⚠   BILL C-22 PASSED THE HOUSE  —  SENATE STUDY BEGINS SEPTEMBER 21, 2026  —  TAKE ACTION NOW →
Canadian Cybersecurity Alert

Bill C-22 Passed. The Senate is the Last Stop.

Every Canadian security professional, auditor, lawyer, insurer, and investor needs to understand what this law does — and what to do before September 21.

Time remaining until Senate study begins
--Days
:
--Hours
:
--Minutes
:
--Seconds

Written by a cybersecurity professional working in GRC, purple team operations, and security research. This page is not legal advice. If you believe your organization may be affected by Bill C-22, seek qualified legal counsel.

Background

What is Bill C-22 and How Did It Pass?

The Lawful Access Act, 2026 compels designated "core providers" — telecoms, internet providers, and potentially any platform with a communications component — to build government access capabilities into their systems, retain Canadians' metadata for up to six months, and assist with testing of that access infrastructure. In plain language: it mandates backdoors.

The government passed this bill in a midnight committee session, with MPs barred from introducing new amendments and voting on changes without debate or public disclosure of their contents. It then passed the full House with no recorded vote, bundled into a single motion with other bills as Parliament rose for the summer.

Prof. Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, called it "a genuine abrogation of democratic norms."

Signal, Windscribe, NordVPN, Apple, and Meta have all raised public concerns. The Privacy Commissioner, the Canadian Chamber of Commerce, and civil liberties groups called for changes. The government's response was to shut down debate. The Senate is now the only check remaining.

Technical & Legal Analysis

Five Problems Security Professionals Need to Understand

Problem 01 / Scope
Nobody Knows Who It Applies To

"Core provider" is not defined in the bill. The Schedule is blank. Section 5(1) hands that definition entirely to Cabinet — by regulation, with no parliamentary vote and no criteria defined in the legislation. The bill defines "electronic service provider" broadly as any person who provides an electronic service to the public.

A provider could discover overnight that it is now a core provider, subject to all obligations, all gag provisions, and all criminal liability — with no advance notice. The scope can be expanded silently, at any time, by Cabinet alone.

On the regulatory process: federal regulations do go through Canada Gazette pre-publication with a standard 30-day comment period — that is a real safeguard. The concern is not that regulations appear without process. It is that the fundamental question of who this law applies to is determined outside Parliament entirely, with no criteria in the legislation and no requirement for parliamentary approval of changes.

Directly affects
TelecomsCloud ProvidersSaaS PlatformsVPN ProvidersMessaging AppsSatellite Providers
Problem 02 / Cryptography
The Impossible Carve-Out

The bill says providers don't have to comply if doing so would introduce a "systemic vulnerability." In the version passed, that term was amended at midnight to mean a vulnerability creating a "credible risk, based on recognized international technical standards," that secure information could be accessed by someone without authority.

This amendment actually strengthens the technical argument against the bill. "Recognized international technical standards" includes the overwhelming cryptographic consensus — from NIST, from academic research, from the security industry — that backdoors are by definition systemic vulnerabilities.

You cannot create a second decryption pathway, centralize key material, and build an invocation mechanism without creating exactly what the carve-out describes. This is not a policy opinion. It is cryptographic fact. Prof. Geist independently identified the same structural contradiction: the carve-out says you are not required to comply, but the enforcement provisions say you must.

Directly affects
All Core ProvidersEncryption VendorsSecurity Architects
Problem 03 / Disclosure
A Gag Order You May Never Know About

Once this becomes law, section 15 will prohibit a core provider — and anyone acting on their behalf — from disclosing: the contents of a Ministerial Order, the information the Minister relied upon, or the mere fact that an order exists at all.

"Anyone acting on their behalf" is not defined. It could capture employees, contractors, MSSPs, auditors, legal counsel, insurers, and business partners. There will be no requirement that these parties be notified they are bound. The provider may be legally prohibited from telling them.

