What Is Bill C-8? Canada’s New Cybersecurity Law Explained for Small Businesses
By Mike Pearlstein, CISSP | March 2026
What is Bill C-8? Canada’s federal cybersecurity bill targets critical infrastructure operators: banks, telecom carriers, energy companies, and transport firms. Your 20-person law firm isn’t in scope. Neither is your 50-person manufacturing shop. But here’s the catch. If your clients are in those sectors, or your insurers are tracking regulatory trends, Bill C-8 Canada’s reach will hit you anyway. The Cyber Centre’s National Cyber Threat Assessment 2025-2026 describes cybercrime as a persistent, widespread, and disruptive threat across Canada. Parliament wrote Bill C-8 as part of Canada’s response to that broader risk picture. Its ripple effects touch every business in the supply chain.
Note: This post is an operational guide written from an MSP perspective. It isn’t legal advice. For legal interpretation of Bill C-8 and how it applies to your organization, consult a lawyer who specializes in Canadian cybersecurity regulation.
What Does Bill C-8 Do?
Full name: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. It replaces Bill C-26, which died in January 2025 when Parliament was prorogued. Not an opposition defeat. Prorogation killed all pending bills. Ottawa reintroduced the same agenda as Bill C-8. The committee tabled its report with amendments on March 11, 2026. Bill C-8 Canada’s cybersecurity bill now sits at report stage in the House of Commons.
Two operative parts make up Bill C-8 Canada’s cybersecurity framework.
Part one amends the Telecommunications Act, giving Ottawa new tools to address security threats in Canada’s telecom networks. That’s the part sparking the encryption controversy (more on that below).
Part two creates the Critical Cyber Systems Protection Act (CCSPA). For businesses trying to understand Bill C-8 Canada’s real-world effects, this is the section that matters.
Under the CCSPA, designated operators have four core obligations:
- Establish a cybersecurity program within 90 days of being designated. The program must be documented, approved by the board, and reviewed annually.
- Report cyber incidents to the Canadian Centre for Cyber Security (CSE) within 72 hours. No discretion on timing. If you don’t know if it’s a reportable incident within 72 hours, you report anyway.
- Manage supply chain and third-party risk. Section 9(1)(a) explicitly requires designated operators to identify and manage cybersecurity risks from vendors and service providers. This is where SMBs enter the picture.
- Store records in Canada and make them available to the government on request.
Penalties aren’t symbolic. Fines hit $15 million per day for organizations. Officers and directors? Up to $1 million per day, and that liability is personal. Willful non-compliance can mean prison time, and these aren’t hypothetical caps either. They’re written into the bill text.
Does Bill C-8 Apply to My Business?
Probably not. Bill C-8 Canada’s scope is narrow. It covers designated operators in six federally regulated sectors: telecom, pipelines and power lines, nuclear, transport (rail, air, marine), banking, and clearing and settlement.
A 30-person accounting firm? Not a designated operator. Running an MSP serving mid-market clients in Ontario, you aren’t one either. In the House of Commons on September 26, 2025, Public Safety’s minister told the committee this law won’t “impact or impose conditions on SMEs” (Hansard).
That statement is technically correct. But for businesses tracking Bill C-8 Canada’s supply chain ripple effects, it’s operationally misleading.
Outside the direct scope? Sure. Outside its consequences? No. Supply chain obligations in Section 9(1)(a) don’t apply to you directly. But they apply to your clients in regulated sectors. Those clients push compliance down to their vendors. You’re the vendor.
Why Bill C-8 Canada Matters Even If It Doesn’t Name You
Supply chain flow-down. Under Bill C-8 Canada’s CCSPA, designated operators must ID and manage cyber risks from their supply chains (Section 9(1)(a)). That duty doesn’t stop at their door. It flows to every MSP, software vendor, and IT contractor touching their systems. Serve a bank? Expect a vendor security form. Run cloud for a telecom? Same thing. Those forms ask about your IRP, MFA, backups, and vendor oversight. Verbal assurances won’t cut it. You need written answers.
