
Does Bill 194 apply to Ontario municipalities? The short answer — and what July 1, 2026 actually means

If you’re a clerk, CAO, or FOI coordinator in an Ontario municipality, you have probably seen headlines like “Bill 194 takes effect July 1” and “New public-sector cybersecurity obligations coming in 2026.” You may have been asked by council or a department head whether your municipality is ready. You may have been forwarded a law firm alert by a colleague who wasn’t sure either.


Bill 194 is two statutes in one

Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024 (SO 2024, c. 24), received Royal Assent on November 25, 2024. It contains two schedules, and most of the municipal confusion stems from treating them as a single package.

Schedule 1 enacts a brand new act — the Enhancing Digital Security and Trust Act, 2024 (EDSTA). EDSTA is a framework statute covering cyber security, artificial intelligence systems, and digital technology affecting individuals under 18.

Schedule 2 amends an existing statute — the Freedom of Information and Protection of Privacy Act (FIPPA). The Schedule 2 amendments added a mandatory privacy impact assessment requirement, new breach notification rules, and expanded powers for the IPC.

The two schedules have different subject matter, different timelines, and different scopes. They need to be considered separately.

Schedule 2 (the FIPPA amendments) already took effect — and does not cover municipalities

The Schedule 2 FIPPA amendments are not a future event. They are already in force, with the main substantive amendments — including the mandatory privacy impact assessment requirement — in force on July 1, 2025.

The new PIA requirement lives in FIPPA section 38(3), amended by 2024, c. 24, Sched. 2, s. 4(1). It provides that “unless the regulations provide otherwise, before collecting personal information, the head of an institution shall ensure that a written assessment is prepared” covering a prescribed list of items: the purpose, the legal authority, the types of personal information, the sources, the positions with access, any limitations, retention, and the safeguards in place.

That amendment is located in FIPPA, not in MFIPPA. It applies to FIPPA institutions: provincial ministries, most provincial agencies, universities, and similar bodies that fall within the definition of “institution” in FIPPA section 2(1). It does not apply to MFIPPA institutions. The IPC’s own FAQ on Schedule 2 of Bill 194 is explicit on this point:

Schedule 2 of Bill 194 did not include equivalent updates to the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). While FIPPA’s new provisions do not currently apply to MFIPPA institutions, many of the new provisions reflect basic privacy practices that MFIPPA institutions should also follow. These practices help MFIPPA institutions protect individuals’ privacy, reduce risk, comply with other existing requirements, and maintain public trust.

The same IPC FAQ confirms that Schedule 2’s housekeeping, whistleblower, and joint investigation amendments came into force on January 29, 2025, with all remaining amendments (including the mandatory PIA requirement) in force on July 1, 2025.

In practical terms: your municipality is an MFIPPA institution, not a FIPPA institution, and the mandatory PIA rule in Schedule 2 is directed at provincial institutions. The same is true for municipal police services boards, public library boards, and school boards — all MFIPPA institutions, all outside the new statutory PIA mandate under Bill 194.

That does not make PIAs irrelevant to your municipality. The IPC’s Planning for Success: Privacy Impact Assessment Guide for Ontario’s public institutions is written to be useful for both FIPPA and MFIPPA institutions, and the IPC recommends that MFIPPA institutions conduct PIAs voluntarily using the same methodology. A voluntary PIA on a new system or program that handles personal information is one of the most useful privacy-practice upgrades most municipalities can make this year. It just is not a legal requirement under Bill 194.

Schedule 1 (EDSTA) is in force — but its operative obligations depend on regulations

EDSTA is the part of Bill 194 that has been generating cyber security headlines. Unlike Schedule 2, EDSTA is a framework statute. Its operative sections repeatedly condition obligations on “such public sector entities as may be prescribed,” which means the actual binding requirements live in regulations rather than in the statute itself.

The e-Laws consolidation record for EDSTA shows the act came into force on January 29, 2025 (the current consolidation period begins on that date; the prior period runs from Royal Assent on November 25, 2024 to January 28, 2025). The statute is on the books, but, on its own, it does not require any public sector entity to do anything. That changes only when regulations are made under it.

