Human Resources Legislative Update
New Public Sector Cybersecurity Governance & Student Digital Information Transparency Obligations in Force July 1
Date: March 25, 2026
On March 23, 2026, two regulations made under the Enhancing Digital Security and Trust Act, 2024 (Act) were filed setting out the obligations on entities subject to the Act with respect to both cyber security and the use of digital technologies by persons under the age of 18. Notably, no regulation has been issued addressing the regulation of artificial intelligence which is also dealt with in the Act.
Links to the regulations are set out below:
- O. Reg. 51/26: CYBER SECURITY (O. Reg. 51/26)
- O. Reg. 52/26: DIGITAL TECHNOLOGY AFFECTING INDIVIDUALS UNDER AGE 18 (O. Reg. 52/26)
Both regulations will come into force on July 1, 2026. Below is a brief summary of the key features of each regulation.
O. Reg. 51/26: CYBER SECURITY
O. Reg. 51/26 sets out the framework for cybersecurity in certain public sector entities in Ontario, including school boards, colleges and universities, many public hospitals and children’s aid societies, to manage, assess, and report on their cyber security practices.
The regulation sets out a number of important minimum requirements for affected entities to implement cyber security programs. The key new obligations include:
- The requirement to designate a senior management representative with decision making authority with respect to cyber security as a primary point of contact. The contact will be responsible for communicating with the Ministry on cyber security matters and approving summaries of cyber security maturity assessments.
- The requirement to prepare cyber security maturity assessments at intervals identified in the regulation. The first assessment is due one year from the application date of the regulation. Cybersecurity maturity assessments are defined as assessments of the entity’s status or progress with respect to cyber security and must meet industry standards or best practices endorsed by the Ministry. A summary of the assessment must be furnished to the Ministry within 30 days of its completion and contain content prescribed in the regulation.
- The requirement to report critical cyber security incidents to the Ministry. The regulation contains a definition of the incidents which meet the definition of critical cyber security incidents and the content required in the report. Reports are due within 72 hours of confirmation of the incident. Such incidents are not limited to instances involving personal information.
O. Reg. 52/26: DIGITAL TECHNOLOGY AFFECTING INDIVIDUALS UNDER AGE 18
O. Reg. 52/26 sets out mandatory notice requirements for school boards when they disclose students’ personal digital information to third-party software application providers. It applies specifically to children and youth under age 18 and distinguishes between students who are under age 16, and students aged 16 and 17.
For students under 16, notice must be provided to the student’s parent or guardian. In the case of students ages 16 and 17, notice must be provided to the student. The content of the notices is set out in the regulation and is largely identical, although for students under 16 a separate statement of rights for persons who believe their personal digital information has been improperly, collected, used, disclosed, or retained must be included. The time requirements for issuing the notices is set out in the regulation.
While the Act provided that both school boards and children’s aid societies could be made subject to regulation of personal digital information, Reg 52/26 only applies to school boards.
Should you have questions about compliance with these upcoming obligations, please contact Scott T. Williams, Andrew J. Movrin or Victoria McCorkindale, members of the firm’s Information, Data Security & Privacy Practice Group.
The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP. ©