Summary

  • In the early hours of July 8, 2022, Rogers staff removed a routing policy filter during the sixth phase of an IP core upgrade. Full BGP routing tables were redistributed into OSPF, overwhelming core routers that lacked effective overload limits. The failure took both wireless and wireline services down across Canada because they shared the affected core.
  • The outage was not just a customer-access incident. A large proportion of Rogers customers could not reach 9-1-1, wireless public alerts were disrupted, Interac Debit and Interac e-Transfer became unavailable, government and municipal services lost connectivity, and small businesses lost communications and payment channels at the same time.
  • Recovery was slowed by dependencies inside the failed network. Rogers' management access relied on its IP core, critical sites lacked sufficient alternative-carrier connectivity, responders had too few third-party SIMs, and engineers could not initially reach the logs needed to identify the cause. The independent assessment says the root cause was not pinpointed for about 14 hours.
  • Rogers accepted executive accountability, issued five days of customer credits, added routing safeguards, changed its risk and review processes, built a separate management network, expanded alternative connectivity, and began separating its wireless and wireline cores. Those are meaningful measures, but accountability depends on tested outcomes and public assurance, not the size of a general capital program.
  • The wider lesson is shared. A carrier is accountable for containing its own failure and preserving emergency access. Public bodies, payment operators, and SMEs are accountable for knowing which supposedly separate functions share one carrier and for maintaining practical fallbacks that do not fail with it.

This was a national continuity event

At 4:43 a.m. Eastern Daylight Time on Friday, July 8, 2022, a policy filter was removed from distribution routers inside the Rogers network. Within two minutes, according to the later independent technical assessment, core gateways began failing. By 4:58 a.m., the routers had been flooded with more routing information than they could process, and wireless and wireline services across Canada had ceased operating. Restoration continued into the next morning. The assessment uses 7:00 a.m. on July 9 as the end of the broad event, while recognizing that service returned gradually rather than at one clean national instant.

That compressed opening matters. The destructive path ran from an approved maintenance activity to a national loss of service in minutes. The restorative path required diagnosis, physical access, controlled changes, regional sequencing, and careful management of millions of reconnecting devices. This imbalance is normal in complex infrastructure: it is much easier to express a dangerous state than to understand and reverse it under pressure. It is also the reason a carrier's most consequential controls must operate before and during a change, not only after alarms begin.

The CRTC-published assessment by Xona Partners describes more than 12 million customers losing wireless and wireline services. That population included mobile subscribers, home internet users, wholesale customers, corporate customers, and institutions delivering critical services. The number is not a count of 12 million people simultaneously attempting to place calls or make payments. It is a measure of the service population exposed to the common failure.

External measurements independently confirm the abrupt public-network effect. Cloudflare observed a near-complete loss of traffic from Rogers' AS812 beginning around 08:45 UTC, along with a spike in BGP updates and large prefix withdrawals. ThousandEyes' outage analysis saw network reachability deteriorate and noted that the public BGP withdrawals were consistent with an internal failure, while cautioning that outside measurements could not establish the internal initiating cause. The Internet Society's later review similarly treated the external route loss as a manifestation of a severe internal problem, not as proof that BGP on the public internet had initiated the incident.

The distinction is important. Saying "BGP took Rogers down" turns a governance failure into a protocol story. BGP carried and exposed routing consequences. The initiating failure was a production configuration change that allowed full BGP tables to flood an internal OSPF domain, combined with missing overload protections, ineffective validation, and a risk process that treated a core routing change as low risk. Those were controllable organizational conditions.

The event also exceeded the usual boundary of a provider outage. A mobile subscriber losing data is a service failure. A city losing staff communications, long-term-care records, payment acceptance, and remote traffic-control links at the same time is a continuity failure. When 9-1-1 access and public alerts are affected, it becomes a public-safety failure. When Interac's national debit and transfer services become unavailable, it becomes an economic dependency failure. Rogers was the technical origin, but the blast radius revealed risk choices made across an ecosystem.

What the public evidence establishes

The evidence improved substantially after the event. Rogers' first messages were broad. On July 8, its chief executive acknowledged that both wireless and wireline service were affected, accepted responsibility for restoring trust, and promised automatic credits in a public message to Canadians. On July 9, the company said a maintenance update in the core had caused routers to malfunction and that equipment had been disconnected while traffic was redirected. These statements were meaningful admissions, but they did not yet explain the filter, the internal routing flood, the missing safeguards, or the delayed diagnosis.

