What is Law 25?
Short answer: Law 25 (formerly Bill 64) is Quebec's personal information protection law. Progressively enacted since 2022, it imposes strict obligations on organizations that collect, use, or disclose personal information of Quebec residents.
Key obligations for 2026
Designating a privacy officer
Every organization must designate a person responsible for the protection of personal information and publish that person's contact information on its website.
Privacy Impact Assessment (PIA)
A PIA is mandatory before any project involving the collection, use, or disclosure of personal information, including projects using artificial intelligence.
Incident notification
In the event of a confidentiality incident presenting a serious risk of harm, the organization must notify the Commission d'accès à l'information (CAI) and affected individuals. The deadline is 72 hours after becoming aware of the incident.
Governance policy
Organizations must establish and publish policies and practices governing personal information, accessible on their website.
Penalties and fines
Penalties can reach $25 million or 4% of global revenue for the most serious violations. Administrative fines range from $15,000 to $10 million.
Recommended cybersecurity measures
Data encryption
Encrypt personal information at rest and in transit, using robust algorithms and protocols (AES-256, TLS 1.3).
Strict access control
Apply the principle of least privilege with mandatory multi-factor authentication (MFA) for all access to personal data.
Continuous monitoring
Deploy monitoring and anomaly detection tools to quickly identify any suspicious activity on systems containing personal data.
Regular penetration testing
Regularly validate the effectiveness of your security measures with penetration tests conducted by certified experts.
How ITCS Group can help
ITCS Group offers comprehensive support for Law 25 compliance: security audits, penetration testing, implementation of protective measures, and 24/7 incident response. Our unique expertise at the intersection of cybersecurity and cyber insurance allows us to offer protection tailored to the Canadian regulatory context.