45th Parliament · Session 1
Bill C-8: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts
Introduced: June 18, 2025
Current Stage: Senate (In Committee)
Last Updated: April 23, 2026
Sponsor: Gary Anandasangaree
Parliamentary Votes: 0
Statements: 274
Impact Rating
4/5
Short Summary
This bill gives the government broad powers to force telecom, finance, energy, and transport companies to upgrade their cybersecurity and bans high-risk equipment from Canada's critical infrastructure.
This bill significantly strengthens the federal government's authority to protect Canada's vital infrastructure from cyber threats. It gives the government new powers to order telecommunications companies to remove high-risk equipment from their networks. It also creates a brand new law, the Critical Cyber Systems Protection Act, which forces major federally regulated industries, such as banks, airlines, and energy pipelines, to establish strict cybersecurity programs and immediately report any cyber attacks.
Why does this bill exist?
Origin (Public Outcry/Event)
This bill is a direct response to increasing global cyber attacks, ransomware threats against critical infrastructure, and intelligence concerns regarding foreign-made telecommunications equipment.
Allows the government to ban specific high-risk products, services, or vendors from being used in Canada's telecommunications networks.
Creates the Critical Cyber Systems Protection Act, requiring federally regulated industries (finance, energy, transport, telecom) to implement strict cyber security programs.
Mandates that critical infrastructure operators report major cyber security incidents to the federal government within 72 hours.
Grants the government the power to issue binding 'cyber security directions' to companies to protect against imminent threats.
Allows the government to issue non-disclosure orders (gag orders), preventing companies from revealing they have been targeted by a government security directive.
Imposes massive financial penalties for non-compliance, with fines reaching up to $15 million for corporations.
Authorizes government inspectors to enter facilities, examine cyber systems, and conduct internal audits to ensure companies are following the rules.
Business owners (Large Infrastructure)
(More Expensive)
Will face strict new federal audits, mandatory cyber incident reporting within 72 hours, and potential orders to replace expensive equipment at their own cost.
Everyday citizens
(Neutral)
While citizens will not have to do anything new, they benefit from safer systems, though their bills could increase if companies pass on compliance costs.
Tech Vendors and Suppliers
(Harder)
Could be arbitrarily banned from selling their products to Canadian critical infrastructure providers by a secret government order.
Provincial Impact
The bill primarily targets federally regulated sectors like banks, airlines, telecom, and interprovincial pipelines. It allows the federal government to enter into information-sharing agreements with provincial regulators regarding cyber threats.
Benefits & Pros
Protects essential services that Canadians rely on daily, like banking, internet, and electricity, from devastating cyber attacks.
Ensures that high-risk foreign equipment can be legally and permanently purged from Canadian networks to prevent espionage.
Forces massive corporations to take cybersecurity seriously rather than treating it as an afterthought, backed by heavy financial penalties.
Risks & Cons
Grants the government sweeping powers to issue secret orders to companies, reducing public transparency about vulnerabilities.
Telecom and infrastructure companies will face significant costs to upgrade systems and replace banned equipment, which will likely be passed on to consumers.
Grants government inspectors broad powers to access private corporate data and systems without a traditional warrant in some non-residential cases.
Before & After
Currently, the government has limited legal authority to force private telecom companies to remove insecure equipment, and cyber incident reporting is largely voluntary. Under this bill, the government can legally order the removal of risky equipment, and critical industries like banks and airlines face multi-million dollar fines if they fail to report hacks within 72 hours.
Real World Scenario
Currently: A major Canadian pipeline operator suffers a ransomware attack but chooses to keep it quiet for weeks to protect its public image. Under this Bill: The operator would be legally forced to report the breach to the government within 72 hours and could be hit with a $15 million fine if they fail to maintain a proper cyber security program.
Frequently Asked Questions
No. The bill explicitly bans the government from ordering telecommunications companies to intercept private communications or decode encrypted messages.
No. The bill explicitly states that if the government orders a telecom company to rip out equipment, the company will not receive any financial compensation from the government.
Under this new law, they will be legally required to report the cyber attack to the government within 72 hours, or face massive fines.
House of Commons
First reading
Completed on June 18, 2025
Second reading
Completed on October 3, 2025
Consideration in committee
Completed on March 11, 2026
Report stage
Completed on March 26, 2026
Third reading
Completed on March 26, 2026
Senate
First reading
Completed on March 26, 2026
Second reading
Completed on April 23, 2026
Consideration in committee
In Progress
Report stage
Not yet started
Third reading
Not yet started
Abuse Potential
This bill contains significant abuse potential due to the extraordinary secrecy and broad discretionary powers it grants to the government. The Minister can issue binding 'cyber security directions' to private companies and simultaneously issue a 'gag order' prohibiting the company from telling the public that they are being forced to alter their systems or hand over information. Furthermore, the bill allows the government to mandate the removal of specific vendors' equipment without providing financial compensation to the affected companies. While there are clauses protecting 'lawful expression' and preventing the interception of private communications, the ability of the government to secretly dictate the technological architecture of Canada's communications networks creates a massive concentration of opaque executive power that could be misused to target disfavored tech companies.
Creates potential for massive corporate fines (up to $15 million per violation), but also imposes heavy compliance and equipment replacement costs on private businesses without government compensation.
Implementation Risk
There is a high risk of friction between the government and private industry, particularly over the cost of replacing banned equipment and the tight 72-hour window to report complex cyber incidents while an attack is still actively unfolding.
Broad Economic Impact
Indirect
Everyday Life
Minimal impact
Admin Burden
None for citizens, but enormous new compliance, auditing, and reporting paperwork for designated businesses.
Timeline
Phased in over time, coming into force on days set by the Governor in Council.
Summary
Part 1 amends the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system. It also establishes an administrative monetary penalty scheme to promote compliance with orders and regulations made by the Governor in Council and the Minister of Industry to secure the Canadian telecommunications system as well as rules for judicial review of those orders and regulations.

Part 2 enacts the Critical Cyber Systems Protection Act to provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety and that are delivered or operated as part of a work, undertaking or business that is within the legislative authority of Parliament. It also, among other things,
(a) authorizes the Governor in Council to designate any service or system as a vital service or vital system;
(b) authorizes the Governor in Council to establish classes of operators in respect of a vital service or vital system;
(c) requires designated operators to, among other things, establish and implement cyber security programs, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions;
(d) provides for the exchange of information between relevant parties and the disposal of personal information; and
(e) authorizes the enforcement of the obligations under the Act and imposes consequences for non-compliance.
This Part also makes consequential amendments to certain Acts.

Part 3 provides for a five-year review of the provisions enacted or amended by this Act.
Full Text
PART 1
1993, c. 38
Telecommunications Act

1 Section 7 of the Telecommunications Act is amended by striking out “and” at the end of paragraph (h), by adding “and” at the end of paragraph (i) and by adding the following after paragraph (i):
(j) to promote the security of the Canadian telecommunications system.

2 The Act is amended by adding the following after section 15:

For greater certainty
15.01 For greater certainty, in sections 15.1, 15.2, 15.5 and 15.7, interference with or manipulation, disruption or degradation of a telecommunications system include actions of a technical nature that impede the operation of the telecommunications system but do not include the effect of lawful expression, persuasion or political debate.

Security of Canadian telecommunications system — Order in Council
15.1 (1) If the Governor in Council believes on reasonable grounds that it is necessary to do so to secure the Canadian telecommunications system against any threat, including that of interference, manipulation, disruption or degradation, and that it is reasonable in relation to the gravity of that threat, the Governor in Council may, by order and after consultation with the persons the Governor in Council considers appropriate,
(a) prohibit a telecommunications service provider from using all products and services provided by a specified person in, or in relation to, its telecommunications network or telecommunications facilities, or any part of those networks or facilities; or
(b) direct a telecommunications service provider to remove all products provided by a specified person from its telecommunications networks or telecommunications facilities, or any part of those networks or facilities.

Scope and substance
(2) The provisions of the order must, in scope and substance, be necessary and reasonable in relation to the gravity of the threat, including that of interference, manipulation, disruption or degradation.
Non-disclosure
(3) The order may also include a provision prohibiting the disclosure of its existence, or some or all of its contents, by any person.

Non-disclosure — factors
(3.1) Before including in the order a provision to prohibit the disclosure of its existence, or some or all of its contents, the Governor in Council must consider
(a) the extent to which the disclosure could, in the Governor in Council’s opinion, compromise the objective of the order;
(b) the necessity of including such a provision in light of the nature of the threat;
(c) the possibility of limiting the scope of the prohibition;
(d) the impact of non-disclosure on the principles of transparency and accountability of the Government of Canada;
(e) any representations made by the affected telecommunications service providers; and
(f) any other factor that the Governor in Council considers relevant.

Factors
(4) Before making the order, the Governor in Council must consider
(a) its operational impact on the affected telecommunications service providers;
(b) its financial impact on the affected telecommunications service providers;
(c) its effect on the provision of telecommunications services in Canada, including on the confidentiality and security of telecommunications;
(c.1) its potential impacts on the privacy of Canadians; and
(d) any other factor that the Governor in Council considers relevant.

Prepublication
(5) The Governor in Council may cause a draft order to be published in the Canada Gazette.

Publication
(6) Any order made under subsection (1) must be published in the Canada Gazette within 90 days after the day on which it is made, unless the Governor in Council directs otherwise in the order.
Conflict
(7) In the event of any inconsistency between an order made under subsection (1) and a decision of the Commission made under this Act or an order made or an authorization issued by the Minister under this Act or the Radiocommunication Act, the order made under subsection (1) prevails to the extent of the inconsistency.

No compensation
(8) No one is entitled to any compensation from His Majesty in right of Canada for any financial losses resulting from the making of an order under subsection (1).

Security of Canadian telecommunications system — Minister’s order
15.2 (1) If there are reasonable grounds to believe that it is necessary to do so to secure the Canadian telecommunications system against any threat, including that of interference, manipulation, disruption or degradation, and that it is reasonable in relation to the gravity of that threat, the Minister may, by order and after consultation with the Minister of Public Safety and Emergency Preparedness and with the persons the Minister considers appropriate,
(a) prohibit a telecommunications service provider from providing any service to any specified person, including a telecommunications service provider; and
(b) direct a telecommunications service provider to suspend providing for a specified period any service to any specified person, including a telecommunications service provider.

Exception
(1.1) Despite paragraph (1)(b), no order may be made directing the suspension of service to an individual, unless the order is necessary to secure the Canadian telecommunications system against any specified threat of a technical nature.
Order
(2) If the Minister believes on reasonable grounds that it is necessary to do so to secure the Canadian telecommunications system against any threat, including that of interference, manipulation, disruption or degradation, and that it is reasonable to do so in relation to the gravity of that threat, the Minister may, by order,
(a) prohibit a telecommunications service provider from using any specified product or service in, or in relation to, its telecommunications network or telecommunications facilities, or any part of those networks or facilities;
(b) direct a telecommunications service provider to remove any specified product from its telecommunications networks or telecommunications facilities, or any part of those networks or facilities;
(c) impose conditions on a telecommunications service provider’s use of any product or service, or any product or service provided by a specified person, including a telecommunications service provider;
(d) impose conditions on a telecommunications service provider’s provision of services to a specified person, including a telecommunications service provider;
(e) prohibit a telecommunications service provider from entering into a service agreement for any product or service used in, or in relation to, its telecommunications network or telecommunications facilities, or any part of those networks or facilities;
(f) require that a telecommunications service provider terminate a service agreement referred to in paragraph (e);
(g) prohibit a telecommunications service provider from upgrading any specified product or service;
(h) require that a telecommunications service provider’s telecommunications networks or telecommunications facilities, as well as its procurement plans for those networks or facilities, be subject to specified review processes;
(i) require that a telecommunications service provider develop a security plan in relation to its telecommunications services, telecommunications networks or telecommunications facilities;
(j) require that assessments be conducted to identify any vulnerability in a telecommunications service provider’s telecommunications services, telecommunications networks or telecommunications facilities or its security plan referred to in paragraph (i);
(k) require that a telecommunications service provider take steps to mitigate any vulnerability in its telecommunications services, telecommunications networks or telecommunications facilities or its security plan referred to in paragraph (i);
(l) require that a telecommunications service provider implement specified standards in relation to its telecommunications services, telecommunications networks or telecommunications facilities;
(m) direct a telecommunications service provider to do a specified thing or refrain from doing a specified thing, other than a thing specified in subsection (1) or 15.1(1); or
(n) require that a telecommunications service provider use a backup system for telecommunications facilities.

Private communication
(2.1) Despite subsection (2), the Minister must not order the decoding of an encrypted private communication, as defined in section 183 of the Criminal Code.

Scope and substance
(3) The provisions of an order made under subsection (1) or (2) must, in scope and substance, be necessary and reasonable in relation to the gravity of the threat, including that of interference, manipulation, disruption or degradation.

For greater certainty
(4) For greater certainty, despite subsection (2), the Minister is not permitted to order a telecommunications service provider to intercept a private communication or a radio-based telephone communication, as those terms are defined in section 183 of the Criminal Code.

Non-disclosure
(5) An order made under subsection (1) or (2) may also include a provision prohibiting the disclosure of its existence, or some or all of its contents, by any person.
Non-disclosure — factors
(5.1) Before including in an order made under subsection (1) or (2) a provision to prohibit the disclosure of its existence, or some or all of its contents, the Minister must consider
(a) the extent to which disclosure could, in the Minister’s opinion, compromise the objective of the order;
(b) the necessity of including such a provision in light of the nature of the threat;
(c) the possibility of limiting the scope of the prohibition;
(d) the impact of non-disclosure on the principles of transparency and accountability of the Government of Canada;
(e) any representations made by the affected telecommunications service providers; and
(f) any other factor that the Minister considers relevant.

Factors
(6) Before making an order under subsection (1) or (2), the Minister must consider
(a) its operational impact on the affected telecommunications service providers;
(b) its financial impact on the affected telecommunications service providers;
(c) its effect on the provision of telecommunications services in Canada, including on the confidentiality and security of telecommunications;
(c.1) its potential impacts on the privacy of Canadians; and
(d) any other factor that the Minister considers relevant.

Prepublication
(7) The Minister may cause a draft order to be published in the Canada Gazette.

Publication
(8) Any order made under subsection (1) or (2) must be published in the Canada Gazette within 90 days after the day on which it is made, unless the Minister directs otherwise in the order.

Conflict
(9) In the event of any inconsistency between an order made under subsection (1) or (2) and a decision of the Commission made under this Act or another order made, or any authorization issued, by the Minister under this Act or the Radiocommunication Act, the order made under subsection (1) or (2), as the case may be, prevails to the extent of the inconsistency.
No compensation
(10) No one is entitled to any compensation from His Majesty in right of Canada for any financial losses resulting from the making of an order under subsection (1) or (2).

Report on orders
15.21 (1) The Minister shall cause to be tabled in each House of Parliament, within three months after the end of each fiscal year or, if either House is not then sitting, on any of the first 15 days of the next sitting of that House, a report on the orders made under subsection 15.1(1) and subsections 15.2(1) and (2).

Contents of report
(2) The Minister shall include in the report, for the fiscal year covered by the report, the following information:
(a) the number of orders made and the nature of the orders;
(b) the number of orders that were revoked;
(c) the number of telecommunications service providers affected by an order;
(d) a description of compliance of telecommunications service providers that partially complied with an order;
(e) a description of compliance of telecommunications service providers that fully complied with an order; and
(f) an explanation of the necessity, reasonableness and utility of the orders.

Contents of report — conflicts
(3) The report shall state the number of times that an order prevailed over a decision of the Commission made under this Act during previous fiscal year.

Notice by Minister
15.211 The Minister must, within seven days after an order is made under section 15.1 or 15.2 — other than an order that includes a provision prohibiting the disclosure of its existence, or some or all of its contents — give a notice containing the order to any person specified in that order.
Obligation to notify
15.22 The Minister must, within 90 days after an order that includes a provision prohibiting the disclosure of its existence, or some or all of its contents, is made under section 15.1 or 15.2, notify the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency of the making of the order.

Contravention of unpublished order
15.3 (1) No person shall be convicted of an offence consisting of a contravention of an order made under section 15.1 or 15.2 unless it is proved that, at the time of the alleged contravention, the person had been notified of the order.

Certificate
(2) A certificate appearing to have been signed by the Minister and stating that a notice containing the order made under section 15.1 or 15.2 was given to persons likely to be affected by it is, in the absence of evidence to the contrary, proof that notice was given to those persons.