The regulator then demanded a much wider record. The CRTC's July 12 request for information asked Rogers to explain the cause, chronology, restoration, customer communications, emergency-service effects, prior testing, credits, and measures to prevent recurrence. The letter recorded two immediate public concerns: Rogers had provided few useful details during the first hours, and it had failed to tell Canadians how they might reach 9-1-1 by alternate means. A second CRTC letter on August 5 pressed on the removed routing filter, the actual network policy change, test coverage, why notification to public-safety answering points took nearly four hours, and why some emergency calls succeeded while others did not.

The strongest synthesis is Xona Partners' independent assessment, commissioned in the regulatory process and later published by the CRTC in an abridged form. It was based on multiple rounds of Rogers responses and meetings with technical and management staff. The report reaches findings that go well beyond the company's first-day explanation. It identifies the removed access-control-list policy filter, the redistribution of full BGP tables into OSPF, resource exhaustion in core routers, lack of overload protection, ineffective change auditing, the inappropriate risk downgrade, missing production-representative lab testing, management-network dependence, insufficient third-party communications, and incident-response weaknesses.

It also preserves important limits. Some details remain redacted, including parts of the topology, equipment identification, exact configuration and internal timeline. The report concludes that Rogers' pre-outage core was conventional for a large Tier 1 provider and that the common core was a design choice rather than, by itself, a design flaw. It assesses the combination of measures Rogers implemented after the outage as satisfactory to address the root cause and improve resilience. An accountability analysis should not quietly replace those findings with a claim that the whole network was recklessly designed.

Nor should it overstate what the report proves about present conditions. The assessment found that core separation remained in progress when reviewed. In July 2024, the CRTC required Rogers to report on continuing effectiveness and core-separation progress, and the public proceeding record shows a July 2025 Rogers filing. Public filings and regulator acceptance offer more assurance than a press release, but they are not the same as publishing every test case, exception, architecture boundary, or independent retest. Confidence can be high that the causal chain is understood and still be bounded about the durability of every remediation.

The sequence from change to recovery

The public record supports the following chronology. Times are Eastern Daylight Time. They mark operational milestones, not a complete internal log.

Time or date Event and accountability significance
Weeks before July 8 Rogers began a seven-phase IP core upgrade. The overall process was initially rated high risk, but prior successful phases influenced the risk algorithm and the sixth phase was treated as low risk.
4:43 a.m., July 8 Staff removed a policy filter from affected distribution routers. The change was intended as configuration cleanup associated with the upgrade, but it allowed full BGP route tables to be redistributed into OSPF.
Within two minutes Core gateways began to fail as route information flooded the core. The routers lacked effective limits that would have capped redistributed routes or protected the OSPF database.
4:58 a.m. The assessment marks broad service failure. Wireless, wireline, home phone, internet, business connectivity, 9-1-1 connectivity, and public-alert delivery were affected.
6:00 a.m. Rogers' chief technology officer contacted counterparts at Bell and TELUS, warned them of the outage, and raised the possibility of a cyberattack while the cause remained unknown.
Early response Rogers personnel lost normal access to network elements and key logs because management connectivity depended on the failed core. Limited alternative-carrier SIMs impaired internal coordination, and technicians had to be dispatched to sites.
8:39 a.m. Rogers notified 9-1-1 network providers, almost four hours after the trigger, and asked them to cascade notice to public-safety answering points.
11:19 a.m. Rogers notified the CRTC. Government and emergency-management coordination was already under way through other channels.
Afternoon and evening Rogers communicated that wireless public alerts would not reach users connected to its network. Engineers continued diagnosis and initially considered more than one change made during the maintenance window.
About 14 hours after onset Engineers identified the distribution routers flooding the core as the root cause. Restoration then proceeded methodically, beginning in Central and East regions.
Evening, July 8 Rogers throttled mobile registration to avoid a signalling storm as devices attempted to reconnect. External observers saw partial traffic recovery and repeated route announcements and withdrawals.
7:00 a.m., July 9 The independent assessment uses this as the broad restoration endpoint, although individual customers and functions recovered at different times.
July 2022 onward Rogers issued five days of credits, changed routing and management controls, expanded alternate communications, and announced physical separation of wireless and wireline cores. Industry and government developed emergency-roaming, mutual-assistance, and outage-communication arrangements.

The timeline prevents two common simplifications. First, the incident was not repaired as soon as routes reappeared publicly. A prefix announcement, working home internet, successful mobile registration, restored 9-1-1 path, and fully stable national service are different recovery states. Second, the absence of an immediate root-cause diagnosis does not itself show incompetence. The network was complex, several changes had occurred, logs were inaccessible, and restoration had to avoid further overload. The accountability problem is that foreseeable design and process choices made diagnosis unnecessarily difficult.

