Ontario Bill 194

Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Enhancing Digital Security and Trust Act)

Ontario's first AI-specific legislation regulating public sector use of AI systems. Requires accountability frameworks, risk management, disclosure, and human oversight. Also addresses cybersecurity and digital information affecting minors under 18.

Jurisdiction

Ontario

CA-ON

Enacted

Nov 25, 2024

Effective

Jan 29, 2025

Enforcement

Information and Privacy Commissioner of Ontario (IPC)

Received Royal Assent November 25, 2024; EDSTA came into force January 29, 2025; full implementation pending regulations (expected July 1, 2025)

Who Must Comply

This law applies to:

  • Public sector entities: institutions under FIPPA, institutions under MFIPPA, children's aid societies, school boards
  • Excludes: Legislative Assembly of Ontario

Capability triggers:

publicSector (required)

Applicability thresholds:

Under 18 years old

minor_protection

Special protection for digital information relating to individuals under age 18

Who bears obligations:

Exemptions

Legislative Assembly Exemption

high confidence

Legislative Assembly of Ontario explicitly excluded from definition of 'public sector entities'

Conditions:

  • Legislative Assembly of Ontario

Safety Provisions

  • Public sector entities must develop and implement accountability frameworks for AI use
  • Risk management requirements for AI systems
  • Disclosure requirements for AI system use
  • Human oversight requirements in prescribed circumstances
  • Minister may set technical standards for AI systems
  • Special protections for digital information relating to individuals under age 18
  • Privacy Impact Assessments required
  • Data breach notification obligations

Compliance Timeline

Jan 29, 2025

Enhancing Digital Security and Trust Act (EDSTA) came into force

Jul 1, 2025

Full implementation including mandatory PIA and breach notification obligations

Enforcement

Enforced by

Information and Privacy Commissioner of Ontario (IPC)

Penalties

Penalties pending regulatory determination

No explicit penalties; enforcement through IPC compliance orders and investigations. Note: Section 13 provides that failure to comply does not affect validity of decisions.

Quick Facts

  • Binding: Yes
  • Mental Health Focus: No
  • Child Safety Focus: Yes
  • Algorithmic Scope: Yes

Why It Matters

First Canadian provincial AI regulation, though limited to public sector. Sets accountability and transparency precedent. Criticized for weak enforcement (non-compliance doesn't void decisions) and lack of private right of action. May influence other provinces.

Recent Developments

EDSTA in force January 29, 2025. Complemented by 'Responsible Use of Artificial Intelligence Directive' (December 1, 2024) guiding Ontario ministries. Full regulations pending for July 2025. IPC criticized lack of enforcement mechanisms and direct privacy complaint avenue.

What You Need to Comply

Public sector entities must develop accountability frameworks, manage AI risks, disclose AI use where required, ensure human oversight in prescribed circumstances, and follow technical standards set by the Minister. Special requirements for digital information affecting minors.

Cite This

APA

Ontario. (2024). Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Enhancing Digital Security and Trust Act). Retrieved from https://nope.net/regs/ca-on-bill-194

BibTeX

@misc{ca_on_bill_194,
  title = {Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (Enhancing Digital Security and Trust Act)},
  author = {Ontario},
  year = {2024},
  url = {https://nope.net/regs/ca-on-bill-194}
}

Related Regulations

In Effect PE AI Safety

Peru AI Regulations

Peru's first comprehensive AI regulatory framework, inspired by EU AI Act. Establishes three-tier risk-based approach: prohibited uses, high-risk systems (including healthcare), and low-risk/acceptable AI. First general AI regulation in Latin America. Requires human oversight, transparency, and risk assessments for high-risk AI including healthcare applications.

In Effect SV AI Safety

El Salvador AI Law

First comprehensive AI law in Latin America. Promotes AI development while establishing ethical principles and governance framework. Creates the National Agency for Artificial Intelligence (ANIA) to oversee AI development and regulation.

In Effect CO AI Safety

Colombia SIC AI Circular

10-point checklist for AI data processing. Mandatory PIAs for high-risk AI. Note: Separately, Colombia's Consejo Superior de la Judicatura adopted UNESCO AI Guidelines for judiciary (Dec 16, 2024).

Failed CA Online Safety

C-63

Would have established Digital Safety Commission with platform duties for seven harmful content categories including content inducing children to harm themselves. Required 24-hour CSAM takedown.

In Effect CARICOM Data Protection

CARICOM CCSCAP 2025

CARICOM's 2025 regional cyber security framework establishing digital safety culture and coordinated incident response across 18 member states.

In Effect CL Data Protection

Chile Cybersecurity Law

First cybersecurity framework law in Latin America (Law 21,663 promulgated Mar 26, 2024; published Apr 8, 2024). Creates National Cybersecurity Agency (ANCI), mandatory incident reporting, and encryption rights.