What Is Bill C-8? Canada’s New Cybersecurity Law Explained for Small Businesses

Tags: compliance, critical infrastructure, cybersecurity, legislation, security assessment

Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver. Updated June 22, 2026 to reflect Royal Assent.

Not to be confused with Bill C-9: Bill C-8 is Canada’s cybersecurity law, the Critical Cyber Systems Protection Act. Bill C-9 is the Combatting Hate Act, a Criminal Code amendment unrelated to cybersecurity. This guide covers Bill C-8 and what it means for Canadian businesses.

Key Takeaways

  • Bill C-8 received Royal Assent on June 16, 2026 and is now law. It creates the Critical Cyber Systems Protection Act (CCSPA) for federally regulated sectors.
  • The Telecommunications Act amendments took effect immediately. The CCSPA obligations on operators phase in by order in council, with the details set by regulation.
  • Direct scope: designated operators in telecom, banking, energy, nuclear, interprovincial transport, and clearing and settlement.
  • Operators must run a documented cyber program (within 90 days of designation), report significant incidents to the Cyber Centre within a window of up to 72 hours, and manage supplier risk.
  • Penalties reach $15 million per day for organizations and $1 million per day for individuals, with personal liability for officers and directors.
  • Most SMBs are not designated, yet feel the law through vendor questionnaires, contract clauses, and insurer expectations.

Bill C-8 is now Canadian law. On June 16, 2026 it received Royal Assent, turning Canada’s long-running critical-infrastructure cybersecurity reform into a binding statute. It codifies what regulators have asked telecoms, banks, and energy operators to do for years.

Most Canadian small businesses sit outside its direct scope, yet many will feel it through procurement clauses, insurer questionnaires, and supplier baselines. This guide covers what the new cybersecurity law is, who it covers, what changed when it passed, and where the pressure lands for SMB suppliers.


What is Bill C-8?

Bill C-8, the successor to Bill C-26, is now law: it received Royal Assent on June 16, 2026. It amends the Telecommunications Act (in force immediately) and enacts the Critical Cyber Systems Protection Act, which applies to federally regulated sectors such as telecom, banking, energy, and transport and phases in by order in council. Most SMBs fall outside direct scope and should still anchor on CyberSecure Canada and CIS Controls v8.1.


Bill C-8 is the federal statute titled “An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.” It has two operative parts. Part 1 amends the Telecommunications Act and adds security as an explicit policy objective, giving Ottawa authority to compel action against threats to telecom networks.

Part 2 enacts the Critical Cyber Systems Protection Act (CCSPA), giving the government authority to set and enforce cybersecurity baselines across federally regulated industries. The full text is tracked on the Parliament of Canada site.

The law is the renamed successor to Bill C-26, which lapsed when Parliament was prorogued in January 2025. References in older articles should now read as C-8. Bill C-8 passed Third Reading in the House of Commons on March 26, 2026, cleared the Senate, and received Royal Assent on June 16, 2026.

What changed when Bill C-8 became law?

Bill C-8 received Royal Assent on June 16, 2026. The Telecommunications Act amendments are in force now. The CCSPA obligations on operators come into force on dates fixed by order in council, with reporting windows, designated-operator classes, and penalty schedules to follow by regulation. Three amendments shaped the final text: an explicit bar on ordering the decoding of encrypted communications, a higher threshold for ministerial action, and a mandatory five-year review.

For three years this was a bill in motion. That phase is over. Here is what the final law actually does, and what is still pending.

Part 1 is live today. The Telecommunications Act amendments took effect the moment Bill C-8 received Royal Assent. They let the Governor in Council and the Minister of Industry issue binding orders to telecom providers, including prohibiting the use of a specified supplier’s products and directing the removal of high-risk equipment from Canadian networks. If you run or depend on telecom infrastructure, these powers are real now, not someday.

Part 2 phases in. The CCSPA is law, but the obligations on designated operators come into force on dates the Governor in Council will fix, and the operational detail arrives by regulation. The schedule that names which classes of operators are designated is still being populated, and the exact incident-reporting window (capped at 72 hours) will be set in regulation. In practice, designated operators have a runway, not an overnight deadline. Use it.

The encryption fight was settled in the text. Civil-liberties groups spent the bill’s life worried that the telecom powers could be used to weaken encryption. The final Act answers that directly: it explicitly prohibits the government from ordering a provider to intercept a private communication or to decode an encrypted private communication.