Statutory Instruments Act
(3) The Statutory Instruments Act does not apply to an order made under section 15.1 or 15.2.

Incorporation by reference
(4) An order made under section 15.1 or 15.2 may incorporate any document by reference, in whole or in part, regardless of its source and as it exists on a particular date or as it is amended from time to time.

Provision of information
15.4 The Minister may require any person to provide to the Minister or any person designated by the Minister, within any time and subject to any conditions that the Minister may specify, any information that the Minister believes on reasonable grounds is reasonable to provide in relation to the gravity of the threat and necessary for the purpose of making, amending or revoking an order under section 15.1 or 15.2 or a regulation under paragraph 15.8(1)(a), or of verifying compliance or preventing non-compliance with such an order or regulation.
Confidential information — designation
15.5 (1) A person who provides any of the following information under section 15.4 may designate it as confidential:
(a) information that is a trade secret;
(b) financial, commercial, scientific or technical information that is confidential and that is treated consistently in a confidential manner by the person who provided it;
(c) information the disclosure of which could reasonably be expected to
(i) result in material financial loss or gain to any person,
(ii) prejudice the competitive position of any person, or
(iii) affect contractual or other negotiations of any person; or
(d) personal information and de-identified information.

Definitions
(2) The following definitions apply in paragraph (1)(d).
de-identify means to modify personal information so that an individual cannot be directly identified from it, though a risk of the individual being identified remains. (dépersonnaliser)
personal information has the same meaning as in section 3 of the Privacy Act. (renseignements personnels)

Information deemed confidential
(2.1) Personal information and de-identified information that is not designated as confidential under subsection (1) is deemed, for the purposes of this Part, to be designated as such.

Prohibition
(3) Subject to subsections (4) and (5), no person shall knowingly disclose or knowingly permit to be disclosed any information that is designated as confidential.
Exception
(4) Information referred to in any of paragraphs (1)(a) to (c) that is designated as confidential may be disclosed, or be permitted to be disclosed, if
(a) the disclosure is authorized or required by law;
(b) the person who designated the information as confidential consents to its disclosure;
(c) the disclosure is necessary, in the Minister’s opinion, given the gravity of the threat, to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption; or
(d) in the case of information referred to in paragraph (1)(d), the person to whom the information relates consents to its disclosure.

Exception — paragraph (1)(d)
(5) Information referred to in paragraph (1)(d) that is designated as confidential may be disclosed, or be permitted to be disclosed, if
(a) the disclosure is required by law; or
(b) in the Minister’s opinion, the disclosure is necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption, and the information, in scope and substance, is reasonable in relation to the gravity of any threat.
Exchange of information
15.6 (1) Despite section 15.5, to the extent that is reasonable in relation to the gravity of the threat and necessary for any purpose related to the making, amending or revoking of an order under section 15.1 or 15.2 or a regulation under paragraph 15.8(1)(a) — or to verifying compliance or preventing non-compliance with such an order or regulation — the following persons and entities may collect information from and disclose information to each other, including confidential information:
(a) the Minister;
(b) the Minister of Public Safety and Emergency Preparedness;
(c) the Minister of Foreign Affairs;
(d) the Minister of National Defence;
(e) the Chief of the Defence Staff;
(f) the Chief or an employee of the Communications Security Establishment;
(g) the Director or an employee of the Canadian Security Intelligence Service;
(h) the Chairperson or an employee of the Commission;
(i) a person designated under section 15.4; and
(j) any other prescribed person or entity.

Limitation
(1.1) For the purposes of subsection (1), information referred to in paragraph 15.5(1)(d) must not be collected or disclosed unless its scope and substance is reasonable in relation to the gravity of the threat.

Confidential information
(2) Any confidential information that is collected under subsection (1) must be treated as confidential.
Disclosure of information
15.7 (1) Any information collected or obtained under this Act, other than information designated as confidential under subsection 15.5(1), may be disclosed by the Minister under an agreement, a memorandum of understanding or an arrangement in writing between the Government of Canada and the government of a province or of a foreign state, an international organization of states or an international organization established by the governments of states, or any institution of any such government or organization, if
(a) the Minister believes that the information may be relevant to securing the Canadian telecommunications system or the telecommunications system of a foreign state, including against the threat of interference, manipulation or disruption; and
(b) the agreement, memorandum of understanding or arrangement provides for the disposal of that information once it is no longer necessary for the purpose for which it was disclosed.

Restriction — use
(2) If the agreement, memorandum of understanding or arrangement allows for the sharing of information that may be relevant to an investigation or proceeding in respect of a contravention of this Act, an order made under section 15.1 or 15.2 or a regulation made under paragraph 15.8(1)(a) — or a law of a foreign state that addresses conduct that is substantially similar to conduct that would be in contravention of this Act, of an order made under section 15.1 or 15.2 or of a regulation made under paragraph 15.8(1)(a) — the agreement, memorandum of understanding or arrangement must restrict the use of that information to purposes relevant to contraventions of the laws of a foreign state that have consequences that would not be considered penal under Canadian law.
Disposal of information
15.701 Any person who collects or obtains information referred to in paragraph 15.5(1)(d) under this Part, with the exception of section 15.7, must dispose of that information if it is no longer necessary for any purpose related to the making, amending or revoking of an order under section 15.1 or 15.2 or a regulation under paragraph 15.8(1)(a) — or to verifying compliance or preventing non-compliance with such an order or regulation — or in accordance with any requirement under the Privacy Act that applies to that information.

Privacy Act not affected
15.71 For greater certainty, nothing in sections 15.1, 15.2 and 15.4 to 15.7 affects the provisions of the Privacy Act.

Prohibition
15.72 A person who performs or has performed duties or functions in the administration or enforcement of this Act must not disclose or permit to be disclosed to any other person, except to a Canadian law enforcement agency or for the purposes of the administration or enforcement of this Act, the identity of any individual who provided information on their own initiative to the Minister to achieve the objectives of this Act that relate to securing the Canadian telecommunications system and who has requested confidentiality.

Regulations
15.8 (1) The Governor in Council may make regulations
(a) containing any provision that may be contained in an order made under section 15.2; and
(b) prescribing persons and entities for the purposes of paragraph 15.6(1)(j).

Conflict
(2) In the event of any inconsistency between a regulation made under paragraph (1)(a) and a decision of the Commission made under this Act or an order made or an authorization issued by the Minister under this Act or the Radiocommunication Act, the regulation prevails to the extent of the inconsistency.
Annual report
15.81 (1) The Minister must, within three months after the end of each fiscal year, prepare a report respecting any orders referred to in sections 15.1 and 15.2 that were made during that fiscal year and must cause the report to be laid before each House of Parliament within the first 15 days on which that House is sitting after the report is completed.

Contents
(2) The report must include the number of orders that were made in that fiscal year.

Contents of report — conflicts
(3) The report must also state the number of times that an order prevailed over a decision of the Commission made under this Act during the previous fiscal year.

Publication of summary
(4) The Minister must publish a summary of the report on the website of the Department of Industry within 10 days after the day on which it is tabled in both Houses of Parliament.

Judicial Review

Rules
15.9 (1) The following rules apply to judicial review proceedings in respect of an order made under section 15.1 or 15.2 or a regulation made under paragraph 15.8(1)(a):
(a) if the judge determines that evidence or other information provided by the Minister is not relevant or if the Minister withdraws the evidence or other information, the decision of the judge must not be based on that evidence or other information and the judge must return it to the Minister; and
(b) the judge must ensure the confidentiality of all evidence and other information that the Minister withdraws.

Definition of judge
(2) In this section, judge means the Chief Justice of the Federal Court or a judge of that Court designated by the Chief Justice.

