Regina Procurement and Vendor Cybersecurity Bylaw

Technology and Data Saskatchewan 3 Minutes Read · published May 24, 2026 Flag of Saskatchewan

Regina, Saskatchewan requires suppliers working with the city to meet procurement rules and reasonable cybersecurity expectations before and during contract performance. This guide explains how municipal procurement interacts with vendor information security, who enforces requirements, what to expect in contracts and tender documents, and practical steps for registration and incident reporting. It focuses on municipal practice for Regina procurement processes and vendor obligations, highlights where the official procurement portal and procurement office publish details, and shows how to appeal or report compliance concerns.

Vendor cybersecurity expectations

City procurement documents commonly require vendors to protect city data, maintain reasonable technical and organizational measures, and report breaches. Exact contractual clauses, reporting timelines, and technical standards are set in each solicitation or contract; if not published there, vendors should seek clarification during the bidding phase.

Ask for the security annex or schedule before submitting a bid.
  • Data handling clauses: data classification, storage location, and retention requirements.
  • Access control and least-privilege expectations for personnel and subcontractors.
  • Incident reporting obligations; specific timelines are set in contracts or RFPs and may be not specified on the cited page.
  • Security-related deliverables or audits may be required; any fees for audits are contract-specific and not specified on the cited page.

Penalties & Enforcement

Enforcement of procurement terms and vendor cybersecurity obligations is coordinated by Procurement & Supply Services and the contracting city department. Fine amounts and statutory penalties for procurement-related security failures are not specified on the cited page. Procurement & Supply Services[1]

  • Fine amounts: not specified on the cited page.
  • Escalation: contracts typically allow stepwise remedies such as cure notices, suspension of work, and termination; exact escalation steps and fees are contract-specific and not specified on the cited page.
  • Non-monetary sanctions: corrective orders, suspension or termination of contract, access revocation, withholding payments, and referral to legal action or courts.
  • Enforcer and inspections: Procurement & Supply Services together with the contract administrator enforce compliance; formal complaints and contract disputes follow the contractual dispute resolution process.
  • Appeals/review: appeal or dispute mechanisms are those set out in the contract or procurement documents; specific time limits are not specified on the cited page.
  • Defences/discretion: city remedies often allow discretion for reasonable excuse, remediation plans, or approved variances when documented in advance.

Applications & Forms

Vendor registration and bid submissions use the city bid portal and each solicitation will list required forms and clauses. See the city vendor portal for registration and submission details. Vendor bids and registration portal[2]

If a specific security questionnaire, supplier code of conduct, or insurance certificate is required it will be listed in the RFP or contract; if no form is published, none is required beyond the solicitation documents.

Practical action steps

  • Review the RFP or contract schedules for security annexes before bidding.
  • Compile evidence: policies, evidence of encryption, access controls, and incident response plans.
  • Report suspected breaches to the contract administrator and Procurement & Supply Services promptly.
Keep clear records of communications and remediation steps after any security incident.

FAQ

Do vendors need a separate cybersecurity certification to bid?
Not always; certification requirements depend on the solicitation. Check the specific RFP or contract for mandated certifications or evidence.
Who do I contact about a suspected data breach involving city information?
Contact the contract administrator listed in your contract and Procurement & Supply Services; see Help and Support for official contacts.
Are there standard indemnity or insurance requirements related to cyber incidents?
Indemnity and insurance terms vary by contract; required coverages are specified in the solicitation or contract documents.

How-To

  1. Register as a vendor on the city bid portal and complete any supplier profile information.
  2. Review current solicitations and download security annexes or forms included with the RFP.
  3. Prepare documentation: security policies, evidence of controls, and contact points for incident reporting.
  4. Submit bids and attach required security documents as specified; retain proof of submission.
  5. If awarded, follow contract reporting and remediation timelines and cooperate with city audits.

Key Takeaways

  • Contracts define specific cybersecurity obligations; review them early.
  • Keep documentation ready to demonstrate controls and incident response readiness.
  • Procurement & Supply Services is the primary administrative contact for procurement matters.

Help and Support / Resources

  1. [1] City of Regina - Procurement & Supply Services
  2. [2] Regina Bids and Tenders - Vendor portal

Categories

General Governance and Administration Public Safety Public Health and Welfare Land Use and Zoning Housing and Building Standards Transportation Environmental Protection Parks and Public Spaces Business and Consumer Protection Taxation and Finance Labor and Employment Education Civil Rights and Equity Elections and Campaign Finance Events and Special Uses Signs and Advertising Utilities and Infrastructure Technology and Data