A deleted filter became a national authority problem

The removed filter had a protective role. In simplified terms, Rogers' distribution routers learned large quantities of routing information through BGP, while OSPF distributed topology and reachability inside the core. The filter constrained what could cross that boundary. Removing it allowed full BGP tables to be redistributed into OSPF. Core routers then received more link-state information than their processing and memory resources could handle and crashed.

This was not merely an unfortunate line in a configuration file. The change had authority over a boundary between routing domains serving national wireless and wireline traffic. Its maximum possible effect, rather than its label inside a multi-stage project, should have determined the level of scrutiny. A cleanup action that can remove a route-control barrier is still a high-consequence production change.

The independent assessment identifies four protections recognized in network practice: overload protection on core routers, limits on the number of routes redistributed by distribution routers, manual and automated policy audits, and automatic rollback. Rogers did not have an effective combination capable of stopping this event. The audit process did not flag the erroneous change. The core lacked the relevant overload limit. Lab testing did not reproduce and reject the dangerous state. Multiple changes in the window made the initial rollback choice less obvious.

Longstanding operational guidance supports the principle without deciding liability. The Internet Engineering Task Force's BGP operations and security guidance in RFC 7454 discusses prefix filtering, maximum-prefix controls, monitoring, and disciplined configuration as protections against damaging route propagation. The RFC is not a law governing Rogers, and the outage involved internal redistribution into OSPF rather than a simple external route leak. It does show that limiting route volume and filtering routing information were established operational concerns, not lessons invented after July 2022.

The most useful accountability question is therefore not who deleted the filter. The public assessment says Rogers staff made the change but does not supply a basis for judging an individual employee's intent, training, or compliance with instructions. The better question is why the organization allowed a core routing boundary to depend on one removable filter without a separate capacity limit or fail-closed validation. An operator action should not carry the whole moral weight of a system that approved, executed, and failed to contain it.

Good control design assumes a validly authorized person can still be wrong. A high-impact routing change should face semantic comparison against the current production topology, route-count limits enforced by the target devices, peer review by people independent of the implementation, representative lab replay, staged deployment to a bounded segment, live abort criteria, and a rollback path proven to work when ordinary management access is impaired. Several controls can fail, but they should not all share the same assumption about what the change will do.

The risk score learned the wrong lesson from success

One of the most revealing findings is administrative rather than technical. Rogers initially classified the seven-phase upgrade as high risk. Earlier phases completed successfully. Its algorithm then used those successes to lower the risk of the sixth phase, including the routing-policy change that caused the outage, to low. That rating reduced the need for additional scrutiny, senior approval, and laboratory testing.

Past success can be evidence about a repeated, materially identical action. It is weak evidence about a later phase that changes a different control with a different blast radius. A program may become more dangerous as it approaches the core, even while its earlier access or preparatory steps succeed. Treating sequence completion as a reason to relax control confuses project momentum with technical risk.

The error also shows why risk algorithms require governance. A score is not an objective property of a change. It is a policy decision expressed through factors and weights. If prior success can override the presence of BGP-to-IGP redistribution, national core scope, a filter deletion, multiple simultaneous changes, and limited rollback independence, the model is encoding an unsafe preference. The organization must test the model with known catastrophic cases just as it tests router software.

For directors and senior executives, the relevant metric is not the percentage of changes labelled low risk or completed without incident. A mature report would show how many changes can affect both wireless and wireline cores, which policy features force a high-risk classification, how often engineers override automated scores, whether denied changes are tracked, and how the risk engine performs against a library of known dangerous configurations. It should also show whether a successful early phase can ever reduce control requirements for a later phase that touches a new fault boundary.

Rogers told the independent reviewers that it introduced a new risk assessment algorithm, new categories for automated and restricted changes, earlier collaboration between engineering and operations, a core engineering peer-review team, stronger lab testing, and limits on change volume during maintenance windows. These measures target the observed weaknesses. Their enduring value depends on evidence from attempted unsafe changes and drills, not on the existence of revised process documents.

Redundant hardware shared one logical fate

The Xona assessment did not find that Rogers lacked the physical architecture expected of a Tier 1 provider. The network had redundant transport, multiple regions, and equipment from major vendors. Yet both wireless and wireline services used a common IP core, and the damaging configuration state reached the core broadly enough to defeat the practical benefit of that redundancy.

This is the difference between component redundancy and fate separation. Two routers are redundant if one can carry traffic when the other fails. They are not independent if one policy update can overload both. Regions isolate ordinary faults only if the control plane cannot push the same harmful state across all of them. Separate vendors reduce some defect risk, but a common configuration process can still produce an interoperable failure. Physical diversity is real and useful; it simply does not answer a logical common-mode event.