EDSTA’s statutory definition of “public sector entity” in Schedule 1, section 1(1) is broad:

“‘public sector entity’ means, (a) an institution within the meaning of subsection 2(1) of the Freedom of Information and Protection of Privacy Act, (b) an institution within the meaning of subsection 2(1) of the Municipal Freedom of Information and Protection of Privacy Act, (c) a children’s aid society, and (d) a school board.”

Ontario municipalities are MFIPPA institutions, so they fall within clause (b). Read on its own, that suggests EDSTA’s future cyber security rules could apply to your municipality. That reading is half right. The statute’s scope includes municipalities, but a municipality is only subject to a specific obligation if the regulations prescribe it for that obligation — or if the Minister issues a directive under section 4, which is the more flexible route worth knowing about.

The Minister’s directive power: a scope mechanism that does not require a regulation

EDSTA section 4 gives the Minister of Public and Business Service Delivery and Procurement a second tool alongside the regulation-making power in section 2. Section 4(1) reads: “The Minister may issue directives to public sector entities respecting cyber security.” Section 4(2) adds that a directive “may be general or particular in its application, and may provide for different classes or categories.” Section 4(4) provides that “a public sector entity to whom a directive is issued shall comply with the directive.”

The important nuance here is what section 4 does not say. Sections 2 and 3 of EDSTA both condition obligations on “such public sector entities as may be prescribed” — which means those obligations only apply to entities a regulation has specifically named. Section 4 contains no such “prescribed” qualifier. On its face, the Minister’s directive power reaches any “public sector entity” within the section 1(1) definition, which includes MFIPPA institutions and therefore Ontario municipalities.

As of this writing, we have not identified any publicly-issued EDSTA directive targeting Ontario municipalities. Directives are not subject to Part III (Regulations) of the Legislation Act, 2006 under section 4(3), which means they fall outside the normal regulation-filing regime and the primary public channel for them is whatever the Minister or the Ministry chooses to publish. The power exists, it does not require an amendment to O. Reg. 51/26 to exercise, and it is more flexible than the regulation-making power in section 2. In practical terms: this is the scope mechanism most likely to extend cyber security obligations to municipalities quickly, if and when the government decides to extend them. It is worth a flag on your watchlist even though nothing visible has happened yet.

O. Reg. 51/26 and O. Reg. 52/26: the July 1, 2026 regulations

On March 23, 2026, two regulations were filed under EDSTA. Both come into force on July 1, 2026. Both carry an e-Laws header note reading “THIS REGULATION IS NOT YET IN FORCE. It comes into force on July 1, 2026.” This is the actual source of the “July 1, 2026” date that has been circulating.

O. Reg. 51/26 — Cyber Security

O. Reg. 51/26 (Cyber Security) is made under EDSTA. Section 2 of the regulation identifies the prescribed public sector entities directly:

“The following public sector entities are prescribed for the purpose of section 2 of the Act:

  1. An educational institution as defined in subsection 2(1) of the Freedom of Information and Protection of Privacy Act.
  2. A public hospital graded as a Group A, B or C hospital under the Public Hospitals Act.
  3. The University of Ottawa Heart Institute.
  4. A children’s aid society.
  5. A school board.”

The obligations that attach to a prescribed entity are specific. Each entity must designate a senior management primary point of contact (and an alternate) with decision-making authority for cyber security, who is responsible for communicating with the Ministry and approving summaries of the entity’s cyber security maturity assessments (section 4). The entity must complete an initial cyber security maturity assessment within one year of the regulation first applying, and then a further assessment within each subsequent two-year period (section 5). Within 30 business days of completing an assessment, the entity must submit a summary to the Chief Information Security Officer of the Ministry covering the method used, the framework applied, a maturity score, and any identified areas for improvement (section 6). Where a “critical cyber security incident” occurs — defined as one that impacts the confidentiality, integrity, or availability of the entity’s digital information or infrastructure and meets one of four criteria including significant adverse impact to public services, risk to public safety, significant recovery effort, or significant reputational risk — the entity must report it to the Ministry as soon as reasonably practical, and in any event no later than 72 hours after confirmation (section 7). Section 7(5) makes clear that the regulation’s reporting obligations do not displace any other legal obligations the entity may have, including under FIPPA.

