In Effect Law AI Safety

Ontario Bill 194

Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Enhancing Digital Security and Trust Act)

Ontario's first AI-specific legislation regulating public sector use of AI systems. Requires accountability frameworks, risk management, disclosure, and human oversight. Also addresses cybersecurity and digital information affecting minors under 18.

Jurisdiction

Ontario

Enacted

Nov 25, 2024

Effective

Jan 29, 2025

Enforcement

Information and Privacy Commissioner of Ontario (IPC)

Received Royal Assent November 25, 2024; EDSTA came into force January 29, 2025; full implementation pending regulations (expected July 1, 2025)

Ontario Legislative Assembly: Bill 194

Why It Matters

First Canadian provincial AI regulation, though limited to public sector. Sets accountability and transparency precedent. Criticized for weak enforcement (non-compliance doesn't void decisions) and lack of private right of action. May influence other provinces.

Recent Developments

EDSTA in force January 29, 2025. Complemented by 'Responsible Use of Artificial Intelligence Directive' (December 1, 2024) guiding Ontario ministries. Full regulations pending for July 2025. IPC criticized lack of enforcement mechanisms and direct privacy complaint avenue.

At a Glance

Applies to

Government AI

Requires

Risk Assessment Transparency Human Oversight Incident Reporting

Who Must Comply

Public sector entities: institutions under FIPPA, institutions under MFIPPA, children's aid societies, school boards
Excludes: Legislative Assembly of Ontario

Obligations fall on:

Operator — Operates the platform or service

Applicability thresholds:

Under 18 years old — Special protection for digital information relating to individuals under age 18

Safety Provisions

Public sector entities must develop and implement accountability frameworks for AI use
Risk management requirements for AI systems
Disclosure requirements for AI system use
Human oversight requirements in prescribed circumstances
Minister may set technical standards for AI systems
Special protections for digital information relating to individuals under age 18
Privacy Impact Assessments required
Data breach notification obligations

Exemptions

Legislative Assembly Exemption

Legislative Assembly of Ontario explicitly excluded from definition of 'public sector entities'

• Legislative Assembly of Ontario

Compliance & Enforcement

Key Dates

Jan 29, 2025

Enhancing Digital Security and Trust Act (EDSTA) came into force

Jul 1, 2025

Full implementation including mandatory PIA and breach notification obligations

Penalties

Penalties pending regulatory determination

Primary Source

Ontario Legislative Assembly: Bill 194

https://www.ola.org/en/legislative-business/bills/parliament-43/session-1/bill-194

View on map

Ontario

Focus Areas

Child safety

Algorithmic accountability

Active safeguards required

Compliance Help

Public sector entities must develop accountability frameworks, manage AI risks, disclose AI use where required, ensure human oversight in prescribed circumstances, and follow technical standards set by the Minister. Special requirements for digital information affecting minors.

See how NOPE helps

Cite This

APA

Ontario. (2024). Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Enhancing Digital Security and Trust Act).

Related Regulations

In Effect PE

Peru AI Regulations

Peru's first comprehensive AI regulatory framework, inspired by EU AI Act. Establishes three-tier risk-based approach: prohibited uses, high-risk systems (including healthcare), and low-risk/acceptable AI. First general AI regulation in Latin America. Requires human oversight, transparency, and risk assessments for high-risk AI including healthcare applications.

In Effect SV

Last updated January 22, 2026. Verify against primary sources before relying on this information.