
Comparing Canada’s proposed Critical Cyber Systems Protection Act with cybersecurity legal requirements in the EU


Bibliographic Details
Main authors: Malone, Matt; Walton, Russell
Format: Online Article Text
Language: English
Published: Springer Fachmedien Wiesbaden 2023
Subjects:
Online access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9975875/
https://www.ncbi.nlm.nih.gov/pubmed/37153843
http://dx.doi.org/10.1365/s43439-023-00082-1
Description
Summary: This article examines the Canadian federal government’s proposed Critical Cyber Systems Protection Act (CCSPA), compares it with existing and proposed cybersecurity legal requirements in the European Union (EU), and sets out recommendations to address shortcomings of the proposed Canadian legislation. One of the cornerstone components of Bill C‑26, the CCSPA seeks to regulate critical cyber systems in federally regulated private sectors. It represents a significant overhaul of Canadian cybersecurity regulation. However, the current proposed legislation exhibits many flaws, including a commitment to, and entrenchment of, a patchwork approach to regulation that focuses on formal registration; a lack of oversight of its confidentiality provisions; a weak penalty scheme that focuses solely on compliance, not deterrence; and diluted conduct, reporting, and mitigation obligations. To repair these flaws, this article reviews the provisions of the proposed law and compares them with the EU’s Directive Concerning Measures for a High Common Level of Security of Network and Information Systems Across the Union, the first EU-wide cybersecurity legislation, as well as its proposed successor, the NIS2 Directive. Where relevant, various other cybersecurity regulations in peer states are discussed. Specific recommendations are put forward.