Notably absent from the prescribed-entity list: municipalities, local boards, and municipal services corporations. The first round of EDSTA cyber security rules focuses on the education, health, and child welfare sectors. Municipalities remain within EDSTA’s statutory scope under clause (b) of the section 1(1) definition, but they are not prescribed under section 2 of O. Reg. 51/26.

O. Reg. 52/26 — Digital Technology Affecting Individuals Under Age 18

O. Reg. 52/26 (Digital Technology Affecting Individuals Under Age 18) is also made under EDSTA, and it takes a much narrower approach. Section 2 of the regulation simply provides: “Every school board is a prescribed school board for the purposes of section 9 of the Act.” The regulation applies to school boards and no one else, despite EDSTA’s statutory authorization extending to children’s aid societies as well.

The substantive rule in the regulation is a notice requirement. When a school board discloses a student’s personal digital information (defined in section 1 as personal information within the meaning of MFIPPA section 2(1) that is in a digital format) to a third-party owner or operator of a software application, the school board must provide notice. For students under 16, notice goes to a parent or guardian (section 4). For students aged 16 or 17, notice goes to the student directly (section 5). The notice must include the specific data elements being disclosed, the legal authority, the purpose, the name of the software application and its operator, contact information for someone at the school board who can answer questions, and a statement of the individual’s rights.

Municipalities are not prescribed under O. Reg. 52/26. It is a school-board-only regulation.

Artificial intelligence: no regulation yet

EDSTA authorizes the Lieutenant Governor in Council and the Minister to make regulations governing the use of artificial intelligence systems by public sector entities (Schedule 1, sections 5 through 8). As of the regulations filed on March 23, 2026, no AI regulation has been made under EDSTA. When one is eventually filed, it will likely impose requirements along the lines of section 5: providing information to the public about AI use, developing and implementing an accountability framework, taking prescribed risk-management steps, and ensuring human oversight in prescribed circumstances. But until that regulation exists, none of those obligations is binding.

What this means for your municipality

On Schedule 2 and mandatory privacy impact assessments: Bill 194 does not require your municipality to conduct PIAs. You should still consider doing so voluntarily on a new system, program, or vendor relationship that involves personal information — particularly where the program touches a population with heightened privacy interests, or where you are procuring a third-party software product. The IPC’s Planning for Success guide is the framework to use. A voluntary PIA is how you get ahead of where Ontario privacy law is moving, and it is also how you build the kind of documented decision-making record that protects your municipality when something goes wrong.

On EDSTA cyber security: your municipality is not a prescribed entity under O. Reg. 51/26. The specific obligations — the designated contact, the maturity assessment, the 30-business-day summary, the 72-hour incident report — do not apply to municipalities on July 1, 2026. That said, EDSTA’s statutory scope already covers MFIPPA institutions, the obligations the regulation creates for school boards and hospitals are a reasonable baseline for any public sector organization, and municipal ransomware incidents are a real and growing operational risk. If your municipality does not already have a designated senior cyber security contact, a written incident response plan, and a periodic maturity assessment, building those this year is sensible regardless of whether any regulation currently names you.

On artificial intelligence: EDSTA authorizes AI regulations that could extend to MFIPPA institutions, but none has been filed. If your municipality is procuring or building an AI system that touches residents in any way — permit intake, chatbot services, translation, decision support — talk to your solicitor about what an accountability framework and risk-management documentation would look like now, so that whatever the first AI regulation requires, you are not starting from zero.

Practical next steps

Three things worth doing this quarter:

  1. Document your current PIA practice. If your FOI coordinator or clerk cannot answer, on demand, “who at our municipality decides when a PIA is needed, and where is that decision documented?” — that is the first gap to close. You do not need a new policy. You need a short written procedure that names a responsible person and describes what record gets kept.
  2. Inventory your personal-information systems. List the systems and programs where your municipality collects, stores, or shares personal information about residents, employees, or third parties. This is the prerequisite for any voluntary PIA, and it is likely to be the basis for any future EDSTA regulation that names municipalities.
  3. Name a senior cyber security contact. Even if no regulation requires it. Put the assignment in writing, and make sure that person has a reporting relationship to council or the CAO. If EDSTA’s prescribed-entity list is later extended to municipalities, you will start from a position of readiness rather than scrambling.

