Regulación de IA en Canadá
Resumen ejecutivo
Why «Canada lost its AI regulatory moment» is the wrong reading
The most common framing of Canadian AI regulation describes a missed opportunity: AIDA was a serious attempt at federal AI legislation that died in committee, leaving Canada without a national AI framework while the EU AI Act, Council of Europe Convention, and US state AI laws moved forward. Canada is now portrayed as a regulatory laggard, scrambling to catch up, with industry groups arguing for less regulation and human rights groups arguing for more.
The framing captures the surface and misses the institutional logic. AIDA did not die from inattention or political accident. It died because the political consensus that produced it dissolved before it could be enacted, and the consensus that replaced it after the April 2025 federal election explicitly chose a different path. The Carney government’s stated approach is not regulatory delay. It is a strategic decision to prioritize AI sovereignty, compute infrastructure, and economic capture of AI value over horizontal regulatory framework, on the explicit reasoning that comprehensive regulation could disadvantage Canadian competitiveness in a phase when AI capability is still being established globally.
The dominant narrative misses three structural realities. First, Canada has invested more in state AI capacity than the AIDA debate suggested. The Canadian AI Safety Institute was launched in November 2024 as part of a CAD $2.4 billion AI investment package, including CAD $2 billion for sovereign compute infrastructure. CAISI now operates inside the international AISI network alongside UK, US, Japan, and EU counterparts. The AI evaluation capacity the federal government built is real and operational, even though the regulatory authority was never enacted. Second, Canadian provinces have been far from passive. Quebec’s Law 25 (2021), implemented in three phases through September 2024, includes substantive AI-relevant provisions on automated decision-making, privacy impact assessments, and consent that effectively function as Quebec’s AI baseline. The Quebec Innovation Council has explicitly recommended a province-specific AI law. Other provinces are watching closely. Third, the Voluntary Code of Conduct on Responsible Development and Management of Advanced Generative AI Systems is the substantive AI governance reference Canadian organizations actually use. Major Canadian AI developers and large corporate adopters have signed onto it; it has produced real compliance behavior change in the absence of statute.
What Canadian AI regulation actually is, then, is a post-AIDA institutional landscape built on three pillars: state AI capacity (CAISI, the Sovereign Compute Strategy), provincial regulation (especially Quebec Law 25), and voluntary federal frameworks (the Code of Conduct). The political question of whether to add a fourth pillar — a comprehensive federal AI statute, AIDA-style or otherwise — has been answered for now by the Carney government’s pivot to sovereignty-first. The answer may change. Canadian human rights groups, civil society, and several legal experts continue to argue that the absence of binding statute leaves significant categories of AI risk inadequately addressed. The political tension is real and unresolved.
For organizations operating in the Canadian AI market, the operational reality is that compliance work is multi-layered and standards-anchored: PIPEDA (federal privacy), Canadian Human Rights Act (federal anti-discrimination), provincial laws (Quebec Law 25 most material), the Voluntary Code of Conduct, sectoral regulation, and increasingly EU AI Act exposure for organizations with EU market activity. Standards-based assurance — particularly ISO/IEC 42001 and NIST AI RMF — has become the operational denominator that makes multi-layer compliance manageable.
—
What AIDA would have been
Understanding what AIDA proposed, and why it failed, is essential to understanding what comes next. AIDA had four substantive features that distinguished it from the EU AI Act and from the US patchwork.
Risk-based with a single threshold: «high-impact AI systems.» Unlike the EU AI Act’s four-tier classification, AIDA proposed a single regulated category — high-impact AI systems — with the specific definition to be developed through regulation after Royal Assent. The Champagne amendments of October 2023 attempted to address criticism that the high-impact definition was too vague by specifying categories: AI systems used in employment screening, content moderation, biometric processing, healthcare decisions, and law enforcement, among others.
The AI and Data Commissioner. AIDA would have created a federal-level AI and Data Commissioner with enforcement authority. The Commissioner would have had power to compel accountability frameworks, require AI system assessments, conduct or order audits, issue compliance orders, and impose administrative monetary penalties. This is a stronger enforcement architecture than the UK’s principles-based delegation to sectoral regulators, weaker than the EU AI Act’s coordination through national authorities and the EU AI Office.
Prohibitions and serious harm provisions. AIDA included specific prohibitions against AI uses likely to cause physical or psychological harm, property damage, or economic loss. The provisions overlapped substantially with EU AI Act unacceptable-risk prohibitions but were less specifically defined.
General-purpose AI provisions added by amendment. The Champagne amendments added general-purpose AI system provisions, recognizing that GPT-class models could not be adequately addressed through use-case-specific regulation alone. These provisions would have anticipated the EU AI Act’s General-Purpose AI obligations under Articles 50–55, though with fewer concrete requirements.
