If you operate pipeline, energy, or industrial infrastructure in Canada, cybersecurity monitoring requirements may already apply to you — and more are coming. This page covers every province and territory so you know where you stand.
The common thread: CSA Z246.1:21 (fourth edition, 2021) — the Canadian standard for security management of petroleum and natural gas industry systems. Every regulatory framework below points to it.
Two regulations are already in force. Alberta and British Columbia both have active cybersecurity requirements for energy operators. This is not a future problem. If you operate in either province, compliance obligations exist today.
Alberta
| Regulation | Security Management for Critical Infrastructure Regulation, Alta Reg 84/2024 |
| Status | In force since May 31, 2025 |
| Standard | CSA Z246.1:21 compliance mandatory |
| Enforcer | Alberta Energy Regulator (AER) |
| Key provision | s.3(1) — operators must have a security management program |
The AER maintains a confidential critical infrastructure list. Operators are notified if their facility is placed on it. If you operate pipelines, processing plants, or other energy infrastructure in Alberta, your facility may already be designated.
There is no small-business exemption. A junior producer with a single pipeline faces the same obligation as a major integrated operator. Non-compliance can result in facility shutdown — the AER has the authority to order operations to cease.
Read our detailed Alta Reg 84/2024 guide →
British Columbia
| Regulation | Security Management Regulation, BC Reg 181/2022 |
| Status | In force |
| Standard | CSA Z246.1:21 compliance mandatory + NIST CSF objectives |
| Enforcer | BC Energy Regulator (BCER) |
| Guideline | BCER Security Management Regulation Guideline |
BC's regulation is stricter than Alberta's. The BCER reads "should" in CSA Z246.1:21 as "must" — advisory language in the standard becomes mandatory requirement in BC. This means more clauses carry compliance obligation in BC than in Alberta for the same standard.
Additionally, cybersecurity measures per Clause 7 of the standard must also meet NIST Cybersecurity Framework (CSF) objectives or an equivalent approved standard. This dual-standard requirement makes BC the most demanding provincial jurisdiction for OT cybersecurity in Canada.
Interprovincial (Any Province)
| Regulation | CER Onshore Pipeline Regulations, s.4(1)(e) |
| Status | In force |
| Standard | CSA Z246.1:21 compliance required |
| Enforcer | Canada Energy Regulator (CER) |
If your pipeline crosses a provincial or international boundary, it falls under federal jurisdiction regardless of which province you're in. The CER requires CSA Z246.1 compliance for all CER-regulated pipelines. The CER has conducted cybersecurity audits and has publicly reported common deficiencies including lack of continuous OT network monitoring.
Federal (All Sectors) — CCSPA
| Legislation | Critical Cyber Systems Protection Act (CCSPA), Bill C-8 |
| Status | In SECU committee — expected to pass |
| Sectors | Energy, finance, transportation, nuclear |
| Enforcer | CER (energy sector), sector-specific regulators for others |
The CCSPA will mandate cybersecurity programs for designated operators across critical infrastructure sectors. Key requirements include:
- Mandatory cybersecurity program within 90 days of designation
- 72-hour incident reporting to the Communications Security Establishment (CSE)
- All records kept in Canada
- Supply chain risk assessment
- Potential penalties: up to $15M/day for organizations, $1M/day for individuals
The CCSPA has not yet received Royal Assent. It is currently before Parliament's Standing Committee on Public Safety and National Security (SECU) and is expected to pass. However, operators should be preparing now — the requirements are substantial, and the 90-day compliance window after designation leaves no room for building a program from scratch.
Read our detailed CCSPA guide →
Saskatchewan
Saskatchewan currently references CSA Z662 for pipeline integrity, which is not cybersecurity-specific. There is no provincial equivalent of Alta Reg 84/2024 yet.
However, interprovincial pipeline operators in Saskatchewan are still covered by CER requirements above. And if the CCSPA passes, designated operators in Saskatchewan will face the same federal obligations as every other province.
We monitor Saskatchewan's regulatory landscape for changes.
Ontario, Manitoba, Quebec, Atlantic Provinces, Territories
No OT-specific cybersecurity regulations have been identified yet at the provincial or territorial level in these jurisdictions.
Interprovincial pipeline operators are covered by CER requirements regardless of province. When the CCSPA passes, designated operators in any jurisdiction will be subject to federal requirements.
Provincial regulators may adopt CSA Z246.1:21 requirements following Alberta and BC's lead. We monitor for changes and will update this page promptly.
At a Glance
| Jurisdiction | Regulation | Status | CSA Z246.1:21 |
|---|---|---|---|
| Alberta | Alta Reg 84/2024 | In Force | Mandatory |
| British Columbia | BC Reg 181/2022 | In Force | Mandatory ("should" = "must") |
| Interprovincial | CER OPR s.4(1)(e) | In Force | Required |
| Federal (CCSPA) | Bill C-8 | In Committee | Expected |
| Saskatchewan | — | No provincial OT regs | Via CER only |
| Other provinces | — | No provincial OT regs | Via CER only |
What This Means for You
If you're reading this page, you're already ahead of most operators. Here's the practical takeaway:
- Start with CSA Z246.1:21. It's the common denominator across every regulatory framework above. Building compliance with Z246.1:21 now is future-proof regardless of what happens with CCSPA or other provincial regulators. Free download for Canadian customers.
- Get network monitoring in place. Every framework requires the ability to detect and respond to cybersecurity events. ZoneSentry delivers this using the syslog your firewall already generates — no hardware, no agents, no process disruption.
- Whether you're on the AER's list or not, being ready is cheaper than scrambling when you get the call. The AER's confidential designation process means you may not know you're covered until an audit letter arrives.
- Don't wait for CCSPA. Two provincial regulations are already in force. CER already requires it for interprovincial pipelines. CCSPA adds federal teeth, but the obligation to monitor is already here.
ZoneSentry provides the monitoring component of your security management program — continuous boundary monitoring, anomaly detection, compliance reporting, and incident evidence. It is not a complete compliance solution (no single product is), but it covers the network monitoring and detection requirements that every framework above mandates.
Primary Regulatory Sources
We link to primary sources throughout this page. Here they are collected for reference:
- Alta Reg 84/2024 — Security Management for Critical Infrastructure Regulation
- BC Reg 181/2022 — Security Management Regulation
- BCER Security Management Regulation Guideline
- Bill C-8 — Critical Cyber Systems Protection Act
- CSA Z246.1:21 — Security management for petroleum and natural gas industry systems
- CER Security Program
Page last updated: March 2026. Regulatory landscapes change. If you believe any information on this page is outdated, please let us know. The accuracy of this content is our commitment to the industry — educate first, sell second.