Protection of information on appeal
15.91 Section 15.9 applies to any appeal of a decision made by the judge in relation to the judicial review proceedings referred to in that section and to any further appeal, with any necessary modifications.
3 Section 47 of the Act is replaced by the following:
Commission subject to orders and standards 47 The Commission must exercise its powers and perform its duties under this Act and any special Act — in accordance with any orders made by the Governor in Council under section 8 or any standards prescribed by the Minister under section 15, and taking into account any orders made under section 15.1 or 15.2 and any regulation made under paragraph 15.8(1)(a) — with a view to implementing the Canadian telecommunications policy objectives and ensuring that Canadian carriers provide telecommunications services and charge rates in accordance with section 27.
2014, c. 39, s. 200(1) 4 (1) Subsection 71(2) of the Act is replaced by the following:
Designation of inspectors (2) The Minister may designate any qualified person as an inspector for the purpose of verifying compliance or preventing non-compliance with the provisions of this Act for which the Minister is responsible or with orders made under sections 15.1 and 15.2 or regulations made under paragraph 15.8(1)(a).
2019, c. 10, s. 164(2) (2) Paragraph 71(4)(a) of the Act is replaced by the following:
(a) enter, at any reasonable time, any place in which they believe on reasonable grounds there is any document, information or thing relevant to the purpose of verifying compliance or preventing non-compliance with this Act, an order made under section 15.1 or 15.2, a regulation made under paragraph 15.8(1)(a), any special Act, Division 1.1 of Part 16.1 of the Canada Elections Act or sections 51 to 53 of the Accessible Canada Act, and examine the document, information or thing or remove it for examination or reproduction;
2014, c. 39, s. 209(6) (3) Paragraph 71(6)(b) of the Act is replaced by the following:
(b) entry to the dwelling-house is necessary for the purpose of verifying compliance or preventing non-compliance with this Act, an order made under section 15.1 or 15.2, a regulation made under paragraph 15.8(1)(a), any special Act, or Division 1.1 of Part 16.1 of the Canada Elections Act; and
2019, c. 10, s. 164(3) (4) Subsection 71(9) of the Act is replaced by the following:
Information requirement (9) An inspector who believes that a person is in possession of information that the inspector considers necessary for the purpose of verifying compliance or preventing non-compliance with this Act, an order made under section 15.1 or 15.2, a regulation made under paragraph 15.8(1)(a), any special Act, Division 1.1 of Part 16.1 of the Canada Elections Act or sections 51 to 53 of the Accessible Canada Act may, by notice, require that person to submit the information to the inspector in the form and manner and within the reasonable time that is stipulated in the notice.
5 Subsection 72(3) of the Act is replaced by the following:
Exception (3) Nothing in subsection (1) or (2) applies to an act or omission that is contrary to an order made under section 15.1 or 15.2 or a regulation made under paragraph 15.8(1)(a), to any action for breach of a contract to provide telecommunications services or to any action for damages in relation to a rate charged by a Canadian carrier.
2019, c. 10, s. 165 6 The portion of section 72.001 of the Act before paragraph (a) is replaced by the following:
Commission of violation 72.001 Every contravention of a provision of this Act, other than section 17 or 69.2, or the regulations, other than a provision of an order made under section 15.1 or 15.2 or a regulation made under paragraph 15.8(1)(a), every contravention of a decision made by the Commission under this Act, other than a prohibition or a requirement of the Commission made under section 41, and every contravention of any of subsections 51(1) to (4) and (7), 52(1) to (3) and 53(1) to (3) and (6) of the Accessible Canada Act constitutes a violation and the person who commits the violation is liable
7 The Act is amended by adding the following after section 72.13:
Administrative Monetary Penalties — Security of the Canadian Telecommunications System
Commission of violation 72.131 Every contravention of a provision of an order made under section 15.1 or 15.2 or a regulation made under paragraph 15.8(1)(a) constitutes a violation and the person who commits the violation is liable to an administrative monetary penalty of an amount (a) in the case of an individual, not exceeding $25,000 and, for a subsequent contravention, not exceeding $50,000; or (b) in any other case, not exceeding $10,000,000 and, for a subsequent contravention, not exceeding $15,000,000.
Continuing violation 72.132 A violation that is continued on more than one day constitutes a separate violation in respect of each day during which it is continued.
Determination of penalty amount 72.133 (1) The amount of the administrative monetary penalty is to be determined by taking into account the following factors: (a) the nature and scope of the violation; (b) the history of compliance with orders made under section 15.1 or 15.2 or regulations made under paragraph 15.8(1)(a) by the person who committed the violation; (c) any benefit that the person obtained from the commission of the violation; (d) the person’s ability to pay the penalty; (e) any factors established by any regulations; and (f) any other relevant factor.
Purpose of penalty (2) The purpose of the penalty is to promote compliance with orders made under section 15.1 and 15.2 and regulations made under paragraph 15.8(1)(a), and not to punish.
Power of Minister — violation 72.134 The Minister may (a) designate a person, or class of persons, that is authorized to issue notices of violation or enter into a compliance agreement; and (b) establish, in respect of each violation, a short-form description to be used in notices of violation.
Issuance and service 72.135 (1) A person who is designated to issue notices of violation and who believes, on reasonable grounds, that a person has committed a violation may issue and cause to be served on the person, a notice of violation.
Contents of notice (2) The notice of violation must name the person believed to have committed the violation, identify the violation and include (a) the amount of the penalty for which the person is liable; (b) a statement as to the right of the person, within 30 days after the day on which the notice is served, or within any longer period that the Minister specifies, to pay the penalty or to make representations to the Minister with respect to the violation and the penalty, and the manner for doing so; and (c) a statement indicating that if the person does not pay the penalty or make representations in accordance with the notice, the person will be deemed to have committed the violation and the penalty may be imposed.
Correction or cancellation of notice of violation (3) At any time before a request to make representations in respect of the notice of violation is received by the Minister, the designated person may cancel the notice or correct an error in it.
Payment 72.136 (1) If a person who is served with a notice of violation pays the penalty set out in the notice, the person is deemed to have committed the violation and the proceedings in respect of it are ended.
Representations (2) If a person who is served with a notice of violation makes representations in accordance with the notice, the Minister must decide, on a balance of probabilities, after considering those representations, whether the person committed the violation and, if the Minister so decides, the Minister may impose the penalty set out in the notice, a lesser penalty or no penalty.
Failure to pay or make representations (3) If a person who is served with a notice of violation neither pays the penalty nor makes representations in accordance with the notice, the person is deemed to have committed the violation and the Minister may impose the penalty set out in the notice.
Copy of decision (4) The Minister must cause a copy of any decision made under subsection (2) or (3) to be issued and served on the person.
Compliance agreements 72.137 (1) If a person designated under paragraph 72.134(a) offers to enter into a compliance agreement with the person believed to have committed the violation, the agreement is subject to any terms that the designated person considers appropriate, including the reduction, in whole or in part, of the penalty set out in the notice of violation.
Representations (2) If a compliance agreement is entered into, the person who entered into it cannot make any representations under paragraph 72.135(2)(b).
Deeming (3) A person who enters into a compliance agreement with a designated person is deemed to have committed the violation in respect of which the compliance agreement was entered into.
Notice of compliance (4) If the designated person is of the opinion that a person who has entered into a compliance agreement has complied with it, the designated person must serve a notice to that effect on the person and, on the service of that notice, the proceedings in respect of the violation are ended.
Notice of default (5) If the designated person is of the opinion that a person who has entered into a compliance agreement has not complied with it, the designated person must cause the person to be served with a notice of default informing them that they are liable to pay, within the time and in the manner set out in the notice of default, the penalty set out in the notice of violation in respect of which the compliance agreement was entered into, less any amount they paid under the compliance agreement.
Payment (6) If a person pays the penalty in accordance with the notice of default, the proceedings in respect of the violation are ended.
Officer, director or agent or mandatary of corporations 72.138 An officer, director or agent or mandatary of a corporation that commits a violation is liable for the violation if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation, whether or not the corporation is proceeded against.
Debt due to His Majesty 72.139 (1) A penalty and any interest due in respect of the penalty constitute a debt due to His Majesty in right of Canada and may be recovered in the Federal Court or any other court of competent jurisdiction.
Limitation period or prescription (2) A proceeding to recover such a debt may not be commenced later than five years after the day on which the debt becomes payable.
Receiver General (3) A penalty paid or recovered in relation to a violation is payable to the Receiver General.
Certificate of default (4) The Minister may issue a certificate for the unpaid amount of any debt referred to in subsection (1).
Registration in Federal Court (5) Registration in the Federal Court of a certificate issued under subsection (4) has the same effect as a judgment of that Court for a debt of the amount specified in the certificate and all related registration costs.
Limitation period or prescription 72.1391 (1) A proceeding in respect of a violation may not be commenced later than three years after the day on which the subject-matter of the proceeding becomes known to the Minister.
Minister — certificate (2) A document appearing to have been issued by the Minister, certifying the day on which the subject-matter became known to the Minister, is admissible in evidence without proof of the signature or official character of the person appearing to have signed the document and is, in the absence of evidence to the contrary, proof of the matter asserted in it.
Publication 72.1392 The Minister may make public (a) the name of a person who enters into a compliance agreement, the nature of the agreement, the conditions included in that agreement and, if applicable, the scope of any non-compliance with the compliance agreement and the amount of the penalty; and (b) the name of a person who committed a violation, the nature of the violation, including the acts or omissions and provisions or decisions at issue, and the amount of the penalty.
Regulations 72.1393 The Governor in Council may make regulations (a) exempting from the application of section 72.131 any provision of an order made under section 15.1 or 15.2 or a regulation made under paragraph 15.8(1)(a); (b) for the purpose of paragraph 72.133(1)(e), establishing other factors to be considered in determining the amount of the penalty; and (c) respecting compliance agreements entered into under subsection 72.137(1).
2014, c. 39, s. 207 8 The heading before section 72.14 of the English version of the Act is replaced by the following:
Provisions Common to Administrative Monetary Penalties Schemes
2014, c. 39, s. 207 9 Section 72.14 of the Act is replaced by the following:
Evidence 72.14 In a proceeding in respect of a violation, a notice appearing to be served under subsection 72.005(1), 72.07(1) or 72.135(1) or a copy of a decision appearing to be served under subsection 72.007(4), 72.08(4) or 72.136(4) is admissible in evidence without proof of the signature or official character of the person appearing to have signed it.
10 (1) Paragraph 73(3)(a) of the Act is replaced by the following:
(a) contravenes any other provision of this Act or any special Act or any regulation or decision made under this Act, other than a regulation made under paragraph 15.8(1)(a), or
(2) Section 73 of the Act is amended by adding the following after subsection (3):
Idem (3.1) Every person who contravenes an order made under section 15.1 or 15.2 or a regulation made under paragraph 15.8(1)(a) is guilty of an offence punishable on summary conviction and liable, (a) in the case of an individual, to a fine in an amount that is at the discretion of the court or to imprisonment for a term of not more than two years less a day or to both; and (b) in the case of a corporation, to a fine in an amount that is at the discretion of the court.
Officer, director or agent or mandatary (3.2) An officer, director or agent or mandatary of a person who commits an offence under subsection (3.1) is a party to and guilty of the offence and is liable to the punishment provided for that offence in respect of an individual if they directed, authorized, assented to, acquiesced in or participated in the commission of the offence, whether or not the person has been prosecuted or convicted.
Offence by employee or agent or mandatary (3.3) In a prosecution for an offence under subsection (3.1), it is sufficient proof of the offence to establish that it was committed by an employee, acting within the scope of their employment, or by an agent or a mandatary of the accused, acting within the scope of their authority, whether or not the employee or agent or mandatary is identified or proceeded against.
Defence of due diligence (3.4) No person shall be convicted of an offence under any of subsections (1) to (3.1), other than for a contravention of paragraph (2)(d), if the person establishes that they exercised all due diligence to prevent the commission of the offence.
Consent not required (3.5) No consent is required to prosecute an offence under subsection (3.1).
1998, c. 8, s. 9(4) (3) Subsection 73(7) of the Act is replaced by the following:
Injunctions (7) If a court of competent jurisdiction is satisfied, on application by the Minister, that a contravention of an order made under section 15.1 or 15.2 or a regulation made under paragraph 15.8(1)(a) or a contravention of section 69.2 is being or is likely to be committed, the court may grant an injunction, subject to any conditions that the court considers appropriate, ordering any person to cease or refrain from any activity related to that offence.
PART 2
Critical Cyber Systems Protection Act
Enactment of Act
Enactment 11 The Critical Cyber Systems Protection Act, whose text is as follows and whose Schedules 1 and 2 are set out in the schedule to this Act, is enacted as follows:
An Act respecting the protection of critical cyber systems in the federally regulated sector
Preamble
Whereas the Government of Canada has a fundamental responsibility to protect Canada’s national security and the safety of Canadians;
Whereas the Government of Canada acknowledges that because some cyber systems are critically important to vital services and vital systems their disruption could have serious consequences for national security or public safety;
Whereas the Government of Canada, through its national cyber security strategy, is committed to enhancing the security and resilience of the critical cyber systems of the federally regulated sector and to exercising leadership in cyber security to foster collaboration across Canada, with the provinces and territories and around the world;
Whereas the Government of Canada is committed to working with various stakeholders, including the federally regulated sector, to help protect those systems and to encourage information sharing among the stakeholders;
And whereas the Government of Canada acknowledges the necessity to protect the privacy of Canadians with respect to their personal information in accordance with the Privacy Act;
His Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:
Short Title
Short title 1 This Act may be cited as the Critical Cyber Systems Protection Act.
Definitions
Definitions 2 The following definitions apply in this Act.
appropriate regulator means, in respect of a designated operator, the regulator set out in column 2 of Schedule 2 that corresponds to the class of operators to which the designated operator belongs. (organisme réglementaire compétent)
Bank means the Bank of Canada established by subsection 3(1) of the Bank of Canada Act. (Banque)
Canadian Energy Regulator means the Canadian Energy Regulator established by subsection 10(1) of the Canadian Energy Regulator Act. (Régie canadienne de l’énergie)
Canadian Nuclear Safety Commission means the Commission established by subsection 8(1) of the Nuclear Safety and Control Act. (Commission canadienne de sûreté nucléaire)
Chief Executive Officer has the same meaning as in section 2 of the Canadian Energy Regulator Act. (président-directeur général)
Commission means the Commission referred to in subsection 26(1) of the Canadian Energy Regulator Act. (Commission)
confidential information means any information obtained under this Act in respect of a critical cyber system that (a) concerns a vulnerability of any designated operator’s critical cyber system or the methods used to protect that system and that is consistently treated as confidential by the designated operator; (b) if disclosed could reasonably be expected to result in material financial loss or gain to, or could reasonably be expected to prejudice the competitive position of, a designated operator; or (c) if disclosed could reasonably be expected to interfere with contractual or other negotiations of a designated operator. (renseignements confidentiels)
critical cyber system means a cyber system that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system. (cybersystème essentiel)
cyber security incident, in respect of a critical cyber system, means an incident, including an act, omission or circumstance, that interferes or may interfere with (a) the continuity or security of a vital service or vital system; or (b) the confidentiality, integrity or availability of the critical cyber system. (incident de cybersécurité)
cyber system means a system of interdependent digital services, technologies, assets or facilities that form the infrastructure for the reception, transmission, processing or storing of information. (cybersystème)
designated operator means a person, partnership or unincorporated organization that belongs to any class of operators referred to in Schedule 2. (exploitant désigné)
Governor has the same meaning as in section 2 of the Bank of Canada Act. (gouverneur)
internal audit means an independent and objective assurance and advisory review conducted in accordance with any internationally recognized guidance on professional practices respecting internal auditing and specified in Treasury Board policies, such as the International Professional Practices Framework of the Institute of Internal Auditors. (vérification interne)
Minister means the Minister of Public Safety and Emergency Preparedness or, if another federal minister is designated under section 4, that minister. (ministre)
personal information has the same meaning as in section 3 of the Privacy Act. (renseignements personnels)
regulator means (a) the Minister of Industry; (b) the Minister of Transport; (c) the Superintendent; (d) the Bank; (e) the Canadian Energy Regulator; or (f) the Canadian Nuclear Safety Commission. (organisme réglementaire)
responsible minister means the minister responsible for an Act that is ordinarily administered by an appropriate regulator with respect to any class of operators set out in Schedule 2. (ministre compétent)
Superintendent means the Superintendent of Financial Institutions appointed under subsection 5(1) of the Office of the Superintendent of Financial Institutions Act. (surintendant)
Tribunal means the Transportation Appeal Tribunal of Canada that is established under subsection 2(1) of the Transportation Appeal Tribunal of Canada Act. (Tribunal)
vital service means a service that is referred to in Schedule 1. (service critique)
vital system means a system that is referred to in Schedule 1. (système critique)
Application
Binding on His Majesty 3 This Act is binding on His Majesty in right of Canada.
Designation of Minister 4 The Governor in Council may, by order, designate any federal minister to be the Minister referred to in this Act.
Purpose
Purpose 5 The purpose of this Act is to help to protect critical cyber systems in order to support the continuity and security of vital services and vital systems by ensuring that, among other things, (a) any cyber security risks in respect of critical cyber systems are identified and managed, including risks associated with supply chains and the use of third-party products and services; (b) critical cyber systems are protected from being compromised; (c) any cyber security incidents affecting, or having the potential to affect, critical cyber systems are detected; and (d) the impacts of cyber security incidents affecting critical cyber systems are minimized.
Vital Services and Vital Systems
Addition to Schedule 1 6 (1) The Governor in Council may, by order, add to Schedule 1 a service that is delivered, or a system that is operated, as part of a work, undertaking or business that is within the legislative authority of Parliament, if the Governor in Council is satisfied that the service or system is vital to national security or public safety.
Amendment to Schedule 1 (2) The Governor in Council may, by order, amend or delete any service or system set out in Schedule 1.
Designated Operators of Critical Cyber Systems
Class of operators and corresponding regulator 7 The Governor in Council may, by order, amend Schedule 2 by (a) adding (i) a class of operators — consisting of persons, partnerships or unincorporated organizations that operate a work or carry on an undertaking or business that is within the legislative authority of Parliament — in respect of a vital service or vital system, and (ii) the regulator for that class; or (b) amending or deleting a class of operators or the regulator for that class.
Critical cyber system — obligation of designated operator 8 A designated operator that owns, controls or operates a critical cyber system must comply with the requirements of this Act and the regulations with respect to that critical cyber system.
Cyber Security Program
Establishing cyber security program 9 (1) After an order that is made under section 7 is published in the Canada Gazette, Part II, a designated operator that belongs to a class of operators set out in Schedule 2 must, within 90 days after the day on which the designated operator becomes a member of that class, establish a cyber security program in respect of its critical cyber systems and include in the program steps to, in accordance with any regulations, (a) identify and manage any organizational cyber security risks, including risks associated with the designated operator’s supply chain and its use of third-party products and services; (b) protect its critical cyber systems from being compromised; (c) detect any cyber security incidents affecting, or having the potential to affect, its critical cyber systems; (d) minimize the impact of cyber security incidents affecting critical cyber systems; and (e) do anything that is prescribed by the regulations.
Notice (2) Immediately after the program has been established, the designated operator must notify the appropriate regulator in writing that the program has been established.
Providing program to appropriate regulator 10 The designated operator must, within 90 days after the day on which the designated operator becomes a member of a class of operators that is set out in Schedule 2, provide the cyber security program or make it available to the appropriate regulator in the manner prescribed by the regulations or, if no manner is so prescribed, in the manner that the appropriate regulator considers appropriate.
Extension of 90-day period 11 The appropriate regulator may, at the designated operator’s written request, extend the 90-day period for complying with either subsection 9(1) or section 10, or both. The 90-day period may be extended more than once at the discretion of the appropriate regulator.
Implementation and maintenance of program 12 After a cyber security program is established, the designated operator must implement that program by taking the steps that are included in the program under section 9 and maintain the program.
Review of cyber security program — commencement 13 (1) A designated operator must commence a review of its cyber security program on each date that is prescribed by the regulations or, if no dates are prescribed, on every anniversary of the day on which its cyber security program was established under section 9.
Completion of review (2) The designated operator must complete the review within 60 days after the day on which the review was commenced under subsection (1), unless another period is prescribed by the regulations, and amend the program as a result of the review if needed.
Notification — changes to program (3) The designated operator must, within 30 days after the day on which the review is completed, unless another period is prescribed by the regulations, notify the appropriate regulator of whether or not any changes were made to the program after the previous review.
Notification — other changes 14 (1) A designated operator must, within a period prescribed by the regulations, notify the appropriate regulator of (a) any material change in the designated operator’s ownership or control; (b) any material change in the designated operator’s supply chain or in its use of third-party products and services; and (c) any circumstances that are prescribed by the regulations.
Further notification — changes to program (2) The designated operator must, within 90 days after the day on which a notification was provided under subsection (1), also notify the appropriate regulator whether or not any changes were made to the program as a result of any material changes or any circumstances described in paragraph (1)(a), (b) or (c) and, if changes were made, the nature of those changes.
Extension of 90-day period (3) The appropriate regulator may, at the designated operator’s written request, extend the 90-day period for complying with subsection (2). The 90-day period may be extended more than once at the discretion of the appropriate regulator.
Mitigation of Supply-Chain and Third-Party Risks
Mitigation — supply-chain or third-party 15 As soon as any cyber security risk associated with the designated operator’s supply chain or its use of third-party products and services has been identified under paragraph 9(1)(a), the designated operator must mitigate those risks.
Guidelines on mitigation of risks 15.1 The Communications Security Establishment may, in consultation with relevant industry stakeholders, develop guidelines on the mitigation of risks associated with supply chains and the use of third-party products and services, taking into consideration internationally recognized frameworks such as those developed by the International Organization for Standardization on cybersecurity in supplier relationships.
Guidance from Communications Security Establishment 16 An appropriate regulator may provide to the Communications Security Establishment any information, including any confidential information, respecting a designated operator’s cyber security program or any steps taken under section 15, for the purpose of requesting advice, guidance or services from the Communications Security Establishment in accordance with the mandate of the Communications Security Establishment, in respect of the exercise of the appropriate regulator’s powers or the performance of its duties and functions under this Act.
Reporting of Cyber Security Incidents
Report — cyber security incident 17 A designated operator must, within a period prescribed by the regulations, not to exceed 72 hours, report a cyber security incident in respect of any of its critical cyber systems to the Communications Security Establishment in accordance with the regulations, for the purpose of enabling the Communications Security Establishment to exercise its powers or perform its duties and functions.
Notify 18 Immediately after reporting a cyber security incident, the designated operator must (a) notify the appropriate regulator, in the form and manner prescribed by the regulations that the report was made; and (b) give a copy of the report to the appropriate regulator.
For greater certainty 18.1 For greater certainty, nothing in sections 17 and 18 affects the provisions of the Personal Information Protection and Electronic Documents Act.
Communications Security Establishment — provision of incident report 19 The Communications Security Establishment must, without delay, at the request of a regulator, give that regulator a copy of any incident report or any portion of it that relates to a designated operator in respect of which that regulator is the appropriate regulator, for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations.
Cyber Security Directions
Direction 20 (1) The Governor in Council may, by order, direct any designated operator or class of operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system, if the Governor in Council believes on reasonable grounds that it is necessary to make the order for that purpose.
Private communication (1.1) Despite subsection (1), the Governor in Council must not order the decoding of an encrypted private communication, as defined in section 183 of the Criminal Code.
Amend or revoke (2) The Governor in Council may, by order, amend or revoke a direction in whole or in part.
Factors (3) Before making an order under subsection (1), the Governor in Council must consider (a) its operational impacts on affected designated operators; (b) its impact on public safety of Canadians; (b.1) its impact on the privacy of Canadians; (c) its financial impacts on affected designated operators; (d) its impact on the delivery of vital services and vital systems to consumers; and (e) any other factor that the Governor in Council considers to be relevant.
Scope and substance (3.1) The provisions of the direction must, in scope and substance, be reasonable in relation to the purpose of protecting a critical cyber system.
Compliance with direction (4) Every designated operator that is subject to a direction must comply with it.
Notification by Minister (5) The Minister must, within 90 days after an order is made under subsection (1), notify the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency of the making of the order.
For greater certainty (6) For greater certainty, despite subsection (1), the Governor in Council is not permitted to order any designated operator or class of operators to intercept a private communication or a radio-based telephone communication, as those terms are defined in section 183 of the Criminal Code.
Contents of direction 21 (1) A direction made under section 20 must set out (a) the name of the designated operator or the class of operators in respect of which the direction applies; (b) the measures to be taken by the designated operator along with any conditions; and (c) the period within which those measures are to be taken.
Condition (2) In addition to any conditions referred to in paragraph (1)(b), the Governor in Council may impose other conditions in a direction.
Exemption from Statutory Instruments Act
22 (1) An order made under section 20 is exempt from the application of sections 3, 5 and 11 of the Statutory Instruments Act.

Precondition for contravention
(2) A designated operator must not be found to have contravened a direction made under section 20 unless it is proved that, at the time of the alleged contravention, the designated operator had been notified of the direction or reasonable steps had been taken to bring the purport of the notice to those designated operators likely to be affected by it.

