Previously McMillan's Privacy and Data Protection Group reported on Bill C-26, which died on the Order Paper when Parliament was prorogued in January 2025 (read our in-depth analysis of Bill – C-26 here).
On June 18, 2025, the Minister of Public Safety reintroduced the Bill as Bill C-8: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts ("Bill C-8"). Nearly identical to its predecessor, Bill C-8 would do two things if passed: (1) revise the Telecommunications Act and (2) establish the Critical Cyber Systems Protection Act ("CCSPA"). Bill C-8 would grant new enforcement powers for cybersecurity across Canada's critical federal infrastructure.
PART ONE: TELECOMMUNICATIONS ACT
Part One of Bill C-8 would amend the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy. Notably, Bill C-8 would grant the Governor in Council and Minister of Industry broad powers to secure the Canadian telecommunications system, such as by prohibiting telecommunications service providers from using specified products or services, or requiring their removal from networks or facilities.1 The amendments would also allow the Minister to require telecommunications service providers to implement security measures such as vulnerability assessments.2
Bill C-8 would establish an administrative monetary penalty regime for violations of orders with penalties of up to $25,000 for individuals ($50,000 for subsequent violations) and up to $10 million for non-individuals ($15 million for subsequent violations).3 Notably, losses incurred as a result of an order would not be recoverable.4
PART TWO: CRITICAL CYBER SYSTEMS PROTECTION ACT
Part Two enacts the CCSPA, which would create new cybersecurity obligations for designated operators managing vital services or systems in the federal sector. Currently, Schedule 1 of the Bill lists the following as vital services and vital systems that will be subject to the CCSPA:
- Telecommunications services;
- Interprovincial or international pipeline and power line systems;
- Nuclear energy systems;
- Transportation systems that are within the legislative authority of Parliament;
- Banking systems; and
- Clearing and settlement systems.5
The designated operators to which the CCSPA would apply have yet to be specified. Any companies operating in the above-listed industries may be designated in the future, and should be aware of their potential cybersecurity obligations under the CCSPA.
The CCSPA would require designated operators to: (i) establish a cyber security program that complies with the regulatory requirements, notify the appropriate regulator and submit a copy of the program to the appropriate regulator within 90 days of becoming a designated operator;6 (ii) implement measures to address and reduce supply-chain risks identified by the cyber security program;7 (iii) report any cybersecurity incidents affecting critical cyber security systems to the Communications Security Establishment within 72 hours (or an earlier timeframe if prescribed) and inform the appropriate regulator of the incident;8 (iv) comply with cyber security directions imposed by the Governor in Council;9 and (v) maintain and preserve certain records in accordance with regulations.10
In sum, the CCSPA would establish a proactive cybersecurity regime that shifts responsibility to operators before incidents occur, rather than relying solely on reactive measures. This framework would create ongoing compliance obligations that would require significant operational oversight from designated operators.
When Will Bill C-8 Be Passed?
Bill C‑8 was introduced in the House of Commons on June 18, 2025, and has completed its first reading. It is currently at second reading in the House, where it will undergo debate, committee review, amendment and report stages. After passing third reading in the House of Commons, the Bill must then move through all three readings in the Senate before receiving Royal Assent.
Given that Bill C‑8 closely mirrors Bill C‑26, which had already reached the third reading in the Senate before dying on the Order Paper when Parliament was prorogued in January 2025, some observers expect it could proceed through the legislative process relatively swiftly. That said, the timing will depend heavily on parliamentary scheduling, the complexity of committee review, and whether any amendments spark extended debate.
Conclusion and Takeaways
Bill C-8's broad scope and significant penalties highlight the government's commitment to cybersecurity, but also create substantial compliance challenges that require immediate attention and strategic planning to avoid costly enforcement actions and operational disruptions. Organizations operating in Canada's telecommunications sector and critical federal infrastructure should prepare for these new compliance obligations.
McMillan's Privacy and Data Protection Group will continue to monitor updates related to Bill C-8's progression. For our prior analysis on Bill C-26, which is relevant to Bill C-8, please read our previous bulletin here and commentary by Robbie Grant in the Globe and Mail here.
Footnotes
1 Telecommunications Act, SC 1993, c 38, sections 15.1(1) and 15.2(1), as amended by Bill C-8 [Telecommunications Act].
2 Telecommunications Act, section 15.2(2)(i)-(l), as amended by Bill C-8.
3 Telecommunications Act, section 72.131, as amended by Bill C-8.
4 Telecommunications Act, sections 15.1(8) and 15.2(10), as amended by Bill C-8.
5 Critical Cyber Systems Protection Act, Schedule 1, as enacted by Bill C-8. [CCSPA]
6 CCSPA, section 9.
7 CCSPA, section 15.
8 CCSPA, section 17.
9 CCSPA, section 20.
10 CCSPA, section 30.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2025
