Summary of Regulations Under Enhancing Digital Security and Trust Act

Related Practice Areas

Overview

As we previously wrote about here, the Enhancing Digital Security and Trust Act, 2024 introduced new regulatory frameworks for Ontario public sector employers with respect to topics like artificial intelligence systems, cyber security, school boards’ collection of digital information of youth under age 18, and more.  

On July 1, 2026, two new regulations – O. Reg. 51/26: Cyber Security and O. Reg. 52/26: Digital Technology Affecting Individuals Under Age 18 – came into effect. Below is a summary of the key elements of each regulation. 

O. Reg. 51/26: Cyber Security

This regulation applies to prescribed public sector entities, which include educational institutions, hospitals, children’s aid societies, and school boards. O. Reg. 51/26 requires every prescribed public sector entity to designate one employee as its primary cyber security point of contact and another employee as an alternate. Among other duties, the primary point of contact is responsible for communicating with the Ministry of Public and Business Service Delivery and Procurement (the “Ministry”) on cyber security matters and approving summaries of the entity’s cyber security maturity assessments.

These cyber security maturity assessments evaluate how well an entity responds to cyber security threats. Each entity must conduct its first cyber security maturity assessment no later than July 1, 2027. Thereafter, the entity must complete a cyber security maturity assessment at least once every two years. Once completed, a summary must be submitted to the Chief Information Security Officer at the Ministry. Every summary must include a description of the method used to conduct the assessment, the name of the model or framework used, a score representing the entity’s overall cyber security maturity, and a summary of any cyber security areas for future improvement.

In addition, this regulation requires every prescribed public sector entity affected by a critical cyber security incident to submit an incident report to the Chief Information Security Officer of the Ministry as soon as reasonably practicable. A critical cyber security incident is defined to mean an incident that has impacted (i) the security, continuity, confidentiality, integrity or availability of digital information that the entity collected, used, retained or disclosed; or (ii) the infrastructure housing or transmitting digital information that the entity collected, used, retained or disclosed; and that meets at least one of the prescribed criteria.

The report must include the relevant names of the primary and alternate point of contact, the name of the public sector entity, relevant dates, a general description of the incident, and a general description of the type of information affected or stolen.

O. Reg. 52/26: Digital Technology Affecting Individuals Under Age 18

This regulation requires school boards to provide prior written notice to a parent or guardian before disclosing personal digital information about an individual under the age of 16 to a third-party owner or operator of a software application. The notice must include the following:

  • the specific elements of personal digital information that will be disclosed;
  • the legal authority to disclose that information;
  • the purpose of the disclosure;
  • the name of the third-party software application and its owner/operator;
  • the contact information of an individual authorized by the school board to answer questions about the disclosure; and
  • a statement outlining the rights of an individual under 16, and those of their parent or guardian, who thinks the individual’s personal digital information may have been  improperly collected, used, retained or disclosed.

Generally, any notice of disclosure must be given as soon as it is operationally feasible for the school board to do so.

Where the personal digital information relates to an individual who is between 16 and 18 years old, the school board must provide the same notice described above, except instead of notifying the individual’s parent or guardian, the school board must notify the individuals themselves.

Key Takeaways

Public sector entities should consider implementing a cyber security risk assessment and mitigation plan if they have not already done so. In particular, affected entities must appoint a designated and alternate point of contact for cyber security matters. It is also worthwhile for affected entities to start planning for their initial cyber security maturity assessment, which must be completed before the July 1st, 2027, deadline.

School boards must also familiarize themselves with the new disclosure notice requirements when disclosing students’ personal digital information to third-party software platforms. The written notice of disclosure differs slightly depending on whether the individual is under 16 or is between 16 and 18 years of age.

Need More Information?

For more information or assistance with privacy or workplace laws, please contact Melanie McNaught at mmcnaught@filionlaw.com or your regular lawyer at the firm.