Certificate
(3) A certificate purporting to be signed by the Minister or responsible minister and stating that a notice containing the order was given to designated operators likely to be affected by it is, in the absence of evidence to the contrary, proof that notice was given to those designated operators.

Exchange of information
23 (1) To the extent necessary, for any purpose related to the making, amending or revoking of a cyber security direction in respect of a designated operator, the following persons or entities may collect information from and disclose information, including confidential information, to each other:
(a) the Minister;
(b) the responsible minister;
(c) the appropriate regulator;
(d) the Minister of Foreign Affairs;
(e) the Minister of National Defence;
(f) the Chief of the Defence Staff;
(g) the Chief or an employee of the Communications Security Establishment;
(h) the Director or an employee of the Canadian Security Intelligence Service; and
(i) any other person or entity that is prescribed by the regulations.

Confidential information
(2) Any confidential information, within the meaning of this Act or any other Act of Parliament that applies to or is administered by a person or entity referred to in subsection (1), that is collected or disclosed under that subsection must be treated as confidential.

Prohibition against disclosure
24 Every designated operator that is subject to a cyber security direction is prohibited from disclosing, or allowing to be disclosed, the fact that a cyber security direction was issued and the content of that direction, except in accordance with section 25.

Disclosure — when allowed
25 (1) A designated operator that is subject to a cyber security direction may disclose the fact that the direction was issued and its content only to the extent necessary to comply with the direction.

Prohibition — further disclosure
(2) A person must not, without the authorization of the designated operator, disclose or allow the disclosure of any information obtained by them under subsection (1).

Disclosure and Use of Information

Prohibition
26 (1) Subject to subsection (2), a person must not knowingly disclose confidential information or allow it to be disclosed to any agency, body or other person or allow any other agency, body or other person to have access to the information, except if
(a) the disclosure is required by law;
(b) the information to be disclosed is publicly available;
(c) the designated operator to which the information relates consents to its disclosure;
(d) the disclosure is necessary for the protection of vital services, vital systems or critical cyber systems;
(e) the disclosure is made in accordance with any provision of this Act; or
(f) the disclosure is made in accordance with the Security of Canada Information Disclosure Act.

Right to disclose information preserved
(2) Nothing in this section precludes a person from disclosing confidential information to a law enforcement agency or the Canadian Security Intelligence Service if the disclosure of the information is otherwise lawful.

Confidential information
(3) Any confidential information that is disclosed or allowed to be accessed under subsection (1) must be treated as confidential.

For greater certainty
26.1 For greater certainty, nothing in this Act affects the provisions of the Privacy Act in relation to the protection of personal information.

Agreements and arrangements — exchange of information
27 (1) Subject to subsection (2), the Minister, a responsible minister or a regulator may enter into an agreement or arrangement, in writing, with the government of a province or of a foreign state, or with an international organization established by the governments of foreign states, for the exchange of information, other than confidential information, relating to the protection of critical cyber systems
(a) between the Minister, the responsible minister or the regulator, as the case may be, and any institution or agency of that government; or
(b) between the Minister, the responsible minister or the regulator, as the case may be, and the international organization.

Confidential information — government of province
(2) Confidential information may be disclosed to any institution or agency of the government of the province only if
(a) it is disclosed under the agreement or arrangement; and
(b) the Minister, the responsible minister or the regulator, as the case may be, is satisfied that the information will be treated in a confidential manner and not be further disclosed without their express consent.

Exchange of information by appropriate regulator
28 (1) If it is necessary for the protection of vital services, vital systems or critical cyber systems, the appropriate regulator for a class of operators may provide the Minister or the responsible minister with any information, including any confidential information, that is related to the exercise of the appropriate regulator’s powers or the performance of its duties and functions under this Act or the regulations. However, if for the same reason the Minister or the responsible minister makes a request for the information, the appropriate regulator must provide the information so requested.

Confidential information
(2) Any confidential information, within the meaning of this Act or any other Act of Parliament that applies to or is administered by the appropriate regulator, that is provided under subsection (1) must be treated as confidential.

Request for information
29 For the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations, a regulator may request that a person, partnership or unincorporated organization provide it with any information, and the person, partnership or unincorporated organization, as the case may be, must provide the requested information within the time and in the manner set out in the request.

Disposal of personal information
29.1 Any personal information, as defined in section 3 of the Privacy Act, that is collected or obtained under this Act must be disposed of if it is no longer necessary for the purposes for which it was collected or obtained or for verifying compliance or preventing non-compliance with this Act, and in accordance with any requirement under the Privacy Act that applies to it.

For greater certainty
29.2 For greater certainty, nothing in this Act affects the provisions of the Communications Security Establishment Act in relation to the protection of personal information.

Record Keeping

Records
30 (1) Every designated operator must keep records respecting
(a) any steps taken to implement the designated operator’s cyber security program;
(b) every cyber security incident that the designated operator reported under section 17;
(c) any steps taken by the designated operator under section 15 to mitigate any supply-chain or third-party risks;
(d) any measures taken by the designated operator to implement a cyber security direction; and
(e) any matter prescribed by the regulations.

Place
(2) The records must be kept in Canada by the designated operator at any place that is prescribed by the regulations — or, if no place is prescribed, at the designated operator’s place of business — and in the manner and for the period determined by the appropriate regulator unless another manner or period is prescribed by the regulations.

Administration and Enforcement

Limitation on Liability

No liability
31 (1) A person who exercises powers or performs duties or functions under this Act is not liable in respect of anything done or omitted to be done in good faith in the exercise of those powers or the performance of those duties or functions.

Immunity — accompanying persons
(2) A person referred to in subsection 32(5), 41(5), 50(5), 59(5), 68(5) or 78(5) is not liable for anything done or omitted to be done in good faith while helping any other person in the exercise of their powers or the performance of their duties and functions under this Act.

Powers

Superintendent of Financial Institutions

General Provisions

Authority to enter place — Superintendent
32 (1) Subject to section 33, the Superintendent may, for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations, enter a place, including a conveyance, in which the Superintendent has reasonable grounds to believe that an activity regulated under this Act is being conducted or any document, information or thing that is relevant to that purpose is located.

Powers of entry
(2) For the purpose referred to in subsection (1), the Superintendent may
(a) examine anything in the place;
(b) use any cyber system, or cause it to be used, for the purpose of examining, among other things, any information contained in or available to it;
(c) prepare a document, or cause one to be prepared, based on the information;
(d) examine any record, report, data or other document and make copies of it or take extracts from it;
(e) use any copying equipment in the place or cause it to be used; and
(f) remove any document, record or cyber system, or a portion of it, from the place for the purpose of examining it or copying it.

Return of document, record or cyber system
(3) If the Superintendent removes any document, record or cyber system under paragraph (2)(f), the Superintendent must return it to its owner or the person in charge of it, on completion of the examination or copying.

Duty to assist
(4) Every owner or person in charge of a place that is entered by the Superintendent and every person found in the place must give the Superintendent all reasonable assistance to enable the Superintendent to exercise the Superintendent’s powers or perform the Superintendent’s duties and functions under this Act and provide the Superintendent with any document or information, or access to any data, that the Superintendent may reasonably require.

Persons accompanying
(5) The Superintendent may be accompanied by any other person that the Superintendent believes is necessary to help the Superintendent exercise the Superintendent’s powers or perform the Superintendent’s duties and functions under this section.

Entering private property
(6) The Superintendent and any person accompanying the Superintendent may enter and pass through private property, other than a dwelling-house on that property, in order to gain entry to a place referred to in subsection (1).

Dwelling-house
33 (1) In the case of a dwelling-house, the Superintendent is not authorized to enter it without the occupant’s consent except under the authority of a warrant issued under subsection (2).

Authority to issue warrant
(2) A justice of the peace may, on ex parte application, issue a warrant authorizing the Superintendent to enter a dwelling-house, subject to any conditions specified in the warrant, if the justice of the peace is satisfied by information on oath that
(a) the dwelling-house is a place referred to in subsection 32(1);
(b) entry to the dwelling-house is necessary for a purpose referred to in subsection 32(1); and
(c) entry to the dwelling-house was refused by the occupant or there are reasonable grounds to believe that it will be refused or to believe that consent to entry cannot be obtained from the occupant.

Use of force
(3) In executing the warrant, the Superintendent is not entitled to use force unless the use of force has been specifically authorized in the warrant and the Superintendent is accompanied by a peace officer.

Internal Audit

Internal audit order
34 (1) Subject to any regulations, the Superintendent may, in writing, order a designated operator to, within a specified period and in accordance with the order, conduct an internal audit of its practices, books and other records to determine whether the designated operator is in compliance with any provision of this Act or the regulations.

Exemption from Statutory Instruments Act
(2) An order made under subsection (1) is exempt from the application of the Statutory Instruments Act.

Report
35 The designated operator must comply with the order and provide to the Superintendent, within the period specified in the order, a report of the results of the audit, including, if the designated operator determines that there is non-compliance with any provision of this Act or the regulations, the nature of the non-compliance and any measures that have been taken or will be taken by the designated operator to comply with the provision.

Compliance Order

Power to order termination of contravention
36 (1) If the Superintendent believes on reasonable grounds that there is or is likely to be a contravention of any provision of this Act or the regulations, the Superintendent may order a designated operator to
(a) stop doing something that is or is likely to be in contravention of that provision or cause it to be stopped; or
(b) take any measure that is necessary in order to comply with the requirements of that provision or to mitigate the effects of non-compliance.

Time and manner
(2) The order must specify the time within which and the manner in which the designated operator may request a review of the order by the Superintendent.

Exemption from Statutory Instruments Act
(3) An order made under subsection (1) is exempt from the application of the Statutory Instruments Act.

Compliance with order
37 (1) A designated operator that is subject to an order made under section 36 must comply with it.

Notification of compliance
(2) Once the designated operator complies with the order, it must notify the Superintendent, without delay, of its compliance.

Request for review
38 (1) An order that is made under section 36 must be reviewed by the Superintendent at the written request of the designated operator that is subject to the order.

Contents and time for making request
(2) The request must be made within the time and in the manner specified in the order and state the grounds for review and set out the evidence that supports those grounds.

Order in effect
(3) The order continues to apply during a review unless the Superintendent decides otherwise.

Decision on completion of review
39 (1) On completion of a review, the Superintendent must confirm, amend, revoke or cancel the order and provide notice of the decision to the designated operator and the reasons for it.

Deemed decision
(2) If the Superintendent does not make a decision in respect of the request within 90 days after the day on which the request is received, or within any further period that is agreed on by the Superintendent and the designated operator, the Superintendent is deemed to have confirmed the order.

Minister of Industry

General Provisions

Designation of inspectors
40 (1) The Minister of Industry may designate persons or classes of persons as inspectors for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations.

Certificate of designation
(2) Each inspector must be provided with a certificate of designation in a form established by the Minister of Industry and, when entering any place under subsection 41(1), must, on request, produce the certificate to the person in charge of the place.

Authority to enter place — inspector
41 (1) Subject to subsection 42(1), the inspector may, for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations, enter a place, including a conveyance, in which they have reasonable grounds to believe that an activity regulated under this Act is being conducted or any document, information or thing that is relevant to that purpose is located.

Powers of entry
(2) For the purpose referred to in subsection (1), the inspector may
(a) examine anything in the place;
(b) use any cyber system, or cause it to be used, for the purpose of examining, among other things, any information contained in or available to it;
(c) prepare a document, or cause one to be prepared, based on the information;
(d) examine any record, report, data or other document and make copies of it or take extracts from it;
(e) use any copying equipment in the place or cause it to be used; and
(f) remove any document, record or cyber system, or a portion of it, from the place for the purpose of examining it or copying it.

Return of document, record or cyber system
(3) If the inspector removes any document, record or cyber system referred to in paragraph (2)(f), the inspector must return it to its owner or the person in charge of it, on completion of the examination or copying.

Duty to assist
(4) Every owner or person in charge of a place that is entered by the inspector and every person found in the place must give the inspector all reasonable assistance to enable the inspector to exercise the inspector’s powers or perform the inspector’s duties and functions under this Act and provide that inspector with any document or information, or access to any data, that the inspector may reasonably require.

Persons accompanying
(5) The inspector may be accompanied by any other person that the inspector believes is necessary to help the inspector exercise the inspector’s powers or perform the inspector’s duties and functions under this section.

Entering private property
(6) The inspector and any person accompanying the inspector may enter and pass through private property, other than a dwelling-house on that property, in order to gain entry to a place referred to in subsection (1).

Dwelling-house
42 (1) In the case of a dwelling-house, the inspector is not authorized to enter it without the occupant’s consent except under the authority of a warrant issued under subsection (2).

Authority to issue warrant
(2) A justice of the peace may, on ex parte application, issue a warrant authorizing the inspector named in it to enter a dwelling-house, subject to any conditions specified in the warrant, if the justice of the peace is satisfied by information on oath that
(a) the dwelling-house is a place referred to in subsection 41(1);
(b) entry to the dwelling-house is necessary for a purpose referred to in subsection 41(1); and
(c) entry to the dwelling-house was refused by the occupant or there are reasonable grounds to believe that it will be refused or to believe that consent to entry cannot be obtained from the occupant.

Use of force
(3) In executing the warrant, the inspector is not entitled to use force unless the use of force has been specifically authorized in the warrant and they are accompanied by a peace officer.

Internal Audit

Internal audit order
43 (1) Subject to any regulations, the Minister of Industry or a person designated by that Minister may, in writing, order a designated operator to, within a specified period and in accordance with the order, conduct an internal audit of its practices, books and other records to determine whether the designated operator is in compliance with any provision of this Act or the regulations.

Exemption from Statutory Instruments Act
(2) An order made under subsection (1) is exempt from the application of the Statutory Instruments Act.

Report
44 The designated operator must comply with the order and provide to the Minister of Industry or the person designated by that Minister, within the period specified in the order, a report of the results of the audit, including, if the designated operator determines that there is non-compliance with any provision of this Act or the regulations, the nature of the non-compliance and any measures that have been taken or will be taken by the designated operator to comply with the provision.

Compliance Order

Power to order termination of contravention
45 (1) If the Minister of Industry or a person designated by that Minister believes on reasonable grounds that there is or is likely to be a contravention of any provision of this Act or the regulations, they may order a designated operator to
(a) stop doing something that is or is likely to be in contravention of that provision or cause it to be stopped; or
(b) take any measure that is necessary in order to comply with the requirements of that provision or to mitigate the effects of non-compliance.

Time and manner
(2) The order must specify the time within which and the manner in which the designated operator may request a review of the order by the Minister of Industry.

Exemption from Statutory Instruments Act
(3) An order made under subsection (1) is exempt from the application of the Statutory Instruments Act.

Compliance with order
46 (1) A designated operator that is subject to an order made under section 45 must comply with it.

Notification of compliance
(2) Once the designated operator complies with the order, it must notify the Minister of Industry or the person designated by that Minister, without delay, of its compliance.

Request for review
47 (1) An order that is made under section 45 must be reviewed by the Minister of Industry at the written request of the designated operator that is subject to the order.

Contents and time for making request
(2) The request must be made within the time and in the manner specified in the order and state the grounds for review and set out the evidence that supports those grounds.

Order in effect
(3) The order continues to apply during a review unless the Minister of Industry decides otherwise.

Decision on completion of review
48 (1) On completion of a review, the Minister of Industry must confirm, amend, revoke or cancel the order and provide notice of the decision to the designated operator and the reasons for it.

Deemed decision
(2) If the Minister of Industry does not make a decision in respect of the request within 90 days after the day on which the request is received, or within any further period that is agreed on by the Minister of Industry and the designated operator, the Minister of Industry is deemed to have confirmed the order.

Bank of Canada

General Provisions

Designation
49 (1) The Bank may designate persons or classes of persons for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations.

Certificate of designation
(2) Each person designated under subsection (1) must be provided with a certificate of designation in a form established by the Bank and, when entering any place under subsection 50(1), must, on request, produce the certificate to the person in charge of the place.

Authority to enter place — designated person
50 (1) Subject to section 51, the person designated under subsection 49(1) may, for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations, enter a place, including a conveyance, in which they have reasonable grounds to believe that an activity regulated under this Act is being conducted or any document, information or thing that is relevant to that purpose is located.

Powers of entry
(2) For the purpose referred to in subsection (1), the person designated under subsection 49(1) may
(a) examine anything in the place;
(b) use any cyber system, or cause it to be used, for the purpose of examining, among other things, any information contained in or available to it;
(c) prepare a document, or cause one to be prepared, based on the information;
(d) examine any record, report, data or other document and make copies of it or take extracts from it;
(e) use any copying equipment in the place or cause it to be used; and
(f) remove any document, record or cyber system, or a portion of it, from the place for the purpose of examining it or copying it.

