What Is Bill C-8? Canada’s New Cybersecurity Law Explained for Small Businesses
By Mike Pearlstein, CISSP | March 2026
Bill C-8 was written for federally regulated critical infrastructure. Banks, telecom carriers, energy companies, transport firms. Most SMBs read that list and assume they’re not affected. They’re usually half right. If your clients operate in those sectors, Bill C-8’s vendor requirements will reach your business regardless of your own regulatory status. The Cyber Centre’s National Cyber Threat Assessment 2025-2026 describes cybercrime as a persistent and widespread threat across Canada. And Bill C-8 is Parliament’s policy response. Understanding what it requires, and where the supply chain exposure is, is what this guide is for.
Note: This post is an operational guide written from an MSP perspective. It isn’t legal advice. For legal interpretation of Bill C-8 and how it applies to your organization, consult a lawyer who specializes in Canadian cybersecurity regulation.
WHAT THIS GUIDE COVERS
- Which organizations are directly regulated, and which aren’t but still need to act
- The specific program requirements and incident reporting obligations the bill introduces
- What supply chain exposure means for Canadian SMBs that aren’t federally regulated

Bill C-8 introduces formal cybersecurity requirements for designated critical infrastructure operators, with incident reporting obligations to the Communications Security Establishment (CSE) and financial penalties for non-compliance. For businesses not directly regulated, the practical impact comes through supply chain requirements and the direction it sets for Canadian cybersecurity regulation more broadly. The sections below cover what each requirement actually entails.
What Does Bill C-8 Do?
Bill C-8 (Canada’s Critical Cyber Systems Protection Act) mandates that designated critical infrastructure operators implement cybersecurity programs, report material cyber incidents to the federal government within 72 hours, and manage supply chain risk. Non-compliance carries significant penalties. Organizations in the finance, telecommunications, energy, and transportation sectors are directly regulated; their vendors face indirect compliance pressure.
Full name: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. It replaces Bill C-26, which died in January 2025 when Parliament was prorogued. Not an opposition defeat. Prorogation killed all pending bills. Ottawa reintroduced the same agenda as Bill C-8. The committee tabled its report with amendments on March 11, 2026. Bill C-8, Canada’s cybersecurity bill, now sits at report stage in the House of Commons.
Fusion Computing is a Canadian-owned managed IT and cybersecurity provider serving businesses with 10 to 150 employees since 2012. With a 93% first-contact resolution rate and CISSP-certified security leadership, Fusion Computing delivers monitoring, help desk, and security services aligned to CIS Controls v8.1.
Two operative parts make up Bill C-8, Canada’s cybersecurity framework.
Part one amends the Telecommunications Act, giving Ottawa new tools to address security threats in Canada’s telecom networks. That’s the part sparking the encryption controversy (more on that below).
Part two creates the Critical Cyber Systems Protection Act (CCSPA). For businesses trying to understand Bill C-8’s real-world effects, this is the section that matters.
Under the CCSPA, designated operators have four core obligations:
- Establish a cybersecurity program within 90 days of being designated. The program must be documented, approved by the board, and reviewed annually.
- Report cyber incidents to the Canadian Centre for Cyber Security (CSE) within 72 hours. No discretion on timing. If you don’t know if it’s a reportable incident within 72 hours, you report anyway.
- Manage supply chain and third-party risk. Section 9(1)(a) explicitly requires designated operators to identify and manage cybersecurity risks from vendors and service providers. This is where SMBs enter the picture.
- Store records in Canada and make them available to the government on request.
Penalties aren’t symbolic. Fines hit $15 million per day for organizations. Officers and directors? Up to $1 million per day, and that liability is personal. Willful non-compliance can mean prison time, and these aren’t hypothetical caps either. They’re written into the bill text.
Does Bill C-8 Apply to My Business?
Probably not. Bill C-8’s scope is narrow. It covers designated operators in six federally regulated sectors: telecom, pipelines and power lines, nuclear, transport (rail, air, marine), banking, and clearing and settlement.
A 30-person accounting firm? Not a designated operator. Running an MSP serving mid-market clients in Ontario, you aren’t one either. In the House of Commons on September 26, 2025, Public Safety’s minister told the committee this law won’t “impact or impose conditions on SMEs” (Hansard).
That statement is technically correct. But for businesses tracking Bill C-8’s supply chain ripple effects, it’s operationally misleading.
Outside the direct scope? Sure. Outside its consequences? No. Supply chain obligations in Section 9(1)(a) don’t apply to you directly. But they apply to your clients in regulated sectors. Those clients push compliance down to their vendors. You’re the vendor.
Why Bill C-8 Matters Even If It Doesn’t Name You
Supply chain flow-down. Under Bill C-8’s CCSPA, designated operators must identify and manage cyber risks from their supply chains (Section 9(1)(a)). That duty doesn’t stop at their door. It flows to every MSP, software vendor, and IT contractor touching their systems. Serve a bank? Expect a vendor security form. Run cloud for a telecom? Same thing. Those forms ask about your IRP, MFA, backups, and vendor oversight. Verbal assurances won’t cut it. You need written answers.