AIDA progressed through second reading in April 2023 and committee deliberation through 2024. Substantial criticism came from three directions: civil society and academic groups argued the law inadequately protected fundamental rights and lacked independent regulatory oversight; industry groups argued it would create regulatory uncertainty and disadvantage Canadian competitiveness; technical experts argued the high-impact definition was too vague to operationalize. The Standing Committee on Industry and Technology was working through amendments when Prime Minister Trudeau resigned and prorogued Parliament in January 2025. Bill C-27, including AIDA, died on the Order Paper.
The April 2025 federal election produced a Liberal minority government under Mark Carney. AI Minister Evan Solomon confirmed in June 2025 that AIDA would not return as drafted; only fragments might survive in any future AI framework. The Carney government’s approach, articulated as «light, tight, right,» pivots away from comprehensive horizontal regulation toward targeted intervention plus AI sovereignty investment.
—
What is in force now: the post-AIDA landscape
With no federal AI statute, Canadian organizations operate within a multi-layer compliance environment. Six elements anchor the current regime.
The Voluntary Code of Conduct on Responsible Development and Management of Advanced Generative AI Systems. Released by the federal government in September 2023. Voluntary framework targeting developers and managers of advanced generative AI systems. Six principles: accountability, safety, fairness, transparency, human oversight, and robustness. Signatories include major Canadian AI labs and corporate adopters. The Code is the substantive federal AI governance reference in the absence of statute. Compliance with the Code does not provide formal legal protection but does shape regulator and counterparty expectations.
PIPEDA and federal privacy law. The Personal Information Protection and Electronic Documents Act (2000) remains Canada’s federal private-sector privacy law. PIPEDA applies to AI systems that process personal information, with the Office of the Privacy Commissioner of Canada (OPC) issuing guidance on AI specifically. The OPC has consistently interpreted PIPEDA to require meaningful consent, purpose limitation, and accountability for AI processing, providing de facto AI privacy regulation in the absence of dedicated statute. The Consumer Privacy Protection Act (CPPA) that would have replaced PIPEDA was part of Bill C-27 and died with AIDA.
The Canadian Human Rights Act and provincial human rights statutes. Federal and provincial human rights law applies to AI systems used in employment, services, and accommodation. Discriminatory outcomes from AI systems are actionable under existing anti-discrimination law regardless of AIDA’s status. The Canadian Human Rights Commission has indicated active monitoring of AI in employment and federally regulated services.
Quebec Law 25. Act to modernize legislative provisions as regards the protection of personal information, passed September 2021, implemented in three phases (September 2022, September 2023, September 2024). Substantive AI-relevant provisions include: right to be informed when an automated decision system is used, right to obtain explanations of automated decisions, mandatory privacy impact assessments before deploying technology projects affecting personal information, mandatory consent for sensitive personal information processing. Law 25 is currently the most operationally significant AI-relevant statute in Canada. It applies to all organizations doing business in Quebec, regardless of headquarters location.
Sectoral federal regulation. AI use cases in financial services (OSFI guidance), healthcare (Health Canada AI medical device framework), telecommunications (CRTC), and other regulated sectors are addressed under existing sectoral statute. The Office of the Superintendent of Financial Institutions (OSFI) has issued guidance on AI/ML model risk management; Health Canada applies medical device frameworks to AI-as-Software-as-Medical-Device.
The Canadian AI Safety Institute (CAISI). Launched 12 November 2024 as part of the CAD $2.4 billion federal AI investment. Operates inside the international AISI network. Conducts technical evaluation of frontier AI models, alignment research, and societal risk assessment. Like UK AISI, US AISI, and Japan AISI, CAISI does not have enforcement powers; it is a state technical capability rather than a regulator. The federal government has committed CAD $2 billion to the Canadian AI Sovereign Compute Strategy and AI Compute Access Fund, building domestic compute infrastructure for Canadian AI development.
—
The Carney government’s pivot to AI sovereignty
The most operationally significant development for Canadian AI policy since the April 2025 federal election has been the Carney government’s articulated pivot from regulation-first to sovereignty-first. Three elements define the pivot.
Compute and infrastructure investment. The Sovereign Compute Strategy commitments — CAD $2 billion for sovereign compute, CAD $700 million for the AI ecosystem — represent the largest federal AI investment in Canadian history. The strategic premise is that AI sovereignty depends on domestic compute capacity, AI talent, and AI ecosystem health, not on regulatory framework alone. The investment is being deployed through Innovation, Science and Economic Development Canada and partner programs.
Skepticism of comprehensive regulation. AI Minister Evan Solomon has been explicit that the government wants to move «away from over-indexing on warnings and regulation» to ensure the economy benefits from AI. The framing aligns Canada with US dominance-first orientation more than with EU comprehensive regulation, while preserving distinctively Canadian elements (CAISI, sovereign compute, Indigenous data sovereignty considerations, Quebec Law 25’s continued force).