Converging wireless and wireline traffic onto a common IP core can improve efficiency, performance, and manageability. The report calls it a common industry design choice, not a flaw. Accountability lies in the protections required by that choice. When convergence increases the maximum impact of one change, route limits, partitioning, management independence, emergency paths, and test rigor must increase with it.

Rogers announced that it would physically separate the wireless and wireline IP cores. In his July 25 opening statement to the House industry committee, CEO Tony Staffieri estimated at least $250 million for the additional layer and described a broader three-year network investment. The later Xona report used a $261 million separation figure and explained that a new wireless core would be built while the existing core continued to serve wireline traffic.

Separation is valuable only if operations preserve it. Two cores can reacquire a common fate through synchronized changes, shared orchestration, shared identity, common route policy, common transport bottlenecks, or one management network. The independent report itself notes that avoiding simultaneous failure assumes the same harmful upgrade is not applied to both at the same time. A board should therefore ask for a dependency map and joint-failure tests, not simply a project completion percentage.

The recovery network failed with the network under repair

The outage's duration cannot be understood from the routing error alone. Rogers' management network relied on the production IP core. When that core failed, remote engineers lost access to network elements and error logs. Critical sites, including the network operations centre, did not have enough secure connectivity from alternative providers. Staff had to travel to equipment, and the company had too few third-party SIMs for all critical responders to communicate independently of Rogers service.

These were recovery dependencies inside the incident's blast radius. They transformed a fast configuration failure into a long diagnostic problem. The assessment says Rogers could not identify the root cause for roughly 14 hours. Several configuration changes had occurred during the maintenance window, so teams also had to decide which change ticket to reverse without the information they would normally use. This is a particularly dangerous combination: reduced visibility, reduced control, impaired communication, and multiple plausible causes.

An out-of-band management network is not independent merely because it has a different name, address range, or set of interfaces. It must survive the production core, corporate DNS, normal identity services, primary carrier, and central operations site. Access must remain secure under emergency conditions, with limited commands, strong authentication, dual control where appropriate, tamper-evident logs, offline procedures, and regular use in exercises. Independence without security creates a back door; security without independence creates a recovery plan that cannot be reached.

The report says Rogers subsequently implemented a separate physical and logical management IP network, added alternative-provider connectivity at critical facilities, expanded third-party SIM distribution to incident and crisis teams, improved alarm prioritization, broadened monitoring, and enhanced automatic rollback. It assessed third-party connectivity as an adequate improvement and suggested satellite connectivity for especially strategic locations. These measures address the mechanics that delayed recovery rather than merely promising more uptime.

They should be tested together. A realistic exercise would remove production routing and corporate communications, deny access to one operations site, make a recent change ticket misleading, and require responders to locate the right devices through the independent path. It would measure time to establish command, retrieve trustworthy logs, identify blast radius, contact public authorities, publish customer guidance, and begin a bounded rollback. A tabletop assertion that backup SIMs exist is not the same as proving they are charged, assigned, reachable, and known to responders at 5 a.m.

Emergency calls exposed a gap between radio and service

The most serious impact was loss of emergency access. The Rogers radio access network remained operating in parts of the country while the core was down. That created a counterintuitive state: a phone could still see and attach to its home radio network enough that it did not automatically search for another carrier, while the path needed to complete a 9-1-1 call through Rogers was unavailable. Some calls succeeded over older 2G or 3G infrastructure when parts of the core were intermittently reachable; some newer devices found another network; a large proportion did not connect.

The public assessment does not disclose the precise successful-call percentage, so a responsible account should not invent one. It does establish that connectivity to 9-1-1 network providers and public-safety answering points was severed and that many customers could not reach emergency services. It also found no additional edge-and-core route dedicated to preserving emergency traffic under this failure condition.

Notification compounded the access problem. Rogers did not notify 9-1-1 network providers until 8:39 a.m., nearly four hours after the trigger, and relied on them to cascade the warning to answering points. The CRTC's first letter criticized the absence of practical public guidance about alternate means of reaching 9-1-1. Wireless public alerting was affected too: Rogers later confirmed to the national alert aggregator that emergency messages would not be delivered to wireless users connected to its network during the outage.

The House of Commons industry committee's follow-up letter called for mechanisms to transfer emergency service, adequate customer notification, and sufficient redundancy to reduce the affected population. The distinction between priority and survivability is central. Prioritizing a 9-1-1 packet on an operating network does nothing when the core cannot route it. Emergency continuity requires a path that remains reachable, a reliable trigger for roaming or handoff, capacity on the receiving network, and instructions that people can follow without working mobile data.