Return of document, record or cyber system
(3) If the person designated under subsection 49(1) removes any document, record or cyber system referred to in paragraph (2)(f), the person so designated must return it to its owner or the person in charge of it, on completion of the examination or copying.

Duty to assist
(4) Every owner or person in charge of a place that is entered by the person designated under subsection 49(1) and every person found in the place must give the person designated under subsection 49(1) all reasonable assistance to enable them to exercise their powers or perform their duties and functions under this Act and provide that person designated under subsection 49(1) with any document or information, or access to any data, that they may reasonably require.

Persons accompanying
(5) The person designated under subsection 49(1) may be accompanied by any other person that they believe is necessary to help them exercise their powers or perform their duties and functions under this section.

Entering private property
(6) The person designated under subsection 49(1) and any person accompanying the person so designated may enter and pass through private property, other than a dwelling-house on that property, in order to gain entry to a place referred to in subsection (1).

Dwelling-house
51 (1) In the case of a dwelling-house, the person designated under subsection 49(1) is not authorized to enter it without the occupant’s consent except under the authority of a warrant issued under subsection (2).

Authority to issue warrant
(2) A justice of the peace may, on ex parte application, issue a warrant authorizing the person designated under subsection 49(1) and named in the warrant to enter a dwelling-house, subject to any conditions specified in the warrant, if the justice of the peace is satisfied by information on oath that
(a) the dwelling-house is a place referred to in subsection 50(1);
(b) entry to the dwelling-house is necessary for a purpose referred to in subsection 50(1); and
(c) entry to the dwelling-house was refused by the occupant or there are reasonable grounds to believe that it will be refused or to believe that consent to entry cannot be obtained from the occupant.

Use of force
(3) In executing the warrant, the person designated under subsection 49(1) is not entitled to use force unless the use of force has been specifically authorized in the warrant and they are accompanied by a peace officer.

Internal Audit

Internal audit order
52 (1) Subject to any regulations, the Bank may, in writing, order a designated operator to, within a specified period and in accordance with the order, conduct an internal audit of its practices, books and other records to determine whether the designated operator is in compliance with any provision of this Act or the regulations.

Exemption from Statutory Instruments Act
(2) An order made under subsection (1) is exempt from the application of the Statutory Instruments Act.

Report
53 The designated operator must comply with the order and provide to the Bank, within the period specified in the order, a report of the results of the audit, including, if the designated operator determines that there is non-compliance with any provision of this Act or the regulations, the nature of the non-compliance and any measures that have been taken or will be taken by the designated operator to comply with the provision.

Compliance Order

Power to order termination of contravention
54 (1) If a person designated by the Bank believes on reasonable grounds that there is or is likely to be a contravention of any provision of this Act or the regulations, the person so designated may order a designated operator to
(a) stop doing something that is or is likely to be in contravention of that provision or cause it to be stopped; or
(b) take any measure that is necessary in order to comply with the requirements of that provision or to mitigate the effects of non-compliance.

Time and manner
(2) The order must specify the time within which and manner in which the designated operator may request a review of the order by the person designated by the Bank.

Exemption from Statutory Instruments Act
(3) An order made under subsection (1) is exempt from the application of the Statutory Instruments Act.

Compliance with order
55 (1) A designated operator that is subject to an order made under section 54 must comply with it.

Notification of compliance
(2) Once the designated operator complies with the order, it must notify the person designated by the Bank referred to in subsection 54(1), without delay, of its compliance.

Request for review
56 (1) An order that is made under section 54 must be reviewed by the Governor at the written request of the designated operator that is subject to the order.

Contents and time for making request
(2) The request must be made within the time and in the manner specified in the order and state the grounds for review and set out the evidence that supports those grounds.

Order in effect
(3) The order continues to apply during a review unless the Governor decides otherwise.

Decision on completion of review
57 (1) On completion of a review, the Governor must confirm, amend, revoke or cancel the order and provide notice of the decision to the designated operator and the reasons for it.

Deemed decision
(2) If the Governor does not make a decision in respect of the request within 90 days after the day on which the request is received, or within any further period that is agreed on by the Governor and the designated operator, the Governor is deemed to have confirmed the order.

Canadian Nuclear Safety Commission

General Provisions

Designation
58 (1) The Canadian Nuclear Safety Commission may designate persons or classes of persons for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations.

Certificate of designation
(2) Each person designated under subsection (1) must be provided with a certificate of designation in a form established by the Canadian Nuclear Safety Commission and, when entering any place under subsection 59(1), must, on request, produce the certificate to the person in charge of the place.

Authority to enter place — designated person
59 (1) Subject to subsection 60(1), the person designated under subsection 58(1) may, for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations, enter a place, including a conveyance, in which they have reasonable grounds to believe that an activity regulated under this Act is being conducted or any document, information or thing that is relevant to that purpose is located.

Powers of entry
(2) For the purpose referred to in subsection (1), the person designated under subsection 58(1) may
(a) examine anything in the place;
(b) use any cyber system, or cause it to be used, for the purpose of examining, among other things, any information contained in or available to it;
(c) prepare a document, or cause one to be prepared, based on the information;
(d) examine any record, report, data or other document and make copies of it or take extracts from it;
(e) use any copying equipment in the place or cause it to be used; and
(f) remove any document, record or cyber system, or a portion of it, from the place for the purpose of examining it or copying it.

Return of document, record or cyber system
(3) If the person designated under subsection 58(1) removes any document, record or cyber system referred to in paragraph (2)(f), the person so designated must return it to its owner or the person in charge of it, on completion of the examination or copying.

Duty to assist
(4) Every owner or person in charge of a place that is entered by the person designated under subsection 58(1) and every person found in the place must give the person designated under subsection 58(1) all reasonable assistance to enable them to exercise their powers or perform their duties and functions under this Act and provide them with any document or information, or access to any data, that they may reasonably require.

Persons accompanying
(5) The person designated under subsection 58(1) may be accompanied by any other person that they believe is necessary to help them exercise their powers or perform their duties and functions under this section.

Entering private property
(6) The person designated under subsection 58(1) and any person accompanying the person so designated may enter and pass through private property, other than a dwelling-house on that property, in order to gain entry to a place referred to in subsection (1).

