Overview

The Enhancing Digital Security and Trust Act, 2024 (EDSTA) is the Government of Ontario's response to the rapidly evolving digital and technological landscape.

Starting July 1, 2026, new regulations under EDSTA will take effect. These regulations strengthen cyber security protections for select public sector organizations and improve transparency in how school boards manage children’s data.

Why we are taking action

Ontario needs to:

  • safeguard people and public sector organizations from cyberattacks that threaten critical services like health care
  • address emerging risks from powerful technologies like artificial intelligence (AI)
  • strengthen cyber security protections for select public sector organizations
  • improve transparency around how school boards disclose and manage children’s information

Cyber security requirements (O. Reg. 51/26)

This regulation applies to:

  • hospitals graded as Group A, B or C as defined in the Public Hospitals Act as well as the University of Ottawa Heart Institute
  • colleges and universities as defined in the Freedom of Information and Protection of Privacy Act
  • school boards as defined in the Education Act
  • children’s aid societies as defined in the Child, Youth and Family Services Act, 2017, including Indigenous child and family well-being agencies

These organizations will be required to:

  • designate a primary point of contact and alternate for cyber security and submit their contact information to the Chief Information Security Officer (CISO) of the Ministry of Public and Business Service Delivery and Procurement (MPBSDP)
  • conduct cyber security maturity assessments (CMAs) every two years and submit a summary of the CMA to the CISO of MPBSDP
  • report critical cyber security incidents to the CISO of MPBSDP within 72 hours after confirmation of the incident

 Implementation supports for cyber security

This guidance is directed at helping in-scope organizations comply with the cyber security regulation (O. Reg. 51/26) under the Enhancing Digital Security and Trust Act.

Digital technology affecting individuals under 18 (O. Reg. 52/26)

The regulation applies to school boards only.

School boards as defined in the Education Act should consult the implementation guidance and the Enhancing Digital Trust and Security Act to understand which regulations under EDSTA apply to them.

School boards must provide a plain-language written notice when the student’s personal digital information is shared with a third-party software application.

They must give the notice to:

  • parents
  • caregivers or guardians
  • the student (depending on their age)

Implementation supports for digital technology affecting individuals under 18

This guidance is directed at helping school boards comply with the digital technology affecting individuals under 18 regulation (O. Reg. 52/26) under the Enhancing Digital Security and Trust Act.

Resources

Best practices for age-appropriate use of digital technology

Guidance for public sector organizations that support children and youth in safely using digital technology. The practices can also be applied by anyone.

Learn more about cyber security

Information on how to strengthen cyber security and protect your personal or your organization’s information to keep it safe and secure.

The Ministry of Public and Business Service Delivery and Procurement provides security advice, guidance, information and services to broader public sector (BPS) organizations through the Cyber Security Ontario website.

Responsible Use of Artificial Intelligence Directive

The Responsible Use of AI Directive sets requirements and guiding principles for the transparent, responsible and accountable use of AI by Ontario ministries and provincial agencies. Organizations can use these principles to develop or update internal AI policies and guidelines.

Privacy guidance for organizations

Resources from the Information and Privacy Commissioner (IPC) of Ontario to help organizations understand and apply Ontario’s privacy laws.

Contact us

For questions or feedback, email AI@ontario.ca