72-Hour Rule: Critical Cyber Incident Reporting Law

Ontario Regulation 51/26, made under the Enhancing Digital Security and Trust Act, 2024, establishes a cyber security governance and reporting framework for designated public sector entities in Ontario. The regulation is primarily aimed at strengthening cyber resilience through standardized maturity assessments, accountability structures, and mandatory incident reporting requirements.

The regulation begins by defining key terms, most notably “cyber security maturity assessment,” which refers to evaluations conducted in line with industry standards or best practices endorsed by the Ministry’s Chief Information Security Officer. These assessments measure the status and progress of a prescribed public sector entity’s cyber security posture. The regulation also defines the Ministry as the ministry of the responsible Minister and identifies “prescribed public sector entities” as those listed in section 2.

The scope of covered entities includes educational institutions as defined under the Freedom of Information and Protection of Privacy Act, public hospitals classified as Group A, B, or C under the Public Hospitals Act, the University of Ottawa Heart Institute, children’s aid societies, and school boards. These entities are collectively required to implement structured cyber security programs that meet or exceed the baseline requirements set out in the regulation.

A central governance requirement is the designation of a primary point of contact and an alternate within each entity. Both individuals must occupy senior management positions and possess decision-making authority over cyber security matters. The primary contact is responsible for liaising with the Ministry on all cyber security issues and approving assessment summaries, while the alternate assumes these responsibilities when necessary. Entities must provide the Chief Information Security Officer with full contact details for both individuals and update any changes within ten business days, ensuring continuous accountability and communication channels.

The regulation also mandates regular cyber security maturity assessments. Each prescribed entity must complete an initial assessment within one year of the regulation’s application to it. Subsequent assessments must occur at least every two years. However, entities that have completed a relevant assessment within one year prior to the regulation’s application may treat that assessment as their initial benchmark, which eases compliance while maintaining continuity in evaluation.

The regulation introduces mandatory reporting obligations for “critical cyber security incidents.” Such incidents include events that compromise the security, continuity, confidentiality, integrity, or availability of digital information or related infrastructure, provided they meet at least one qualifying threshold. These thresholds include significant disruption to public services, risks to public safety, activation of incident response plans, or substantial reputational harm and loss of public confidence.

Ontario (51/2026) April 8, 2026
Disclaimer: Insights are for informational purposes only and do not reflect RRI’s official position or constitute legal opinion.