The industry response was a Memorandum of Understanding on Telecommunications Reliability covering emergency roaming, mutual assistance, and communications with governments and the public. It recognizes emergency roaming when technically feasible and includes 9-1-1 access. That qualification matters. A radio network that appears available while its core is unavailable is precisely the scenario that can prevent ordinary roaming behavior. Xona therefore recommended testing the MOU against the July 2022 condition, not merely confirming that agreements exist.

Emergency service is a shared chain. Rogers must make its network fail safely and notify quickly. Other carriers must be able to accept feasible emergency traffic without destabilizing their own networks. Device and standards behavior must support selection of another route. Public authorities and answering points need direct, authenticated notice. The public needs simple, accessible guidance distributed through radio, television, independently hosted web channels, and local institutions. Accountability fails if each participant points to the next link.

Toronto shows what public-sector dependence looks like up close

National language can make the effects abstract. The City of Toronto's later operational impact review provides a concrete picture of one government's dependencies. More than 55 percent of city staff with mobile business devices relied on Rogers. The outage disrupted initial coordination between technology incident management and the Emergency Operations Centre, affected fire and life-safety functions, and touched long-term care, shelters, immunization clinics, public Wi-Fi, payments at city facilities, and remote traffic control.

The details show how telecom concentration crosses departmental boundaries. Teams at ten directly operated long-term-care homes lost access to electronic records for more than 2,600 residents. Staff who were ill or quarantined could not call a centralized scheduling unit. Some vaccination clinics used alternative-carrier hotspots; others recorded information manually for later upload. More than 600 intersections continued to run their local signal timing, but central monitoring and remote adjustment over Rogers cellular links were unavailable until connectivity returned. The city considered cancelling recreation activities because reliable emergency calling was uncertain, then continued after alternative-carrier phones were supplied.

This was not a total failure of municipal government. Toronto activated its Emergency Operations Centre, shifted work where possible, deployed more than 75 backup devices, used secondary networks, and maintained core responsibilities. Those successful adaptations are as important as the failures. They show that continuity is a collection of bounded alternatives, not a promise that normal digital service will remain unchanged.

The ISED briefing prepared for the July 25 parliamentary hearing records effects on Service Canada and municipal services and explains the federal coordination role. ISED activated its emergency telecommunications team and industry working-group playbook; Bell and TELUS provided some assistance; Rogers did not request federal assistance. The department could coordinate information and help with needs such as frequencies or movement of resources, but it did not own the failed network or have the ability to repair it.

Public-sector accountability begins before procurement. A contract specifying availability and credits does not guarantee operational diversity. Agencies need to map carrier ownership beneath resellers, private links, mobile plans, cloud access, building alarms, payment terminals, and backup hotspots. Two invoices do not mean two networks. They need minimum manual procedures for health, shelter, transport, and public-information functions; inventories of alternate devices; tested priority restoration contacts; and a communications plan that does not rely on the failed carrier's data service.

The right continuity objective is not to duplicate every service at any cost. It is to identify life-safety and time-critical functions and give those functions genuine path diversity. A traffic signal can keep local timing without its central link. A clinic can record a vaccination on paper for later reconciliation. A care home may need records, staffing communications, and emergency calling through separate mechanisms because delay has greater consequences. Continuity design should follow consequence, not organizational chart.

Interac turned a carrier failure into a payment failure

The outage also disabled Interac Debit and Interac e-Transfer. That meant the effect reached people and merchants who were not themselves Rogers subscribers. A shop could have internet from another carrier and still be unable to accept the payment method its customers expected. A household could have working Wi-Fi and still be unable to send an e-Transfer. The provider dependency sat inside a national payment service rather than at the user's visible edge.

Interac's own outage statement and remediation updates are unusually direct. It said its platforms had redundant networks and circuit diversity, with supplier availability commitments, but July 8 showed that those arrangements were still too vulnerable to Rogers' core maintenance. It also said it facilitated nearly 25 million transactions on a day like July 8. That is transaction-volume context, not a count of failed payments or a measured loss.

Interac did not treat "the carrier failed" as an excuse to stop its accountability. It added a secondary carrier and a third link with enough backup capacity for network volume, enabled a secure private backup mode for e-Transfer participants, and revised business-continuity and crisis-response practices. Its update says the carrier-diversity project was completed in June 2023 and the private e-Transfer alternative in January 2023. That is a stronger remediation record than a generic statement that existing links were redundant.

