19 pandemic.Footnote 193 By expanding the surface area of access points, these technologies broaden the attack vectors open to malicious cyber actors. As noted by the CCCS in its National Cyber Threat Assessment, such connectivity presents clear benefits for data collection, real-time monitoring, and looped feedback, but “it also increases critical infrastructure providers’ vulnerability to cyber threat activity.”Footnote 194

Canada has no stand-alone statute or policy regarding IoT cybersecurity obligations, including no legislation resembling the EU Cyber Resilience Act or the UK Product Security and Telecommunications Infrastructure Bill (discussed below). Despite this absence of guidance, Canada has acknowledged the rapid growth in the use of these devices even as “many of these devices lack basic security features,” which “could have serious consequences for individuals, our economies and national security.”Footnote 195 Given the division of powers in Canadian federalism, private contract and tort disputes arising over product design fall under provincial jurisdiction and are adjudicated under the common law or Québec civil law principles.Footnote 196 Because of the nexus between product safety and international trade, the federal government has utilised its constitutional authority to promulgate the Canada Consumer Product Safety Act, which addresses “dangers to human health or safety that are posed by consumer products.”Footnote 197 The Act, however, does not address cybersecurity, the internet, data, privacy, or personal information, and its provisions pertain to a high threshold of health and safety. The Act itself is enforced through the Minister of Health. It is unlikely it could be used to articulate proactive or retroactive obligations pertaining to the cybersecurity shortcomings of products with digital elements. The Office of the Privacy Commissioner has issued manufacturer guidance, but this guidance is aimed exclusively at ensuring compliance with PIPEDA.Footnote 198 Apart from these pieces of legislation and this guidance, various governmental entities have published guidance identifying risks to IoT devices and the potential impact on critical infrastructure,Footnote 199 as well as the cybersecurity risks for the business sectorFootnote 200 and residential environmentsFootnote 201 in particular. For example, the CCCS has published a management memorandum on the top 10 measures to protect such devices,Footnote 202 as well as guidance documents for small and midsized businesses.Footnote 203 Yet these guidelines focus on best practices, without enshrining any proactive or binding obligations. On balance, these materials speak to a Canadian approach to IoT cybersecurity characterised by a distinctly noninterventionist and hands-off nature.

As with privacy and data policy measures, the EU remains a leader in the development of early policy efforts to regulate IoT cybersecurity. The proposed EU Cyber Resilience Act (CRA) continues the shift towards security by design that is also being undertaken in other jurisdictions.Footnote 204 The CRA applies to objects with “a direct or indirect logical or physical data connection to a device or network”Footnote 205 (“products with digital elements”),Footnote 206 and it includes enhanced obligations for the category of “critical product with digital elements.”Footnote 207 Respecting existing measures promulgated by the EU to regulate digital technologies, such as the Artificial Intelligence Act,Footnote 208 the CRA enshrines obligations for manufacturers that include undertaking conformity assessments, verifying general product safety, exercising due diligence in design, and conducting cybersecurity risk assessments confirmed in the technical documentation accompanying the product.Footnote 209 In addition to these obligations, manufacturers who become aware of “any actively exploited vulnerability contained in the product with digital elements” must report the issue within 24 hours to the European Union Agency for Cybersecurity, including corrective and mitigating measures taken in regard to the product with digital elements,Footnote 210 as well as notify users (and also notify users about corrective measures the users can undertake to mitigate adverse cybersecurity effects).Footnote 211 Moreover, similar but less extensive obligations apply to importers and distributors of products with digital elements.Footnote 212 These measures are coupled with very high penalties for noncompliance. Breaches of the obligations of importers and distributors can incur administrative fines of up to 15,000,000 € or 2.5% of “total worldwide annual turnover for the preceding financial year,”Footnote 213 while breaches of all other obligations in the CRA can incur penalties of up to 10,000,000 € or 2% of “total worldwide annual turnover for the preceding financial year.”Footnote 214 While overlapping with other EU efforts to regulate digital technologies, artificial intelligence, and automated decision-making, the CRA has been criticised for “its complex interplay with other [EU] policies, including obligations on the processing of personal data under the (General Data Protection Regulation (GDPR)),”Footnote 215 along with the burden of detecting and analysing aspects of products that will trigger the act’s provisions.

Canada’s “hands-off” approach to IoT cybersecurity creates a strong contrast with its peers taking an increasingly proactive obligatory approach. However, Canada is likely to reap the benefit of the manufacturer obligations created and imposed by peer states. Along with its Five Eyes partners (i.e., the intelligence alliance including members Australia, Canada, New Zealand, the United Kingdom, and the United States), Canada is a signatory to a robust statement of intent to collaborate on industry standards, seek opportunities to raise awareness of security shortcomings, and aid in the overall improvement of IoT devices.Footnote 216 However, the lack of made-in-Canada obligations suggests that the approach will be defined and characterised by the importation of standards from allies, such as the labelling systems currently being developed by allies such as the United StatesFootnote 217 or even those standards being proposed by industry.Footnote 218


  • The House of Commons Standing Committee on Public Safety and National Security should engage in a study of the desirability and viability of a made-in-Canada IoT regulatory scheme, including a cybersecurity certification scheme.

5 Conclusion

As the foregoing illustrates, the CCSPA is a watershed development in Canadian cybersecurity regulation, representing a major overhaul of this area by the federal government. In this respect, it also represents a much-needed shift from largely aspirational and nonbinding policies to enforceable, binding, and codified obligations. On balance, the CCSPA is a welcome first step. At the same time, the CCSPA has several shortcomings, which Parliament can and should repair prior to the passage of the bill. Falling outside the scope of the CCSPA in its current form are the cybersecurity practices of federal government institutions themselves, which, as noted by NSICOP, need significant attention. As Parliament continues its study of the CCSPA, it will need to address gaps in the law. There are self-evident limits to the regulatory power of Parliament for cybersecurity, in particular in light of the division of powers between the federal and provincial governments. But as representatives of the federal government repeatedly intone, “cyber security is national security.”Footnote 219 So far, Canadian law does not reflect this assertion.