As cyber threats continue to escalate in frequency, scope, and sophistication, Canada is preparing to respond by implementing a sweeping new regulatory framework. The framework is set out in An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts ("Bill C-8") [1], and is set to fundamentally reshape the compliance landscape for organizations operating in federally regulated critical infrastructure sectors.
Bill C-8 will enact the Critical Cyber Systems Protection Act ("CCSPA") to establish a comprehensive framework for the protection of "critical cyber systems" in key sectors such as banking, telecommunications, energy, transportation, nuclear, and clearing and settlement systems. It will simultaneously amend the Telecommunications Act, making the security of Canada's telecommunications system a central policy objective [2]. In this blog, we break down the main components of the CCSPA, highlighting the key obligations for Canadian companies, and offer practical advice for organizations seeking to prepare for the CCSPA's adoption and entry into force.
Key Obligations
If your organization is classified as a "designated operator" under the list of "vital services and vital systems" [3] defined by the CCSPA, it will be subject to a range of new and significant obligations. These requirements are designed to ensure that critical infrastructure operators are not only prepared for cyber incidents, but that they are actively working to prevent them.
Critical infrastructure is the focus, but the CCSPA does not – in its current form – contemplate any exemption or accommodation for small or medium-sized businesses that may be designated as operators. All designated operators, regardless of size, would therefore become subject to the same obligations and penalties summarized below:
- Establishing a Cybersecurity Program
Designated operators will be required to develop, implement, and maintain a comprehensive cybersecurity program. For any designated operator, such program must be developed and implemented within 90 days of being designated. For all designated operators, such program must go beyond basic IT security measures. It should include a thorough assessment of organizational cyber risks, including those arising from supply chains and third-party vendors. The program must also set out clear protocols for protecting critical systems, detecting and responding to incidents, and regularly reviewing and updating security measures to keep pace with evolving threats. Organizations should expect regulators to scrutinize the adequacy and effectiveness of these programs, making it essential to document all policies, procedures, and risk assessments.
- Incident Reporting and Response
Under the CCSPA, organizations will be required to report cybersecurity incidents that affect critical systems to the Communications Security Establishment ("CSE") within 72 hours of discovery. This reporting obligation is strict and time-sensitive, and organizations must also report any such incidents to their sector regulator. The definition of a reportable incident is broad, encompassing any event that could compromise the confidentiality, integrity, or availability of a critical system regardless of the category of impacted data (e.g., personal information, proprietary or commercial data, etc.). Companies should ensure they have robust incident detection and escalation processes in place, as well as clear lines of communication between IT, legal, and executive teams to facilitate timely and sufficient reporting.
- Managing Supply Chain and Third-Party Risks
Bill C-8 places a strong emphasis on supply chain security. Under the CCSPA, designated operators must actively assess and mitigate risks associated with their supply chains and the use of third-party products or services. This means organizations will need to conduct due diligence on vendors, require contractual commitments to cybersecurity standards, and monitor for vulnerabilities that could be introduced through external partners.
- Compliance with Government Directions
One of the most significant features of the CCSPA is the authority it grants to the federal government to issue binding cybersecurity directions to designated operators. These directions may be issued with little or no prior consultation and can require organizations to implement specific security measures, cease certain activities, or remove particular technologies from their systems (e.g., in scenarios where a certain technology or system is perceived as posing a national security risk to Canada). Compliance is mandatory, and failure to follow a government direction can result in severe penalties.
- Record-Keeping, Audits, and Regulatory Oversight
Designated operators must maintain detailed records of their cybersecurity activities, including risk assessments, incident reports, and compliance measures. These records must be readily available for inspection by regulators, who are empowered to conduct audits, enter premises (with appropriate legal authority), and issue compliance orders. Organizations should ensure that their record-keeping practices are thorough, up-to-date, and capable of withstanding regulatory scrutiny. Regular internal audits and compliance reviews can help identify and address gaps before they become enforcement issues.
- Enforcement, Penalties, and Personal Liability
The CCSPA introduces significant administrative monetary penalties for non-compliance, with fines reaching up to $15 million per day for organizations and $1 million per day for individuals. Notably, directors and officers may be held personally liable if they are found to have directed, authorized, or participated in violations or offences. This heightened accountability underscores the importance of board-level engagement and oversight in cybersecurity governance.
The enforcement regime introduced by CCSPA will rely on existing regulators (i.e., the Minister of Industry, the Minister of Transport, the Superintendent of Financial Institutions, the Bank of Canada, the Canadian Energy Regulator, and the Canadian Nuclear Safety Commission), as appropriate for each specific designated operator.
Practical Steps for Canadian Companies
With Bill C-8 expected to move swiftly through Parliament, organizations should take action now. Proactive preparation will reduce legal and operational risks, both at home and abroad. As the Legislative Summary explains, Canada's approach draws inspiration from international trends set by Canada's allies such as Australia, the European Union, the United Kingdom, and the United States [4]. If any of these regimes apply to your organization, then Bill C-8 may seem familiar. If not, their existence is a strong indication that Canada will pass Bill C-8, or a similar bill, in the near future. Until then, voluntary compliance can position companies as leaders in cybersecurity resilience. Here are several practical steps to consider:
- Assess Your Regulatory Exposure
Begin by determining whether your organization is likely to be considered a designated operator under the CCSPA. Review your operations, subsidiaries, and supply chains for connections to federally regulated sectors. Map out your critical cyber systems and identify which assets, processes, and data flows are likely to fall within the scope of the bill. Early identification of your exposure will allow you to allocate resources and plan effectively.