The event illustrates why diversity must be traced end to end. Circuits can take different local routes and still depend on one provider's core. A service can contract with more than one supplier while participating banks or endpoints retain a shared carrier. Backup capacity can exist but be too small for national failover. A continuity test that switches one link during normal conditions may miss the operational and traffic surge of a systemwide carrier loss.

Payment operators and financial institutions should therefore prove the complete failover path under a carrier-wide outage, including participant connections, identity and fraud controls, settlement messaging, customer communication, and capacity. They should know which degraded functions are safer than total unavailability. Offline authorization or higher contactless limits can preserve some commerce, but they also change fraud and credit exposure. Resilience is not a demand to accept every transaction blindly; it is a pre-agreed balance between continuity and financial control.

Small businesses carried losses that a service credit could not repair

For many SMEs, the outage removed several channels at once: fixed internet, mobile service, voice, online orders, food-delivery tablets, cloud point-of-sale access, debit payments, staff coordination, and customer contact. The apparent diversity of those tools concealed a common telecom dependency. A five-day refund on a monthly bill compensated for unavailable Rogers service according to a broad customer policy. It did not replace a day's sales, a missed booking, spoiled inventory, payroll time, or reputational damage.

Contemporaneous Canadian Press reporting on small-business effects cited the Canadian Federation of Independent Business and owners who described losses from hundreds to thousands of dollars. Businesses could not process online orders or card transactions, and one cafe let regular customers defer payment when debit was unavailable. These are credible examples of loss mechanisms, not a statistically representative national total.

Rogers' 2022 annual report says customer refunds associated with the outage were approximately $150 million and notes litigation related to the event. The accounting figure is concrete for Rogers. It should not be presented as the total economic cost. It excludes losses borne by non-customers, public agencies, Interac participants, employees, and businesses whose service charges were small relative to interrupted commerce. Allegations in litigation are not findings of liability, and this article does not infer a legal outcome from their existence.

SMEs have fewer resources than banks or cities to buy fully diverse managed networks, but they can still make continuity choices proportional to their exposure. A merchant can keep a tested hotspot on a genuinely different carrier, know how its point-of-sale terminal behaves without the primary link, maintain a small cash procedure, retain an offline customer and supplier list, and post updates through a separately hosted channel. A professional service firm can keep local copies of the next day's appointments and a call tree outside corporate messaging. A delivery-dependent restaurant can know which ordering platforms and payment paths share its fixed connection.

The goal is not expensive duplication for every sole proprietor. It is to avoid discovering during an outage that every revenue path has one hidden parent. Owners should ask vendors a plain question: if this carrier's national core is unavailable, which parts of my service still work and how have you tested that claim? A supplier that answers only with an uptime percentage has not answered the continuity question.

Communication was an operational control, not public relations

Rogers' customer communication was constrained by the same outage it needed to explain. Enterprise teams could not reliably contact customers directly, although some employees with alternate connectivity could use cloud customer-management tools. The company had no reliable restoration estimate and did not want to publish one that might prove wrong. That caution is understandable. The absence of a useful estimate does not excuse the absence of practical safety guidance, clear scope, and scheduled update intervals.

The CRTC's July 12 letter was blunt: during the first several hours, Rogers was unable or ineffective in reassuring customers and provided few details on its site or social accounts. The regulator singled out the failure to tell people how to seek alternate 9-1-1 access. A good outage message does not require a known root cause. It can state what services are affected, when the incident began, which regions are involved, whether emergency calling is impaired, what verified alternatives exist, when the next update will arrive, and which information is still unknown.

The post-outage industry MOU includes a communications protocol for the public and governmental authorities. In September 2022, the federal government's reliability-agenda statement described the agreement as a first step and framed the agenda around robust networks, coordinated preparedness, and accountability. The MOU created a common framework, but effective communication still depends on provider-specific tooling, current contact lists, accessible formats, and a publishing path outside the failed network.

A national carrier's status capability should be architecturally separate from its production core. DNS, hosting, authentication, staff access, and outbound notification should not all depend on the network whose condition is being reported. Authorized responders need a way to publish from alternate carriers without normal corporate single sign-on. Messages should reach emergency agencies directly rather than waiting for public social-media discovery. Templates should cover 9-1-1, alerting, accessibility services, payment dependencies, and wholesale customers, with facts filled in during the incident.

Communication also creates an evidence trail. Time to first accurate scope statement, time to safety guidance, notification time for each authority, correction history, update cadence, and accessibility coverage can be measured. These are board-level resilience indicators because they show whether the organization can still exercise responsibility while its main technical system is unavailable.

