Comparing Canada's proposed Critical Cyber Systems Protection Act with cybersecurity legal requirements in the EU.

Abstract

This article examines the Canadian federal government's proposed Critical Cyber Systems Protection Act (CCSPA), compares it with existing and proposed cybersecurity legal requirements in the European Union (EU), and sets out recommendations to address shortcomings of the proposed Canadian legislation. One of the cornerstone components of Bill C‑26, the CCSPA seeks to regulate critical cyber systems in federally regulated private sectors. It represents asignificant overhaul of Canadian cybersecurity regulation. However, the current proposed legislation exhibits many flaws, including acommitment to, and entrenchment of, apatchwork approach to regulation that focuses on formal registration; alack of oversight of its confidentiality provisions; aweak penalty scheme that focuses solely on compliance, not deterrence; and diluted conduct, reporting, and mitigation obligations. To repair these flaws, this article reviews the provisions of the proposed law and compares them with the EU's Directive Concerning Measures for aHigh Common Level of Security of Network and Information Systems Across the Union, the first EU-wide cybersecurity legislation, as well as its proposed successor, the NIS2 Directive. Where relevant, various other cybersecurity regulations in peer states are discussed. Specific recommendations are put forward.