Canadian Centre for Cyber Security Warns of Iranian Cyber Threats Targeting Canadian Infrastructure
The Canadian Centre for Cyber Security (CCCS) issued a bulletin on March 3 warning that Iranian state-sponsored threat actors and affiliated hacktivists are likely to conduct cyberattacks against Canadian organizations. The warning follows escalating U.S. and Israeli military action in the Middle East, with Canada identified as a target due to its support for the coalition.
The threat assessment identifies multiple attack vectors: cyberattacks on energy grids and government networks, cyberespionage against political activists, journalists, and human rights advocates, and online harassment of military personnel and diaspora communities. The Globe and Mail reported that pro-Iran hacktivists could target Canadian critical infrastructure operators specifically.
The CCCS National Cyber Threat Assessment 2025 to 2026 previously listed Iran alongside China and Russia as the greatest strategic cyber threats to Canada. This latest bulletin elevates the immediacy of the Iranian threat from strategic to operational, meaning organizations should be reviewing their incident response procedures and threat intelligence feeds now.
Implications
Organizations operating critical infrastructure, energy, government services, or defence supply chains should immediately review their threat detection capabilities and incident response plans. CyberSecure Canada Control 13 (Incident Response Plan) and CPCSC controls both require documented, tested response procedures. Organizations should verify that their security operations teams are monitoring for indicators of compromise associated with Iranian threat actors and ensure that CCCS advisories are integrated into their threat intelligence workflows.
Canadian Tire Data Breach Confirmed at 38 Million Accounts: Largest Canadian Retail Breach on Record
The Canadian Tire Corporation data breach, first identified on October 2, 2025, has now been confirmed as impacting over 38 million unique email addresses and 42 million total records. The breach notification site Have I Been Pwned added the dataset in early March 2026, revealing the full scale of the compromise.
Exposed data includes names, addresses, email addresses, dates of birth, encrypted passwords, phone numbers, and gender information. Fewer than 150,000 accounts had full dates of birth exposed. Canadian Tire confirmed that in-store systems, Canadian Tire Bank, and Triangle Rewards were not affected. The company has offered credit monitoring services to impacted customers.
Implications
This breach underscores the scale of risk in retail e-commerce platforms. Organizations should review their own breach notification timelines against PIPEDA requirements, which mandate reporting to the Privacy Commissioner and affected individuals as soon as feasible. The five-month gap between breach identification and full public disclosure raises questions about notification adequacy. Organizations pursuing CyberSecure Canada certification should ensure their incident response plans include documented notification procedures with defined timelines.
Ransomware Identified as Top Cybercrime Threat to Canadian Critical Infrastructure
The CCCS National Cyber Threat Assessment 2025 to 2026 confirms that ransomware remains the most significant cybercrime threat to Canadian critical infrastructure. The assessment warns that ransomware actors will almost certainly escalate extortion tactics and refine capabilities using AI-enhanced tools and ransomware-as-a-service platforms.
Canada’s critical infrastructure sectors, including energy, water, food, transportation, and health systems, face increasingly sophisticated attacks. State-sponsored threat actors are becoming bolder and more aggressive in targeting these systems, with attacks growing in both frequency and complexity.
Implications
Organizations in critical infrastructure must treat ransomware resilience as a board-level priority. NIST CSF 2.0’s Recover function and CyberSecure Canada Controls 1 (Incident Response Plan) and 2 (Automatic Patching) provide the baseline controls. Organizations should also validate their backup and recovery procedures through tabletop exercises, ensuring that recovery time objectives are documented and achievable.
CCCS Issues Qualcomm Security Advisory: March 2026 Monthly Rollup (AV26-190)
The Canadian Centre for Cyber Security published advisory AV26-190 covering the Qualcomm March 2026 monthly security rollup. CISA has added CVE-2026-21385 to its Known Exploited Vulnerabilities (KEV) database, confirming active exploitation in the wild.
Organizations using Qualcomm chipsets in mobile devices, IoT infrastructure, or embedded systems should prioritize patching. For organizations pursuing CyberSecure Canada certification, Control 3 (Automatic Patching) requires demonstrated evidence that security updates are applied within defined timeframes, particularly for actively exploited vulnerabilities.
Implications
Mobile device management and IoT security are expanding attack surfaces. Organizations should ensure that firmware and chipset-level vulnerabilities are covered by their patch management programs, not just operating system and application patches. This is a common gap identified during CyberSecure Canada and ISO 27001 audits.
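A check of the kind this gap calls for, written here as an added example rather than CCCS or CISA tooling: it joins a small asset inventory against the patch program's per-layer SLAs and against KEV-style records keyed by cveID, so firmware components that no policy covers surface ahead of an overdue browser update. The inventory, the policy, the dates, and the KEV record's product and dueDate are assumptions; only CVE-2026-21385 comes from the advisory above.

```python
from datetime import date

# Constructed asset inventory. Each component records the layer it sits at, the
# CVEs the vendor's advisory lists for it, and the date it was last updated.
# Assets, names and dates are invented; CVE-0000-00000 is a placeholder, not a real CVE.
INVENTORY = [
    {"asset": "ws-0142", "components": [
        {"layer": "os", "name": "desktop OS", "cves": [], "last_patched": date(2026, 3, 2)},
        {"layer": "app", "name": "browser", "cves": [], "last_patched": date(2026, 1, 5)},
    ]},
    {"asset": "mob-0031", "components": [
        {"layer": "os", "name": "mobile OS", "cves": [], "last_patched": date(2026, 2, 20)},
        {"layer": "firmware", "name": "Qualcomm chipset firmware",
         "cves": ["CVE-2026-21385"], "last_patched": date(2025, 9, 1)},
    ]},
    {"asset": "iot-gw-07", "components": [
        {"layer": "firmware", "name": "gateway firmware (Qualcomm SoC)",
         "cves": ["CVE-2026-21385", "CVE-0000-00000"], "last_patched": date(2024, 6, 15)},
    ]},
]

# The patch program as it is usually written down: a maximum age in days per layer.
# There is no "firmware" entry, which is exactly the gap the text describes.
PATCH_POLICY = {"os": 30, "app": 30}

# KEV-style records using the field names of CISA's KEV JSON feed. Only the cveID
# comes from the advisory above; product and dueDate are placeholders.
KEV = [
    {"cveID": "CVE-2026-21385", "vendorProject": "Qualcomm",
     "product": "PLACEHOLDER", "dueDate": "2026-03-25"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def policy_gaps(inventory, policy):
    """Components at a layer the patch program does not address at all."""
    return [(asset["asset"], comp["name"], comp["layer"])
            for asset in inventory for comp in asset["components"]
            if comp["layer"] not in policy]


def kev_exposures(inventory, kev, today):
    """Components carrying a KEV-listed CVE, with the days left before the KEV due date."""
    due_by_cve = {entry["cveID"]: date.fromisoformat(entry["dueDate"]) for entry in kev}
    exposures = []
    for asset in inventory:
        for comp in asset["components"]:
            for cve in comp["cves"]:
                if cve in due_by_cve:  # CVEs not in KEV are ignored here
                    exposures.append({"asset": asset["asset"], "component": comp["name"],
                                      "cve": cve, "days_to_due": (due_by_cve[cve] - today).days})
    return exposures


def prioritized_findings(inventory, policy, kev, today):
    """Rank what needs attention: a KEV hit on an uncovered layer first, then other KEV
    hits, then uncovered layers, then covered components that have exceeded their SLA."""
    kev_ids = {entry["cveID"] for entry in kev}
    findings = []
    for asset in inventory:
        for comp in asset["components"]:
            covered = comp["layer"] in policy
            kev_hits = [cve for cve in comp["cves"] if cve in kev_ids]
            age = (today - comp["last_patched"]).days
            if kev_hits and not covered:
                severity = "critical"
            elif kev_hits:
                severity = "high"
            elif not covered:
                severity = "medium"
            elif age > policy[comp["layer"]]:
                severity = "low"
            else:
                continue  # covered, within SLA, nothing in KEV
            findings.append({"severity": severity, "asset": asset["asset"],
                             "component": comp["name"], "layer": comp["layer"],
                             "kev_cves": kev_hits, "days_since_patch": age})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["asset"]))
    return findings


if __name__ == "__main__":
    for finding in prioritized_findings(INVENTORY, PATCH_POLICY, KEV, date(2026, 3, 10)):
        print(finding)
```

On this constructed data the two firmware components rank above the overdue browser even though the browser is the only item the written policy would flag, which is the audit finding the text refers to: a patch program that measures only the OS and application layers reports green while the exploited chipset vulnerability sits outside its scope.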
CPCSC Level 1 Mandatory in April 2026: Final Countdown for Defence Supply Chain Organizations
With less than 30 days until CPCSC Level 1 self-assessment becomes mandatory for all new DND-related procurements, organizations in the Canadian defence supply chain face an imminent compliance deadline. The official Level 1 compliance kit is expected by March 31, 2026, giving contractors the definitive control mapping and evidence requirements.
The requirement applies to both prime contractors and subcontractors handling controlled unclassified information (CUI). Companies must complete their self-assessment and upload certification to their BuyandSell.gc.ca profile. The program is based on NIST SP 800-171 Rev 3 and maintains alignment with the U.S. CMMC framework, allowing organizations operating in both markets to build unified compliance documentation.
- Level 1 requires annual self-assessment against NIST SP 800-171 Rev 3 controls
- Cloud infrastructure processing CUI must be hosted in Canada
- Level 2, requiring third-party assessment by an accredited certification body, becomes mandatory April 2027
- The Standards Council of Canada is actively accrediting inspection bodies for Level 2 assessments
Implications
Organizations that have not begun gap assessments should treat this as an emergency priority. The control implementation work for Level 1 is substantial, and organizations that rush their self-assessments risk submitting inaccurate attestations. Companies should also begin planning for Level 2 now, as the control requirements are the same; only the assessment mechanism changes from self-assessment to third-party certification.
Canada’s AI Strategy Task Force Launches National Consultation Following ISED Sprint
Innovation, Science and Economic Development Canada (ISED) released the results of its national sprint on AI strategy on February 3, 2026. An AI Strategy Task Force is now consulting on Canada’s next national AI strategy, signalling a shift from the abandoned legislative approach (AIDA) toward a policy- and investment-driven model.
The current federal government, under PM Mark Carney, has indicated it will regulate AI through privacy legislation, sector-specific policy, and investment rather than comprehensive AI-specific law. In May 2025, Canada appointed its first Minister responsible for Artificial Intelligence and Digital Innovation, Evan Solomon, underscoring that AI governance remains a federal priority despite the absence of binding legislation.
Implications
Organizations should not wait for Canadian AI legislation to implement governance structures. ISO/IEC 42001 provides the management system framework that satisfies international requirements now and will align with anticipated Canadian regulation. The consultation period also presents an opportunity for organizations to submit their perspectives on standards-based approaches to AI governance.
EU AI Act: August 2, 2026 Deadline for High-Risk AI Systems Approaching
The EU AI Act’s most significant enforcement milestone is now less than five months away. On August 2, 2026, comprehensive requirements for Annex III high-risk AI systems become enforceable, covering biometrics, critical infrastructure, education, employment, essential services, law enforcement, and migration.
Key obligations include risk management systems, data governance, technical documentation, transparency requirements, human oversight mechanisms, and cybersecurity measures. Penalties for non-compliance are severe: up to €35 million or 7% of worldwide turnover for prohibited practices, and up to €15 million or 3% for other infringements.
- Annex III high-risk systems span eight regulated domains
- Conformity assessment procedures and post-market monitoring become mandatory
- Member states must have designated national competent authorities
- The European Commission has missed its own deadline for guidance on high-risk classification
Implications
Canadian organizations that deploy AI systems in EU markets or process EU residents’ data face binding obligations regardless of Canada’s domestic regulatory timeline. ISO/IEC 42001 implementation provides a structured path to EU AI Act compliance, as the standard’s risk management and governance controls map directly to the Act’s requirements. Organizations should conduct an AI system inventory and classify systems against Annex III categories now.
NIST Cyber AI Profile: Draft Framework for Securing AI Systems Advances
The NIST National Cybersecurity Center of Excellence (NCCoE) is advancing its Cybersecurity Framework Profile for Artificial Intelligence (NISTIR 8596). The preliminary draft, published in December 2025, overlays three AI focus areas on CSF 2.0: Secure (protecting AI systems), Detect (AI-enabled cyber defence), and Thwart (countering AI-enabled attacks).
The Cyber AI Profile uses the existing voluntary CSF 2.0 and maps AI-specific considerations to its Functions, Categories, and Subcategories. Following a January 2026 workshop and public comment period, NIST plans to release the initial public draft later in 2026. This framework complements ISO 42001 by focusing specifically on the cybersecurity dimensions of AI.
Implications
Organizations implementing AI systems should monitor the Cyber AI Profile as it develops. The framework provides a practical crosswalk between AI governance (ISO 42001) and cybersecurity (ISO 27001, CSF 2.0), helping organizations build integrated control structures rather than managing AI and cybersecurity as separate domains. Early adopters who align their AI security practices with the draft profile will be well positioned when the final version is published.
Privacy Commissioner Finds Loblaw Violated PIPEDA on Data Retention Practices
The Office of the Privacy Commissioner of Canada (OPC) released PIPEDA Findings #2026-001, concluding that Loblaw Companies Ltd. contravened PIPEDA Principle 4.10 in its handling of PC Optimum Loyalty Program data. The investigation found that Loblaw took an unreasonable amount of time to address deletion requests and failed to respond to some privacy-related inquiries.
The investigation also raised concerns about Loblaw’s data anonymization practices. Upon account closure, Loblaw deletes personal identifiers but retains purchase transaction data, claiming it has been anonymized. The OPC found that Loblaw did not demonstrate sufficient steps to ensure the retained information could not be re-identified, a critical distinction under PIPEDA’s retention principle.
Implications
This finding establishes important precedent on data retention and anonymization. Organizations relying on anonymization as a basis for retaining data after deletion requests must be able to demonstrate that re-identification is not reasonably possible. ISO 27701 (Privacy Information Management) provides controls for managing data subject requests and retention policies. Organizations should audit their own deletion workflows and anonymization techniques against this finding.
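One concrete way to audit "identifiers deleted, transactions kept" is to measure whether the remaining columns still single people out. The following is an added example, not the OPC's method or Loblaw's code: it computes k-anonymity over a few constructed transaction rows, lists the rows that are unique on their quasi-identifiers (store, forward sortation area, purchase date), and then applies generalization and suppression to show what it takes before the retained data stops singling anyone out. The column names, the rows, and the choice of k=3 are all assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample of what a loyalty program might keep after an account is
# closed: the name, e-mail and card number are gone, the transaction rows remain.
# Every row here is invented for illustration; this is not Loblaw's data.
RETAINED_TRANSACTIONS = [
    {"store_id": "0412", "fsa": "M5V", "purchase_date": date(2025, 11, 3), "basket_total": 87.12},
    {"store_id": "0412", "fsa": "M5V", "purchase_date": date(2025, 11, 3), "basket_total": 42.50},
    {"store_id": "0412", "fsa": "M5V", "purchase_date": date(2025, 11, 10), "basket_total": 63.00},
    {"store_id": "0919", "fsa": "K1A", "purchase_date": date(2025, 11, 3), "basket_total": 120.99},
    {"store_id": "0919", "fsa": "K1A", "purchase_date": date(2025, 11, 17), "basket_total": 15.25},
    {"store_id": "0919", "fsa": "K1A", "purchase_date": date(2025, 11, 17), "basket_total": 19.75},
    {"store_id": "0777", "fsa": "V6B", "purchase_date": date(2025, 11, 28), "basket_total": 310.40},
]

# Columns that are not identifiers on their own but, combined, can be matched to a
# person using outside knowledge (a receipt, a social media post, a store's own logs).
QUASI_IDENTIFIERS = ["store_id", "fsa", "purchase_date"]


def _key(row, quasi_identifiers):
    return tuple(row[column] for column in quasi_identifiers)


def group_sizes(records, quasi_identifiers):
    """How many rows share each combination of quasi-identifier values."""
    return Counter(_key(row, quasi_identifiers) for row in records)


def k_anonymity(records, quasi_identifiers):
    """The k of the dataset: every row is indistinguishable from at least k-1 others.
    k == 1 means at least one row can be singled out."""
    sizes = group_sizes(records, quasi_identifiers)
    return min(sizes.values()) if sizes else 0


def singled_out(records, quasi_identifiers):
    """Rows whose quasi-identifier combination occurs exactly once."""
    sizes = group_sizes(records, quasi_identifiers)
    return [row for row in records if sizes[_key(row, quasi_identifiers)] == 1]


def generalize(records):
    """A common de-identification step: drop the store and coarsen the date to a month."""
    return [
        {
            "fsa": row["fsa"],
            "purchase_month": (row["purchase_date"].year, row["purchase_date"].month),
            "basket_total": row["basket_total"],
        }
        for row in records
    ]


def suppress_small_groups(records, quasi_identifiers, k_required):
    """Drop rows in any group smaller than k_required so the remainder is k-anonymous."""
    sizes = group_sizes(records, quasi_identifiers)
    return [row for row in records if sizes[_key(row, quasi_identifiers)] >= k_required]


def audit(records, quasi_identifiers, k_required=3):
    """Summarise re-identification exposure as retained, after generalization, and after suppression."""
    coarse = generalize(records)
    coarse_keys = ["fsa", "purchase_month"]
    kept = suppress_small_groups(coarse, coarse_keys, k_required)
    return {
        "k_as_retained": k_anonymity(records, quasi_identifiers),
        "rows_singled_out": len(singled_out(records, quasi_identifiers)),
        "k_after_generalization": k_anonymity(coarse, coarse_keys),
        "k_after_suppression": k_anonymity(kept, coarse_keys),
        "rows_dropped": len(records) - len(kept),
    }


if __name__ == "__main__":
    print(audit(RETAINED_TRANSACTIONS, QUASI_IDENTIFIERS))
```

On the sample rows the data as retained has k=1 with three rows unique on store, FSA and date; coarsening to FSA and month still leaves one unique row, and only suppressing that row gets the remainder to k=3. That is the shape of evidence the finding asks for: not an assertion that identifiers were removed, but a measurement that the rows left behind cannot be tied back to one person.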
ISO 27001:2022 Transition Complete: All Certifications Now Against the 2022 Edition
The 36-month transition period for ISO 27001:2022 has concluded. All ISO 27001:2013 certifications expired by October 31, 2025, meaning every certification audit conducted in 2026 is against the 2022 edition. Auditors are now focusing on how effectively controls reduce risk, not merely their presence.
The 2022 edition introduced the climate action amendment (Amendment 1, published February 2024), which requires organizations to consider whether environmental changes, including extreme weather events, are relevant to their information security context. This acknowledges that floods, fires, and supply chain disruptions can affect data availability and fall within ISMS scope. ISO 27701 has also been updated to function as a standalone management system, meaning organizations no longer need ISO 27001 certification as a prerequisite.
Implications
Organizations maintaining or pursuing ISO 27001 certification should ensure their risk assessments account for climate-related threats to information availability, as this is now an auditable requirement. The move toward continuous compliance and evidence of control effectiveness signals that auditors will expect more than documented policies; they will want demonstrable risk reduction. Organizations should also evaluate whether the standalone ISO 27701 certification path simplifies their privacy compliance strategy.
ISO 42001 Adoption Accelerating as EU AI Act Deadline Drives Demand
ISO/IEC 42001, the international standard for AI Management Systems (AIMS), is seeing accelerating adoption as the EU AI Act’s August 2026 enforcement deadline approaches. As the only certifiable international management system standard for AI, ISO 42001 provides organizations with a structured, auditable framework for managing AI-related risks and opportunities.
The standard includes 38 distinct controls covering risk management, AI system impact assessment, lifecycle management, and third-party supplier oversight. Its Plan-Do-Check-Act methodology aligns with ISO 27001 and ISO 9001, allowing organizations with existing management systems to integrate AI governance without building parallel structures.
Implications
Organizations deploying AI in regulated sectors or international markets should evaluate ISO 42001 certification as a strategic investment. The standard provides demonstrable governance that satisfies EU AI Act requirements, addresses the anticipated Canadian regulatory direction, and builds stakeholder confidence. Organizations already certified to ISO 27001 can leverage their existing ISMS infrastructure to accelerate ISO 42001 implementation through an integrated management system approach.
Canada Privacy Reform Expected Spring 2026: Stronger Enforcement Powers Anticipated
New federal privacy legislation is expected as early as spring 2026, replacing the failed Bill C-27, which died on the Order Paper when Parliament was prorogued in January 2025. Privacy reform is expected to emphasize rights-based protections, stronger enforcement powers for the Privacy Commissioner, and modernized consent rules aligned with international standards.
The Privacy Commissioner has outlined seven key provisions for the next comprehensive privacy bill, including the power to issue binding orders, impose administrative monetary fines, and conduct proactive audits. The current PIPEDA enforcement model, limited to an ombudsman role, is widely regarded as insufficient for the scale of modern data processing. Data sovereignty, open banking regulation, and AI-specific privacy requirements are also expected to feature in the new legislation.
Implications
Organizations should prepare for a materially stronger enforcement regime. Administrative monetary penalties, binding orders, and proactive audits would bring Canada closer to the GDPR enforcement model. Organizations that have implemented ISO 27701 (Privacy Information Management) or maintain robust PIPEDA compliance programs will be better positioned for the transition. Those relying on minimal compliance should begin strengthening their privacy management systems now.