If you operate pipeline, energy, or industrial infrastructure in Canada, cybersecurity monitoring requirements may already apply to you — and more are coming. This page covers every province and territory so you know where you stand.
The common thread: CSA Z246.1:21 (fourth edition, 2021) — the Canadian standard for security management of petroleum and natural gas industry systems. Three of the four frameworks below reference it directly; the CCSPA requires equivalent cybersecurity programs that align with its principles.
Two regulations are already in force. Alberta and British Columbia both have active cybersecurity requirements for energy operators. This is not a future problem. If you operate in either province, compliance obligations exist today.
Federal (All Sectors) — CCSPA
| | |
|---|---|
| Legislation | Critical Cyber Systems Protection Act (CCSPA), Bill C-8 |
| Status | Passed House of Commons + Senate Second Reading — in Senate committee review (SECNV) |
| Sectors | Energy (interprovincial), finance, transportation |
| Enforcer | CER (interprovincial energy), provincial regulators (AER, BCER) for intraprovincial energy, sector-specific regulators for others |
The CCSPA will mandate cybersecurity programs for designated operators across critical infrastructure sectors. Key requirements include:
- Mandatory cybersecurity program within 90 days of designation
- 72-hour incident reporting to the Communications Security Establishment (CSE)
- Canadian data residency expected for incident reports and security program records (specific scope to be set by implementing regulations)
- Supply chain risk assessment
- Potential penalties (once enacted): up to $15M/day for organizations, $1M/day for individuals
The CCSPA passed the House of Commons on March 26, 2026 with cross-party support, passed Senate Second Reading on April 23, 2026, and is currently before the Standing Senate Committee on National Security, Defence and Veterans Affairs. It has not yet received Royal Assent. Operators should be preparing now — the requirements are substantial, and the 90-day compliance window after designation leaves no room for building a program from scratch.
Interprovincial (Any Province)
| | |
|---|---|
| Regulation | CER Onshore Pipeline Regulations, SOR/99-294 s.4(1)(e) |
| Status | In force |
| Standard | CSA Z246.1:21 compliance required |
| Enforcer | Canada Energy Regulator (CER) |
If your pipeline crosses a provincial or international boundary, it falls under federal jurisdiction regardless of which province you're in. The CER requires CSA Z246.1 compliance for all CER-regulated pipelines. The CER has conducted cybersecurity audits and has publicly reported common deficiencies including lack of continuous OT network monitoring.
Alberta
| | |
|---|---|
| Regulation | Security Management for Critical Infrastructure Regulation, Alta Reg 84/2024 |
| Status | In force since May 31, 2025 |
| Standard | CSA Z246.1:21 compliance mandatory |
| Enforcer | Alberta Energy Regulator (AER) |
| Key provision | s.3(1) — operators must have a security management program |
The AER maintains a confidential critical infrastructure list. Operators are notified if their facility is placed on it. If you operate pipelines, processing plants, or other energy infrastructure in Alberta, your facility may already be designated.
There is no small-business exemption. A junior producer with a single pipeline faces the same obligation as a major integrated operator. Non-compliance can result in AER enforcement action, including potential facility shutdown under REDA authority.
British Columbia
| | |
|---|---|
| Regulation | Security Management Regulation, BC Reg 181/2022 |
| Status | In force |
| Standard | CSA Z246.1:21 compliance mandatory + NIST CSF objectives |
| Enforcer | BC Energy Regulator (BCER) |
| Guideline | BCER Security Management Regulation Guideline |
BC's regulation is stricter than Alberta's. The BCER reads "should" in CSA Z246.1:21 as "must" — advisory language in the standard becomes a mandatory requirement in BC. This means more clauses carry a compliance obligation in BC than in Alberta for the same standard.
Additionally, cybersecurity measures per Clause 7 of the standard must also meet NIST Cybersecurity Framework (CSF) objectives or an equivalent approved standard. This dual-standard requirement makes BC the most demanding provincial jurisdiction for OT cybersecurity in Canada.
Ontario
Ontario has two enforceable cybersecurity hooks that reach municipal operators — one in drinking water, one in electricity distribution. Neither follows the CSA Z246.1 pipeline pattern; they sit on top of sector-specific licensing regimes administered by the Ministry of the Environment, Conservation and Parks (MECP) and the Ontario Energy Board (OEB).
DWQMS Element 7 — Drinking Water
| | |
|---|---|
| Regulation | Drinking Water Quality Management Standard (DWQMS), Element 7 — Risk Assessment |
| Status | In force |
| Standard / Framework | DWQMS, issued under the Safe Drinking Water Act, 2002 (SO 2002 c 32) + O. Reg. 188/07 (Licensing of Municipal Drinking Water Systems). DWQMS 3.0 was published in February 2026 via ERO 019-4855; operating authorities must transition prior to their first audit in 2028. |
| Enforcer | Ministry of the Environment, Conservation and Parks (MECP) |
| Key provision | Element 7 — operating authorities must identify, assess, and prioritize risks to the drinking-water system, including cybersecurity threats |
Every accredited operating authority for a municipal residential drinking-water system in Ontario must consider cybersecurity threats as part of its Element 7 risk assessment. DWQMS 3.0 (ERO posting 019-4855) was published as the final standard in February 2026 and further codifies the cybersecurity expectation; operating authorities must transition prior to their first DWQMS audit in 2028.
Enforcement runs through accreditation. Non-conformance is grounds for the Director to revoke an operating authority's accreditation, which in turn revokes the system's Drinking Water Works Permit. The cybersecurity obligation is not a stand-alone statute — it is woven into the same accreditation regime that already governs sampling, treatment, and operator certification.
