On June 14, 2022 the Government of Canada introduced Bill C-26, An Act Respecting Cyber Security in an effort to “protect Canada’s critical infrastructure”. While Part 1 of Bill C-26 amends the Telecommunications Act and Canada Evidence Act, Part 2 enacts the Critical Cyber Systems Protection Act (“CCSPA” or the “Act”), which would provide a new framework for the protection of critical cyber systems for services and systems vital to national security or public safety.
As parliamentary business will resume in September 2022 in Ottawa, many stages of the legislative process remain before Bill C-26 is passed and the CCPSA is enacted. Until then, we can expect that a number of provisions will be added, modified or removed. Nevertheless, considering the scope of the regulatory framework to be established and the multiple requirements it entails, impacted organizations should closely monitor the Bill’s progression.
We provide a few of the key highlights of the proposed CCSPA below.
- Applicability
The Preamble to the proposed CCSPA establishes that the Act serves to impose obligations on organizations that have cyber systems that “are critically important to vital services and vital systems” such that their “disruption could have serious consequences for national security or public safety”.
Once enacted, the CCSPA will apply to federally regulated persons, partnerships or unincorporated organizations belonging to a class of operators that will be listed in Schedule 2 of the Act,[1] i.e., designated operators, that own, control or operate a critical cyber system.[2] Schedule 2 will also include a list of regulators corresponding to each class of operators.[3]
While a cyber system is broadly defined as “a system of interdependent digital services, technologies, assets or facilities that form the infrastructure for the reception, transmission, processing or storing of information”,[4] the definition of “critical cyber system” further delineates the proposed legislation’s scope:
critical cyber system means a cyber system that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system.[5]
“Vital services” and “vital systems” are set out under Schedule I of the CCSPA, and the Governor in Council may add a “service that is delivered, or a system that is operated” within the legislative authority of Parliament, if the Governor in Council is satisfied that the service or system is vital to national security or public safety. In this first version of Bill C-26, the following services or systems are referred to under Schedule 1:
- Telecommunications services;
- Interprovincial or international pipeline or power line systems;
- Nuclear energy systems;
- Transportation systems (federally regulated);
- Banking systems; and
- Clearing and settlement systems.
This assessment and the resulting qualification as a “critical cyber system” triggers several new requirements for designated operators. Additional guidance on how to assess whether the compromise of a given cyber system could affect the “continuity” or “security” of those services or systems would be useful.
- Establishment of a cyber security program
The proposed CCSPA provides that a…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
