Canada: Introduced Critical Cyber Systems Protection Act (C-26)

On 14 June 2022, the "Critical Cyber Systems Protection Act" (C-26) was introduced to the Canadian House of Commons. This bill aims to create a national regulatory cybersecurity framework around institutions, entities and systems that are imperative to national security. The bill intends to outline the services, obligations, reporting, and oversight mechanisms of operators and designated cyber-threat response teams. The Governor in Council (GIC) is empowered to create Cyber Security Directions (CSDs) which are directed to cybersecurity operators that include specific, limited measures to eliminate or reduce a cyberthreat or to sustain a security system. The violation of CSDs can lead to administrative penalties or imprisonment. Operators will also be obligated to evaluate and reduce risks associated with supply chain or third-party services and report all cyber-related incidents to the Communications Security Establishment.