This article was prepared with the assistance of summer law student Amy Fisher. 

On June 18, 2025, Bill C-8 was introduced into the House of Commons. The Bill, which introduces more stringent cybersecurity regulations for critical Canadian infrastructure, aims to protect systems and services that are critical to Canada’s security. While a similar Bill, C-26, was tabled in the last session of Parliament, it was not enacted due to proroguing.  

The introduction of Bill C-8 shows that cybersecurity is a top priority of the current government and, as such, businesses should expect changes in the regulatory environment. Bill C-8 introduces some of these changes through amendments to the Telecommunications Act and the creation of the Critical Cyber Systems Protection Act. 

Who is subject to this legislation? 

The Critical Cyber Systems Protection Act (the Act) will apply to the providers of vital services and vital systems (designated operators), as defined in the Act. Presently, vital services and systems include telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems that are within the legislative authority of Parliament, banking systems and clearing and settlement systems. However, this list could be modified at any time, either before or after the legislation is enacted, meaning the legislation could apply to more categories of service or system providers.

Though the Bill may change as it progresses, the Act presently applies to those regulated by the following government bodies: 

  • The Superintendent of Financial Institutions
  • The Minister of Industry 
  • The Bank of Canada 
  • The Canadian Nuclear Safety Commission 
  • The Canadian Energy Regulator 
  • The Minister of Transport 

What is a critical cyber system? 

A critical cyber system is a digital system that helps manage important information and services we rely on every day – like electricity, healthcare or banking. If this system is hacked or otherwise fails, it could seriously interrupt the essential services Canadians rely on. For this reason, the federal and some provincial governments have introduced legislation that will protect the confidentiality, availability and integrity of these systems. 

What does the legislation require? 

The Act requires that designated operators do the following: 

1. Establish a cybersecurity program

The program must be in line with the Act and any associated regulations and must be created and reported to the appropriate regulator no more than 90 days after being declared a designated operator by the Governor in Council. 

2. Implement, maintain and review said cybersecurity program

At a minimum, the designated operator must review the program annually, unless the regulations specify a different frequency. The review must be completed within 60 days, and the designated operator must report the results of this review, including any changes that were made to the program, to the regulator no more than 30 days after the review is completed. 

3. Monitor for and mitigate cybersecurity threats associated with their supply chain or third parties

The designated operator must immediately notify the regulator of any identified threats or risks. 

4. Report cybersecurity incidents

The designated operator must report any incident within 72 hours to the Communications Security Establishment. However, changes to the regulations may reduce the reporting window.

On the whole, the Act creates a new mandatory framework for administering and protecting Canada’s most critical cybersecurity networks. This brings with it clear requirements for reporting, record keeping and compliance.  

What can organizations do to prepare? 

Though Bill C-8 is subject to change, designated operators should consider the following to best prepare themselves if the Bill passes: 

1. Assess whether this legislation would apply to your organization

Has your industry been identified as a vital service or system? Is your business part of Canada’s critical infrastructure? If yes, your organization will likely be impacted by the Bill and, as such, will want to ensure you stay informed about its status.  

2. Monitor the Bill’s status and changes

Set up alerts for articles posted by news outlets announcing the progress of Bill C-8, subscribe to the MLT Aikins Legal Roundup Newsletter to directly receive any future insights we may post about the Bill and review the status of Bill C-8 directly on Parliament’s website. 

3. Assess your present cybersecurity practices

Look at what cybersecurity protocols are already in place and compare these to the Act’s requirements. Do the current practices meet the Act’s requirements? Do they fall short? Consider what changes need to be made if the Act is enacted. 

4. Work with legal counsel

Have discussions with legal professionals to understand the implications of Bill C-8 on your organization and develop strategies should the Bill be passed. 

Whether your organization has already been flagged as a vital system/service or you anticipate your organization may be flagged in the future, our technology, intellectual property and privacy team can provide advice on navigating Bill C-8 and the Critical Cyber Systems Protection Act, should it be enacted.

Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation. 