Dwelling-house 60 (1) In the case of a dwelling-house, the person designated under subsection 58 (1) is not authorized to enter it without the occupant’s consent except under the authority of a warrant issued under subsection (2). Authority to issue warrant (2) A justice of the peace may, on ex parte application, issue a warrant authorizing the person designated under subsection 58 (1) and named in the warrant to enter a dwelling-house, subject to any conditions specified in the warrant, if the justice of the peace is satisfied by information on oath that (a) the dwelling-house is a place referred to in subsection 59 (1); (b) entry to the dwelling-house is necessary for a purpose referred to in subsection 59 (1); and (c) entry to the dwelling-house was refused by the occupant or there are reasonable grounds to believe that it will be refused or to believe that consent to entry cannot be obtained from the occupant. Use of force (3) In executing the warrant, the person designated under subsection 58 (1) is not entitled to use force unless the use of force has been specifically authorized in the warrant and they are accompanied by a peace officer. Internal Audit Internal audit order 61 (1) Subject to any regulations, the person designated under subsection 58 (1) may, by order in writing, require a designated operator to, within a specified period and in accordance with the order, conduct an internal audit of its practices, books and other records to determine whether the designated operator is in compliance with any provision of this Act or the regulations. Exemption from Statutory Instruments Act (2) An order made under subsection (1) is exempt from the application of the Statutory Instruments Act. Review (3) A person designated under subsection 58 (1) must refer any order made under this section to the Canadian Nuclear Safety Commission for review and the Canadian Nuclear Safety Commission must confirm, amend or revoke the order.
Report 62 The designated operator must comply with the order and provide to the person designated under subsection 58 (1), within the period specified in the order, a report of the results of the audit, including, if the designated operator determines that there is non-compliance with any provision of this Act or the regulations, the nature of the non-compliance and any measures that have been taken or will be taken by the designated operator to comply with the provision. Compliance Order Power to order termination of contravention 63 (1) If the person designated under subsection 58 (1) believes on reasonable grounds that there is or is likely to be a contravention of any provision of this Act or the regulations, the person so designated may, by order, require a designated operator to (a) stop doing something that is or is likely to be in contravention of that provision or cause it to be stopped; or (b) take any measure that is necessary in order to comply with the requirements of that provision or to mitigate the effects of non-compliance. Time and manner (2) The order must specify the time within which and manner in which the designated operator may request a review of the order by the Canadian Nuclear Safety Commission. Exemption from Statutory Instruments Act (3) An order made under subsection (1) is exempt from the application of the Statutory Instruments Act. Review (4) A person designated under subsection 58 (1) must refer any order made under this section to the Canadian Nuclear Safety Commission for review and the Canadian Nuclear Safety Commission must confirm, amend or revoke the order. Compliance with order 64 (1) A designated operator that is subject to an order made under section 63 must comply with it. Notification of compliance (2) Once the designated operator complies with the order, it must notify the person designated under subsection 58 (1), without delay, of its compliance.
Request for review 65 (1) An order that is made under section 63 must be reviewed by the Canadian Nuclear Safety Commission at the written request of the designated operator that is subject to the order. Contents and time for making request (2) The request must be made within the time and in the manner specified in the order and state the grounds for review and set out the evidence that supports those grounds. Order in effect (3) The order continues to apply during a review unless the Canadian Nuclear Safety Commission decides otherwise. Decision on completion of review 66 (1) On completion of a review under subsection 65 (1), the Canadian Nuclear Safety Commission must confirm, amend, revoke or cancel the order and provide notice of the decision to the designated operator and the reasons for it. Deemed decision (2) If the Canadian Nuclear Safety Commission does not make a decision in respect of the request within 90 days after the day on which the request is received, or within any further period that is agreed on by the Canadian Nuclear Safety Commission and the designated operator, the Canadian Nuclear Safety Commission is deemed to have confirmed the order. Canadian Energy Regulator General Provisions Designation of inspection officers 67 (1) The Chief Executive Officer may designate persons or classes of persons as inspection officers for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations. Certificate of designation (2) Each inspection officer must be provided with a certificate of designation in a form established by the Canadian Energy Regulator and, when entering any place under subsection 68 (1), must, on request, produce the certificate to the person in charge of the place. 
Authority to enter place — inspection officer 68 (1) Subject to subsection 69 (1), the inspection officer may, for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations, enter a place, including a conveyance, in which they have reasonable grounds to believe that an activity regulated under this Act is being conducted or any document, information or thing that is relevant to that purpose is located. Powers of entry (2) For the purpose referred to in subsection (1), the inspection officer may (a) examine anything in the place; (b) use any cyber system, or cause it to be used, for the purpose of examining, among other things, any information contained in or available to it; (c) prepare a document, or cause one to be prepared, based on the information; (d) examine any record, report, data or other document and make copies of it or take extracts from it; (e) use any copying equipment in the place or cause it to be used; and (f) remove any document, record or cyber system, or a portion of it, from the place for the purpose of examining it or copying it. Return of document, record or cyber system (3) If the inspection officer removes any document, record or cyber system referred to in paragraph (2)(f), the inspection officer must return it to its owner or the person in charge of it, on completion of the examination or copying. Duty to assist (4) Every owner or person in charge of a place that is entered by the inspection officer and every person found in the place must give the officer all reasonable assistance to enable the officer to exercise the officer’s powers or perform the officer’s duties and functions under this Act and provide that officer with any document or information, or access to any data, that the officer may reasonably require. 
Persons accompanying (5) The inspection officer may be accompanied by any other person that the inspection officer believes is necessary to help the inspection officer exercise the inspection officer’s powers or perform the inspection officer’s duties and functions under this section. Entering private property (6) The inspection officer and any person accompanying the inspection officer may enter and pass through private property, other than a dwelling-house on that property, in order to gain entry to a place referred to in subsection (1). Dwelling-house 69 (1) In the case of a dwelling-house, the inspection officer is not authorized to enter it without the occupant’s consent except under the authority of a warrant issued under subsection (2). Authority to issue warrant (2) A justice of the peace may, on ex parte application, issue a warrant authorizing the inspection officer named in it to enter a dwelling-house, subject to any conditions specified in the warrant, if the justice of the peace is satisfied by information on oath that (a) the dwelling-house is a place referred to in subsection 68 (1); (b) entry to the dwelling-house is necessary for a purpose referred to in subsection 68 (1); and (c) entry to the dwelling-house was refused by the occupant or there are reasonable grounds to believe that it will be refused or to believe that consent to entry cannot be obtained from the occupant. Use of force (3) In executing the warrant, the inspection officer is not entitled to use force unless the use of force has been specifically authorized in the warrant and they are accompanied by a peace officer. 
Internal Audit Internal audit order 70 (1) Subject to any regulations, an inspection officer who is expressly authorized by the Chief Executive Officer to make orders under this section may, by order in writing, require a designated operator to, within a specified period and in accordance with the order, conduct an internal audit of its practices, books and other records to determine whether the designated operator is in compliance with any provision of this Act or the regulations. Notice and report (2) The inspection officer who makes an order under this section must, as soon as possible, report the circumstances and terms of the order to the Commission. Exemption from Statutory Instruments Act (3) An order made under subsection (1) is exempt from the application of the Statutory Instruments Act. Report 71 The designated operator must comply with the order and provide to the inspection officer within the period specified in the order, a report of the results of the audit, including, if the designated operator determines that there is non-compliance with any provision of this Act or the regulations, the nature of the non-compliance and any measures that have been taken or will be taken by the designated operator to comply with the provision. Notice of Non-Compliance Notice of non-compliance 72 (1) If an inspection officer has reasonable grounds to believe that a designated operator or other person has contravened any provision of this Act or the regulations made under this Act, the inspection officer may issue a notice of non-compliance to the designated operator or other person.
Contents of notice (2) The notice of non-compliance must be made in writing and must set out (a) the name of the designated operator or other person to which the notice is directed; (b) the provision of this Act or of the regulations made under it that is alleged to have been contravened or the order or decision that is alleged to have been contravened; (c) the relevant facts surrounding the alleged contravention; and (d) the period within which the designated operator or other person may provide comments in response to the notice. Compliance Order Power to order termination of contravention 73 (1) If the inspection officer who is expressly authorized by the Chief Executive Officer to make orders under this section believes on reasonable grounds that there is or is likely to be a contravention of any provision of this Act or the regulations, the inspection officer may order a designated operator to (a) stop doing something that is or is likely to be in contravention of that provision or cause it to be stopped; or (b) take any measure that is necessary in order to comply with the requirements of that provision or to mitigate the effects of non-compliance. Time and manner (2) The order may specify the time within which and the manner in which the designated operator may request a review of the order by the Commission. Notice and report (3) An inspection officer who makes an order under this section must, as soon as possible, (a) notify, in writing, the designated operator of the terms of the order and the reasons for the order; and (b) report the circumstances and terms of the order to the Commission. Exemption from Statutory Instruments Act (4) An order made under subsection (1) is exempt from the application of the Statutory Instruments Act. Compliance with order 74 (1) A designated operator that is subject to an order made under section 73 must comply with it.
Notification of compliance (2) Once the designated operator complies with the order, it must notify the inspection officer, without delay, of its compliance. Powers of Commission 75 (1) The Commission may designate persons or classes of persons to conduct reviews under this section. Request for review (2) An order that is made under section 73 must be reviewed by the Commission or the person designated under subsection (1) at the written request of the designated operator that is subject to the order. Contents and time for making request (3) The request must be made within the time and in the manner specified in the order, if any, and state the grounds for review and set out the evidence that supports those grounds. Order in effect (4) The order continues to apply during a review unless the Commission or the person designated under subsection (1) decides otherwise. Decision on completion of review 76 (1) On completion of a review, the Commission or the person designated under subsection 75 (1) must confirm, amend, revoke or cancel the order and provide notice of the decision to the designated operator and the reasons for it. Deemed decision (2) If the Commission or the person designated under subsection 75 (1) does not make a decision in respect of the request within 90 days after the day on which the request is received, or within any further period that is agreed on by the Commission or the person designated under subsection 75 (1) and the designated operator, the Commission or the person designated under subsection 75 (1) is deemed to have confirmed the order. Minister of Transport General Provisions Delegation 77 The Minister of Transport may delegate, subject to any restrictions or limitations that the Minister of Transport may specify, any of the Minister of Transport’s powers, duties and functions under this Act — other than the power to delegate under this section — to any person or class of persons. 
Authority to enter place — Minister of Transport 78 (1) Subject to section 79, the Minister of Transport may, for the purpose of verifying compliance or preventing non-compliance with any provision of this Act or the regulations, enter a place, including a conveyance, in which the Minister of Transport has reasonable grounds to believe that an activity regulated under this Act is being conducted or any document, information or thing that is relevant to that purpose is located. Powers of entry (2) For the purpose referred to in subsection (1), the Minister of Transport may (a) examine anything in the place; (b) use any cyber system, or cause it to be used, for the purpose of examining, among other things, any information contained in or available to it; (c) prepare a document, or cause one to be prepared, based on the information; (d) examine any record, report, data or other document and make copies of it or take extracts from it; (e) use any copying equipment in the place or cause it to be used; and (f) remove any document, record or cyber system, or a portion of it, from the place for the purpose of examining it or copying it. Return of document, record or cyber system (3) If the Minister of Transport removes any document, record or cyber system referred to in paragraph (2)(f), the Minister of Transport must return it to its owner or the person in charge of it, on completion of the examination or copying. Duty to assist (4) Every owner or person in charge of a place that is entered by the Minister of Transport and every person found in the place must give the Minister of Transport all reasonable assistance to enable the Minister of Transport to exercise the Minister of Transport’s powers or perform the Minister of Transport’s duties and functions under this Act and provide that Minister with any document or information, or access to any data, that the Minister of Transport may reasonably require.
Persons accompanying (5) The Minister of Transport may be accompanied by any other person that the Minister of Transport believes is necessary to help the Minister of Transport exercise the Minister of Transport’s powers or perform the Minister of Transport’s duties and functions under this section. Entering private property (6) The Minister of Transport and any person accompanying the Minister of Transport may enter and pass through private property, other than a dwelling-house on that property, in order to gain entry to a place referred to in subsection (1). Dwelling-house 79 (1) In the case of a dwelling-house, the Minister of Transport is not authorized to enter it without the occupant’s consent except under the authority of a warrant issued under subsection (2). Authority to issue warrant (2) A justice of the peace may, on ex parte application, issue a warrant authorizing the Minister of Transport to enter a dwelling-house, subject to any conditions specified in the warrant, if the justice of the peace is satisfied by information on oath that (a) the dwelling-house is a place referred to in subsection 78 (1); (b) entry to the dwelling-house is necessary for a purpose referred to in subsection 78 (1); and (c) entry to the dwelling-house was refused by the occupant or there are reasonable grounds to believe that it will be refused or to believe that consent to entry cannot be obtained from the occupant. Use of force (3) In executing the warrant, the Minister of Transport is not entitled to use force unless the use of force has been specifically authorized in the warrant and they are accompanied by a peace officer. 
Internal Audit Internal audit order 80 (1) Subject to any regulations, the Minister of Transport may, in writing, order a designated operator to, within a specified period and in accordance with the order, conduct an internal audit of its practices, books and other records to determine whether the designated operator is in compliance with any provision of this Act or the regulations. Exemption from Statutory Instruments Act (2) An order made under subsection (1) is exempt from the application of the Statutory Instruments Act. Report 81 The designated operator must comply with an order and provide to the Minister of Transport, within the period specified in the order, a report of the results of the audit, including, if the designated operator determines that there is non-compliance with any provision of this Act or the regulations, the nature of the non-compliance and any measures that have been taken or will be taken by the designated operator to comply with the provision. Compliance Order Power to order termination of contravention 82 (1) If the Minister of Transport believes on reasonable grounds that there is or is likely to be a contravention of any provision of this Act or the regulations, the Minister of Transport may order a designated operator to (a) stop doing something that is or is likely to be in contravention of that provision or cause it to be stopped; or (b) take any measure that is necessary in order to comply with the requirements of that provision or to mitigate the effects of non-compliance. Time and manner (2) The order must specify the time within which and the manner in which the designated operator may request a review of the order by the Minister of Transport. Exemption from Statutory Instruments Act (3) An order made under subsection (1) is exempt from the application of the Statutory Instruments Act. Compliance with order 83 (1) A designated operator that is subject to an order made under section 82 must comply with it.
Notification of compliance (2) Once the designated operator complies with the order, it must notify the Minister of Transport, without delay, of its compliance. Request for review 84 (1) An order that is made under section 82 must be reviewed by the Minister of Transport at the written request of the designated operator that is subject to the order. Contents and time for making request (2) The request must be made within the time and in the manner specified in the order and state the grounds for review and set out the evidence that supports those grounds. Order in effect (3) The order continues to apply during a review unless the Minister of Transport decides otherwise. Decision on completion of review 85 (1) On completion of a review, the Minister of Transport must confirm, amend, revoke or cancel the order and provide notice of the decision to the designated operator and the reasons for it. Deemed decision (2) If the Minister of Transport does not make a decision in respect of the request within 90 days after the day on which the request is received, or within any further period that is agreed on by the Minister of Transport and the designated operator, the Minister of Transport is deemed to have confirmed the order. General Provisions Obstruction 86 A person must not obstruct or hinder the Superintendent, inspector, person designated under subsection 49 (1) or 58 (1), inspection officer or Minister of Transport, as the case may be, in exercising their powers or performing their duties and functions under this Act. Providing false or misleading information 87 A person must not, with respect to any matter related to this Act, knowingly (a) provide any person with false or misleading information; or (b) provide any incident report that contains false or misleading information. 
Administrative Monetary Penalties General Provisions Definition of penalty 88 In sections 89 to 135, penalty means an administrative monetary penalty imposed under those sections for a violation. Purpose of penalty 89 The purpose of a penalty is to promote compliance with this Act and not to punish. Violation 90 Every designated operator or other person that contravenes or fails to comply with a provision of this Act or of the regulations made under this Act — designated by regulations made under paragraph 135 (1)(f) — commits a violation and is liable to a penalty of an amount to be determined in accordance with this Act and the regulations. Penalty 91 The amount that may be fixed under any regulations made under paragraph 135 (1)(h) as the penalty for a violation must not be more than (a) $500,000, in the case of an individual; and (b) $15,000,000, in any other case. Due diligence available 92 (1) Due diligence is a defence in a proceeding in relation to a violation. Common law principles (2) Every rule and principle of the common law that renders any circumstance a justification or excuse in relation to a charge for an offence under this Act applies in respect of a violation to the extent that it is not inconsistent with this Act. Liability of directors or officers 93 If a designated operator commits a violation, any director or officer of the designated operator that directed, authorized, assented to, acquiesced in or participated in the commission of the violation is a party to the violation and is liable to a penalty of an amount to be determined in accordance with this Act and the regulations, whether or not the designated operator has been proceeded against in accordance with this Act. Continuing violation 94 A violation that is committed or continued on more than one day constitutes a separate violation in respect of each day on which it is committed or continued.
Violation or offence 95 (1) Proceeding with any act or omission as a violation under this Act precludes proceeding with it as an offence under this Act, and proceeding with it as an offence under this Act precludes proceeding with it as a violation under this Act. Violations not offences (2) For greater certainty, a violation is not an offence and, accordingly, section 126 of the Criminal Code does not apply in respect of a violation. Limitation period or prescription 96 Proceedings in respect of a violation must not be commenced later than three years after the subject-matter of the proceedings became known to the appropriate regulator. Debts to His Majesty 97 (1) A penalty and any interest due in respect of the penalty constitute a debt due to His Majesty in right of Canada and may be recovered in the Federal Court or any other court of competent jurisdiction. Limitation period or prescription (2) Proceedings to recover the debt must not be commenced after the period of five years that begins on the day on which the debt became payable. Proceeds payable to Receiver General (3) A penalty paid or recovered under this Act is payable to and must be remitted to the Receiver General. Certificate of default 98 (1) The unpaid amount of any debt referred to in subsection 97 (1) may be certified by (a) the appropriate regulator; or (b) if the appropriate regulator is the Minister of Transport, by the Tribunal. Registration (2) Registration in the Federal Court or in any other court of competent jurisdiction of a certificate issued under subsection (1) has the same force and effect as a judgment of that court for a debt of the amount specified in the certificate and all related registration costs. 
Superintendent of Financial Institutions General Provisions Notice of violation — Superintendent 99 (1) If the Superintendent has reasonable grounds to believe that a designated operator or other person has committed a violation, the Superintendent may issue a notice of violation to the designated operator or other person. If a notice of violation is issued, the Superintendent must cause it to be served on the designated operator or other person. Contents of notice of violation (2) The notice of violation must name the designated operator or other person that is alleged to have committed the violation, identify the alleged violation and set out (a) the penalty for the violation that the designated operator or other person is liable to pay; (b) the right of the designated operator or other person, within 30 days after the notice is served or within any longer period that the Superintendent specifies, to pay the penalty or to make representations to the Superintendent with respect to the violation or the proposed penalty, or both, and the manner for doing so; and (c) the fact that, if the designated operator or other person does not pay the penalty or make representations in accordance with the notice, the designated operator or other person will be deemed to have committed the violation and be liable to the penalty set out in the notice. Correction or cancellation of notice of violation (3) At any time before the designated operator or other person makes representations in respect of a notice of violation to the Superintendent or enters into a compliance agreement with the Superintendent, the Superintendent may cancel the notice of violation or correct an error in it. 