Insurer expectations rise. Only 22% of Canadian businesses carry cyber insurance (IBC, 2025). Breach costs average $6.98 million in Canada (IBM, 2025). Statistics Canada reported that businesses spent $1.2 billion recovering from cybersecurity incidents in 2023. Those numbers alone should scare you.
Now add what Bill C-8’s $15M/day penalty tells insurers. They use regulatory benchmarks to set rates. A $15M/day bar for banks tells the market what “serious” looks like. Underwriters will raise their minimums. Premiums go up if you can’t show documented controls. No policy? You’re exposed. Have one? Your next renewal will be tougher.
Incident reporting changes the game. Bill C-8’s 72-hour reporting rule means breaches at designated operators get disclosed fast, before the full scope is clear. If that breach touches your systems as a vendor? You’re in the disclosure too.
Here’s the gap. Only 11% of Canadian SMBs have a formal IRP (IBC 2025). 52% have nothing. A client calls Friday at 11 PM. Breach. CSE needs a report in 72 hours. No documented process on your end? That’s a crisis for both of you. You don’t need to fall under Bill C-8’s scope to need an IRP. You just need clients who do.
The “reasonable measures” bar rises. Courts look at what similar businesses do when they judge your security. Once Bill C-8 mandates programs, 72-hour reporting, and vendor risk management for banks, that’s the new bar. “Legally required for banks” and “good enough for everyone” merge. The gap shrinks every year. Handling sensitive client data? A judge won’t care that you weren’t named in the bill.
What Canadian SMBs Should Do Now
Document your cybersecurity program. Not a policy buried in a shared drive since 2019. Write down who owns security decisions, what controls you run, how you detect threats, and how you respond when something breaks. Clients doing vendor assessments will ask for this document, and so will your insurer at renewal. Can’t produce it? That’s where you begin.
Know your vendor risk. Who has access to your systems, and what are their security practices? Under Bill C-8’s supply chain rules, designated operators must assess every vendor. They’ll be assessing you. Meanwhile, you should be asking the same questions about your own vendors. Auditing which third parties hold credentials to your systems? Half a day. Skipping that audit gets harder to defend every year.
Build an incident response plan. More than half of Canadian SMBs don’t have one. Keep it simple. Yours doesn’t need to be 40 pages. Four questions matter: who do we call, what do we isolate, what do we tell clients, and what do we document? Friday night breach? Those answers can’t be “let’s figure it out.” Your IT support provider should be part of that plan from day one.
Turn on MFA everywhere. The Canadian Centre for Cyber Security calls MFA a top defense (2025 Baseline Controls). Old advice. Still not done at most firms. Check your Microsoft 365 setup, your VPN, your admin consoles, and your cloud tools. Missing MFA on any of them? Vendors, insurers, and clients will flag it. M365 has conditional access and MFA built in, so there’s no cost excuse for skipping it.
Get a cybersecurity assessment. You can’t fix what you haven’t measured. A cybersecurity assessment gives you a documented baseline: where your controls stand, where the gaps are, what to fix first. Without one, you’re walking into vendor audits and insurance renewals blind. Statistics Canada reported that about 1 in 6 Canadian businesses were impacted by cyber security incidents in 2023. That trend line won’t help your case.
Review your cyber insurance. 78% of Canadian businesses don’t carry it (IBC 2025). Find a broker who understands technology risks. Already covered? Read your policy. Most SMBs don’t know what theirs actually covers until they file a claim. Check the exclusions. Check the incident reporting rules. Make sure your current controls meet your policy’s minimum requirements, or your coverage might not hold when you need it.
Bill C-8 Isn’t the Only Law Changing in 2026
Canada’s proposed privacy overhaul (Bill C-27) died alongside C-26 in January 2025. It wasn’t voted down. Time ran out. A new privacy bill is expected, but as of March 2026, nothing has been tabled.
When it arrives, watch the penalties. C-27 proposed fines up to $25 million or 5% of global revenue. GDPR-tier. That bill isn’t law yet. No draft text exists for this session. But Parliament’s signal is clear: data protection fines are going way up. Build your privacy and security practices now, or play catch-up later.
Here’s the overlap: cybersecurity programs, IRPs, and vendor risk management are all Bill C-8 requirements. They’ll also be requirements under any future privacy bill. Build them now. You’ll be ready for both.
What to Watch: Bill C-8’s Encryption Controversy
Bill C-8’s Telecom Act amendments give Ottawa broad new powers over telecom operators. CCLA and OpenMedia have both raised flags. In theory, these powers could force carriers to weaken encryption or add surveillance tools.
Canada’s Privacy Commissioner wants guardrails. Ottawa says the powers target telecom security threats, not domestic spying. That fight isn’t settled.
Worth watching. Not worth panicking about. If you run encrypted comms, or if your clients care about data sovereignty, track how the regs get drafted. CIRA’s 2025 vendor-selection release says Canadian organizations are putting more weight on country of origin and data-sovereignty questions when they buy cybersecurity tools. Clients already pick vendors based on where data lives. Bill C-8’s final rules will push that trend further.
