Canadian cyber law 2025–26 — what your business must do now
Canada’s cyber law landscape is shifting. PIPEDA modernisation, Bill C-26 on critical cyber infrastructure, Bill C-27 on digital charter rights, and OSFI cybersecurity guidelines are reshaping compliance obligations. New penalties are severe. Enforcement is accelerating. And regulators are watching whether boards understand the landscape they operate in.
1 The evolving landscape — four regulatory forces reshaping compliance
Canadian businesses face four converging regulatory forces that fundamentally change cyber compliance in 2025–26. Understanding each one is no longer optional; it is a board-level accountability.
PIPEDA Modernisation
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s primary federal privacy law, governing how organisations collect, use, and protect personal information. For years, PIPEDA enforcement was lenient — penalties capped at $15 million, sparse enforcement, light regulatory presence. That is changing.
Bill C-27, the Digital Charter Implementation Act, proposes amendments that strengthen PIPEDA significantly. Penalties climb to $27 million or 5% of global annual revenue (whichever is higher). Private individuals can now sue organisations directly for privacy breaches — removing the regulator gatekeeping function and opening class-action pathways. The regulator must investigate complaints within 12 months and issue determinations that are now publishable. Consent mechanisms tighten. Data portability rights expand.
What this means: If you hold personal data on Canadian residents — and if you operate in Canada, you almost certainly do — PIPEDA now carries meaningful financial and reputational risk. Organisations that treated PIPEDA as a checkbox item now face shareholder and client backlash when breaches occur.
Bill C-26: Critical Cyber Systems Protection Act
Canada’s new Critical Cyber Systems Protection Act (Bill C-26) targets operators of critical infrastructure sectors: telecommunications, energy, finance, transportation, water, and health. The Act requires these operators to implement and maintain prescribed cybersecurity standards, conduct risk assessments, and report breaches to regulators within specific timeframes.
The timeline is compressed. Regulations were expected by late 2024; compliance deadlines are expected 18 months from regulation publication. For telecommunications operators, the first compliance window is already active. For other sectors, it is coming fast.
What this means: If your business operates critical infrastructure, your cyber programme must shift from internal best-practice alignment to regulatory compliance. This is not ISO 27001 certification-level work — it is a statutory obligation. Non-compliance carries legal consequences, potential director liability, and operational restrictions.
Bill C-27: Digital Charter Implementation Act
Beyond PIPEDA amendments, Bill C-27 introduces the Digital Charter — a set of rights for Canadian digital users. These include the right to privacy, data security, and transparency about algorithmic decision-making. For businesses, this translates to strict consent requirements, data subject access obligations, and algorithmic accountability.
The Digital Charter also establishes an Office of the Digital Commissioner — a new regulatory body with investigation and enforcement authority. Unlike the Privacy Commissioner, this body can issue binding orders and civil penalties.
What this means: If you process personal data, use algorithms to make decisions about users, or collect data for analytics, the Digital Charter will force operational changes. Expect new consent flows, data access requests, and documentation requirements.
OSFI B-13 Cybersecurity Guidelines
The Office of the Superintendent of Financial Institutions (OSFI) has published B-13, a comprehensive cybersecurity guideline for federally regulated financial institutions. Unlike PIPEDA, OSFI B-13 is regulatory — it is a requirement, not guidance.
B-13 requires banks, insurance companies, and lending institutions to implement incident response plans, conduct regular stress tests, maintain resilience frameworks, and report cyber incidents to OSFI. The guideline explicitly mandates board-level cyber risk oversight and CISO-equivalent authority.
What this means: If you are a federally regulated financial institution, B-13 compliance is now mandatory. Non-compliance risks supervisory action, enforcement orders, and capital requirement penalties.
2 Key compliance obligations — what you must do right now
Data Minimisation and Consent
Under modernised PIPEDA, organisations must justify every piece of personal data collected. The consent standard tightens: pre-ticked consent boxes are no longer acceptable. Consent must be informed, specific, and freely given. Dark patterns that nudge users toward sharing data are expressly prohibited.
