
Cybersecurity Laws in Canada: The 2026 Guide for Businesses


There is no single "cybersecurity law" in Canada. The obligations that apply to your business are a combination of federal privacy and anti-spam legislation, provincial privacy statutes, sector-specific rules, and — increasingly — new critical-infrastructure legislation. For most Canadian businesses in 2026, this patchwork is confusing, but the underlying obligations are manageable once you know which laws actually apply and what they expect.

This guide maps the Canadian cybersecurity legal landscape as it stands in April 2026, with links to the authoritative sources and practical context for small and medium businesses.

The Federal Laws Every Canadian Business Should Know

PIPEDA — Personal Information Protection and Electronic Documents Act

PIPEDA is the federal private-sector privacy law. It applies to organizations that collect, use, or disclose personal information in the course of commercial activity — with some important provincial exceptions (see below). In force since 2001 for federal works and since 2004 for all commercial activity, PIPEDA is enforced by the Office of the Privacy Commissioner of Canada (OPC).

The core obligations:

  • Collect only the personal information you need, for purposes you identify to the individual
  • Obtain meaningful consent
  • Safeguard personal information with controls appropriate to its sensitivity
  • Report breaches of security safeguards that create a "real risk of significant harm" to the OPC and affected individuals, and maintain breach records for at least two years
  • Give individuals access to the information you hold about them on request

Failure to report a qualifying breach, or knowingly contravening PIPEDA's breach record-keeping rules, can result in fines of up to $100,000 per violation. We cover the practical implications in depth in New PIPEDA Enforcement: What Changed and What SMBs Must Do Now and in our overview of Canada's privacy landscape.

CASL — Canada's Anti-Spam Legislation

CASL governs commercial electronic messages, the installation of computer programs, and the alteration of transmission data. It is one of the strictest anti-spam and anti-malware laws in the world, and despite its name it is also a cybersecurity law: the provisions on software installation directly target malware, spyware, and unwanted programs.

CASL is jointly enforced by the Canadian Radio-television and Telecommunications Commission (CRTC), the Competition Bureau, and the OPC. Penalties reach up to $10 million per violation for organizations.

The practical implications for most businesses are:

  • Obtain consent before sending commercial electronic messages (with narrow exceptions)
  • Identify the sender clearly and provide a working unsubscribe mechanism
  • Do not install software on a user's device without express consent and clear disclosure

Bill C-26 — The Critical Cyber Systems Protection Act

Bill C-26 is the most significant new cybersecurity legislation in Canadian federal history. It creates two new regimes: amendments to the Telecommunications Act to allow the government to direct security measures on telecommunications providers, and the new Critical Cyber Systems Protection Act (CCSPA).

The CCSPA applies to designated operators in four federally regulated critical infrastructure sectors: telecommunications, finance (federally regulated banks), energy (interprovincial pipelines, nuclear), and transportation (certain federally regulated areas). Designated operators will be required to:

  • Establish and maintain a cyber security program
  • Report prescribed cyber security incidents to the Communications Security Establishment
  • Comply with ministerial directions
  • Carry out supply chain risk management

For businesses not in these sectors, Bill C-26 still matters. Its framework is likely to shape how other regulators and insurers think about cyber risk, and the supply chain obligations placed on designated operators will cascade down to their suppliers. We cover this in detail in What Canadian Businesses Need to Know About Bill C-26.

Criminal Code — Computer and Cyber Offences

Sections 342.1 and 430(1.1) of the Criminal Code of Canada criminalize unauthorized use of a computer, possession of passwords or device-making equipment for the purpose of committing offences, and mischief in relation to computer data. These are the provisions under which cybercrime is prosecuted in Canada.

For businesses, the Criminal Code matters in three ways:

  • It is the legal basis on which police can investigate and prosecute attacks against your business
  • It defines the scope of "authorized" versus "unauthorized" access — relevant to penetration testing, security research, and employee monitoring
  • Certain activities your own team might perform (such as probing a third party's systems, or acquiring credentials) can cross into criminal territory without proper authorization

Any in-house security testing or response activity should be grounded in clear authorization and legal advice.

Competition Act — Misleading Privacy and Security Claims

The Competition Act prohibits false or misleading representations to the public. Recent Competition Bureau activity, both in Canada and from U.S. counterparts such as the FTC, has focused on businesses that misrepresent their cybersecurity posture — for example, claiming "bank-grade encryption" or "fully secure" when the underlying practices fall short. In 2026, your public cybersecurity claims are a compliance surface, not just a marketing surface.

