On June 18, 2025, the Government of Canada tabled Bill C-8, the Critical Cyber Systems Protection Act. Reviving and strengthening the provisions of the previous Bill C-26, this legislation establishes a mandatory cybersecurity framework for operators of critical cyber systems across Canada's vital services sectors. The bill is currently at second reading in the House of Commons.
What Is Bill C-8
Bill C-8 creates a legal framework requiring designated operators of critical cyber systems to establish and maintain cybersecurity programs, report cyber incidents to the Communications Security Establishment (CSE), and comply with government-issued cybersecurity directives. The bill grants the Governor in Council authority to designate vital services and critical systems, and empowers regulators to enforce compliance through administrative monetary penalties.
Who Is Affected
The legislation targets operators in six critical infrastructure sectors:
- Telecommunications: Federally regulated telecommunications service providers
- Pipelines and Power: Interprovincial and international pipeline operators and electricity providers
- Nuclear Energy: Nuclear facilities and operators licensed under the Nuclear Safety and Control Act
- Transportation: Federally regulated air, rail, and marine transportation systems
- Banking: Federally regulated financial institutions and clearing/settlement systems
- Crown Corporations: Federal Crown corporations operating critical cyber systems
Mandatory Requirements
Designated operators must establish a cybersecurity program that includes risk assessments, mitigation measures, incident detection and response capabilities, business continuity planning, and supply chain security controls. Programs must be reviewed annually and made available to the appropriate regulator upon request. Operators must also notify the regulator of any material changes to their cybersecurity program within a prescribed timeframe.
Incident Reporting Obligations
One of the most significant provisions requires operators to report cybersecurity incidents to the CSE within 72 hours of detection. Reportable incidents include any event that impairs or could impair the continuity or security of a critical cyber system. The CSE may share reported information with other government agencies, allied foreign governments, and sector-specific regulators as needed to protect national security.
Privacy Concerns
Privacy advocates and civil liberties organizations have raised concerns about several provisions in the bill. The legislation grants the government authority to compel the production of information from operators, potentially including personal data and encrypted communications. Critics argue that insufficient safeguards exist to prevent overreach, and that the bill lacks adequate judicial oversight for cybersecurity directives. The Canadian Civil Liberties Association has called for amendments to strengthen privacy protections and transparency requirements.
How to Prepare for Compliance
- Determine whether your organization operates systems that may be designated as critical cyber systems under the Act
- Assess your current cybersecurity program against the anticipated mandatory requirements
- Establish or enhance your incident detection and reporting capabilities to meet the 72-hour reporting obligation
- Review your supply chain security practices and third-party risk management processes
- Engage legal counsel to understand the implications of government cybersecurity directives for your organization
- Monitor the bill's progress through Parliament and participate in public consultations when available