Insurer expectations rise. Only 22% of Canadian businesses carry cyber insurance (IBC, 2025). Breach costs average $6.98 million in Canada (IBM, 2025). Statistics Canada reported that businesses spent $1.2 billion recovering from cybersecurity incidents in 2023. Those numbers alone should scare you.
Now add what Bill C-8 Canada’s $15M/day penalty tells insurers. They use regulatory benchmarks to set rates. A $15M/day bar for banks tells the market what “serious” looks like. Underwriters will raise their minimums. Premiums go up if you can’t show documented controls. No policy? You’re exposed. Have one? Your next renewal will be tougher.
Incident reporting changes the game. Bill C-8 Canada’s 72-hour reporting rule means breaches at designated operators get disclosed fast. Before the full scope is clear. If that breach touches your systems as a vendor? You’re in the disclosure too.
Here’s the gap. Only 11% of Canadian SMBs have a formal IRP (IBC 2025). 52% have nothing. A client calls Friday at 11 PM. Breach. CSE needs a report in 72 hours. No documented process on your end? That’s a crisis for both of you. You don’t need to fall under Bill C-8 Canada’s scope to need an IRP. You just need clients who do.
The “reasonable measures” bar rises. Courts look at what similar businesses do when they judge your security. Once Bill C-8 Canada mandates programs, 72-hour reporting, and vendor risk management for banks, that’s the new bar. “Legally required for banks” and “good enough for everyone” merge. The gap shrinks every year. Handling sensitive client data? A judge won’t care that you weren’t named in the bill.
What Canadian SMBs Should Do Now
Document your cybersecurity program. Not a policy buried in a shared drive since 2019. Write down who owns security decisions, what controls you run, how you detect threats, and how you respond when something breaks. Clients doing vendor assessments will ask for this document, and so will your insurer at renewal. Can’t produce it? That’s where you begin.
Know your vendor risk. Who has access to your systems, and what are their security practices? Under Bill C-8 Canada’s supply chain rules, designated operators must assess every vendor. They’ll be assessing you. Meanwhile, you should be asking the same questions about your own vendors. Auditing which third parties hold credentials to your systems? Half a day. Skipping that audit gets harder to defend every year.
Build an incident response plan. More than half of Canadian SMBs don’t have one. Keep it simple. Yours doesn’t need to be 40 pages. Four questions matter: who do we call, what do we isolate, what do we tell clients, and what do we document? Friday night breach? Those answers can’t be “let’s figure it out.” Your IT support provider should be part of that plan from day one.
Turn on MFA everywhere. The Canadian Centre for Cyber Security calls MFA a top defense (2025 Baseline Controls). Old advice. Still not done at most firms. Check your Microsoft 365 setup, your VPN, your admin consoles, and your cloud tools. Missing MFA on any of them? Vendors, insurers, and clients will flag it. M365 has conditional access and MFA built in, so there’s no cost excuse for skipping it.
Get a cybersecurity assessment. You can’t fix what you haven’t measured. A cybersecurity assessment gives you a documented baseline: where your controls stand, where the gaps are, what to fix first. Without one, you’re walking into vendor audits and insurance renewals blind. Statistics Canada reported that about 1 in 6 Canadian businesses were impacted by cyber security incidents in 2023. That trend line won’t help your case.
Review your cyber insurance. 78% of Canadian businesses don’t carry it (IBC 2025). Find a broker who understands technology risks. Already covered? Read your policy. Most SMBs don’t know what theirs actually covers until they file a claim. Check the exclusions. Check the incident reporting rules. Make sure your current controls meet your policy’s minimum requirements, or your coverage might not hold when you need it.
Bill C-8 Isn’t the Only Law Changing in 2026
Canada’s proposed privacy overhaul (Bill C-27) died alongside C-26 in January 2025. It wasn’t voted down. Time ran out. A new privacy bill is expected, but as of March 2026, nothing has been tabled.
When it arrives, watch the penalties. C-27 proposed fines up to $25 million or 5% of global revenue. GDPR-tier. That bill isn’t law yet. No draft text exists for this session. But Parliament’s signal is clear: data protection fines are going way up. Build your privacy and security practices now, or play catch-up later.
