Canada does not have a federal AI law. AIDA died with Parliament’s dissolution in 2025, and the renewed national AI strategy is still in consultation. Most organizations took that as permission to wait.
That was a mistake. While Ottawa deliberated, three regulatory forces moved ahead without it.
Quebec Moved First, and Enforcement Is Real
Law 25’s Section 12.1 requires organizations to tell people when a decision about them is made entirely by an automated system. That covers AI-powered hiring screens, credit scoring models, insurance underwriting, chatbots making account decisions. Section 3.3 requires privacy impact assessments for any processing that presents elevated privacy risk, and AI systems almost always qualify.
The Commission d’accès à l’information du Québec has signaled that routine compliance audits will increase in 2026. Penalties run to $25 million or 4% of worldwide turnover, whichever stings more. This is not theoretical. If your organization operates in Quebec and uses AI to make decisions about people, the CAI can knock on your door this year.
Most organizations I speak with have not connected their AI deployments to their Law 25 obligations. They completed their privacy policies and consent mechanisms in 2023 and 2024, checked the box, and moved on. The AI provisions landed in a gap between IT, legal, and operations where nobody owns them.
Ontario Added a New Wrinkle in January
Since January 1, 2026, job postings in Ontario must disclose if AI is used in the hiring process. This is narrow in scope but broad in signal: provinces are not waiting for Ottawa. If you recruit across provincial lines, you now have different AI disclosure obligations depending on where the job is posted.
For companies hiring nationally, this creates a compliance asymmetry that is easy to miss and embarrassing to get wrong. The fix is straightforward: standardize your hiring disclosures to the highest provincial standard. But someone has to own that decision, and in most organizations, nobody does.
The EU Is Four Months from Enforcing the AI Act
On August 2, 2026, most EU AI Act provisions take effect. High-risk AI systems need completed conformity assessments, technical documentation, CE marking, and EU database registration. If your company sells products or services into Europe, processes data from EU residents, or has European subsidiaries, this applies to you regardless of where your servers sit.
Canadian companies have a specific blind spot here. Many treat EU regulation as “a European problem” until a customer or partner audit surfaces it. By then, four months is not enough time to build an AI management system from scratch.
What This Means in Practice
The organizations that will struggle most are the ones operating across jurisdictions: hiring in Ontario, serving customers in Quebec, selling into Europe. They face a layered compliance puzzle that no single regulation covers cleanly.
The good news: these obligations overlap more than they conflict. Law 25’s transparency requirements, Ontario’s disclosure mandates, and the EU AI Act’s documentation obligations all point in the same direction. Build a solid AI management system once, grounded in something like ISO 42001, and you address multiple regulatory requirements simultaneously rather than playing whack-a-mole with each jurisdiction’s specific rules.
The bad news: the window for proactive preparation is shrinking. Quebec is auditing now. Ontario’s law is live. The EU deadline is August. Waiting for a federal framework that may not arrive in 2026 is not a compliance strategy.
My advice: pick the most stringent standard you face and build to that. For most Canadian organizations with any international exposure, that means starting with ISO 42001 as your governance backbone, then mapping your specific obligations under Law 25, Ontario’s employment standards, and the EU AI Act onto that framework.
The federal government will eventually catch up. When it does, you will already be compliant. And if it takes another two years, you will have spent that time operating with a system that reduces your risk today, not just someday.