Penalty 100 The penalty for a violation is to be determined by taking into account (a) the designated operator’s or other person’s history of compliance or non-compliance with the provisions of this Act or of the regulations; (b) the nature and scope of the violation; (c) whether the designated operator or other person made reasonable efforts to mitigate or reverse the effects of the violation; (d) whether the designated operator or other person derived any competitive or economic benefit from the violation; (e) any other factors prescribed by the regulations; and (f) any other factors that the Superintendent considers relevant. Payment 101 (1) If the designated operator or other person named in the notice of violation pays the penalty set out in the notice, they are deemed to have committed the violation and the proceedings commenced in respect of the violation are ended. Alternatives (2) Instead of paying the penalty set out in the notice, the designated operator or other person named in the notice may, in accordance with the notice, (a) make representations to the Superintendent in respect of the alleged violation or of the penalty; or (b) if the Superintendent offers a compliance agreement, enter into the compliance agreement with the Superintendent to ensure the designated operator’s or other person’s compliance with the provision to which the violation relates. Representation to Superintendent 102 (1) The Superintendent must decide, on a balance of probabilities, after considering any representations made under paragraph 101 (2)(a), whether the designated operator or other person committed the violation and, if the Superintendent so decides, the Superintendent may, subject to the regulations made under paragraph 135 (1)(h), impose the penalty set out in the notice, a lesser penalty or no penalty. 
Decision (2) The Superintendent must render a decision in writing, including reasons for it and must serve a copy of the decision on the designated operator or other person. Responsibility to pay penalty (3) If the Superintendent decides that the designated operator or other person committed the violation, the designated operator or other person is liable to the penalty as set out in the decision. Effect of payment (4) If the designated operator or other person pays the penalty set out in the decision, the Superintendent must accept the amount as complete satisfaction of the penalty in respect of the violation and the proceedings commenced in respect of the violation are ended. Violation not committed — effect (5) If the Superintendent decides that the designated operator or other person did not commit the violation, the proceedings commenced in respect of the violation are ended. Compliance Agreements Entering into compliance agreements 103 (1) If the Superintendent offers to enter into a compliance agreement with the designated operator or other person, the agreement is subject to any terms that the Superintendent considers appropriate, including the reduction, in whole or in part, of the penalty for the violation. Representations (2) If a compliance agreement is entered into, the designated operator or other person cannot make any representations under paragraph 101 (2)(a). Deeming (3) A designated operator or other person that enters into a compliance agreement with the Superintendent is deemed to have committed the violation in respect of which the compliance agreement was entered into. Notice of compliance (4) If the Superintendent is of the opinion that a designated operator or other person that has entered into a compliance agreement has complied with it, the Superintendent must serve a notice to that effect on the designated operator or other person and, on the service of the notice, the proceedings commenced in respect of the violation are ended. 
Notice of default (5) If the Superintendent is of the opinion that a designated operator or other person that has entered into a compliance agreement has not complied with it, the Superintendent must cause the designated operator or other person to be served with a notice of default informing them that (a) they are liable to pay, within the time and in the manner set out in the notice of default, the penalty set out in the notice of violation in respect of which the compliance agreement was entered into, less any amount they paid under the compliance agreement; and (b) the Superintendent may make public the designated operator’s or other person’s name, the nature of the violation, the scope of the non-compliance with the compliance agreement and the penalty payable. Effect of payment (6) If a designated operator or other person pays the penalty set out in the notice of default within the time and in the manner set out in that notice, the Superintendent must accept the amount as complete satisfaction of the penalty owing in respect of the violation and the proceedings commenced in respect of the violation are ended. Minister of Industry General Provisions Designation 104 The Minister of Industry may designate persons or classes of persons who are authorized to issue notices of violation and to enter into a compliance agreement with a designated operator. Notice of violation — designated person 105 (1) If a person designated under section 104 has reasonable grounds to believe that a designated operator or other person has committed a violation, the person so designated may issue a notice of violation to the designated operator or other person. If a notice of violation is issued, the person designated under section 104 must cause it to be served on the designated operator or other person. 
Contents of notice of violation (2) The notice of violation must name the designated operator or other person that is alleged to have committed the violation, identify the alleged violation and set out (a) the penalty for the violation that the designated operator or other person is liable to pay; (b) the right of the designated operator or other person, within 30 days after the notice is served or within any longer period that the person designated under section 104 specifies, to pay the penalty or to make representations to the Minister of Industry with respect to the violation or the proposed penalty, or both, and the manner for doing so; and (c) the fact that, if the designated operator or other person does not pay the penalty or make representations in accordance with the notice, the designated operator or other person will be deemed to have committed the violation and be liable to the penalty set out in the notice. Correction or cancellation of notice of violation (3) At any time before the designated operator or other person makes representations in respect of a notice of violation to the Minister of Industry or enters into a compliance agreement with the person designated under section 104, the person so designated may cancel the notice of violation or correct an error in it. Penalty 106 The penalty for a violation is to be determined by taking into account (a) the designated operator’s or other person’s history of compliance or non-compliance with the provisions of this Act or of the regulations; (b) the nature and scope of the violation; (c) whether the designated operator or other person made reasonable efforts to mitigate or reverse the effects of the violation; (d) whether the designated operator or other person derived any competitive or economic benefit from the violation; (e) any other factors prescribed by the regulations; and (f) any other factors that the person designated under section 104 who issued the notice of violation considers relevant.
Payment 107 (1) If the designated operator or other person named in the notice of violation pays the penalty set out in the notice, they are deemed to have committed the violation and the proceedings commenced in respect of the violation are ended. Alternatives (2) Instead of paying the penalty set out in the notice, the designated operator or other person named in the notice may, in accordance with the notice, (a) make representations to the Minister of Industry in respect of the alleged violation or of the penalty; or (b) if the person designated under section 104 offers a compliance agreement, enter into the compliance agreement with the person so designated to ensure the designated operator’s or other person’s compliance with the provision to which the violation relates. Representation 108 (1) The Minister of Industry must decide, on a balance of probabilities, after considering any representations made under paragraph 107 (2)(a), whether the designated operator or other person committed the violation and, if that Minister so decides, that Minister may, subject to the regulations made under paragraph 135 (1)(h), impose the penalty set out in the notice, a lesser penalty or no penalty. Decision (2) The Minister of Industry must render a decision in writing, including reasons for it and must serve a copy of the decision on the designated operator or other person. Responsibility to pay penalty (3) If the Minister of Industry determines that the designated operator or other person committed the violation, the designated operator or other person is liable to the penalty as set out in the decision. Effect of payment (4) If the designated operator or other person pays the penalty set out in the decision, the Minister of Industry must accept the amount as complete satisfaction of the penalty in respect of the violation and the proceedings commenced in respect of the violation are ended. 
Violation not committed — effect (5) If the Minister of Industry determines that the designated operator or other person did not commit the violation, the proceedings commenced in respect of it are ended. Compliance Agreements Entering into compliance agreements 109 (1) If the person designated under section 104 offers to enter into a compliance agreement with the designated operator or other person, the agreement is subject to any terms that the person so designated considers appropriate, including the reduction, in whole or in part, of the penalty for the violation. Representations (2) If a compliance agreement is entered into, the designated operator or other person cannot make any representations under paragraph 107 (2)(a). Deeming (3) A designated operator or other person that enters into a compliance agreement with the person designated under section 104 is deemed to have committed the violation in respect of which the compliance agreement was entered into. Notice of compliance (4) If the person designated under section 104 is of the opinion that a designated operator or other person that has entered into a compliance agreement has complied with it, the person so designated must serve a notice to that effect on the designated operator or other person and, on the service of the notice, the proceedings commenced in respect of the violation are ended. 
Notice of default (5) If the person designated under section 104 is of the opinion that a designated operator or other person that has entered into a compliance agreement has not complied with it, the person so designated must cause the designated operator or other person to be served with a notice of default informing them that (a) they are liable to pay, within the time and in the manner set out in the notice of default, the penalty set out in the notice of violation in respect of which the compliance agreement was entered into, less any amount they paid under the compliance agreement; and (b) the Minister of Industry may make public the designated operator’s or other person’s name, the nature of the violation, the scope of the non-compliance with the compliance agreement and the penalty payable. Effect of payment (6) If a designated operator or other person pays the amount set out in the notice of default within the time and in the manner specified in that notice, the Minister of Industry must accept the amount as complete satisfaction of the amount owing in respect of the violation and the proceedings commenced in respect of the violation are ended. Bank of Canada General Provisions Notice of violation — Bank 110 (1) If the Bank has reasonable grounds to believe that a designated operator or other person has committed a violation, the Bank may issue a notice of violation to the designated operator or other person. If a notice of violation is issued, the Bank must cause it to be served on the designated operator or other person. 
Contents of notice of violation (2) The notice of violation must name the designated operator or other person, identify the alleged violation and set out (a) the penalty for the violation that the designated operator or other person is liable to pay; (b) the right of the designated operator or other person, within 30 days after the notice is served or within any longer period that the Bank specifies, to pay the penalty or to make representations to the Governor with respect to the violation or the proposed penalty, or both, and the manner for doing so; and (c) the fact that, if the designated operator or other person does not pay the penalty or make representations in accordance with the notice, the designated operator or other person will be deemed to have committed the violation and be liable to the penalty set out in the notice. Correction or cancellation of notice of violation (3) At any time before the designated operator or other person makes representations in respect of a notice of violation to the Governor or enters into a compliance agreement with the Bank, the Bank may cancel the notice of violation or correct an error in it. Penalty 111 The penalty for a violation is to be determined by taking into account (a) the designated operator’s or other person’s history of compliance or non-compliance with the provisions of this Act or of the regulations; (b) the nature and scope of the violation; (c) whether the designated operator or other person made reasonable efforts to mitigate or reverse the effects of the violation; (d) whether the designated operator or other person derived any competitive or economic benefit from the violation; (e) any other factor prescribed by the regulations; and (f) any other factors that the Bank considers relevant. 
Payment 112 (1) If the designated operator or other person named in the notice of violation pays the penalty set out in the notice, they are deemed to have committed the violation and the proceedings commenced in respect of the violation are ended. Alternatives (2) Instead of paying the penalty set out in the notice, the designated operator or other person named in the notice may, in accordance with the notice, (a) make representations to the Governor in respect of the alleged violation or of the penalty; or (b) if the Bank offers a compliance agreement, enter into the compliance agreement with the Bank to ensure the designated operator’s or other person’s compliance with the provision to which the violation relates. Representation to Governor 113 (1) The Governor must decide, on a balance of probabilities, after considering any representations made under paragraph 112 (2)(a), whether the designated operator or other person committed the violation and, if the Governor so decides, the Governor may, subject to the regulations made under paragraph 135 (1)(h), impose the penalty set out in the notice, a lesser penalty or no penalty. Decision (2) The Governor must render a decision in writing, including reasons for it and the Bank must serve a copy of the decision on the designated operator or other person. Responsibility to pay penalty (3) If the Governor decides that the designated operator or other person committed the violation, the designated operator or other person is liable to the penalty as set out in the decision. Effect of payment (4) If the designated operator or other person pays the penalty set out in the decision, the Bank must accept the amount as complete satisfaction of the penalty in respect of the violation and the proceedings commenced in respect of the violation are ended. 
Violation not committed — effect (5) If the Governor decides that the designated operator or other person did not commit the violation, the proceedings commenced in respect of it are ended. Compliance Agreements Entering into compliance agreements 114 (1) If the Bank offers to enter into a compliance agreement with the designated operator or other person, the agreement is subject to any terms that the Bank considers appropriate, including the reduction, in whole or in part, of the penalty for the violation. Representations (2) If a compliance agreement is entered into, the designated operator or other person cannot make any representations under paragraph 112 (2)(a). Deeming (3) A designated operator or other person that enters into a compliance agreement with the Bank is deemed to have committed the violation in respect of which the compliance agreement was entered into. Notice of compliance (4) If the Bank is of the opinion that a designated operator or other person that has entered into a compliance agreement has complied with it, the Bank must serve a notice to that effect on the designated operator or other person and, on the service of the notice, the proceedings commenced in respect of the violation are ended. Notice of default (5) If the Bank is of the opinion that a designated operator or other person that has entered into a compliance agreement has not complied with it, the Bank must cause the designated operator or other person to be served with a notice of default informing them that (a) they are liable to pay, within the time and in the manner set out in the notice of default, the penalty set out in the notice of violation in respect of which the compliance agreement was entered into, less any amount they paid under the compliance agreement; and (b) the Bank may make public the designated operator’s or other person’s name, the nature of the violation, the scope of the non-compliance with the compliance agreement and the penalty payable. 
Effect of payment (6) If a designated operator or other person pays the amount set out in the notice of default within the time and in the manner specified in that notice, the Bank must accept the amount as complete satisfaction of the amount owing in respect of the violation and the proceedings commenced in respect of the violation are ended. Canadian Nuclear Safety Commission General Provisions Designation 115 The Canadian Nuclear Safety Commission may designate persons or classes of persons who are authorized to issue notices of violation and to enter into a compliance agreement with a designated operator. Notice of violation — designated person 116 (1) If a person designated under section 115 has reasonable grounds to believe that a designated operator or other person has committed a violation, the person so designated may issue a notice of violation to the designated operator or other person. If a notice of violation is issued, the person so designated must cause it to be served on the designated operator or other person. Contents of notice of violation (2) The notice of violation must name the designated operator or other person that is alleged to have committed the violation, identify the alleged violation and set out (a) the penalty for the violation that the designated operator or other person is liable to pay; (b) the right of the designated operator or other person, within 30 days after the notice is served or within any longer period that the person designated under section 115 specifies, to pay the penalty or to make representations to the Canadian Nuclear Safety Commission with respect to the violation or the proposed penalty, or both, and the manner for doing so; and (c) the fact that, if the designated operator or other person does not pay the penalty or make representations in accordance with the notice, the designated operator or other person will be deemed to have committed the violation and be liable to the penalty set out in the notice. 
Correction or cancellation of notice of violation (3) At any time before the designated operator or other person makes representations in respect of a notice of violation to the Canadian Nuclear Safety Commission or enters into a compliance agreement with the person designated under section 115, the person so designated may cancel the notice of violation or correct an error in it. Penalty 117 The penalty for a violation is to be determined by taking into account (a) the designated operator’s or other person’s history of compliance or non-compliance with the provisions of this Act or of the regulations; (b) the nature and scope of the violation; (c) whether the designated operator or other person made reasonable efforts to mitigate or reverse the effects of the violation; (d) whether the designated operator or other person derived any competitive or economic benefit from the violation; (e) any other factor prescribed by the regulations; and (f) any other factors that the person designated under section 115 who issued the notice of violation considers relevant. Payment 118 (1) If the designated operator or other person named in the notice of violation pays the penalty set out in the notice, they are deemed to have committed the violation and the proceedings commenced in respect of the violation are ended. Alternatives (2) Instead of paying the penalty set out in the notice, the designated operator or other person named in the notice may, in accordance with the notice, (a) make representations to the Canadian Nuclear Safety Commission in respect of the alleged violation or of the penalty; or (b) if the person designated under section 115 offers a compliance agreement, enter into the compliance agreement with the person so designated to ensure the designated operator’s or other person’s compliance with the provision to which the violation relates.
Representation 119 (1) The Canadian Nuclear Safety Commission must decide, on a balance of probabilities, after considering any representations made under paragraph 118 (2)(a), whether the designated operator or other person committed the violation and, if it so decides, it may, subject to the regulations made under paragraph 135 (1)(h), impose the penalty set out in the notice, a lesser penalty or no penalty. Decision (2) The Canadian Nuclear Safety Commission must render a decision in writing, including reasons for it and must serve a copy of the decision on the designated operator or other person. Responsibility to pay penalty (3) If the Canadian Nuclear Safety Commission decides that the designated operator or other person committed the violation, the designated operator or other person is liable to the penalty as set out in the decision. Effect of payment (4) If the designated operator or other person pays the penalty set out in the decision, the Canadian Nuclear Safety Commission must accept the amount as complete satisfaction of the penalty in respect of the violation and the proceedings commenced in respect of the violation are ended. Violation not committed — effect (5) If the Canadian Nuclear Safety Commission decides that the designated operator or other person did not commit the violation, the proceedings commenced in respect of it are ended. Compliance Agreements Entering into compliance agreements 120 (1) If the person designated under section 115 offers to enter into a compliance agreement with the designated operator or other person, the agreement is subject to any terms that the person so designated considers appropriate, including the reduction, in whole or in part, of the penalty for the violation. Representations (2) If a compliance agreement is entered into, the designated operator or other person cannot make any representations under paragraph 118 (2)(a). 
Deeming (3) A designated operator or other person that enters into a compliance agreement with the person designated under section 115 is deemed to have committed the violation in respect of which the compliance agreement was entered into. Notice of compliance (4) If the person designated under section 115 is of the opinion that a designated operator or other person that has entered into a compliance agreement has complied with it, the person so designated must serve a notice to that effect on the designated operator or other person and, on the service of the notice, the proceedings commenced in respect of the violation are ended. Notice of default (5) If the person designated under section 115 is of the opinion that a designated operator or other person that has entered into a compliance agreement has not complied with it, the person so designated must cause the designated operator or other person to be served with a notice of default informing them that (a) they are liable to pay, within the time and in the manner set out in the notice of default, the penalty set out in the notice of violation in respect of which the compliance agreement was entered into, less any amount they paid under the compliance agreement; and (b) the Canadian Nuclear Safety Commission may make public the designated operator’s or other person’s name, the nature of the violation, the scope of the non-compliance with the compliance agreement and the penalty payable. Effect of payment (6) If a designated operator or other person pays the amount set out in the notice of default within the time and in the manner specified in that notice, the Canadian Nuclear Safety Commission must accept the amount as complete satisfaction of the amount owing in respect of the violation and the proceedings commenced in respect of the violation are ended. 
Canadian Energy Regulator General Provisions Designation 121 The Chief Executive Officer may designate persons or classes of persons who are authorized to issue notices of violation and to enter into a compliance agreement with a designated operator. Notice of violation — designated person 122 (1) If a person designated under section 121 has reasonable grounds to believe that a designated operator or other person has committed a violation, the person so designated may issue a notice of violation to the designated operator or other person. If a notice of violation is issued, the person so designated must cause it to be served on the designated operator or other person. Contents of notice of violation (2) The notice of violation must name the designated operator or other person that is alleged to have committed the violation, identify the alleged violation and set out (a) the penalty for the violation that the designated operator or other person is liable to pay; (b) the right of the designated operator or other person, within 30 days after the notice is served or within any longer period that the person designated under section 121 specifies, to pay the penalty or to make representations to the Commission with respect to the violation or the proposed penalty, or both, and the manner for doing so; and (c) the fact that, if the designated operator or other person does not pay the penalty or make representations in accordance with the notice, the designated operator or other person will be deemed to have committed the violation and be liable to the penalty set out in the notice. Correction or cancellation of notice of violation (3) At any time before the designated operator or other person makes representations in respect of a notice of violation to the Commission or enters into a compliance agreement with the person designated under section 121, the person so designated may cancel the notice of violation or correct an error in it.