Two further amendments tightened the guardrails: a higher threshold of “serious, systematic threats” with “reasonable grounds” before the Minister can act, and a mandatory review of the law within five years. Privacy advocates still flag the breadth of information sharing among federal agencies, so the core encryption concern is now answered in law even as those broader questions continue.

[Figure: Bill C-8 timeline, from passage to in-force obligations. March 26, 2026: passed the House of Commons at Third Reading. June 16, 2026: Royal Assent, with the Telecommunications Act amendments in force immediately. Next: order in council brings Critical Cyber Systems Protection Act provisions into force in phases. After designation: operators have 90 days to establish a cybersecurity program. By regulation: the incident-reporting window of up to 72 hours and the designated-operator classes.]
Source: Parliament of Canada, Bill C-8 (45-1) and Public Safety Canada, retrieved 2026-06-22.

Who does Bill C-8 actually apply to?

According to Statistics Canada’s survey of cyber security and cybercrime, small and medium businesses absorb a disproportionate share of incident impact while running the leanest security teams.

Bill C-8’s direct obligations land on designated operators inside federally regulated critical sectors. The law names six categories of vital services and systems in its schedule; specific organizations are added as designated operators by further schedule and regulation. Innovation, Science and Economic Development Canada and the relevant sector regulators set the operational rules, and the ISED Canada site hosts the policy guidance.

The six vital sectors are telecommunications, banking, interprovincial and international pipelines and power lines, the nuclear sector, federally regulated transportation, and clearing and settlement systems. A typical Canadian SMB is almost never directly designated. What changes for those businesses is what their regulated clients can require contractually.

| Sector | Regulator | What changes under C-8 |
|---|---|---|
| Telecommunications | CRTC + ISED | Mandatory baseline plus federal authority to compel vendor or equipment removal. |
| Banking | OSFI | Cyber program, incident reporting, and supply-chain risk management requirements. |
| Interprovincial transport | Transport Canada | Designated rail, air, and marine operators face incident-reporting obligations. |
| Nuclear | CNSC | Existing security regimes layered with C-8 program and reporting duties. |
| Energy (pipelines, power) | CER + provincial co-regulators | Critical operators must document programs and report incidents on schedule. |
| Clearing and settlement | Bank of Canada | Payment and settlement systems gain cyber-program and incident-reporting duties. |

If your business is not on a designated-operator list, Bill C-8 does not impose duties on your organization directly. To check where your existing controls land, book a free IT and security consultation.

What does Bill C-8 require organizations to do?

According to Microsoft and CISA, multi-factor authentication blocks the large majority of account-takeover attacks, which is why it is the highest-impact control most Canadian SMBs can deploy.

For designated operators, the Critical Cyber Systems Protection Act sets four pillars: establish a documented cybersecurity program within 90 days of designation, manage supply-chain and third-party cyber risk, report significant cyber incidents on a defined timeline, and keep Canadian records available for inspection.

The program must identify and manage cyber risks (including supply-chain risk under section 9), be implemented and maintained, and be reviewed at least annually. The Canadian Centre for Cyber Security publishes the technical baseline most Canadian businesses use as the floor.

Across Fusion Computing’s 2026 client-engagement data, the common gap among non-designated suppliers is not the program existing on paper. It is that the program lacks board sign-off, named owners, and a tested incident-response runbook. Those three artifacts are exactly what regulated clients ask for in vendor due-diligence packets.

Bill C-8 incident reporting timeline and process

According to the Canadian Centre for Cyber Security (2025), ransomware remains the top cybercrime threat to Canadian organizations, with state-sponsored and AI-assisted attacks increasing both the pace and the sophistication of intrusions.

The CCSPA requires designated operators to report significant cyber incidents to the federal government promptly after detection. The statute caps the window at 72 hours, and the exact timeline will be fixed by regulation, so practitioners should plan for a response measured in hours. The Canadian Centre for Cyber Security receives the technical report; the responsible sector regulator receives the operational notice.

The trigger is a cyber incident affecting a critical cyber system that interferes, or may interfere, with the operator’s ability to deliver the regulated service. That captures near-misses and active intrusions, not only completed breaches. Operators log the event, classify it, file the initial report, then update as the investigation matures.

For SMB suppliers the effect is contractual: if an incident in the supplier’s environment touches the regulated client, the supplier must notify the client fast enough that the client meets its own filing window. A documented incident-response plan is the artifact that turns that clause from a problem into a paragraph.

