Every Canadian security professional, auditor, lawyer, insurer, and investor needs to understand what this law does — and what to do before September 21.
Written by a cybersecurity professional working in GRC, purple team operations, and security research. This page is not legal advice. If you believe your organization may be affected by Bill C-22, seek qualified legal counsel.
The Lawful Access Act, 2026 compels designated "core providers" — telecoms, internet providers, and potentially any platform with a communications component — to build government access capabilities into their systems, retain Canadians' metadata for up to six months, and assist with testing of that access infrastructure. In plain language: it creates a framework compelling providers to build government access capabilities — while prohibiting requirements that introduce a systemic vulnerability. Whether those two obligations can coexist is the central technical problem.
The government passed this bill in a midnight committee session, with MPs barred from introducing new amendments and voting on changes without debate or public disclosure of their contents. It then passed the full House with no recorded vote, bundled into a single motion with other bills as Parliament rose for the summer.
Prof. Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, called it "a genuine abrogation of democratic norms."
Signal, Windscribe, NordVPN, Apple, and Meta have all raised public concerns. The Privacy Commissioner, the Canadian Chamber of Commerce, and civil liberties groups called for changes. The government's response was to shut down debate. The Senate is now the only check remaining.
I used AI tools extensively while researching and developing this analysis. They helped me review drafts, challenge assumptions, identify gaps, and work through the legislation.
I also asked a Canadian lawyer to review an earlier draft. His feedback identified areas where I had gone too far into legal interpretation and where the regulatory process needed to be described more accurately. I revised the analysis in response and narrowed the focus to the cybersecurity, GRC, and assurance issues I work with professionally.
The conclusions and concerns presented here are mine. I reviewed the source material, challenged the analysis, and take responsibility for what I have published.
“Core provider” is not defined in the bill. The Schedule is blank. Section 5(1) leaves the classes of providers to Cabinet through regulation. The bill itself does not set criteria for deciding which classes belong on that list, and adding a class does not require another vote in Parliament.
That matters because the definition of “electronic service provider” is extremely broad. A company can be brought into the core-provider regime through regulation and, from that point forward, be subject to the Act’s technical, confidentiality, and enforcement requirements.
To be clear about the regulatory process: proposed federal regulations are normally pre-published in the Canada Gazette and the standard comment period is 30 days. That is a real process and a real opportunity to respond. My concern is different: Parliament is being asked to pass the framework before the legislation tells us which classes of providers it will ultimately govern, or what statutory test Cabinet must use to add them.
The bill says a provider does not have to comply where compliance would introduce a “systemic vulnerability.” The House-passed version defines that as a vulnerability creating a “credible risk, based on recognized international technical standards,” that secure information could be accessed by someone without authority.
That wording is important. The security industry has spent years warning that exceptional-access mechanisms can create broader security risk. NIST guidance, academic research, and industry practice all treat new decryption paths, concentrated key material, and reusable access mechanisms as things that have to be threat-modelled very carefully.
The definition also excludes a risk that “relates only to” people already subject to a warrant or other lawful authority. I expect the government’s answer is that a properly targeted capability only creates risk for the person named in the authority and therefore is not systemic.
Here is where I think the technical problem remains: the legal authority can be targeted to one person while the capability used to execute it is not. A second decryption path, centralized key material, or a reusable invocation mechanism can create risk outside the subjects of a particular warrant, even if every individual use is authorized.
That is the contradiction I cannot get past. The bill relies on “recognized international technical standards,” but the technical question is about the capability itself, not simply the legal scope of each invocation. Prof. Michael Geist has raised the same broader structural concern about the systemic-vulnerability exception.
Section 14 prohibits an electronic service provider, and anyone acting on its behalf, from disclosing information in an order, the information the Minister relied on, or even the fact that the provider is or was subject to the order, except where the Act or the Canada Evidence Act permits disclosure.
The phrase “acting on its behalf” is not defined in the Act. For people who work around these environments, that raises an immediate operational question: which employees, contractors, service providers, or other third parties fall inside that phrase, and how are they supposed to know when they do?