Penalty 123 The penalty for a violation is to be determined by taking into account (a) the designated operator’s or other person’s history of compliance or non-compliance with the provisions of this Act or of the regulations; (b) the nature and scope of the violation; (c) whether the designated operator or other person made reasonable efforts to mitigate or reverse the effects of the violation; (d) whether the designated operator or other person derived any competitive or economic benefit from the violation; (e) any other factor prescribed by the regulations; and (f) any other factors that the person designated under section 121 who issued the notice of violation considers relevant. Payment 124 (1) If the designated operator or other person named in the notice of violation pays the penalty set out in the notice, they are deemed to have committed the violation and the proceedings commenced in respect of the violation are ended. Alternatives (2) Instead of paying the penalty set out in the notice, the designated operator or other person named in the notice may, in accordance with the notice, (a) make representations to the Commission in respect of the alleged violation or of the penalty; or (b) if the person designated under section 121 offers a compliance agreement, enter into the compliance agreement with the person so designated to ensure the designated operator’s or other person’s compliance with the provision to which the violation relates. Powers of Commission 125 (1) The Commission may designate persons or classes of persons to consider the representations made under paragraph 124 (2)(a). 
Representation to Commission (2) The Commission or the person designated under subsection (1) must decide, on a balance of probabilities, after considering any representations made under paragraph 124 (2)(a), whether the designated operator or other person committed the violation and, if it so decides, it may, subject to the regulations made under paragraph 135 (1)(h), impose the penalty set out in the notice, a lesser penalty or no penalty. Decision (3) The Commission or the person designated under subsection (1) must render a decision in writing, including reasons for it and must serve a copy of the decision on the designated operator or other person. Responsibility to pay penalty (4) If the Commission or the person designated under subsection (1) decides that the designated operator or other person committed the violation, the designated operator or other person is liable to the penalty as set out in the decision. Effect of payment (5) If the designated operator or other person pays the penalty set out in the decision, the Commission or the person designated under subsection (1) must accept the amount as complete satisfaction of the penalty in respect of the violation and the proceedings commenced in respect of the violation are ended. Violation not committed — effect (6) If the Commission or the person designated under subsection (1) decides that the designated operator or other person did not commit the violation, the proceedings commenced in respect of it are ended. Federal Court (7) Despite section 28 of the Federal Courts Act, the Federal Court has exclusive original jurisdiction to hear and determine an application for judicial review of a decision made under this section by the Commission or the person designated under subsection (1).
Compliance Agreements Entering into compliance agreements 126 (1) If the person designated under section 121 offers to enter into a compliance agreement with the designated operator or other person, the agreement is subject to any terms that the person so designated considers appropriate, including the reduction, in whole or in part, of the penalty for the violation. Representations (2) If a compliance agreement is entered into, the designated operator or other person cannot make any representations under paragraph 124 (2)(a). Deeming (3) A designated operator or other person that enters into a compliance agreement with the person designated under section 121 is deemed to have committed the violation in respect of which the compliance agreement was entered into. Notice of compliance (4) If the person designated under section 121 is of the opinion that a designated operator or other person that has entered into a compliance agreement has complied with it, the person so designated must serve a notice to that effect on the designated operator or other person and, on the service of the notice, the proceedings commenced in respect of the violation are ended. 
Notice of default (5) If the person designated under section 121 is of the opinion that a designated operator or other person that has entered into a compliance agreement has not complied with it, the person designated under section 121 must cause the designated operator or other person to be served with a notice of default informing them that (a) they are liable to pay, within the time and in the manner set out in the notice of default, the penalty set out in the notice of violation in respect of which the compliance agreement was entered into, less any amount they paid under the compliance agreement; and (b) the Canadian Energy Regulator may make public the designated operator’s or other person’s name, the nature of the violation, the scope of the non-compliance with the compliance agreement and the penalty payable. Effect of payment (6) If a designated operator or other person pays the amount set out in the notice of default within the time and in the manner specified in that notice, the Canadian Energy Regulator must accept the amount as complete satisfaction of the amount owing in respect of the violation and the proceedings commenced in respect of the violation are ended. Minister of Transport General Provisions Notice of violation — Minister of Transport 127 (1) If the Minister of Transport has reasonable grounds to believe that a designated operator or other person has committed a violation, the Minister of Transport may issue a notice of violation to the designated operator or other person. If a notice of violation is issued, the Minister of Transport must cause it to be served on the designated operator or other person. 
Contents of notice of violation (2) The notice of violation must name the designated operator or other person that is alleged to have committed the violation, identify the alleged violation and set out (a) the penalty for the violation that the designated operator or other person is liable to pay; (b) the right of the designated operator or other person, within 30 days after the notice is served or within any longer period that the Minister of Transport specifies, to pay the penalty and the manner for doing so; (c) the right of the designated operator or other person, within 30 days after the notice is served or within any longer period that the Tribunal on application may allow, to file a request to review under paragraph 129 (2)(a) with respect to the violation or the proposed penalty, or both; and (d) the fact that, if the designated operator or other person does not pay the penalty or file a request to review with the Tribunal in accordance with the notice, the designated operator or other person will be deemed to have committed the violation and be liable to the penalty set out in the notice. Correction or cancellation of notice of violation (3) At any time before the designated operator or other person files a request to review with the Tribunal under paragraph 129 (2)(a) or enters into a compliance agreement with the Minister of Transport, the notice of violation may be canceled by the Minister of Transport or an error in it may be corrected. 
Penalty 128 The penalty for a violation is to be determined by taking into account (a) the designated operator’s or other person’s history of compliance or non-compliance with the provisions of this Act or of the regulations; (b) the nature and scope of the violation; (c) whether the designated operator or other person made reasonable efforts to mitigate or reverse the effects of the violation; (d) whether the designated operator or other person derived any competitive or economic benefit from the violation; (e) any other factor prescribed by the regulations; and (f) any other factors that the Minister of Transport considers relevant. Payment 129 (1) If the designated operator or other person named in the notice of violation pays the penalty set out in the notice, they are deemed to have committed the violation and the proceedings commenced in respect of the violation are ended. Alternatives (2) Instead of paying the penalty set out in the notice, the designated operator or other person named in the notice may, in accordance with the notice, (a) file a request for a review with the Tribunal in respect of the alleged violation or of the penalty; or (b) if the Minister of Transport offers a compliance agreement, enter into the compliance agreement with the Minister of Transport to ensure the designated operator’s or other person’s compliance with the provision to which the violation relates. Time and place of review 130 (1) On receipt of the request referred to in paragraph 129 (2)(a), the Tribunal must appoint a time and place for the review and notify the Minister of Transport and the designated operator or other person who filed the request of the time and place in writing. 
Review procedure (2) The member of the Tribunal who is assigned to conduct the review must provide the Minister of Transport and the designated operator or other person that filed the request with an opportunity that is consistent with procedural fairness and natural justice to present evidence and make representations. Burden of proof (3) The Minister of Transport has the burden of establishing on a balance of probabilities that the designated operator or other person committed a violation. Designated operator or other person not compelled to testify (4) A designated operator or other person that is alleged to have committed a violation is not required to give any evidence or testimony in the matter. Disclosure of confidential information (5) For the purpose of a review requested under paragraph 129 (2)(a), the Minister of Transport or the designated operator or other person may disclose confidential information to the Tribunal. Determination by Tribunal member 131 In making a determination at the conclusion of a review, the member of the Tribunal who conducts the review must, without delay, inform the Minister of Transport and the designated operator or other person (a) that the designated operator or other person has not committed a violation, in which case no further proceedings under this Act are to be taken against the designated operator or other person in respect of the alleged violation; or (b) that the designated operator or other person has committed a violation, in which case the member must also inform the Minister of Transport and the designated operator or other person of the amount determined by the member, subject to section 128 and the regulations made under paragraph 135 (1)(h), to be payable to the Tribunal by or on behalf of the designated operator or other person and the period within which it must be paid. 
Right of appeal 132 (1) Within 30 days after a determination is made under section 131, the Minister of Transport or designated operator or other person affected by the determination may appeal the determination to the Tribunal.
Loss of right of appeal (2) A party who does not appear at a review hearing is not entitled to appeal the determination, unless the party establishes that there was sufficient reason to justify their absence.
Disposition of appeal (3) The appeal panel of the Tribunal that is assigned to hear an appeal may dismiss it or allow it and, in allowing the appeal, may substitute its decision for the determination.
Finding of violation (4) If the appeal panel finds that a designated operator or other person has committed a violation, the panel must immediately inform the designated operator or other person, as the case may be, and the Minister of Transport of the finding and, subject to any regulations made under paragraph 135(1)(h), of the amount determined by the panel to be payable to the Tribunal by or on behalf of the designated operator or other person, as the case may be, in respect of the violation and the time within which it must be paid.
Finding of no violation (5) If the appeal panel finds that a designated operator or other person has not committed a violation, the panel must immediately inform the designated operator or other person, as the case may be, and the Minister of Transport of the finding.
Certificate 133 The Minister of Transport may obtain from the Tribunal or the member, as the case may be, a certificate in the form established by the Governor in Council setting out the penalty required to be paid by the designated operator or other person that fails, within the time required, (a) to pay the penalty set out in the notice of violation or to file a request for a review under paragraph 129(2)(a); or (b) to pay the amount determined under paragraph 131(b).
Compliance Agreements
Entering into compliance agreements 134 (1) If the Minister of Transport offers to enter into a compliance agreement with the designated operator or other person, the agreement is subject to any terms that the Minister of Transport considers appropriate, including the reduction, in whole or in part, of the penalty for the violation.
Filing request (2) If a compliance agreement is entered into, the designated operator or other person cannot file a request for a review under paragraph 129(2)(a).
Deeming (3) A designated operator or other person that enters into a compliance agreement with the Minister of Transport is deemed to have committed the violation in respect of which the compliance agreement was entered into.
Notice of compliance (4) If the Minister of Transport is of the opinion that a designated operator or other person that has entered into a compliance agreement has complied with it, the Minister of Transport must serve a notice to that effect on the designated operator or other person and, on the service of the notice, the proceedings commenced in respect of the violation are ended.
Notice of default (5) If the Minister of Transport is of the opinion that a designated operator or other person that has entered into a compliance agreement has not complied with it, the Minister of Transport must cause the designated operator to be served with a notice of default informing them that (a) they are liable to pay, within the time and in the manner set out in the notice of default, the penalty set out in the notice of violation in respect of which the compliance agreement was entered into, less any amount they paid under the compliance agreement; and (b) the Minister of Transport may make public the designated operator’s or other person’s name, the nature of the violation, the scope of the non-compliance with the compliance agreement and the penalty payable.
Effect of payment (6) If a designated operator or other person pays the penalty set out in the notice of default within the time and in the manner set out in that notice, the Minister of Transport must accept the amount as complete satisfaction of the penalty owing in respect of the violation and the proceedings commenced in respect of the violation are ended.
Regulations
Regulations 135 (1) The Governor in Council may make regulations for carrying out the purposes and provisions of this Act, including regulations (a) respecting cyber security programs; (b) respecting any condition and criteria respecting internal audits; (c) respecting the form, manner and period for reporting any cyber security incidents referred to in section 17 and the types of incidents that must be reported; (d) respecting the period within which a notification referred to under subsection 14(1) is to be provided; (e) respecting the management of records referred to in section 30, including the collection, use, retention, disclosure and disposal of those records; (f) designating any provision of this Act or of the regulations made under this Act for the purposes of section 90; (g) classifying each violation as a minor violation, a serious violation or a very serious violation; (h) fixing the maximum penalty in respect of each violation; (i) defining, for the purposes of this Act, any word or expression that is used in this Act but is not defined; and (j) prescribing anything that is to be prescribed under this Act.
Consistency with regulatory and standards regimes (2) In making regulations under subsection (1), the Governor in Council must, to the extent possible, ensure consistency with existing regulatory and standards regimes, such as those established by provincial regulatory agencies or recognized industry standards development organizations.
Other regulatory or standards regimes (3) In making regulations under subsection (1), the Governor in Council may provide that compliance with a requirement under a regulatory or standards regime referred to in subsection (2) is deemed to be compliance with any corresponding requirement under this Act.
Offences
Summary offences 136 (1) Every person who contravenes section 10, subsection 13(1) or 14(1), section 17 or 18, subsection 30(1) or (2) or 32(4), section 35, subsection 37(1) or 41(4), section 44, subsection 46(1) or 50(4), section 53, subsection 55(1) or 59(4), section 62, subsection 64(1) or 68(4), section 71, subsection 74(1) or 78(4), section 81 or subsection 83(1) is guilty of an offence punishable on summary conviction.
Offence and punishment — section 29 (2) Every person, partnership or unincorporated organization that contravenes section 29 is guilty of an offence punishable on summary conviction.
Offence and punishment 137 Every person who contravenes subsection 9(1), section 12 or 15, subsection 20(4), section 24, subsection 25(2), section 26 or 86 or paragraph 87(a) or (b) is guilty of an offence and liable (a) on summary conviction (i) in the case of an individual, to a fine in an amount that is in the discretion of the court or to imprisonment for a term of not more than two years less a day, or to both, and (ii) in the case of a corporation, to a fine in an amount that is in the discretion of the court; or (b) on conviction on indictment (i) in the case of an individual, to a fine in an amount that is in the discretion of the court or to imprisonment for a term of not more than five years, or to both, and (ii) in the case of a corporation, to a fine in an amount that is in the discretion of the court.
Liability of directors or officers 138 If a designated operator commits an offence under this Act, any director or officer of the designated operator that directed, authorized, assented to, acquiesced in or participated in the commission of the offence is a party to the offence and is liable on conviction to the punishment provided for by this Act, even if the designated operator is not prosecuted for or convicted of the offence.
Continuing offence 139 If an offence under section 136 or 137 is committed or continued on more than one day, it constitutes a separate offence for each day on which the offence is committed or continued.
Limitation period or prescription 140 A prosecution must not be commenced in respect of an offence under this Act later than three years after the day on which the subject matter of the prosecution arose.
Due diligence defence 141 A person, partnership or unincorporated organization is not to be found guilty of an offence under this Act — other than an offence under section 137 that is in respect of a contravention of section 26 or paragraph 87(a) or (b) — if they establish that they exercised all due diligence to prevent the commission of the offence.
Offence by employee or agent or mandatary 142 In a prosecution under this Act, it is sufficient proof of an offence to establish that it was committed by an employee or agent or mandatary of the accused whether or not the employee or agent or mandatary is identified or has been prosecuted for the offence.
Proof of documents 143 In any action or proceeding under this Act, any document purporting to be certified by a regulator as a true copy of a document made, given or issued under this Act is, without proof of the signature or of the official character of the person appearing to have signed the document, (a) evidence of the original document of which it purports to be a copy; (b) evidence of the fact that the original document was made, given or issued by or by the authority of or deposited with the person named in it and was made, given or issued at the time stated in the certified copy, if a time is stated in it; and (c) evidence of the fact that the original document was signed, certified, attested or executed by the persons and in the manner shown in the certified copy.
Document entries as proof 144 In any action or proceeding under this Act, an entry in any record required under this Act to be kept is, in the absence of evidence to the contrary, proof of the matters stated in it as against the person who made the entry or the designated operator that was required to keep the record.
Judicial review — rules 145 (1) The following rules apply to judicial review proceedings in respect of the issuance of a cyber security direction under section 20: (a) if the judge determines that evidence or other information provided by the Minister is not relevant or if the Minister withdraws the evidence or other information, the decision of the judge must not be based on that evidence or other information and the judge must return it to the Minister; and (b) the judge must ensure the confidentiality of all evidence and other information that the Minister withdraws.
Definition of judge (2) In this section, judge means the Chief Justice of the Federal Court or a judge of that Court designated by the Chief Justice.
Protection of information on appeal 146 Section 145 applies to any appeal of a decision made by the judge in relation to the judicial review proceedings referred to in that section and to any further appeal, with any necessary modifications.
General
Report to Parliament 147 (1) The Minister must, within three months after the end of each fiscal year, prepare a report on the administration of this Act for that fiscal year and cause a copy of the report to be laid before each House of Parliament on any of the first 15 sitting days of that House after the report is completed.
Contents (2) The report must include, for the fiscal year covered by the report, the following information in relation to orders made under subsection 20(1): (a) the number of orders made under subsection 20(1) and the nature of the directions set out in those orders; (b) the number of directions revoked under subsection 20(2); (c) the number of designated operators that were subject to a direction; (d) description of compliance of designated operators that partially complied with a direction; (e) description of compliance of designated operators that fully complied with a direction; and (f) an explanation of the necessity, proportionality, reasonableness and utility of the directions.
Contents (3) The report must contain information on, among other things, (a) the number of directions issued under subsection 20(1) in the immediately preceding fiscal year; (b) the number of designated operators that were issued directions under subsection 20(1) in the immediately preceding fiscal year; and (c) any other information relating to the immediately preceding fiscal year that the Minister considers relevant, if that information is not likely to be about an identifiable designated operator or other person.
Solicitor-client privilege or professional secrecy 148 Nothing in this Act may be construed as affecting solicitor-client privilege or, in Quebec, the professional secrecy of advocates and notaries.
Consequential Amendments
R.S., c. 18 (3rd Supp.), Part I Office of the Superintendent of Financial Institutions Act
2011, c. 15, s. 25 12 Subsection 23(1) of the Office of the Superintendent of Financial Institutions Act is replaced by the following:
Superintendent to ascertain expenses 23 (1) The Superintendent shall, before December 31 in each year, ascertain the total amount of expenses incurred during the immediately preceding fiscal year for or in connection with the administration of the Bank Act, the Cooperative Credit Associations Act, the Critical Cyber Systems Protection Act, the Green Shield Canada Act, the Insurance Companies Act, the Protection of Residential Mortgage or Hypothecary Insurance Act and the Trust and Loan Companies Act.
13 The schedule to the Act is amended by adding the following in alphabetical order: Critical Cyber Systems Protection Act Loi sur la protection des cybersystèmes essentiels
1997, c. 9 Nuclear Safety and Control Act
2013, c. 33, s. 173 14 Subsections 21(2) and (3) of the Nuclear Safety and Control Act are replaced by the following:
Fees recoverable under any other Act of Parliament (1.1) The Commission may charge any fees that may be prescribed for any information, product or service that it provides under any other Act of Parliament.
Refund of fees (2) The Commission may, under the prescribed circumstances, refund all or part of any fee referred to in paragraph (1)(g) or subsection (1.1).
Expenditure of revenue from fees (3) The Commission may spend for its purposes the revenue from the fees it charges in the fiscal year in which the revenues are received or in the next fiscal year.
2001, c. 29 Transportation Appeal Tribunal of Canada Act
2019, c. 29, s. 290 15 Subsection 2(3) of the Transportation Appeal Tribunal of Canada Act is replaced by the following:
Jurisdiction in respect of other Acts (3) The Tribunal also has jurisdiction in respect of reviews and appeals in connection with administrative monetary penalties provided for under sections 177 to 181 of the Canada Transportation Act, sections 127 to 133 of the Critical Cyber Systems Protection Act, sections 43 to 55 of the International Bridges and Tunnels Act, sections 129.01 to 129.19 of the Canada Marine Act, sections 16.1 to 16.25 of the Motor Vehicle Safety Act, sections 39.1 to 39.26 of the Canadian Navigable Waters Act and sections 130.01 to 130.19 of the Marine Liability Act.
Coming into Force
Order in council 16 The provisions of this Part come into force on a day or days to be fixed by order of the Governor in Council.
PART 3 Five-year Review
Review of Act 17 (1) Within five years after the day on which this Act receives royal assent, the Minister must complete a review of the provisions enacted or amended by this Act.
Report (2) Within 90 days after the conclusion of the review, the Minister must complete a report on the review that sets out the Minister’s findings on the effectiveness of the measures provided by this Act respecting offences that are more easily committed using cyber technology, among other matters, and the Minister’s recommendations, including any changes to any Act, such as the Criminal Code.
Tabling of report (3) The Minister must cause the report to be tabled before each House of Parliament on any of the first 15 days on which that House is sitting after the report is completed.
Version History
March 26, 2026 at 11:03 PM
Doc ID: 13995712
March 12, 2026 at 07:03 AM
Doc ID: 13961698
June 19, 2025 at 06:28 AM
Doc ID: 13569583
Votes on this bill
No recorded votes
There are no vote records for this bill yet.
First reading
Jun 18, 2025
Second reading
Oct 3, 2025
Standing Committee on Public Safety and National Security
(SECU)
Consideration in committee
Mar 11, 2026
Standing Committee on Public Safety and National Security
(SECU)
Report stage
Mar 26, 2026
Third reading
Mar 26, 2026
First reading
Mar 26, 2026
Second reading
Apr 23, 2026
Standing Senate Committee on National Security, Defence and Veterans Affairs
(SECD)
Consideration in committee
Standing Senate Committee on National Security, Defence and Veterans Affairs
(SECD)
Report stage
Third reading
Latest statements by members (274)