Provincial Privacy and Cybersecurity Legislation

PIPEDA includes an exception: where a province has enacted private-sector privacy legislation that is deemed "substantially similar" to PIPEDA, that provincial law applies within the province. Four provinces have done so.

Quebec — Law 25 (formerly Bill 64)

Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25, is now the strictest private-sector privacy law in Canada. Rolled out in phases from 2022 to 2024, it introduced:

  • Mandatory privacy impact assessments for certain projects
  • The requirement to designate a Privacy Officer
  • Breach notification to Quebec's Commission d'accès à l'information (CAI) and to affected individuals
  • Default privacy settings for technology products
  • A right to data portability
  • Restrictions on automated decision-making
  • Administrative monetary penalties up to the greater of $10 million or 2% of worldwide turnover, and criminal fines up to $25 million or 4% of worldwide turnover

Any business operating in Quebec, or handling the personal information of Quebec residents, is subject to Law 25.

British Columbia — PIPA (Personal Information Protection Act)

BC's PIPA applies to private-sector organizations operating in BC. It is generally aligned with PIPEDA but includes a limited right of access to personal employee information and distinct breach notification guidance. Enforcement is by the Office of the Information and Privacy Commissioner for BC.

Alberta — PIPA

Alberta's PIPA is similar to BC's, with a mandatory breach notification requirement to the Alberta Information and Privacy Commissioner when there is a "real risk of significant harm." Alberta was the first Canadian jurisdiction to require mandatory breach notification in the private sector.

Ontario — Sector-Specific Rather Than General

Ontario does not have a general private-sector privacy law; PIPEDA applies to Ontario businesses. However, Ontario has important sector-specific statutes:

  • PHIPA — Personal Health Information Protection Act: governs custodians of personal health information (hospitals, clinics, pharmacies, many MSPs serving healthcare). Mandatory breach notification to the Information and Privacy Commissioner of Ontario.
  • FIPPA / MFIPPA: public-sector and municipal-sector privacy laws.

If your business serves Ontario healthcare organizations as a service provider, PHIPA obligations often flow through your contracts and you are treated as an "agent" of the health information custodian.

Other Provincial Regimes

Other provinces (Saskatchewan, Manitoba, New Brunswick, Nova Scotia, Newfoundland and Labrador, PEI) rely on PIPEDA for private-sector privacy and have their own public-sector freedom-of-information and privacy statutes. Some have sector-specific health privacy laws (e.g., Manitoba's PHIA, New Brunswick's PHIPAA).

Sector-Specific Cybersecurity Obligations

Even within PIPEDA or provincial privacy legislation, certain sectors have additional cybersecurity obligations imposed by their regulators.

Financial Services

The Office of the Superintendent of Financial Institutions (OSFI) regulates federally regulated financial institutions. OSFI's Guideline B-13 (Technology and Cyber Risk Management) and Technology and Cyber Security Incident Reporting Advisory set cyber risk management expectations and require prompt incident reporting.

Provincial credit unions, securities firms, and insurance companies have parallel obligations through the Financial Services Regulatory Authority of Ontario (FSRA), the Autorité des marchés financiers (AMF) in Quebec, the Canadian Investment Regulatory Organization (CIRO), and other bodies.

Healthcare

Provincial health privacy statutes (PHIPA in Ontario, HIA in Alberta, PHIA in Manitoba, and similar laws in other provinces) impose specific safeguard, breach notification, and audit requirements on health information custodians and their agents.

Public Sector and Government Contractors

Federal government contractors may be subject to Contract Security Manual obligations under the Canadian Industrial Security Program, and IT contractors supplying the federal government are increasingly subject to specific cyber security requirements under Innovation, Science and Economic Development Canada (ISED) and Shared Services Canada contracts.

Telecommunications

The Telecommunications Act (as amended by Bill C-26) and CRTC orders can compel telecommunications service providers to take specific security measures, including removing or not using specified products and services.

How These Laws Connect — And Where Businesses Actually Start

For most Canadian SMBs, the practical picture is less overwhelming than the list above suggests. The overlap between these laws is substantial: they all require you to protect personal information with reasonable safeguards, and the controls that meet one generally meet the others.