The duration also deserves attention. A section 7 order is capped at two years. I do not see an equivalent sunset in section 14. The confidentiality obligation is written separately from the duration of the order.
My concern is not simply that an order can be secret. It is that the confidentiality obligation can intersect with a provider’s wider engagement chain, while the boundaries of “acting on its behalf” are left undefined.
This is the part of the bill that worries me most from a GRC and assurance perspective.
Assume I am engaged to assess a provider that is subject to a section 7 order. Section 14 restricts disclosure of the order and even the fact that the provider is or was subject to it. Section 15 does provide a way for the provider to ask the Minister for authorization to disclose.
There is an important distinction in section 15. If the information is relevant to a regulatory authority, the Minister must authorize disclosure to that authority, subject to reasonable terms. I do not read a private ISO auditor, SOC 2 assessor, pentester, MSSP, insurer, or due-diligence reviewer as obviously falling within that definition.
For a private assurance engagement, the provider appears to depend on the discretionary section 15(1) process. I cannot find a mandatory disclosure pathway for private assessors, an explicit assurance safe harbour, or a statutory deadline for the Minister to answer the request.
So what is the assessor supposed to do? If the provider cannot disclose by default, and authorization to disclose to a private assessor is discretionary, how does that assessor know whether the evidence in front of them is complete? How does an auditor scope the control environment? How does a pentester assess an access path they are not permitted to know exists?
This is not a theoretical concern for me. We sign reports, make representations about scope, and carry professional liability for the conclusions we reach. The bill creates a mandatory disclosure path for regulatory authorities. I think Parliament should explain why private assurance work is left to Ministerial discretion.
Section 13 requires providers to give reasonable assistance for the assessment or testing of access mechanisms. The people who may receive that assistance include CSIS employees, RCMP personnel, civilian employees of other police forces, and peace officers.
The request must state the purpose of the testing and any limits or conditions the Minister considers appropriate. What I do not see in section 13 is a statutory security-clearance floor or a technical qualification standard for the people carrying out that work. Section 18 allows future regulations to address security-clearance and location requirements for certain employees and engaged persons, but those details are not in the bill today.
My concern is narrower than that: the bill identifies broad classes of people who may participate in testing, while personnel-security requirements are left to regulation.
For access mechanisms this sensitive, I would rather see a clear statutory baseline than wait for the regulations to tell us who needs what level of clearance.
Research disclosures touching mandated access infrastructure carry no safe harbour. Get legal advice before any disclosure in this space.
Review engagement letter templates now. Add scope warranties — and understand that a provider under an order may be legally unable to sign them.
Outside counsel for a core provider may be captured under the gag. Part 2 does not contain a general solicitor-client privilege carve-out. The interaction with Law Society duties around candour and professional obligations to third parties remains unaddressed.
You cannot accurately underwrite cyber liability for a provider whose scope and gag status are undefined and can change without parliamentary vote.
Material obligations that can expand by Cabinet regulation — and that a target company may be legally unable to disclose — represent unquantifiable due diligence risk.
Upstream and downstream relationships with a designated provider may draw your organization into the gag and liability framework by operation of law.
The Standing Senate Committee on National Security, Defence and Veterans Affairs (SECD) will study Bill C-22 when Parliament resumes. Anyone can submit a written brief — technical professional perspectives are exactly what the committee needs.
Senate Committee on National Security, Defence and Veterans Affairs →Every Canadian has a Senator. Unlike MPs, Senators are not subject to party discipline in the same way and are more likely to engage with technical expert input. Use the tool below to draft and send a message.
Find your Senator's contact information →The government passed this bill without a recorded vote, in the middle of the night. The Senate is the democratic check the House bypassed. Share this page with your network — the security community, the legal community, and the business community all have a stake in this.
Use this tool to draft a message you can copy and send directly to your Senator. Choose a template below or write your own. Be specific about your professional background — it carries weight.