ZoneSentry's continuous boundary monitoring, anomaly detection, and 72-hour incident reports produce evidence that aligns with the Element 7 obligation to identify, assess, and prioritize cybersecurity threats on an ongoing basis.
OEB Cyber Security Framework + 2024 Standard — Electricity Distribution
| | |
|---|---|
| Regulation | Ontario Cyber Security Framework (OCSF) v1.1 + 2024 Cyber Security Standard |
| Status | In force (licence condition) |
| Standard / Framework | NIST Cybersecurity Framework + US DoE C2M2; four Maturity Indicator Levels (MIL0–MIL3) |
| Enforcer | Ontario Energy Board (OEB), with IESO "Lighthouse" sector monitoring |
| Key provision | Licence condition under the Ontario Energy Board Act, 1998 — applies to every licensed electricity transmitter and distributor in Ontario, including municipally-owned LDCs |
The OCSF is built on NIST CSF and the US Department of Energy's C2M2 maturity model. Licensed transmitters and distributors must self-assess against the framework and progress through the maturity indicator levels. The 2024 Cyber Security Standard sits alongside the framework and tightens specific control expectations.
Because the obligation rides on the OEB licence, it reaches every Ontario electricity distributor — including municipally-owned local distribution companies. OEB enforcement applies, and IESO operates a "Lighthouse" sector monitoring function that gives the regulator visibility into utility cyber posture between formal reviews.
ZoneSentry's continuous syslog ingestion, boundary monitoring, and 72-hour incident reports map to OCSF Detect (DE.AE, DE.CM) and Respond (RS.AN, RS.CO) domains on the OT side of an LDC network.
Saskatchewan
Saskatchewan currently references CSA Z662 for pipeline integrity, which is not cybersecurity-specific. There is no provincial equivalent of Alta Reg 84/2024 yet.
However, interprovincial pipeline operators in Saskatchewan are still covered by the CER requirements above. And if the CCSPA passes, designated operators in Saskatchewan will face the same federal obligations as operators in every other province.
We monitor Saskatchewan's regulatory landscape for changes.
Manitoba, Quebec, Atlantic Provinces, Territories
No OT-specific cybersecurity regulations have been identified yet at the provincial or territorial level in these jurisdictions. Drinking-water statutes outside Ontario focus on water quality, treatment, sampling, and operator certification — not cybersecurity.
Interprovincial pipeline operators are covered by CER requirements regardless of province. When the CCSPA passes, designated operators in any jurisdiction will be subject to federal requirements.
Provincial regulators may adopt CSA Z246.1:21 requirements following Alberta and BC's lead, or follow Ontario's licence-condition model for electricity distributors and drinking-water operating authorities. We monitor for changes and will update this page promptly.
At a Glance
| Jurisdiction | Regulation | Status | Standard / Framework |
|---|---|---|---|
| Federal (CCSPA) | Bill C-8 | Passed House / In Senate | CSA Z246.1:21 expected |
| Interprovincial | CER OPR s.4(1)(e) | In Force | CSA Z246.1:21 required |
| Alberta | Alta Reg 84/2024 | In Force | CSA Z246.1:21 mandatory |
| British Columbia | BC Reg 181/2022 | In Force | CSA Z246.1:21 mandatory ("should" = "must") + NIST CSF |
| Ontario (water) | DWQMS Element 7 | In Force | DWQMS / Safe Drinking Water Act, 2002 |
| Ontario (electricity LDC) | OEB OCSF v1.1 + 2024 Cyber Security Standard | In Force | NIST CSF + DoE C2M2 |
| Saskatchewan | — | No provincial OT regs | Via CER only |
| Other provinces | — | No provincial OT regs | Via CER only |
What This Means for You
If you're reading this page, you're already ahead of most operators. Here's the practical takeaway:
- Start with CSA Z246.1:21. It's the common denominator across every regulatory framework above. Building compliance with Z246.1:21 now is future-proof regardless of what happens with CCSPA or other provincial regulators. Free download for Canadian customers.
- Get network monitoring in place. Every framework requires the ability to detect and respond to cybersecurity events. ZoneSentry delivers this using the syslog your firewall already generates — no hardware, no agents, no process disruption.
- Whether you're on the AER's list or not, being ready is cheaper than scrambling when you get the call. The AER's confidential designation process means you may not know you're covered until an audit letter arrives.
- Don't wait for CCSPA. Two provincial regulations are already in force. CER already requires it for interprovincial pipelines. CCSPA adds federal teeth, but the obligation to monitor is already here.
ZoneSentry provides the monitoring component of your security management program — continuous boundary monitoring, anomaly detection, compliance reporting, and incident evidence. It is not a complete compliance solution (no single product is), but it covers the network monitoring and detection requirements that every framework above mandates.
Primary Regulatory Sources
We link to primary sources throughout this page. Here they are collected for reference:
- Alta Reg 84/2024 — Security Management for Critical Infrastructure Regulation
- BC Reg 181/2022 — Security Management Regulation
- BCER Security Management Regulation Guideline
- Bill C-8 — Critical Cyber Systems Protection Act
- CSA Z246.1:21 — Security management for petroleum and natural gas industry systems
- CER Security Program
- Safe Drinking Water Act, 2002 (SO 2002 c 32)
- DWQMS Pocket Guide — Ontario MECP
- ERO 019-4855 — DWQMS 3.0 (final, published February 2026)
- Ontario Cyber Security Framework (OCSF) — OEB
- 2024 OEB Cyber Security Standard
Page last updated: May 21, 2026. Regulatory landscapes change. If you believe any information on this page is outdated, please let us know. The accuracy of this content is our commitment to the industry — educate first, sell second.