When to watch for changes

Bill 194 is enacted. EDSTA is in force. The scope of EDSTA’s operative obligations is set by regulation and by ministerial directive — and both mechanisms can extend to municipalities without new legislation. The first-round regulations do not prescribe municipalities, but that can change. Signals to watch for include a new consultation on the Ontario Regulatory Registry proposing to prescribe additional public sector entities under EDSTA, a new regulation filed directly to e-Laws under the EDSTA “Regulations under this Act” listing, any directive issued by the Minister under EDSTA section 4 (which does not need to be laid out in a regulation and is not subject to the Legislation Act’s regulation-publication regime), updates in AMO’s Watchfile or the IPC’s What’s New page, and any alerts from your solicitor. A prudent approach is to monitor the EDSTA regulation listing directly every two to four weeks and to ask your solicitor or AMO contact to flag any ministerial directive activity, rather than relying on any single intermediary.

Until something changes in the regulations, the answer to “does Bill 194 apply to our municipality?” is: not in any way that requires action by July 1, 2026 — but the direction of travel is clear, and voluntary alignment with the IPC’s current guidance is the best use of the runway.


Cedar Meridian builds compliance software for Ontario municipalities. Our Staff Compliance Manager gives clerks, CAOs, and HR leads an audit-ready record of policy acknowledgements, training completion, and procedural attestations — the kind of evidence that voluntary cyber security and privacy-practice upgrades depend on. If you would like to see how it fits into a municipal readiness plan, get in touch.

Frequently asked questions

Does Bill 194 require Ontario municipalities to complete Privacy Impact Assessments?
No. The mandatory Privacy Impact Assessment requirement was added by Schedule 2 of Bill 194 to the provincial Freedom of Information and Protection of Privacy Act (FIPPA), in FIPPA section 38(3). That amendment is located in FIPPA, not in the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), and it applies only to FIPPA institutions — provincial ministries, most provincial agencies, and similar bodies. Ontario municipalities are MFIPPA institutions, so the mandatory PIA rule does not apply to them. The Information and Privacy Commissioner of Ontario recommends that MFIPPA institutions conduct PIAs voluntarily using the same guidance, but this is not a legal requirement under Bill 194.

Is July 1, 2026 a compliance deadline for Ontario municipalities?
Not currently. July 1, 2026 is the in-force date for two regulations filed on March 23, 2026 under the Enhancing Digital Security and Trust Act, 2024 (Schedule 1 of Bill 194): O. Reg. 51/26 on cyber security and O. Reg. 52/26 on digital technology affecting individuals under age 18. Neither regulation prescribes municipalities as an entity to which its obligations apply. O. Reg. 51/26 prescribes educational institutions, Group A/B/C public hospitals, the University of Ottawa Heart Institute, children's aid societies, and school boards. O. Reg. 52/26 applies only to school boards.

Is my municipality a prescribed entity under O. Reg. 51/26?
No. Section 2 of O. Reg. 51/26 lists five categories of prescribed public sector entities: educational institutions as defined in FIPPA section 2(1), Group A, B or C public hospitals under the Public Hospitals Act, the University of Ottawa Heart Institute specifically, children's aid societies, and school boards. Municipalities, local boards, and municipal services corporations are not on the list. This can change — the Lieutenant Governor in Council can amend the regulation to prescribe additional entities without new legislation — so it is worth monitoring the EDSTA regulation listing on e-Laws.

Does Bill 194 give the Minister power to impose cyber security obligations directly on municipalities?
Potentially, yes, via EDSTA section 4 directives. Section 4 of the Enhancing Digital Security and Trust Act, 2024 authorizes the Minister of Public and Business Service Delivery and Procurement to issue directives to public sector entities respecting cyber security. Unlike the regulations under EDSTA section 2, which apply only to prescribed entities, section 4 directives are not limited to prescribed entities — they can target any public sector entity within EDSTA's statutory definition, which includes MFIPPA institutions (and therefore municipalities). We have not identified any publicly-issued EDSTA directive targeting municipalities as of this writing, but the power exists and does not require an amendment to O. Reg. 51/26 to be exercised.