Selective regulatory development. The «light, tight, right» approach signals targeted intervention — likely on copyright in AI training, on the most powerful frontier models, and on specific high-risk use cases — rather than horizontal AIDA-style framework. This mirrors the UK government’s narrowing from comprehensive AI bill to a Frontier AI Bill plus copyright legislation, with similar political logic.
The political tension is real and unresolved. The Canadian Centre for Policy Alternatives, civil liberties groups, and human rights organizations have argued that the sovereignty-first pivot leaves Canadian AI subjects without binding protection. The 3 February 2026 ISED «national sprint» report acknowledged many of these concerns: privacy, safety, transparency, accountability, governance gaps. Whether the Carney government will respond with new statute, expanded sectoral regulation, or continued reliance on the voluntary framework is the principal unresolved question for Canadian AI policy through 2026.
—
Provincial regulation and Quebec Law 25
In the absence of federal AI statute, provincial regulation has become disproportionately important, and Quebec is the most significant case.
Quebec Law 25 is operationally the closest thing Canada has to AI-specific regulation, despite being framed as privacy legislation. The Act’s provisions on automated decision-making include:
- Right to be informed when an organization uses personal information to render a decision based exclusively on automated processing
- Right to explanations of the principal personal information used in such automated decisions
- Right to opportunity to submit observations to a person who has authority to review the automated decision
- Privacy impact assessments mandatory before deploying technology projects involving personal information processing — including AI deployments
- Consent for sensitive personal information processing, including biometric data
Quebec’s Commission d’accès à l’information (CAI) has authority to issue penalties up to CAD $25 million or 4% of global turnover for serious violations. The penalty structure is comparable to GDPR.
Law 25 applies to all organizations doing business in Quebec regardless of headquarters location. A US AI vendor selling to a Quebec-based customer is subject to Law 25 obligations on the customer’s processing. A federally regulated bank operating in Quebec applies both PIPEDA and Law 25 simultaneously. The compliance work overlaps substantially with EU AI Act and GDPR, which is why many Canadian organizations have adopted GDPR-level practices as the operational baseline.
The Quebec Innovation Council has recommended that Quebec adopt a province-specific AI law beyond Law 25. The recommendation has not been acted on as of May 2026, but it signals provincial willingness to legislate where the federal level has not.
Other provinces. Ontario, British Columbia, and Alberta have not enacted province-specific AI legislation as of May 2026, though all three have provincial privacy law (PIPA in BC and Alberta, FIPPA and PHIPA in Ontario for public sector and health) that applies to AI use cases. Provincial legislators have been watching the federal AIDA experience closely; the Carney pivot to sovereignty-first may slow provincial appetite for AI-specific legislation.
—
The Canadian AI Safety Institute (CAISI)
CAISI is the institutional mirror of the UK and US AI Safety Institutes within the broader international AISI network. Understanding what CAISI is and is not matters for Canadian AI organizations.
What it is. A federal technical capability for AI safety research and frontier model evaluation, established within Innovation, Science and Economic Development Canada. CAISI conducts research on frontier AI capability, alignment, security risks, and societal risk assessment. It has formal coordination relationships with UK AISI, US AISI, Japan AISI, and the EU AI Office, contributing to the international AISI network that emerged from the Bletchley and Seoul Safety Summits.
What it is not. A regulator. CAISI has no enforcement authority, no power to compel evaluation submissions, and no ability to prohibit deployment. Its operating model is voluntary cooperation with Canadian AI developers and frontier model providers, supplemented by federal funding for AI safety research, similar to UK AISI’s pre-Frontier-AI-Bill posture.
Strategic role. CAISI is the technical anchor of the Carney government’s sovereignty-first approach. State AI capacity — the ability to evaluate, understand, and respond to frontier AI risk — is treated as more important than regulatory framework. The premise is that Canada needs to build technical understanding before legislating, in much the same way the UK has done. The premise is contested by civil society groups, who argue that voluntary cooperation and technical research do not substitute for binding rights protection.
—
Intersections with other regimes
Five intersections shape how Canadian AI regulation operates within the broader international architecture.
Council of Europe Framework Convention on AI. Canada was an initial signatory on 5 September 2024. The Convention entered into force on 1 November 2025. Canadian ratification has not occurred and has not been politically prioritized by the Carney government. Convention obligations apply to Canada as signatory; their domestic implementation depends on either ratification or treaty-aligned domestic statute, neither of which is currently scheduled.
G7 Hiroshima Process. Canada is G7 member, holds the 2025 G7 Presidency, and has supported expansion of the Hiroshima Code of Conduct and the OECD-hosted Reporting Framework. Canadian frontier AI developers (Cohere, AI21, others) are direct addressees of the Hiroshima Code of Conduct and engage with the Reporting Framework.
