O. Reg. 51/26: CYBER SECURITY, Enhancing Digital Security and Trust Act, 2024
Consolidation Period: From March 23, 2026 to the e-Laws currency date.
Note: THIS REGULATION IS NOT YET IN FORCE. It comes into force on July 1, 2026.
No amendments.
This is the English version of a bilingual regulation.
Interpretation
1. In this Regulation,
“cyber security maturity assessment” means an assessment or evaluation, carried out in accordance with industry standards or best practices endorsed by the Chief Information Security Officer of the Ministry, of a prescribed public sector entity’s status or progress with respect to cyber security; (“évaluation de la maturité en matière de cybersécurité”)
“Ministry” means the ministry of the Minister; (“ministère”)
“prescribed public sector entity” means a public sector entity prescribed under section 2. (“entité du secteur public prescrite”)
Prescribed public sector entities
2. The following public sector entities are prescribed for the purpose of section 2 of the Act:
1. An educational institution as defined in subsection 2 (1) of the Freedom of Information and Protection of Privacy Act.
2. A public hospital graded as a Group A, B or C hospital under the Public Hospitals Act.
3. The University of Ottawa Heart Institute.
4. A children’s aid society.
5. A school board.
Program
3. Every prescribed public sector entity shall develop and implement a program for ensuring cyber security that satisfies, at a minimum, the requirements set out in this Regulation.
Primary point of contact and alternate
4. (1) Each prescribed public sector entity shall designate one of its employees as its primary point of contact for ensuring cyber security and another employee as an alternate.
(2) An employee designated as a primary point of contact or alternate must satisfy the following criteria:
1. The employee must hold a senior management position at the prescribed public sector entity.
2. The employee must have decision-making authority with respect to cyber security at the prescribed public sector entity.
(3) The prescribed public sector entity shall assign responsibilities to the primary point of contact and alternate as follows:
1. The primary point of contact shall be responsible for,
i. communicating with the Ministry regarding cyber security matters, including any communication required as part of complying with this Regulation, and
ii. approving summaries of the entity’s cyber security maturity assessments.
2. The alternate shall be responsible for fulfilling the responsibilities set out in paragraph 1 in circumstances where the primary point of contact is unable to do so.
(4) The prescribed public sector entity shall provide the Chief Information Security Officer of the Ministry with the name, title and contact information, including the phone number and email address, of the primary point of contact and alternate and shall provide notice of any change in that information as soon as reasonably practical but no later than 10 business days following the change.
Cyber security maturity assessment
5. (1) A prescribed public sector entity shall,
(a) subject to subsection (2), complete an initial cyber security maturity assessment no later than one year after the day this Regulation first applies to the entity; and
(b) complete a cyber security maturity assessment no later than the second anniversary of the day the initial assessment is completed by the entity and at least once within every subsequent two-year period.
(2) If a prescribed public sector entity completed a cyber security maturity assessment within one year before the day this Regulation first applies to the entity,
(a) the entity may, instead of complying with clause (1) (a), elect to consider the assessment to be the initial cyber security maturity assessment for the entity; and
(b) if the entity makes an election under clause (a), the initial assessment is deemed, for the purposes of clause (1) (b) and section 6, to have been completed on the day the Regulation first applies to the entity.
Cyber security maturity assessment summary
6. No later than 30 business days after the completion of a cyber security maturity assessment, the prescribed public sector entity shall submit a summary of the assessment that satisfies the following requirements to the Chief Information Security Officer of the Ministry:
1. The summary must include, at a minimum, the following information:
i. A brief description of the method used to conduct the assessment.
ii. The name of the model or framework used.
iii. A score representing the entity’s overall cyber security maturity and a summary of any other scores from the assessment.
iv. A summary of any areas for future improvement regarding the entity’s cyber security maturity.
2. The summary must be approved by the entity’s primary point of contact.
Critical cyber security incident, report
7. (1) In this section,
“critical cyber security incident” means, with respect to a prescribed public sector entity, an incident that,
(a) has impacted,
(i) the security, continuity, confidentiality, integrity or availability of digital information collected, used, retained or disclosed by the entity, or
(ii) the infrastructure housing or transmitting digital information collected, used, retained or disclosed by the entity, and
(b) satisfies at least one of the criteria set out in subsection (2).
(2) For the purposes of clause (b) of the definition of “critical cyber security incident” in subsection (1), at least one of the following criteria must be satisfied:
1. The incident results in a significant adverse impact to the delivery of public services by the entity.
2. The incident poses a risk to public safety.
3. The incident requires or results in significant efforts to recover digital information or related infrastructure or activation of cyber security incident response plans by the entity.
4. The incident poses a significant risk of harm to the reputation of and public confidence in the entity.
(3) If a critical cyber security incident with respect to a prescribed public sector entity occurs, the entity shall report it to the Chief Information Security Officer of the Ministry as soon as reasonably practical but no later than 72 hours after the entity has confirmed that it occurred.
(4) A report of a critical cyber security incident shall include, but is not limited to, the following information:
1. The names of the primary point of contact and alternate.
2. The name of the prescribed public sector entity.
3. The name of the ministry responsible for overseeing the entity.
4. The date and time that the incident occurred.
5. The date and time of confirmation mentioned in subsection (3).
6. A general description of the incident, including an explanation of why the incident constitutes a critical cyber security incident.
7. A general description of the type of information impacted or stolen by the incident, if applicable.
(5) For greater certainty, nothing in this section affects other legal obligations a prescribed public sector entity may have in respect of a critical cyber security incident, including any obligations under the Freedom of Information and Protection of Privacy Act.
8. Omitted (provides for coming into force of provisions of this Regulation).