What are the penalties under Bill C-8?

The penalties are real and now law. Under the CCSPA, administrative monetary penalties reach up to $15 million per day for organizations and up to $1 million per day for individuals, with each day of non-compliance counted as a separate violation. The specific amounts tied to particular violations will be set by regulation.

The Telecommunications Act side carries its own penalty regime, up to $10 million per violation for organizations (rising to $15 million for repeat contraventions). Confirm the live figures against the Parliament of Canada source as regulations are published.

Three features matter beyond the headline numbers. AMPs apply per violation, so failures across sections compound. Certain contraventions can also be prosecuted as criminal offences, carrying imprisonment of up to two years less a day on summary conviction or up to five years on indictment.

Officers and directors who direct, authorize, or acquiesce in a violation carry personal exposure, which moves cyber accountability into the boardroom. A due-diligence defence rewards documented, demonstrable compliance. For SMB suppliers, the regime acts indirectly: insurers and regulated buyers read these ceilings and update their own minimum standards.

Field Note from Mike

A Hamilton engineering firm we onboarded in early 2026 thought Bill C-8 had nothing to do with them. Six weeks in, their largest client, a federally regulated transport operator, sent a 14-page vendor security questionnaire with a 30-day deadline. We had already mapped them to CIS Controls v8.1 and built an incident-response runbook. They returned it in nine days and kept the contract.

Bill C-8 vs PIPEDA vs PHIPA vs Quebec Law 25: how do they fit together?

Bill C-8 does not replace existing Canadian privacy or sector laws. Most Canadian SMBs already have obligations under PIPEDA federally, PHIPA in Ontario for health information, and Law 25 in Quebec. C-8 layers cyber-program duties on top of that privacy stack for designated operators only, and the statute expressly preserves PIPEDA, so cybersecurity reporting and privacy-breach notification run in parallel rather than one replacing the other.

| Law | Scope | Trigger | Notification | Penalty |
|---|---|---|---|---|
| Bill C-8 (CCSPA) | Designated operators in federally regulated critical sectors | Significant cyber incident on a critical cyber system | Federal government and sector regulator, within a window of up to 72 hours | AMPs up to $15M per day (organizations), plus offence provisions |
| PIPEDA | All Canadian commercial activity touching personal information | Real risk of significant harm from a privacy breach | Privacy Commissioner of Canada and affected individuals | Up to CAD 100,000 per offence, plus reputational impact |
| PHIPA (Ontario) | Ontario health-information custodians and their agents | Loss, theft, or unauthorized use of personal health information | IPC of Ontario and affected patients | Fines up to CAD 200,000 for individuals, CAD 1,000,000 for organizations |
| Quebec Law 25 | Quebec-connected processing of personal information | Confidentiality incident with risk of serious injury | CAI Quebec and affected individuals | Up to 4 percent of worldwide turnover or CAD 25 million |

Watch the privacy side too. Bill C-8 is the cybersecurity half of Canada’s digital-law overhaul. The privacy half is moving again: on June 15, 2026, one day before C-8’s Royal Assent, the government introduced Bill C-36, the Protecting Privacy and Consumer Data Act, the third attempt to modernize PIPEDA.

It proposes a new federal regulator, the Digital Safety and Data Protection Commission of Canada, and is at first reading only, so it is not law yet. The direction is clear: build your cybersecurity program now and it carries straight into whatever the privacy reform finalizes.

For most Canadian SMBs: keep complying with PIPEDA, PHIPA, or Law 25 as applicable, and treat C-8 as the supplier-program standard regulated clients will use. If you are unsure where your stack sits today, request a free consultation.

What does a Canadian SMB supplier of a regulated entity need to know?

If your business sells software, services, support, or hosted infrastructure to a bank, telecom, transport operator, energy company, or nuclear operator, expect three changes. Vendor questionnaires get longer, contract clauses get firmer, and audit rights get exercised. None of that requires you to be a designated operator. It only requires that your client is one.

The Insurance Bureau of Canada has reported Canadian cyber-incident costs rising sharply, and regulated buyers cite that data when justifying tighter supplier controls. Practical readiness starts with three artifacts: a framework mapping such as CIS Controls v8.1 or NIST CSF, an incident-response plan with named contacts and a notification path, and a vendor-risk register for the SMB’s own providers.


How do you prepare for Bill C-8 compliance?

