Ontario’s Bill 194: New Rules for Digital Engagement. Is Your Business Ready to Comply?

In January 2025, Ontario brought a new law into effect—Bill 194, formally known as The Strengthening Cyber Security and Building Trust in the Public Sector Act. Though aimed at public institutions, its implications extend well beyond government walls.

For businesses that partner with, serve, or support Ontario’s public sector, especially in healthcare, education, or IT, this is a line in the sand.

Digital governance is no longer advisory. It’s regulatory.

What Bill 194 Does

Bill 194 introduces two major frameworks:

  • The Enhancing Digital Security and Trust Act (EDSTA) establishes cybersecurity and AI oversight requirements for designated public sector organizations.
  • The Freedom of Information and Protection of Privacy Act (FIPPA) now includes stricter rules for data collection, breach reporting, and risk assessments.

Ontario is moving towards structured digital accountability, focusing on securing systems, safeguarding personal information, and governing the use of emerging technologies, such as AI.

Key Changes

 1. Cybersecurity Standards Become Law

Organizations must now maintain documented cybersecurity programs. These must include governance structures, staff training, detection tools, and clear plans for responding to incidents.

This brings a level of consistency to how public data is protected—and raises expectations for any vendors or third parties connected to these systems.

 2. Privacy Risk Assessments Are Mandatory

Before institutions collect personal information, they must now complete a written Privacy Impact Assessment (PIA). These documents must outline the purpose of data collection, the safeguards in place, how risks will be mitigated, and the duration for which data will be retained.

The Information and Privacy Commissioner (IPC) can request copies of these assessments at any time.

 3. Stricter Breach Reporting Rules

Starting July 1, 2025, public institutions must:

  • Maintain internal records for every privacy breach
  • Report serious breaches to the IPC
  • Notify affected parties in appropriate cases
  • Submit annual breach summaries beginning in 2026

This creates a permanent public record of how institutions handle incidents and puts indirect pressure on vendors to meet the same standard.

 4. Stronger Enforcement for the IPC

According to the IPC, these new requirements “introduce a new privacy complaint and review regime, with explicit powers for the Commissioner to conduct investigations and issue binding orders.” The Commissioner now has the authority to compel institutions to cease unsafe practices, destroy improperly collected data, or implement new controls without requiring court approval, making enforcement faster and more direct.

According to an article by Dentons Data, “forthcoming regulations governing AI systems—are new and unprecedented … while many details regarding institutions’ cybersecurity and AI obligations are yet to be established by regulations, public bodies can begin preparing for compliance now.”

This includes proactively evaluating and implementing risk management practices and policies for responsible AI use.

What This Means for Business

If your company handles personally identifiable information, delivers IT solutions, or provides AI tools to the public sector, the message is clear: you’re part of the compliance chain. You may not be ‘called out’ specifically in the legislation, but your practices will be scrutinized under its lens. Institutions are now required to vet their partners and vendors more thoroughly, and failure to align with these standards could mean lost contracts or legal exposure.

A New Era of Digital Accountability

Bill 194 signals a turning point in how Ontario expects organizations to handle personal data and emerging technologies. The province is setting clear and firm expectations around cybersecurity, privacy, and the responsible use of AI, treating them not as add-ons, but as core obligations tied to public trust.

For Ontario businesses, the path forward is clear: review your privacy posture, document your controls, and be prepared to demonstrate how you protect both data and digital ethics.

Resources

Thompson, K. (2025, February 6). Ontario’s new public sector cybersecurity and AI law now in force – What public and private sector organizations need to know. Dentons Data. https://www.dentonsdata.com/ontarios-new-public-sector-cybersecurity-and-ai-law-now-in-force-what-public-and-private-sector-organizations-need-to-know/

Bill 194 – Strengthening cybersecurity and building public trust. Information and Privacy Commissioner of Ontario. https://www.ipc.on.ca/en/resources/bill-194-strengthening-cyber-security-and-building-trust-public-sector-act

Need more info?

Take the next step—contact us today for a free compliance and cybersecurity strategy session to ensure your business is fully protected and compliant! 

Our Cyntry experts can identify strategies to safeguard your data and systems. At Cyntry, simplifying the compliance journey and strengthening your security posture is what we do best. 

Book a no-cost 30-minute compliance and cybersecurity strategy session at Cyntry.com