EU AI Act. Canadian AI providers placing systems on the EU market are subject to the AI Act regardless of Canadian regulatory status. Major Canadian AI vendors operating in EU markets satisfy both regimes. The asymmetry — comprehensive EU regulation, voluntary Canadian framework — creates compliance translation work that organizations active in both markets manage through standards-based programs.
US AI architecture. Canada and the US share trade flows, talent flows, and AI ecosystem integration. The Carney government’s sovereignty-first pivot aligns Canada more closely with US dominance-first orientation than with EU regulation. The bilateral CUSMA framework continues to govern most cross-border AI trade. US AI executive orders and state AI laws (Colorado AI Act, NYC LL144) apply to Canadian organizations to the extent their AI systems are used in US territory.
International AI Safety Institute network. CAISI is an active member of the international AISI network, contributing to coordinated frontier AI evaluation alongside UK, US, Japan, and EU counterparts. The network operates through informal coordination rather than treaty obligation, but its technical work increasingly shapes how Canadian AI safety policy develops.
—
## ⚖️ How Zertia operates within the Canadian AI regulatory regime
Built for Canadian AI compliance from day one
Accreditations and memberships: 🎖️ ANAB-accredited (US) · 🎖️ UKAS process (UK) · 🎖️ ENAC process (EU) · 🏛️ IAPP member · 🏛️ INCITS member · 🏛️ UKAI member · 📜 EU AI Pact signatory
Zertia is an ANAB-accredited AI management system certification body, with offices in Boston, Madrid, and London. Canada’s post-AIDA multi-layer compliance environment — PIPEDA, Canadian Human Rights Act, Quebec Law 25, Voluntary Code of Conduct, sectoral regulation, EU AI Act exposure — makes accredited certification and standards-based assurance the operational denominator that organizations need to manage compliance across layers.
Certification — ISO/IEC 42001, AIUC-1, ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 22301. ISO/IEC 42001 certification provides the management system structure that integrates PIPEDA AI processing obligations, Quebec Law 25 automated decision-making provisions, Voluntary Code of Conduct alignment, sectoral regulator expectations, and EU AI Act compliance for organizations with EU exposure. The same management system supports the structured AI safety engagement that CAISI evaluates voluntarily for frontier-adjacent organizations. AIUC-1 provides agent-level technical assurance for Canadian AI vendors deploying agents into procurement environments where multiple compliance layers apply simultaneously.
Regulatory frameworks — EU AI Act Conformity Assessment, NIST AI RMF Attestation, ISO/IEC 23894 Risk Assessment, Algorithmic Impact Assessment, Pre-Certification Assessment. Algorithmic Impact Assessments are structured to satisfy Quebec Law 25 privacy impact assessment obligations on automated decision-making systems, alongside PIPEDA accountability requirements, Voluntary Code of Conduct transparency commitments, and EU AI Act high-risk system evaluation needs.
Audit — AI Management System audits, High-Risk AI System audits, AI Model audits, EU AI Act audits, NIST AI risk audits. Independent audits structured to support the multi-layer Canadian compliance environment, the Voluntary Code of Conduct, sectoral regulator engagement (OSFI, Health Canada), CAISI voluntary evaluation engagement for frontier-adjacent organizations, and EU AI Act compliance for Canadian firms with EU market exposure.
Training — AI Governance, Data Governance, Privacy Governance through Zertia Academy. Programmes treat the Canadian regime explicitly, including the post-AIDA institutional landscape, the Quebec Law 25 operational baseline, the Carney government’s sovereignty-first pivot, the Voluntary Code of Conduct, and the practical implications of operating across federal, Quebec, and EU/US regulatory layers simultaneously. Particularly relevant for legal, compliance, and risk teams in Canadian financial services, healthcare, AI-native vendors, and federally regulated sectors.
Zertia operates from Boston, Madrid, and London, with ANAB accreditation in the United States and active accreditation processes with UKAS (United Kingdom) and ENAC (Spain/EU). Member of IAPP, INCITS, and UKAI. Signatory to the EU AI Pact.
🎯 Take action
🔍 Diagnose your gap 📊 Build the assurance backbone Pre-Certification Assessment → ISO/IEC 42001 Certification → Independent diagnosis against the Voluntary Code of Conduct, OPC AI principles, OSFI E-23, and federal Directive on Automated Decision-Making expectations. The accredited management system that operationalises Canadian AI governance into a defensible backbone irrespective of whether AIDA or successor legislation enters into force.
—
Regulación que entiendes es regulación que puedes convertir en ventaja competitiva.
¿No estás seguro de si este marco aplica a tu organización? Hablemos.
