Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Ontario non-profits hold donor records, client health information, and payroll data that attackers want, and the province has just put public-sector cybersecurity into law with Bill 194. Most non-profit leaders I talk to assume the new rules apply to them. For the large majority of registered charities and community organizations, they do not.
The honest answer matters here. Acting on a law that does not bind you wastes money you do not have, and ignoring the funder requirements that actually do bind you creates real risk.
This guide gives you the straight answer on whether Bill 194 covers your organization, how to check, and how Fusion Computing helps non-profits fund a security baseline whether the law applies or not.
Key Takeaways
- Bill 194’s cyber duties flow from O. Reg. 51/26, which comes into force July 1, 2026 and applies to a named list of public-sector entities, not to non-profits broadly.
- Children’s aid societies are the one clearly covered non-profit-type entity. Most charities, foundations, and associations are not covered.
- Bill 194 is Ontario public-sector law. It is separate from federal Bill C-8, which targets critical-infrastructure sectors.
- Even when the law does not apply, funders and grant agreements increasingly require a documented security baseline.
- Fusion Computing funds that baseline through TechSoup, non-profit licensing, and targeted grants so the cost stays inside a budgetable flat fee.
Does Bill 194 apply to my non-profit?
According to the Legislative Assembly of Ontario (2024), Bill 194 received Royal Assent on November 25, 2024, and its cyber-security duties operate through O. Reg. 51/26, which comes into force July 1, 2026. That regulation applies to a defined list of prescribed public-sector entities. Typical registered charities and community non-profits are not on that list.
For most non-profit organizations in Ontario, the answer is no. Bill 194 does not impose cyber-security obligations on you. The exception is the small set of non-profit-type bodies that the regulation names directly, which I cover in the next section. If your organization is a private charity, a foundation, or a membership association, the law almost certainly leaves you outside its scope.
Which organizations Bill 194 actually covers
According to Borden Ladner Gervais (2026), O. Reg. 51/26 names prescribed public-sector entities including colleges, universities, most public hospitals, school boards, and children’s aid societies. Municipalities are not on that list. Children’s aid societies are the one clearly covered entity that many people think of as a non-profit, because they deliver publicly funded social services.
So if you run a children’s aid society, or a publicly funded health or education body that the regulation names, you are in scope and the compliance clock is running. Everyone else (the community food bank, the arts charity, the advocacy group, the private foundation) sits outside the regulation. The table below shows where the line falls.
| Organization type | Covered by Bill 194 cyber rules? | Why |
|---|---|---|
| Children’s aid society | Yes | Named as a prescribed entity in O. Reg. 51/26 |
| Public hospital, school board, college, university | Yes | Prescribed public-sector entities |
| Registered charity or foundation | No | Not a prescribed entity |
| Community non-profit or association | No | Not a prescribed entity |
| Municipality | No | Not named in the cyber regulation |
How to check whether your non-profit is in scope
According to the Information and Privacy Commissioner of Ontario (2026), the cyber obligations attach to entities prescribed in regulation, and prescribed institutions must run a cyber-security maturity assessment with the first one due July 1, 2027 and every two years after. If your organization is not named in O. Reg. 51/26, none of those duties land on you.
The practical test runs in three steps. First, check whether your organization is a children’s aid society or a publicly funded health or education body named in the regulation. Second, check whether a government funder or contract has written the regulation’s standard into your agreement. Third, document the answer so your board has a record of the decision.
Bill 194 versus Bill C-8
According to the Legislative Assembly of Ontario (2024), Bill 194 is provincial law aimed at Ontario public-sector institutions. Federal Bill C-8 is a separate piece of legislation aimed at federally regulated critical-infrastructure sectors such as telecommunications, banking, transport, and energy. The two are easy to confuse and apply to different organizations.
For a non-profit, neither one is likely to apply directly. Bill 194 covers prescribed Ontario public-sector entities. Bill C-8 covers federally regulated critical sectors. A charity or community group typically falls under neither, though privacy laws such as PIPEDA and PHIPA still govern how you handle personal and health information.
If you are not covered, a baseline still matters
According to Public Safety Canada (2025), federal cyber funding programs explicitly back the resilience of non-profit organizations and the communities they serve. That tells you something. Funders treat a security baseline as table stakes, even for organizations that no statute compels.
In practice, the pressure reaches non-profits through their funders, not through Bill 194. Grant agreements, insurance applications, and partnership contracts increasingly ask for multifactor authentication, managed backups, staff training, and a written incident plan. Fusion Computing builds that baseline against the CIS Controls v8.1 framework so it maps cleanly to whatever a funder asks for next.
Funding the work without raiding the mission
According to the Government of Ontario (2024), the statute behind Bill 194 is built around assessment, reporting, and governance duties, all of which carry a cost. For covered entities that cost is unavoidable. For non-profits the question is different. How do you reach a credible security baseline when no one funded it?