Action: Audit what personal data you collect, why, and on what legal basis. If consent was obtained under loose standards, you may need to recollect it. Document consent with timestamps and explicit opt-in evidence. Remove unnecessary data.
Breach Notification Timelines
Regulators across Canadian provinces are tightening breach notification requirements. Organisations must notify affected individuals and authorities without unreasonable delay — increasingly interpreted as within 30 days. Some provinces (such as British Columbia) push toward 7–15 days for material breaches.
Action: Establish a formal incident response protocol that includes breach assessment, notification decision trees, and regulator communication templates. Test this protocol quarterly. Ensure you have legal counsel contact information pre-vetted. Train the incident response team on notification triggers.
Data Subject Access Requests
PIPEDA now requires organisations to fulfil data subject access requests (the right to know what personal data the organisation holds about the individual) within 45 days. The Digital Charter tightens this further, with some provisions pushing toward 30-day response times.
Action: Conduct a data inventory: where are personal data stored, in what systems, under what access controls? Build a process for fulfilling access requests within 45 days. This is not trivial; many organisations discover fragmented data stores that make rapid response impossible.
Cross-Border Data Transfers
PIPEDA modernisation will include stricter rules on transferring personal data outside Canada. The EU’s adequacy decision for Canada is under review; if it lapses, transfers to European subsidiaries become legally complicated. The US presents different challenges: under the US CLOUD Act, US law enforcement can demand data held by US companies — even Canadian subsidiaries of US parent companies must comply with US law, creating conflict with Canadian privacy obligations.
Action: Map all cross-border data flows. Identify where Canadian personal data is transferred. Understand the legal basis (adequacy decisions, binding corporate rules, standard contractual clauses). If you transfer to the US, document the legal risk and consider Standard Contractual Clauses or Data Transfer Impact Assessments.
Mandatory Cyber Hygiene and Risk Assessment
Bill C-26 and OSFI B-13 both require documented cyber risk assessments, with specific control requirements (encryption, access management, incident response, threat monitoring). This is not aspirational; this is prescriptive.
Action: Conduct a gap analysis against Bill C-26 and/or OSFI B-13 requirements (depending on sector). Identify missing controls. Prioritise remediation by risk. Create a compliance roadmap with timelines, owners, and budget. Report progress quarterly to the board.
3 Critical timeline — regulatory deadlines you cannot miss
The next 18 months are packed with regulatory deadlines. Boards must track each of them carefully.
4 Cross-border implications — US, EU, and adequacy decisions
Canadian data protection law does not exist in isolation. Two critical cross-border issues affect Canadian businesses right now.
EU Adequacy Decision Under Review
The European Union made an adequacy determination in 2023, treating Canadian data protection as equivalent to European standards. This allows Canadian companies to receive personal data from the EU without additional safeguards. But this decision is under review in 2026. If the EU withdraws adequacy, Canadian companies with European customers or operations will need Standard Contractual Clauses (SCCs) or other transfer mechanisms — adding legal complexity and cost.
Action: Monitor EU reviews (expected Q2 2026). If you process EU resident data, document your transfer mechanism. Have legal counsel on standby. Consider supplementary safeguards (encryption, data residency) in case adequacy lapses.
US CLOUD Act and Subsidiary Exposure
US law enforcement can compel US companies to disclose data, even if that data is held outside the US or belongs to non-US citizens. If your organisation is a subsidiary of a US parent company or uses US-based cloud providers, US government demands for data could technically conflict with Canadian privacy law.
Action: Understand your data residency and cloud provider jurisdiction. If you use US-based infrastructure, assess the risk under the CLOUD Act. Consider Data Transfer Impact Assessments (DTIA). Document the legal basis for any US data transfers. Inform your board and counsel of this exposure.
5 Penalties and enforcement — regulators are watching
The enforcement landscape is hardening. Regulators are moving from education to enforcement, and penalties are severe.
