
Canadian Compliance: Federal, Provincial, and Sectoral Coverage

GuardsArm supports organizations across Canada’s privacy, health, financial, and critical-infrastructure regulatory landscape — from federal statutes like PIPEDA and CCSPA to provincial health and privacy acts.

4 Federal Frameworks
7 Provincial Acts
4 Sectoral Requirements

The Canadian compliance landscape, mapped

Whether you operate in a single province or across the country, the requirements stack quickly. We help organizations identify which of these frameworks apply, how they overlap, and how to build a single security and privacy program that satisfies all of them.

PIPEDA

Federal | Federal

Personal Information Protection and Electronic Documents Act

Canada’s federal privacy law governing how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. Enforced by the Office of the Privacy Commissioner of Canada.

Who must comply

Most federally regulated businesses and any private-sector organization handling personal information across provincial or national borders.

How GuardsArm helps

Privacy impact assessments, breach notification procedures, consent framework reviews, and safeguard control mapping aligned to the 10 PIPEDA Fair Information Principles.

BC PIPA

British Columbia | Provincial

Personal Information Protection Act (British Columbia)

BC’s substantially similar private-sector privacy law, applying to organizations operating within British Columbia. Overseen by the Office of the Information and Privacy Commissioner for BC.

Who must comply

Private-sector organizations operating in BC, including non-profits and trade unions.

How GuardsArm helps

Provincial privacy compliance reviews, employee information handling assessments, and alignment with OIPC BC guidance.

CCSPA (Bill C-8)

Federal | Federal

Critical Cyber Systems Protection Act

Proposed federal legislation establishing mandatory cybersecurity requirements for designated operators in vital federal sectors — finance, telecommunications, energy, and transportation — with reporting obligations and ministerial directive authority.

Who must comply

Designated operators of critical cyber systems in federally regulated industries.

How GuardsArm helps

Cyber security program design, incident reporting workflow development, and readiness assessments aligned to expected CCSPA designated-operator obligations.

CASL

Federal | Federal

Canada’s Anti-Spam Legislation

Federal law governing commercial electronic messages, installation of computer programs, and altering of transmission data. Enforced by the CRTC with substantial monetary penalties.

Who must comply

Any organization that sends commercial electronic messages to or from a Canadian computer system.

How GuardsArm helps

Consent record-keeping reviews, marketing automation control audits, and breach risk assessments for software installation flows.

OSFI B-13

Federal | Sectoral

Technology and Cyber Risk Management Guideline

OSFI guideline setting expectations for federally regulated financial institutions on governance of technology and cyber risk, including third-party arrangements, resilience, and incident management.

Who must comply

Federally regulated banks, insurers, trust companies, and other OSFI-supervised institutions.

How GuardsArm helps

B-13 readiness gap analysis, third-party cyber risk programs, board-level reporting, and resilience testing aligned to the guideline’s domains.

ITSG-33

Federal | Federal

IT Security Risk Management: A Lifecycle Approach

Canadian Centre for Cyber Security publication providing the IT security risk management framework and control catalogue used across Government of Canada IT systems.

Who must comply

Government of Canada departments, agencies, and contractors operating Crown IT systems.

How GuardsArm helps

Security control selection workshops, profile tailoring, and authority-to-operate evidence development for federal projects.

FINTRAC / PCMLTFA

Federal | Sectoral

Proceeds of Crime (Money Laundering) and Terrorist Financing Act

Federal anti-money laundering and counter-terrorist financing regime administered by FINTRAC, requiring reporting entities to maintain compliance programs, perform client due diligence, and report prescribed transactions.

Who must comply

Banks, money services businesses, securities dealers, real estate, accountants, dealers in precious metals and stones, and other reporting entities.

How GuardsArm helps

AML technology control reviews, transaction monitoring system assessments, and information security controls for FINTRAC reporting infrastructure.

Alberta HIA

Alberta | Provincial

Alberta Health Information Act

Alberta’s health-specific privacy law governing how custodians collect, use, disclose, and protect health information. Enforced by the Office of the Information and Privacy Commissioner of Alberta.