This is the part I care most about. Non-profits get handed security expectations with no budget to meet them, and that money comes straight out of the mission.
Fusion Computing works the incentive side hard so the baseline costs as little net new money as possible. That means non-profit software licensing and TechSoup Canada programs, grant applications aimed at the exact goals of the engagement, and engineering choices that hold spending inside a flat fee you can put in a budget.
What we tell non-profits to do now
According to the Information and Privacy Commissioner of Ontario (2026), prescribed entities must designate a senior cyber point of contact and report on their maturity. Non-profits can borrow the structure without the legal weight. Name an owner, write down where your data lives, and decide on a baseline you can fund.
Start with the scope question so you know whether the law touches you. Then read your largest funder agreements for security clauses, because that is where the real obligation usually hides. Then pick a baseline and find the money for it. Fusion Computing helps non-profits across Ontario do all three, and we scope the work to a flat fee so the number never surprises your board.
Fusion Computing has supported Canadian non-profits since 2012, and Mike Pearlstein holds the CISSP and an MSc in AI. We would rather tell you the law does not apply and help you fund a sensible baseline than sell you compliance you do not owe.
Frequently Asked Questions
Does Bill 194 apply to non-profits in Ontario?
For most non-profits, no. Bill 194’s cyber-security duties come from O. Reg. 51/26, which comes into force July 1, 2026 and applies to a named list of public-sector entities. Typical registered charities, foundations, and community groups are not on that list. The main exception is children’s aid societies, which the regulation names directly.
Is my registered charity covered by Bill 194?
Almost certainly not. Charitable registration with the CRA does not place your organization under Bill 194. The cyber regulation applies to prescribed public-sector entities such as hospitals, school boards, colleges, universities, and children’s aid societies. A standard registered charity or private foundation falls outside that list, so the assessment and reporting duties do not bind you.
Are children’s aid societies covered by Bill 194?
Yes. Children’s aid societies are named as prescribed entities under O. Reg. 51/26, so they carry the full set of cyber duties. That includes a cyber-security maturity assessment with the first one due July 1, 2027, reporting a summary to the Ministry within 30 days, and naming a senior employee as the cyber point of contact.
When does Bill 194 take effect for cybersecurity?
The cyber-security regulation, O. Reg. 51/26, comes into force July 1, 2026. Covered entities must complete a first cyber-security maturity assessment by July 1, 2027, then repeat it every two years. Bill 194 itself received Royal Assent on November 25, 2024, and related privacy amendments took effect earlier, on July 1, 2025.
What is the difference between Bill 194 and Bill C-8?
Bill 194 is Ontario provincial law covering prescribed public-sector entities such as hospitals and school boards. Bill C-8 is federal law covering federally regulated critical-infrastructure sectors such as telecommunications, banking, transport, and energy. They target different organizations. Most non-profits fall under neither, though privacy laws like PIPEDA and PHIPA still govern personal and health data.
Are municipalities covered by Bill 194?
Not under the cyber-security regulation. Although municipalities are institutions under municipal freedom-of-information law, they are not named in the list of prescribed entities in O. Reg. 51/26. Legal reviews from firms such as Borden Ladner Gervais confirm municipalities sit outside the cyber rules, even though other parts of Bill 194 touch the broader public sector.
What does Bill 194 require covered organizations to do?
Covered entities must run a cyber-security maturity assessment, with the first due July 1, 2027 and every two years after. They report a summary to the Ministry within 30 days of finishing, report serious incidents within 72 hours, and name a senior employee with decision-making authority as the cyber point of contact.
If Bill 194 does not apply to my non-profit, do I still need cybersecurity?
Yes. Even when Bill 194 passes your organization by, funders, insurers, and partners increasingly ask for multifactor authentication, managed backups, staff training, and a written incident plan. Grant agreements often write these controls into the contract. A baseline built on the CIS Controls v8.1 framework keeps your donor and client data protected and your funding relationships intact.
How can a non-profit afford a cybersecurity baseline?
Stack the incentives. Non-profit software licensing and TechSoup programs cut recurring costs, and targeted grants can fund the project work a funder mandated. Fusion Computing scopes the engagement to a budgetable flat fee and looks for those efficiencies first, so a security upgrade that looked impossible on the operating budget becomes something a board can approve.
What privacy laws apply to Ontario non-profits if Bill 194 does not?
PIPEDA, the federal private-sector privacy law, applies to many organizations that handle personal information in commercial activity. If your non-profit handles personal health information, Ontario’s PHIPA likely applies as well. These laws govern how you collect, use, store, and protect data, and they apply regardless of whether Bill 194 names your organization.