- Build or Enhance Your Cybersecurity Program
Evaluate your existing cybersecurity program against recognized frameworks such as NIST or ISO/IEC 27001, and identify any gaps relative to the anticipated requirements of the CCSPA. Develop or update policies and procedures for risk assessment, incident response, and supply chain management. Ensure that your program includes clear lines of accountability, with defined roles for board members, executives, and operational staff. Regularly test your program through tabletop exercises and simulations to ensure it is effective in practice.
- Prepare for Incident Reporting and Response
Review and refine your incident response plan to ensure you can detect, assess, and report incidents within the 72-hour window mandated by the bill. While 72 hours is often a benchmark target, hitting that target may require investments in monitoring technologies, staff training, and cross-functional coordination. Establish clear protocols for escalating incidents to legal and executive teams, and ensure that all relevant personnel understand their roles and responsibilities in the event of a cyber incident.
- Review Contracts and Strengthen Supply Chain Security
Cybersecurity and breach notification clauses are part of routine contracting for many organizations. Organizations with strong contracting processes may only need to verify that their existing process ensures they meet the requirements of the CCSPA. Others will need to conduct a thorough review of contracts with vendors and service providers to ensure they include appropriate cybersecurity obligations, audit rights, and incident notification clauses.
Any organization that is subject to the CCSPA should engage with key suppliers to communicate its compliance expectations and assess their readiness to support the organization's obligations under the CCSPA. The CCSPA is also a reason to consider implementing third-party risk and contract management tools, as well as processes to monitor for third-party vulnerabilities (e.g., Dark Web monitoring encompassing your vendors and key third-party business partners) to ensure ongoing compliance.
- Enhance Governance, Training and Board Engagement
Educate your board and senior management on the new obligations and potential liabilities introduced by the CCSPA. Provide regular training to staff on cybersecurity best practices, incident escalation procedures, and compliance protocols. Foster a culture of cybersecurity awareness throughout the organization, emphasizing the importance of proactive risk management and regulatory compliance.
- Monitor Regulatory Developments and Engage with Stakeholders
Stay informed about the progress of Bill C-8 and any sector-specific guidance or regulations that may follow. Engage with industry associations, legal counsel, and regulators to provide feedback, seek clarifications, and stay ahead of emerging requirements. Consider participating in industry forums or working groups to share best practices and learn from peers.
Conclusion
Bill C-8 represents a significant evolution in Canada's approach to cybersecurity regulation, shifting the focus from reactive measures to proactive risk management and accountability. By taking early, concrete steps to align with the bill's requirements, Canadian companies can not only reduce their legal and operational risks but also strengthen their resilience in an increasingly complex cyber threat landscape.
Footnotes
1. Note that Bill C-8 is the new iteration of Bill C-26 (i.e., a substantially similar bill that died on the Order Paper on January 6, 2025 following an unrelated prorogation of Parliament). You can find our blog regarding Bill C-26 on TechLex for reference.
2. This blog focuses on the CCSPA portion of Bill C-8. As such, we have not gone into detail about the amendments to the Telecommunications Act in this text. We may address those amendments in a later blog, so please follow our future publications on the TechLex blog.
3. For clarity, while "vital services" and "vital systems" refer to a service or a system that is referred to in Schedule 1 of the CCSPA, not all organizations that fall under one of the categories listed in Schedule 1 will ultimately be listed as "designated operators" under Schedule 2 of the CCSPA (with the latter currently being empty).
4. "Part 2 [of Bill C-26 (i.e., the previous iteration of Bill C-8)], which would have created the CCSPA – appeared to be inspired by the Australian model, incorporating several elements of the Security of Critical Infrastructure Act 2018 and substantive amendments of the Security Legislation Amendment (Critical Infrastructure) Act 2021. These 2021 reforms significantly expanded the Australian federal government's powers to enforce cyber security obligations on operators of critical infrastructure and to intervene in case of major cyber incidents. Similarly, the CCSPA would have imposed requirements on designated operators in vital sectors (telecommunications, energy, transportation and finance), such as the creation of cyber security programs, mandatory incident reporting and compliance with government cyber security orders.
This approach was consistent with an international trend toward bolstering the resilience of vital infrastructure against digital threats. For example, the United States Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires critical infrastructure operators to report cyber incidents to the Cybersecurity and Infrastructure Security Agency. In the United Kingdom, the reporting requirement is provided by The Network and Information Systems Regulations 2018, which is derived from the European Union's 2016 Directive on security of network and information systems (NIS directive). The overarching objective of all these regimes is to achieve an enhanced and common level of security for critical cyber infrastructures while enabling the relevant authorities to better understand and manage cyber risks."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.