Who must comply

Designated custodians — Alberta Health Services, physicians, pharmacists, regional health authorities, and other health professionals named under the Act.

How GuardsArm helps

Custodian security risk assessments, electronic health record safeguard reviews, and breach response planning compliant with HIA notification rules.

Alberta FOIP

Alberta | Provincial

Freedom of Information and Protection of Privacy Act (Alberta)

Alberta’s public-sector access-to-information and privacy law applying to provincial public bodies, including ministries, agencies, post-secondary institutions, and municipalities.

Who must comply

Alberta public bodies and entities listed under the FOIP Regulation.

How GuardsArm helps

Public-body security and privacy assessments, records management control reviews, and incident response procedures aligned to FOIP notification expectations.

Alberta Reg 84/2024

Alberta | Sectoral

Alberta Health Information Regulation 84/2024

Alberta regulation updating health-information requirements under the HIA, refining custodian obligations around safeguards, electronic systems, and information-sharing arrangements.

Who must comply

Alberta health information custodians and affiliates handling personal health information in scope of the regulation.

How GuardsArm helps

Regulation-aligned safeguard assessments, vendor agreement reviews, and operational control updates for custodians implementing the new requirements.

Manitoba PHIA

Manitoba | Provincial

Personal Health Information Act (Manitoba)

Manitoba’s health information privacy law governing trustees who collect, use, or disclose personal health information in the province. Overseen by the Manitoba Ombudsman.

Who must comply

Designated trustees — regional health authorities, hospitals, physicians, and other health-information holders under the Act.

How GuardsArm helps

Trustee privacy and security program assessments, EHR safeguard audits, and breach handling procedures consistent with PHIA expectations.

Saskatchewan HIPA

Saskatchewan | Provincial

Health Information Protection Act (Saskatchewan)

Saskatchewan’s health-information privacy legislation establishing rules for trustees collecting, using, or disclosing personal health information in the province.

Who must comply

Trustees as defined under HIPA, including health authorities, providers, and licensed practitioners.

How GuardsArm helps

HIPA-aligned security assessments, privacy impact assessments for new clinical systems, and incident response readiness aligned to the Information and Privacy Commissioner’s guidance.

Quebec Law 25

Quebec | Provincial

Act to modernize legislative provisions as regards the protection of personal information

Quebec’s significantly updated private-sector privacy regime, introducing privacy officer designation, mandatory breach notification, privacy impact assessments, consent rules, and individual rights including data portability.

Who must comply

Any organization — public or private — that collects, holds, uses, or communicates personal information of individuals in Quebec, regardless of where the organization is based.

How GuardsArm helps

Law 25 readiness programs, privacy impact assessments, consent and de-identification reviews, breach response operationalization, and DPO advisory engagements.

Ontario PHIPA

Ontario | Provincial

Personal Health Information Protection Act (Ontario)

Ontario’s health-information privacy law setting rules for health information custodians and their agents. Overseen by the Information and Privacy Commissioner of Ontario.

Who must comply

Hospitals, physicians, pharmacies, long-term care homes, public health units, and other designated custodians in Ontario.

How GuardsArm helps

Custodian and agent privacy controls reviews, electronic health record audit trail design, and IPC-aligned breach handling procedures.

SOX / CSOX

Cross-border | Sectoral

Sarbanes-Oxley (US) and Canadian SOX equivalents

Public-company financial reporting controls regime. SOX applies to SEC registrants; Canadian equivalents — most notably National Instrument 52-109 — require comparable CEO and CFO certification of disclosure controls and internal control over financial reporting (ICFR) for Canadian reporting issuers.

Who must comply

Canadian reporting issuers, SEC-registered Canadian companies, and cross-listed entities.

How GuardsArm helps

IT general controls scoping, application control reviews, automated control evidence design, and SOC reporting alignment supporting management certification and audit readiness.

Not sure which of these apply to you?

A short scoping conversation usually clarifies which federal and provincial frameworks apply, which overlap, and what a realistic compliance roadmap looks like for your organization.