PIPEDA: From $15M to $27M
The penalty increase reflects regulator intent. But penalties are only the start. Bill C-27 introduces private right of action, allowing individuals to sue organisations directly. A single breach affecting thousands of customers could trigger hundreds of civil lawsuits, each seeking damages plus legal costs. The Financial Consumer Agency of Canada has already issued penalty notices to several companies under current PIPEDA; under amended PIPEDA, these penalties will escalate.
Bill C-26: Regulatory Orders and Operational Restrictions
Non-compliance with Bill C-26 is not just a fine. Regulators can issue binding orders requiring corrective action within specified timeframes. Failure to comply risks operational restrictions — effectively forcing you to change how you operate critical infrastructure.
OSFI: Supervisory Action
OSFI does not wait for breaches to enforce. If your cyber controls fall below OSFI standards, OSFI can issue Supervisory Letters (warnings), Compliance Orders, or Capital Requirement Penalties — forcing higher capital reserves to compensate for cyber risk. This directly impacts earnings and investor confidence.
Private Civil Litigation
Under Bill C-27, individuals harmed by privacy breaches can sue. In Canada, class actions are common; a single breach of a million records could become a single class action representing all affected individuals. Canadian courts have awarded damages in privacy cases; expect this to accelerate.
Board implication: All of this points to one thing: D&O liability insurance must explicitly cover cyber risk and privacy violations. Standard policies often exclude these. Review your D&O coverage now.
6 What boards must do now — immediate action items
1. Determine Your Regulatory Scope
The first step is clarity: which regulations actually apply to your organisation? Are you processing personal data on Canadian residents (PIPEDA)? Are you a critical infrastructure operator (Bill C-26)? Are you federally regulated financial services (OSFI B-13)? Each applies different obligations. You cannot be compliant if you do not know the rules.
2. Conduct a Compliance Gap Analysis
For each applicable regulation, document what controls and processes you have, and what is missing. This is not an internal exercise — hire external counsel or a compliance firm. They will be more objective and will provide defensibility in a future audit.
3. Assign Executive Accountability
Designate a single executive (typically the CISO, if you have one, or a General Counsel) as responsible for compliance with each regulation. Tie compensation to compliance milestones. Make it clear that this is board-level priority, not a nice-to-have.
4. Build a Roadmap with Timelines and Budget
Create a detailed compliance roadmap for each applicable regulation. Specify: what gaps need to close, by when, at what cost, with what owner. Present this to the board. Commit budget. Avoid vague commitments like “we will implement compliance controls.” Instead: “We will achieve Bill C-26 compliance by Q2 2026. Gap analysis costs £150k. Remediation (infrastructure, training, tools) costs £600k. Owner: CISO. Quarterly board updates required.”
5. Update Data Inventory and Consent Records
You cannot know if you are compliant with data protection regulations if you do not know what personal data you hold, where it is, why you have it, and on what legal basis. Start here. This is foundational.
6. Establish Incident Response and Breach Notification Protocol
Create a formal, tested incident response plan that includes breach assessment, notification decision-making, regulator communication, and individual notification. Test it quarterly. Keep it up-to-date. Train staff annually. This is non-negotiable.
7. Review and Update D&O Insurance
Your current D&O policy may not cover cyber and privacy breach liability. Engage your insurance broker. Explicitly add cyber liability and privacy liability coverage. Document what is covered and what is excluded. Budget for higher premiums — these risks are now priced into insurance.
8. Establish Board Reporting Cadence
The board must receive regular updates on regulatory compliance progress. This should be a standing agenda item: quarterly progress on each applicable regulation, risks identified, remediation status, upcoming deadlines. This demonstrates board-level oversight, which regulators now expect.
7 Five critical questions every director should ask
The time for regulatory compliance is now, not later.
Canada’s cyber law landscape has shifted. PIPEDA penalties are rising. Bill C-26 is tightening. OSFI is enforcing. Private lawsuits are coming. Boards that do not act in 2025 will face enforcement in 2026. The question is not whether you will need to comply — it is whether you will comply proactively or reactively. Proactive compliance protects your business. Reactive compliance costs millions in penalties, litigation, and reputational damage.