As we continue to see high profile attacks on critical infrastructure in Canada, the US, and elsewhere the calls for specific Canadian regulations pertaining to affected sectors have remained consistent. With the current geopolitical climate, US security agencies have called for increased vigilance, which should come as no surprise. The European Union had responded to these threats by requiring EU Member States to transpose the NIS2 Directive into national law by October 2024.
On June 18, 2025, Canada's Minister of Public Safety tabled Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. If enacted, Bill C-8 would establish the Critical Cyber Systems Protection Act (CCSPA), a framework previously introduced in the last Parliament under Bill C-26. The CCSPA is designed to strengthen the protection of critical cyber systems deemed essential to national infrastructure and public safety.
Key sectors affected
The CCSPA would apply to industries that deliver "vital services" or operate "vital systems", including:
- Telecommunications services
- Interprovincial and international pipelines and power lines
- Nuclear energy systems
- Federally regulated transportation systems
- Banking institutions
- Financial clearing and settlement systems
Compliance obligations
Designated operators of these vital services and systems would face several mandatory cybersecurity obligations, including:
- Developing and maintaining a cybersecurity program designed to assess and manage organizational cyber risk on a regular basis
- Mitigating cybersecurity risks in the supply chain, including third-party products and services
- Reporting material changes in ownership, control, or use of third-party providers to the appropriate regulator
- Complying with government-issued cybersecurity directions, while maintaining strict confidentiality regarding the direction's existence and content
- Maintaining detailed records of the cybersecurity program and incidents, with all records stored within Canada
What's new and what's not
While largely identical to Bill C-26, Bill C-8 includes updated judicial review procedures for cybersecurity directions. Bill C-26 had previously advanced to third reading in the Senate but did not pass before Parliament was prorogued in January 2025.
As a result, Bill C-8 must restart the full legislative process, including House and Senate readings, committee review, and report stages. However, due to the momentum behind Bill C-26 and the substantive overlap between the two, Bill C-8 may move swiftly through Parliament.
Business considerations
For organizations operating in affected sectors, early preparation is critical. Key considerations include:
- Conducting a readiness assessment to evaluate current cybersecurity posture
- Reviewing vendor and third-party risk management practices
- Developing internal processes to comply with potential reporting, record-keeping, and confidentiality obligations
- Understanding data localization requirements, given the mandate to store cybersecurity records within Canada
- Monitoring legislative progress to anticipate compliance timelines
Organizations should also assess whether they may be designated as operators under the Act and begin planning accordingly.
For more background, see our previous analyses relating to Bill C-26:
- Privacy, Data Protection, and Cybersecurity Laws in Canada (Apr 29, 2024)
- AI poses new threats to cybersecurity: How Canadian boards can navigate the evolving cyber risk landscape to stay ahead of the curve (Jun 07, 2023)
- Tackling privacy and cybersecurity challenges as critical parts of ESG success (Apr 11, 2023)
- Tactical and strategic steps for successful cyber incident preparedness(Sep 30, 2022)
- Bill C-26: A strengthening of Canada's cyber security through mandatory reporting of cyber incidents (June 20, 2022)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
