PostQuantum.com. Link to the post: https://postquantum.com/quantum-policies/canada-pqc-regulatory-framework/

Summary

Canada’s approach to post-quantum cryptography is broader and tougher than it looks on the surface. The three PQC guidance documents published in mid-2025 sit atop a layered enforcement stack that already shapes private sector obligations. Financial regulators like OSFI require “strong cryptographic technologies” and have issued a quantum readiness bulletin. PIPEDA’s technology-neutral “appropriate safeguards” standard continues to evolve with emerging threats, which points directly to PQC. Add securities disclosure pressures and the pending CCSPA with penalties up to C$15 million per violation per day, and the direction of travel is unmistakable.

For CISOs in critical infrastructure, the real signal is the convergence of these instruments into a practical enforcement regime that rivals the bite of EU frameworks like NIS2 and DORA, even if Canada rarely spells out PQC explicitly. Analysts who read only ITSM.40.001 and see “recommended” language risk missing the point. The regulatory teeth are distributed across finance, privacy, critical infrastructure, and disclosure, and they collectively make quantum readiness a present-tense compliance and resilience issue.

The author’s inside view underscores a Canadian style that is quiet but intentional. Agencies like CSE, OSFI, and TBS know what they are doing, and the framework they are building leaves little room for delay. The takeaway for security leaders is simple: there is no single law and no single excuse. Inventory cryptography, design for crypto agility, map PQC migration to existing obligations, and brief boards and regulators accordingly.


See the original article at: https://postquantum.com/quantum-policies/canada-pqc-regulatory-framework/