Remediation must be separated from capital expenditure

Rogers' response contained both specific controls and very large investment figures. At the parliamentary hearing, the company described an enhanced reliability plan, physical separation of networks, more oversight and testing, technology partnerships, and a multibillion-dollar network program. Large numbers signal capacity to act, but they can blur the difference between ordinary expansion and outage-specific risk reduction.

The Xona assessment makes that distinction. Spending on access-network coverage and technology would not necessarily mitigate the July 8 failure. Core separation could reduce simultaneous wireless and wireline loss, but it also served broader performance and strategic objectives. The most direct remediations were narrower: limits on BGP redistribution and OSPF database entries, independent management access, alternate-carrier connectivity, stronger change review, production-representative labs, reduced change volume, automated rollback, alarm prioritization, and backup communications for responders.

That distinction matters for accountability because money is an input. A board can approve billions and still leave the failed control unchanged. Closure evidence should show that an attempted full-table redistribution is rejected at more than one layer; that the risk model cannot downgrade a core route-policy deletion because earlier phases succeeded; that a change is stopped in a bounded region before national propagation; that logs remain reachable when the core is absent; and that responders can communicate and recover without Rogers service.

The independent assessment concluded that the combination of post-outage measures satisfactorily addressed the root cause and improved reliability. The CRTC's 2024 letter said the measures had addressed the cause and required ongoing reporting. That is significant external assurance and should not be minimized. The remaining accountability question is durability: whether controls keep working as topology, vendors, automation, staff, and business priorities change.

Control owners should report exceptions and failed tests, not only completed projects. Router limits can be raised. Lab models can drift from production. Peer review can become routine approval. Alternative circuits can be consolidated during procurement. Separate cores can share a new orchestrator. Backup SIMs can expire. A remediation is sustained through configuration compliance, adversarial test cases, exercises, independent sampling, and tracked corrective actions.

Regulation moved from ad hoc inquiry to standing obligations

The immediate CRTC response relied on detailed questions to Rogers and the public record. In February 2023, the Commission opened Telecom Notice of Consultation 2023-39 and imposed interim expectations for carriers to report major outages within two hours and submit a post-outage report within 14 days. The proceeding asked about impacts on 9-1-1, public alerting, accessibility, consumer communication, compensation, technical measures, and penalties.

In September 2025, Telecom Decision CRTC 2025-225 established final mandatory notification and reporting requirements for major telecommunications outages. Providers must notify the CRTC, ISED, and relevant authorities under defined conditions, provide updates, confirm restoration, and submit post-outage information. The framework turns some expectations exposed by Rogers into standing sector obligations.

Reporting is not prevention, but it changes accountability in three ways. It creates a common clock for notification. It gives public authorities information needed to coordinate safety and continuity. It produces records through which recurring causes, weak remediations, and sector-wide dependencies can be identified. A carrier can no longer treat communication with government as an improvised courtesy during a crisis of this scale.

The limits are equally clear. A report filed on time does not preserve 9-1-1. Confidential technical submissions can leave customers unable to test broad resilience claims. Threshold definitions can encourage attention to whether an event is reportable rather than whether it is dangerous. Regulators need enough technical capability to challenge root-cause categories, distinguish a direct fix from a general investment, compare remediation across carriers, and demand retesting where common-mode exposure remains.

The Rogers case also cautions against using competition as a complete explanation. A concentrated national market can increase the social reach of one carrier's failure and reduce practical alternatives for some users. More providers alone would not have stopped an approved filter deletion inside Rogers, and a customer buying two nominal services can still select the same underlying core. Market structure and engineering control are related risk questions, but neither substitutes for the other.

What accountable leadership should be able to show

Tony Staffieri told Parliament that, as CEO, he was accountable for the outage. That statement properly placed responsibility above the engineer nearest the change. Executive accountability becomes meaningful when it produces evidence that the organization changed the conditions which made the incident national and prolonged it.

A board-level assurance package should answer concrete counterfactuals:

  1. Change authority: Which current commands, templates, and automation jobs can affect more than one region or both cores? What immutable limits constrain their maximum route and service impact?
  2. Risk classification: Which technical features force a high-risk rating regardless of project history? How is the scoring model tested against the July 2022 configuration and other known catastrophic cases?
  3. Validation independence: Do the lab, policy checker, peer review, device limit, staged deployment, and rollback rely on different data and failure assumptions, or can one misunderstanding defeat them all?
  4. Fate separation: Can wireless, wireline, 9-1-1, public alerting, management access, corporate communications, and status publishing fail independently? Which shared control planes remain?
  5. Recovery independence: Can named responders access logs, devices, credentials, facilities, vendors, and public communications when the production core and normal identity services are unavailable?
  6. Emergency continuity: Has emergency roaming been tested with the radio network up and the home core down? How many devices and call paths behaved as intended, and what residual populations need other guidance?
  7. External dependency: Which institutional and wholesale customers can create national secondary effects? Have Interac-like dependencies been mapped and jointly exercised?
  8. Sustained closure: Who independently samples router limits, risk decisions, lab fidelity, alternate circuits, SIM inventories, exercise actions, and separation boundaries? What exceptions are overdue?