Here’s the overlap: cybersecurity programs, IRPs, and vendor risk management are all Bill C-8 Canada requirements. They’ll also be requirements under any future privacy bill. Build them now. You’ll be ready for both.
What to Watch: Bill C-8 Canada’s Encryption Controversy
Bill C-8 Canada’s Telecom Act amendments give Ottawa broad new powers over telecom operators. CCLA and OpenMedia have both raised flags. In theory, these powers could force carriers to weaken encryption or add surveillance tools.
Canada’s Privacy Commissioner wants guardrails. Ottawa says the powers target telecom security threats, not domestic spying. That fight isn’t settled.
Worth watching. Not worth panicking about. If you run encrypted comms, or if your clients care about data sovereignty, track how the regs get drafted. CIRA’s 2025 vendor-selection release says Canadian organizations are putting more weight on country of origin and data-sovereignty questions when they buy cybersecurity tools. Clients already pick vendors based on where data lives. Bill C-8 Canada’s final rules will push that trend further.
Frequently Asked Questions
Does Bill C-8 apply to small businesses?
Not directly. Bill C-8 Canada’s legislation applies to designated operators in six federally regulated sectors: telecom, pipelines and power lines, nuclear, transportation, banking, and clearing and settlement. Most SMBs don’t fall into these categories. However, if you serve organizations that are designated operators, expect vendor security requirements as they manage supply chain risk under Section 9(1)(a) of the CCSPA.
What is the Critical Cyber Systems Protection Act?
CCSPA is Bill C-8’s second major component. It creates Canada’s legal framework for mandatory cybersecurity programs, incident reporting, supply chain risk management, and records retention for designated operators. Penalties reach $15 million per day for organizations and $1 million per day for individuals. Directors face personal liability. Willful non-compliance can lead to prison.
When does Bill C-8 take effect?
As of March 2026, Bill C-8 Canada’s cybersecurity bill is at report stage. The committee tabled its report on March 11, 2026, but Royal Assent hasn’t happened yet. After passage, enforcement dates get set by order-in-council, and designated operators will have 90 days to build their cybersecurity programs. We’ll update this post as the timeline firms up.
What’s the difference between Bill C-8 and Bill C-27?
Separate laws for separate problems. Bill C-8 Canada’s cybersecurity law targets critical infrastructure with rules on cybersecurity programs, incident reporting, and supply chain risk. C-27 was a privacy modernization bill. It would have replaced PIPEDA (Canada’s private-sector privacy law) with a new Consumer Privacy Protection Act and stronger enforcement. Both bills died in January 2025 when Parliament was prorogued. C-8 has been reintroduced in Canada. C-27 hasn’t been retabled as of March 2026.
What penalties does Bill C-8 impose?
Under the CCSPA, organizations that fail to comply face penalties up to $15 million per day. Individual officers and directors face up to $1 million per day. Director liability is personal, meaning a board member can be held accountable individually. Willful non-compliance can also lead to imprisonment. These are statutory maximums from the bill text, not guesses.
Should I get a cybersecurity assessment?
Yes. A cybersecurity assessment shows you where your controls stand, where the gaps are, and what to fix first. It’s the document a vendor questionnaire or insurance underwriter will ask for. Statistics Canada reported that about 1 in 6 Canadian businesses were impacted by cyber security incidents in 2023. Serving clients in regulated sectors or holding sensitive data? A baseline isn’t optional.
Fusion Computing provides cybersecurity services and IT support in Toronto for Canadian businesses in a regulatory environment that keeps getting more demanding. Whether you need help building a cybersecurity program, preparing for a vendor assessment, or understanding what working with an MSSP actually looks like, we’re one call away. And as Bill C-8 Canada’s rules take shape, being ready early beats scrambling later. We also work with organizations that need structured compliance readiness, including CARF IT readiness for accredited service providers. If you’re thinking about the cost of IT support against the cost of a breach, that math has gotten a lot clearer.
Mike Pearlstein, CISSP is the CEO of Fusion Computing and holds the Certified Information Systems Security Professional designation. He advises Canadian businesses on cybersecurity strategy, compliance readiness, and incident response planning. Learn more about Fusion Computing.