The Canadian Centre for Cyber Security's Baseline Cyber Security Controls for Small and Medium Organizations are the most practical starting point. Implementing the 13 baseline control areas — from incident response to authentication to backup and recovery — directly supports compliance with PIPEDA's safeguard requirement, Quebec Law 25's security obligations, OSFI expectations, and the security program obligations under Bill C-26.

If you are not sure where your business stands, our free cybersecurity assessment evaluates your organization against all 13 Baseline Control areas and produces a plain-language report that maps directly to the obligations above.

What's Likely to Change in 2026–2027

Several developments are worth watching:

  • CPPA / Bill C-27 — The Consumer Privacy Protection Act, proposed to replace PIPEDA, has been in legislative development through multiple Parliaments. It would introduce significantly higher fines (up to the greater of $25 million or 5% of global turnover), a private right of action, and a data protection tribunal. Its legislative status has shifted multiple times; businesses should track its progress but continue to operate under PIPEDA in the meantime.
  • AI governance — The proposed Artificial Intelligence and Data Act (AIDA), part of the C-27 package, would create obligations around "high-impact" AI systems. Quebec's Law 25 already covers some of the same ground through its automated decision-making provisions.
  • Expansion of CCSPA designated sectors — Bill C-26's critical cyber systems regime starts with four sectors, but the framework allows additional sectors to be added by regulation.
  • Provincial modernization — Expect further amendments to BC's and Alberta's PIPAs, and continued evolution of Quebec's Law 25 through guidance and enforcement.

Frequently Asked Questions

Which cybersecurity law applies to my Canadian small business?

At minimum, PIPEDA applies to any Canadian private-sector business that handles personal information in the course of commercial activity — unless you operate only within Quebec, BC, or Alberta, where the provincial statute applies instead. CASL applies if you send commercial electronic messages or install software on customer devices. Sector-specific laws (OSFI, PHIPA, Bill C-26's CCSPA) add further obligations for regulated industries. Most small businesses are covered by PIPEDA plus CASL, with provincial law layered on where applicable.

Does my business have to report a cyber incident to the government?

It depends on what happened and what sector you are in. Under PIPEDA, you must report breaches of security safeguards involving personal information to the OPC and affected individuals when there is a "real risk of significant harm." Under Quebec Law 25 and Alberta PIPA, similar thresholds apply to the provincial commissioners. Under OSFI guidance, federally regulated financial institutions must report technology and cyber security incidents promptly. Under Bill C-26's CCSPA, designated operators must report prescribed incidents to the CSE. Healthcare custodians report under provincial health privacy legislation. Outside these regimes, reporting is generally voluntary but strongly recommended to the Canadian Centre for Cyber Security and the Canadian Anti-Fraud Centre.

How does Quebec's Law 25 differ from PIPEDA?

Quebec Law 25 imposes obligations that go beyond PIPEDA in several ways: mandatory privacy impact assessments, a designated Privacy Officer, higher penalties, data portability rights, default privacy settings, stricter consent rules for minors, and explicit rules around automated decision-making. Businesses handling personal information of Quebec residents must comply with Law 25 regardless of where the business is located.

Does Bill C-26 apply to my small business?

Directly, only if your business is a "designated operator" under the Critical Cyber Systems Protection Act — which, at launch, covers federally regulated telecommunications, finance, energy, and transportation entities. Most Canadian SMBs are not designated operators. Indirectly, Bill C-26 matters if you supply services to designated operators: their supply chain obligations are likely to flow down to you contractually.

What is the maximum fine for violating Canadian cybersecurity laws?

It varies by law. PIPEDA tops out at $100,000 per violation. CASL reaches $10 million per violation for organizations. Quebec Law 25 reaches the greater of $25 million or 4% of worldwide turnover for criminal offences. The proposed CPPA would bring federal fines to the greater of $25 million or 5% of global turnover. Bill C-26's CCSPA includes administrative monetary penalties and criminal fines for designated operators. In practice, the largest financial impact for most businesses comes not from direct regulatory fines but from incident response costs, remediation, and reputational damage.

Do I need a lawyer to be compliant?

Most small businesses can meet their baseline obligations without a standing legal relationship, by implementing the CCCS Baseline Controls, maintaining a privacy policy, documenting consent practices, and establishing a basic breach response process. Legal advice becomes important when you expand into regulated sectors, handle particularly sensitive data, respond to a breach, or structure contracts with customers or suppliers. The cost of a one-time legal review of your privacy and incident response documentation is typically modest and well worth it.


Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk. See our Privacy Policy for more information.

Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.