Canadian Cybersecurity Compliance Requirements
| Framework | Applies To | Key Requirements | Penalty for Non-Compliance |
|---|---|---|---|
| Bill C-26 (CCSPA) | Critical infrastructure operators | Cyber program, incident reporting, compliance audits | Fines up to $15M + imprisonment |
| PIPEDA | All businesses handling personal data | Consent, breach reporting within 72 hours, data minimization | Fines up to $100K per violation |
| PHIPA | Ontario healthcare providers | Encryption, access controls, breach notification | Fines up to $200K (individuals), $500K (orgs) |
| SOC 2 | SaaS, cloud, and service providers | Security, availability, confidentiality controls | Loss of enterprise contracts |
| PCI DSS | Businesses accepting credit cards | Encryption, network segmentation, access controls | Fines + loss of card processing |
Does Bill C-8 apply to small businesses?
Not directly. Bill C-8 applies to designated operators in six federally regulated sectors: telecom, pipelines and power lines, nuclear, transportation, banking, and clearing and settlement. Most SMBs don’t fall into these categories. However, if you serve organizations that are designated operators, expect vendor security requirements as they manage supply chain risk under Section 9(1)(a) of the CCSPA.
What is the Critical Cyber Systems Protection Act?
CCSPA is Bill C-8’s second major component. It creates Canada’s legal framework for mandatory cybersecurity programs, incident reporting, supply chain risk management, and records retention for designated operators. Penalties reach $15 million per day for organizations and $1 million per day for individuals. Directors face personal liability. Willful non-compliance can lead to prison.
When does Bill C-8 take effect?
As of March 2026, Bill C-8 is at report stage. The committee tabled its report on March 11, 2026, but Royal Assent hasn’t happened yet. After passage, enforcement dates get set by order-in-council, and designated operators will have 90 days to build their cybersecurity programs. We’ll update this post as the timeline firms up.
What’s the difference between Bill C-8 and Bill C-27?
Separate laws for separate problems. Bill C-8, Canada’s cybersecurity law, targets critical infrastructure with rules on cybersecurity programs, incident reporting, and supply chain risk. C-27 was a privacy modernization bill. It would have replaced PIPEDA (Canada’s private-sector privacy law) with a new Consumer Privacy Protection Act and stronger enforcement. Both bills died in January 2025 when Parliament was prorogued. C-8 has been reintroduced. C-27 hasn’t been retabled as of March 2026.
What penalties does Bill C-8 impose?
Under the CCSPA, organizations that fail to comply face penalties up to $15 million per day. Individual officers and directors face up to $1 million per day. Director liability is personal, meaning a board member can be held accountable individually. Willful non-compliance can also lead to imprisonment. These are statutory maximums from the bill text, not guesses.
Should I get a cybersecurity assessment?
Yes. A cybersecurity assessment shows you where your controls stand, where the gaps are, and what to fix first. It’s the document a vendor questionnaire or insurance underwriter will ask for. Statistics Canada reported that about 1 in 6 Canadian businesses were impacted by cyber security incidents in 2023. Serving clients in regulated sectors or holding sensitive data? A baseline isn’t optional.
How Canada’s Cybersecurity Law Affects Small Businesses
Bill C-8 is written for critical infrastructure operators, but its ripple effects reach every Canadian business that handles sensitive data. Here’s why:
- Supply chain requirements. If your clients are in a regulated sector (finance, healthcare, energy, telecom), they’ll push Bill C-8 compliance requirements down to their vendors. That includes you.
- Cyber insurance alignment. Insurance carriers are already referencing Bill C-8’s incident reporting timelines in their policy language. Missing those timelines could void coverage.
- PIPEDA overlap. PIPEDA’s breach notification rules already require reporting breaches that pose “real risk of significant harm.” Bill C-8 adds federal reporting obligations on top of that for designated operators.
The practical takeaway for Canadian SMBs: even if Bill C-8 doesn’t directly apply to your business, the security controls it mandates (incident response plans, MFA, continuous monitoring, and documented cybersecurity programs) are becoming the baseline expectation from clients, partners, and insurers.
Fusion Computing provides cybersecurity services and IT support in Toronto for Canadian businesses in a regulatory environment that keeps getting more demanding. Whether you need help building a cybersecurity program, preparing for a vendor assessment, or understanding what working with an MSSP actually looks like, we’re one call away. And as Bill C-8’s rules take shape, being ready early beats scrambling later. We also work with organizations that need structured compliance readiness, including CARF IT readiness for accredited service providers. If you’re thinking about the cost of IT support against the cost of a breach, that math has gotten a lot clearer.
Mike Pearlstein, CISSP is the CEO of Fusion Computing and holds the Certified Information Systems Security Professional designation. He advises Canadian businesses on cybersecurity strategy, compliance readiness, and incident response planning. Learn more about Fusion Computing.