On duration: Ministerial Orders were amended to a two-year cap. However, the gag provisions carry no equivalent sunset. The confidentiality obligation under section 15 is not time-limited to the order's two-year term. The gag and the order are separate instruments.

If this passes, anyone in your professional engagement chain could find themselves bound by a gag order by operation of law — with no notification and no way for the provider to tell them.

Directly affects
AuditorsLawyersConsultantsMSSPsBusiness PartnersInvestors
Problem 04 / Professional Liability
The Auditor's Trap

If this passes and you are engaged to audit a provider under a section 7 order: they cannot tell you the order exists (section 15). You cannot produce an accurate, complete report. Your SOC 2, ISO 27001, or pentest findings will be materially incomplete by law.

If the provider discloses the order before engagement begins, they face criminal liability under section 44. If they say nothing, you carry professional liability for an incomplete report. There is no pre-engagement disclosure mechanism in the bill. No safe harbour for auditors who ask directly.

Informed consent to an audit engagement will be structurally impossible for any provider under a compelled access order. Your E&O coverage, your professional certifications, your report accuracy — all compromised by a law that gives you no exit.

Directly affects
Security AuditorsGRC PractitionersPentestersISO 27001 AuditorsSOC 2 Assessors
Problem 05 / Access Control
Undefined Testers with No Clearance Floor

Section 14 will compel providers to assist with testing of access mechanisms. The authorized list includes civilian employees of police forces — with no security clearance requirement defined in the bill. Clearance requirements are deferred entirely to future regulations that do not yet exist.

"Tester" is never defined anywhere in the legislation. But section 44 makes it a criminal offence to obstruct one. You can be criminally liable for obstructing a role the law never defines, performed by someone with no mandated clearance, conducting activities with no defined scope.

Directly affects
Core ProvidersSecurity TeamsSecurity Researchers
Stakeholder Impact

Who Should Be Paying Attention Right Now

🔒
Security Professionals

Research disclosures touching mandated access infrastructure carry no safe harbour. Get legal advice before any disclosure in this space.

📋
Auditors & GRC

Review engagement letter templates now. Add scope warranties — and understand that a provider under an order may be legally unable to sign them.

⚖️
Lawyers

Outside counsel for a core provider may be captured under the gag. Solicitor-client privilege carve-outs exist (s.20.22(2)), but interaction with third-party obligations remains unaddressed.

📊
Insurers

You cannot accurately underwrite cyber liability for a provider whose scope and gag status are undefined and can change without parliamentary vote.

💼
Investors

Material obligations that can expand by Cabinet regulation — and that a target company may be legally unable to disclose — represent unquantifiable due diligence risk.

🔗
Partners & Suppliers

Upstream and downstream relationships with a designated provider may draw your organization into the gag and liability framework by operation of law.

Call to Action

What You Can Do Before September 21

01
Submit a Brief to the Senate Committee

The Standing Senate Committee on National Security, Defence and Veterans Affairs (SECD) will study Bill C-22 when Parliament resumes. Anyone can submit a written brief — technical professional perspectives are exactly what the committee needs.

Senate Committee on National Security, Defence and Veterans Affairs →
How to appear as a witness or submit a brief →
02
Contact Your Senator Directly

Every Canadian has a Senator. Unlike MPs, Senators are not subject to party discipline in the same way and are more likely to engage with technical expert input. Use the tool below to draft and send a message.

Find your Senator's contact information →
03
Share This Page

The government passed this bill without a recorded vote, in the middle of the night. The Senate is the democratic check the House bypassed. Share this page with your network — the security community, the legal community, and the business community all have a stake in this.

📬 Draft a Message to Your Senator

Use this tool to draft a message you can copy and send directly to your Senator. Choose a template below or write your own. Be specific about your professional background — it carries weight.

Message Template
0 characters
Find My Senator Paste the copied message into your Senator's contact form or email.
Further Reading

Key Resources