Mahnoor Khalid, a 1L law student at the University of Calgary and writing contributor for the Tech and Law Association addresses the implications of ARCS on protecting Canada’s cyber security
On June 14, 2022, the House of Commons introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, which proposed cybersecurity requirements that protect Canada’s security and public safety. The objective of the bill is to enhance security in industries that are essential, more effectively minimise cyber risk across industries subject to federal regulation and provide the Canadian government additional legal authority to react to threats.[1] The bill is split into two parts. The first part of the bill amends the Telecommunications Act to ensure the security of the Canadian telecommunications system is up to date. The second part enacts the Critical Cyber Systems Protection Act (CCSPA).[2]
Not only does the first part of the bill add the security of the Canadian telecommunications system as an objective of the Canadian telecommunication policy, it also gives new powers to the Governor in Council and the Minister of Industry. Section 15 of the Telecommunications Act is amended drastically to provide these powers. Whereas most general powers granted under the application of the bill will be undertaken by the minister, the governor is given broad powers under Part I to intervene directly on any matters essential in maintaining the security of the country. This may be especially beneficial in a situation that warrants an emergency response.[3]
Amendments made to the Telecommunications Act will impact and prohibit the use of certain products and services provided by specific telecommunications providers. Section 15.1(1) gives the Governor in Council broad powers in securing the Canadian telecommunications systems “against the threat of interference, manipulation or disruption.”[4]Additionally, s. 15.2(2) states that “the Minister may, by order, direct a telecommunications service provider to do anything or refrain from doing anything.”[5]
Part I also amends the Telecommunications Act to implement monetary penalties in cases of contravention to provisions made under section 15.1 or 15.2. For each instance of non-compliance, telecommunication service providers may be liable for administrative monetary penalties (AMPs) of up to $10 million, and up to $15 million for any subsequent contraventions.
Part II of the bill introduces the Critical Cyber Systems Protection Act (CCSPA). The purpose of the CCSPA is to protect “critical cyber systems”, which is essentially a system that would drastically impact the continuity or security of a vital service if compromised. These critical cyber systems exist in the federally regulated private sector. Schedule 1 to the Act then goes on to list what the vital services and systems are. Each vital service is assigned a relevant regulator. If passed, the CCSPA would apply to a class of “designated operators”, which are listed in Schedule 2 of the Act and will carry on work subject to federal jurisdiction and the regulator for that service.
There are certain things that come into play if the CCSPA is passed. Firstly, if an operator is not granted an extension by the regulator, they have 90 days to establish a cybersecurity system that meets the four purposes outlined in s. 5 of the Act and notify the regulator of this system. Each program should be annually reviewed, and the regulator should be informed to any changes. Secondly, the CCSPA gives authority to the governor to direct operators in complying with the Act and meeting the purpose of protecting a critical cyber system. The operator should also take any reasonable steps to identify and mitigate risks associated with their supply chain. The Act goes on to discuss cybersecurity incidents that can interfere with the continuity and security of “critical cyber systems”, in the event of which an operator must report the incident immediately.
The following is a chart that shows the list of vital services listed in Schedule 1 of the Act and the relevant government regulator for each.[6]
| Vital Service or System | Regulator |
| Telecommunications services | Minister of Industry |
| Transportation systems within the legislative authority of the Parliament | Minister of Transport |
| Interprovincial or international pipeline and power line systems | Canada Energy Regulator |
| Nuclear energy systems | Canadian Nuclear Safety Commission |
| Banking systems | Office of the Superintendent of Financial Institutions |
| Clearing and settlement systems | Bank of Canada |
While it is evident that changes to cybersecurity are inevitable, Bill C-26 depicts how the Canadian government is adapting to this evolving landscape. Cybersecurity is a rapidly changing field and as Bill C-26 goes through subsequent readings and amendments, it will be interesting to see the progressing jurisdictions regarding the country’s cybersecurity risks. The second reading of Bill C-26 is currently in progress, and we will continue to see how it is perceived and changed.
[1] “Cybersecurity and Bill C-26: How to Comply with Confidence.” BDO Canada, 29 Aug. 2022, online: <https://www.bdo.ca/en-ca/insights/advisory/cybersecurity/cybersecurity-and-bill-c-26-how-to-comply-with-confidence/>.
[2] Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, 1st Sess, 44th Parl, 2022.
[3] Ahmad, Imran, et al. “Bill C-26: The Increased Importance of Canadian Cybersecurity.” Norton Rose Fulbright, 22 June 2022, online: <https://www.nortonrosefulbright.com/en-ca/knowledge/publications/42944ded/bill-c26-the-increased-importance-of-canadian-cybersecurity>.
[4] Supra note 2.
[5] Ibid.
[6] Supra note 1.
UCalgary Technology and Law Club 