These questions do not ask directors to configure routing. They ask management to translate technical resilience into decision evidence. A dashboard showing average availability can remain green while one untested change retains national blast radius. The board needs tail-risk measures: maximum scope per change, number of common control dependencies, time to independent management access, time to emergency notification, percentage of critical responders reachable off-network, and time to restore a minimum safe service.

Accountability should also distinguish fault from blame. The evidence supports findings about Rogers' process, architecture choices, and management controls. It does not establish that one employee acted recklessly or that a named vendor caused the incident. Removing an individual may be appropriate for reasons not in the public record, but it is not a substitute for correcting organizational authority. Conversely, a learning culture should not protect senior leaders from consequences if proven high-consequence weaknesses remain open.

Continuity obligations do not stop at the carrier boundary

Rogers held the primary duty to operate and recover its network safely. The outage nevertheless shows why customers with public or economic functions cannot outsource continuity completely. A city, hospital, payment operator, or merchant chooses how much of its operation shares one provider, even when procurement options and budgets are constrained.

For public bodies, the minimum control set is practical. Keep an authoritative inventory of critical telecom dependencies down to the underlying carrier. Assign diverse service to life-safety and incident-command roles. Store essential contact and procedure information offline. Test manual service for a defined period. Maintain public messaging through independent hosting and broadcast channels. Exercise the exact condition in which staff mobile service, office internet, cloud access, and payment acceptance disappear together.

For SMEs, the list should be shorter and tied to revenue. Identify the two or three functions whose loss stops trading. Test a second-carrier hotspot before it is needed. Know whether the payment provider has carrier diversity, not just circuit redundancy. Keep the next operational day's records available locally. Decide when to accept cash, deferred payment, or no payment, and set limits in advance. Retain a way to tell customers what is happening without the primary office connection.

For intermediaries such as banks, managed-service providers, wholesalers, and cloud communications vendors, the obligation is to disclose meaningful dependency. "Redundant" should state whether paths use different access facilities, carrier cores, management planes, and power domains, and whether capacity has been tested under full failover. Customers cannot make proportionate decisions if diversity is only a marketing adjective.

Credits and contracts still matter. They allocate some direct service risk and give providers an incentive to restore. They are weak continuity controls because the customer's largest losses may be consequential and excluded. An institution should compare the price of genuine diversity with the consequence of its most important function being unavailable, not with the monthly telecom bill alone.

The enduring signal

The July 2022 Rogers outage is often remembered as the day a coding or maintenance error knocked Canada offline. That description is too small. The event began with a configuration error, but it became catastrophic because a protective routing boundary could be removed without an independent overload limit; a risk model discounted danger after unrelated success; wireless and wireline traffic shared the affected core; management and staff communications depended on the network in distress; and critical customers had hidden common dependencies.

The incident also produced evidence of improvement. Rogers accepted executive responsibility, funded credits, installed route safeguards, separated management access, expanded alternative connectivity and response communications, changed its control process, and pursued core separation. Interac added carrier diversity and private backup connectivity. Toronto strengthened redundancy after exercising real fallbacks. Carriers signed emergency-roaming and mutual-assistance arrangements. The CRTC moved toward mandatory national outage notification and reporting.

None of those measures promises that a national telecom network will never fail. That is not a credible standard. The accountable standard is that a foreseeable human or software error cannot move from one maintenance action to country-scale loss without crossing independent barriers; that emergency and recovery paths survive the main network; that authorities and customers receive timely, useful information; and that remediation is tested for as long as the system continues to change.

The deepest lesson is about continuity ownership. Rogers could not transfer responsibility for its core to the person who changed a filter. Interac could not transfer responsibility for payments to Rogers. A city could not transfer public-service continuity to its carrier contract. A small business could not recover lost trade through five days of service credit. Each actor owned a different part of the same dependency chain.

The question worth carrying forward is not whether another router can fail. It is whether, when one does, the rest of the system still leaves people a way to call for help, public institutions a way to operate, businesses a way to trade, and engineers a way back in.