Canada is regulating research without saying so
Author(s):
Michael Laurentius

Disclaimer: The French version of this text has been auto-translated and has not been approved by the author.
Canada is constructing a new category of research governance without having named it. Through a succession of federal policy instruments, a growing share of publicly funded research now occupies a regulatory middle ground between “open” and “classified,” subject to security review without the formal infrastructure that accompanies classified work. Call it “regulated research.” The term appears in no federal policy document, but the condition it describes is already reshaping how universities manage data, structure collaborations, and design information security controls.
What makes this category analytically distinctive, and operationally consequential, is not the presence of new regulation but the absence of a foundational concept. The United States anchors its research security framework in National Security Decision Directive (NSDD) 189, issued in 1985, which establishes that the products of fundamental research “remain unrestricted to the maximum extent possible.” That principle gives American institutions a clear baseline from which security controls are scoped upward: if research is openly published and not subject to specific access or dissemination restrictions, it is fundamental, and the apparatus of export controls, classified information handling, and security clearance requirements does not apply. Canada’s framework lacks this anchor. No Canadian statute, directive, or policy instrument establishes an equivalent principle. The Export and Import Permits Act contains no fundamental research exclusion; the federal research security frameworks that followed add security review requirements without defining a baseline category of research that remains unrestricted. The result is not a deficit of regulation but its proliferation without a governing principle.
Separate instruments, cumulative condition
Each of the federal instruments now shaping research security was introduced to address a specific risk. The National Security Guidelines for Research Partnerships (NSGRP), introduced in 2021, target partnership risk: they require security risk assessments for grant applications involving certain foreign collaborations. The Policy on Sensitive Technology Research and Affiliations of Concern (STRAC), effective since May 2024, targets affiliation risk: it identifies 103 Named Research Organizations (NRO) and 11 Sensitive Technology Research Areas, and prohibits funding for applicants with affiliations to listed organizations in listed technology domains. Each instrument is coherent on its own terms. The problem is that their cumulative effect produces a governance condition that none of them was individually designed to manage.
As of March 2026, the NSGRP’s risk assessment requirements are expanding to SSHRC (Social Sciences and Humanities Research Council) Partnership Grants and NSERC (Natural Sciences and Engineering Research Council of Canada) Partnership Engage Grants. The 2023–24 Annual Report on the Implementation of Research Security Policies shows approximately two percent of covered applications referred to Public Safety Canada for national security assessment, a rate that will grow as program coverage expands. More important than the rate itself is the structural condition it reflects: a growing body of research that is neither classified nor truly open, subject to security review but without the formal infrastructure (clearances, controlled environments, designated security officers) that accompanies classified work. This is the condition I am calling “regulated research,” and it has emerged as a byproduct of layered instruments rather than as a deliberate governance design.
The policy architecture is legible at the federal level. At the institutional level, where information security controls must actually be scoped and implemented, its consequences are far less clear. When a researcher’s grant application triggers an NSGRP referral, what happens to the data they have already collected with an international collaborator? When a STRAC restriction applies to one co-investigator on a multi-institutional project, how should network access controls be scoped? When a postdoctoral fellow affiliated with an NRO joins a lab that handles unrelated, non-sensitive research, what are the institution’s obligations? These are not hypothetical scenarios. They are the daily reality of running a research information security program at a Canadian university.
Incrementalism and its costs
The strongest defence of the current approach holds that incrementalism is deliberate: that policymakers prefer instrument-by-instrument layering precisely because it preserves flexibility, avoids the political cost of a foundational directive, and allows the governance regime to evolve with the threat landscape. There is merit to this position. But it carries a structural consequence that warrants more attention than it has received: incrementalism exports the integration burden to the institutions that must reconcile overlapping instruments without a shared conceptual baseline. The federal government issues the instruments; universities absorb the ambiguity.
Most Canadian universities lack the dedicated research compliance offices that have been standard at major US R1 institutions since the early 2000s, where export control specialists, facility security officers, and established protocols for segregating controlled and uncontrolled research are all enabled by the clear scoping baseline that NSDD-189 provides. A small number of Canadian institutions are beginning to build comparable capacity, but across the sector the gap is significant, and it is widening as regulatory requirements accumulate faster than institutions can hire the specialists and deploy the technical controls needed to comply. Canada’s “Sovereignty by Design” ambitions, reinforced by Budget 2025’s $81.8 billion in defence spending over five years, depend on a research enterprise that can securely handle sensitive work while remaining open enough to attract international talent and collaboration. That enterprise cannot be secured by institutions working ad hoc from overlapping policy instruments.
A deliberate choice, not a default
Canada needs to make a deliberate decision, and it needs to be made at the federal level, within the research security governance architecture that spans ISED, the tri-agencies, Public Safety, and the Canadian Centre for Cyber Security. Individual institutions cannot resolve this through local policy. One option is to adopt something analogous to NSDD-189: a clear statement that fundamental research conducted at Canadian universities and intended for open publication is exempt from security restrictions absent specific, contract-level controls. This would give institutions a defensible baseline and allow information security programs to scope their controls with precision. The other option is to accept that Canada’s regulatory environment is fundamentally different and build a “regulated research” governance model explicitly designed for the middle ground between open and classified, with dedicated infrastructure, funding, and institutional capacity.
Either choice has profound implications for information security architecture. A fundamental research exclusion simplifies the scoping problem but requires robust mechanisms to identify when research crosses out of the exclusion’s boundaries. A dedicated regulated-research model requires purpose-built secure research enclaves, specialized personnel, and a compliance framework that does not yet exist at most Canadian institutions. Neither model can be designed in isolation from parallel governance claims, Indigenous data sovereignty frameworks foremost among them, that operate on principles distinct from state security classifications.
What Canada cannot afford is the current default: a growing body of regulation without a governing principle, implemented by institutions absorbing an integration burden that federal policy created but did not fund or design for. If sovereignty by design is the aspiration, then the design must start with naming what we are building and deciding what principles govern it. That is a federal responsibility, and the sector is ready to do its part once the foundation is set.
More on the Author(s)
Michael Laurentius
Research Information Security Program
Manager

