AI Governance | February 28, 2026 | 6 min read

What Ontario's Bill 194 Means for Your Organization

Breaking down the Enhancing Digital Security and Trust Act in plain language.

Beth Andress

Digital Self Defence & AI Governance Educator

"This isn't future legislation. It's current law — and compliance timelines have already passed."

In November 2024, Ontario enacted Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act. Within it sits the Enhancing Digital Security and Trust Act (EDSTA), which establishes new legal requirements for how public sector organizations — including municipalities — handle AI, cybersecurity, and digital trust. Key provisions came into effect on January 29, 2025, with additional FIPPA amendments following on July 1, 2025.

EDSTA defines AI broadly, consistent with the OECD definition: a machine-based system that infers from input to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. This covers everything from ChatGPT and Copilot to automated decision-making systems, computer vision, and any emerging AI technology. If your organization uses any tool that fits this description, EDSTA applies.

The Act requires organizations to develop formal AI governance and risk management frameworks. This goes beyond simply having an AI use policy — it requires specific, documented policies about how AI systems are implemented, monitored, and managed. Organizations must maintain records of what AI systems they use, how they're deployed, and what safeguards are in place. This documentation requirement means that informal or ad hoc AI usage is no longer acceptable.

On the cybersecurity front, EDSTA mandates that organizations implement cybersecurity frameworks with authentication protocols, access controls, and encryption standards. Security awareness training programs must be established and maintained. Organizations must have documented cyber incident response plans ready to activate. The Information and Privacy Commissioner has been given expanded powers to review information and privacy practices, adding enforcement capability to these requirements.

The FIPPA amendments that took effect on July 1, 2025 added further obligations. Organizations must now conduct mandatory Privacy Impact Assessments before collecting personal information through new systems or processes. Privacy breaches must be reported to the IPC, and affected individuals must be notified. The IPC has also recommended that the government urgently amend MFIPPA to extend mandatory breach reporting requirements specifically to municipal institutions.

For organizations that haven't yet acted, the compliance gap is growing. The provisions are already in force, which means organizations operating without the required frameworks are already out of compliance. The question isn't whether to act — it's how quickly you can close the gap. Starting with an AI audit of current tool usage, developing acceptable use policies, implementing Privacy Impact Assessments, and establishing governance documentation are the foundational steps.

The organizations that have already begun this work are finding that governance doesn't slow down AI adoption — it makes it sustainable. Clear policies give staff confidence to use AI tools appropriately. Documentation protects the organization when questions arise. Training reduces the risk of incidents that could damage public trust. And a formal framework demonstrates to regulators, citizens, and stakeholders that your organization takes its digital responsibilities seriously.

Next Step

Need help building your EDSTA compliance framework? Let's talk.