Designated operators must build the program, satisfy the reporting clock, and align supply-chain reviews to the new statute. SMBs touching regulated clients face a lighter version of the same path. Across Fusion Computing’s 2026 client-engagement data, the checklist below is what moves a supplier from “at risk” to “passes on first pass.” Managed detection and response sits at the core of most readiness plans.

| Action | Outcome |
|---|---|
| Map regulated clients in your customer base | Know which contracts will trigger C-8 supplier clauses |
| Adopt CIS Controls v8.1 or NIST CSF as your baseline | Provides the framework regulated buyers expect to see |
| Document and rehearse an incident-response plan | Meets the supplier-notification clauses your client carries |
| Stand up endpoint detection and response (EDR or MDR) | Closes the most common questionnaire gap for SMB suppliers |
| Maintain a vendor-risk register for your own providers | Demonstrates supply-chain hygiene downstream of your client |
| Confirm cyber insurance coverage aligns to the new control bar | Avoids renewal surprises as insurers raise minimum standards |
| Brief leadership annually on Canadian cyber regulation | Keeps officer and director risk visible at board level |

A competent cybersecurity services partner can stand up most of those actions in under a quarter for a typical 30- to 150-employee Canadian business. The deciding factor is sequence more than budget.

Frequently asked questions

What is Bill C-8 in simple terms?

Bill C-8 is now Canadian law. It creates the Critical Cyber Systems Protection Act for critical infrastructure and amends the Telecommunications Act. Designated operators in telecommunications, banking, transport, energy, nuclear, and clearing and settlement must run a documented cyber program, report significant incidents to the federal government, and manage supplier risk. Most Canadian SMBs fall outside its direct reach but feel it through the supplier expectations of regulated clients.

Has Bill C-8 received royal assent?

Yes. Bill C-8 received Royal Assent on June 16, 2026 and is now law. The Telecommunications Act amendments are in force immediately. The Critical Cyber Systems Protection Act obligations on designated operators come into force on dates fixed by order in council, with reporting windows, operator classes, and penalty schedules set by regulation. Designated operators then have 90 days from designation to establish their cybersecurity program.

When does Bill C-8 take effect for businesses?

It depends on the part. The Telecommunications Act powers took effect on Royal Assent, June 16, 2026. The CCSPA obligations on designated operators phase in by order in council, so they are not all live the day the law passed. For SMB suppliers, the practical trigger is not a government date at all: it is the moment a regulated client sends a C-8-aligned vendor questionnaire or contract clause, which is already happening.

Does Bill C-8 weaken encryption?

No. The final Act explicitly prohibits the government from ordering a telecom provider to intercept a private communication or to decode an encrypted private communication. That language was added to address the central civil-liberties concern raised during the bill’s passage.

Amendments also raised the threshold for ministerial action to serious, systematic threats and added a mandatory five-year review. Privacy advocates still flag the breadth of information sharing among federal agencies, so the central encryption concern is addressed even as those broader debates continue.

Does Bill C-8 apply to small businesses?

Bill C-8’s direct obligations apply to designated operators in federally regulated critical sectors, not to typical Canadian small businesses. The practical effect arrives through the supply chain. A small business selling to a regulated bank, telecom, transport operator, energy company, or nuclear operator will see C-8-aligned cyber requirements flow down through procurement and vendor questionnaires.

What sectors does Bill C-8 cover?

Bill C-8 covers six categories of vital services and systems named in the Critical Cyber Systems Protection Act schedule: telecommunications, banking, interprovincial and international pipelines and power lines, the nuclear sector, federally regulated transportation, and clearing and settlement systems. Sector regulators such as OSFI, the CRTC, the Canadian Nuclear Safety Commission, and the Bank of Canada set the operational rules within their domains.

What are the penalties under Bill C-8?

Under the CCSPA, administrative monetary penalties reach up to $15 million per day for organizations and up to $1 million per day for individuals, with each day of non-compliance treated as a separate violation. The exact amounts for specific violations are set by regulation.

Certain contraventions can be prosecuted as criminal offences, with imprisonment of up to five years on indictment. Officers and directors who direct or acquiesce in a violation carry personal exposure, and a due-diligence defence rewards documented compliance.

How does Bill C-8 differ from PIPEDA?

PIPEDA is a privacy law triggered by real risk of significant harm from a privacy breach. Bill C-8 is a cybersecurity statute triggered by cyber incidents on critical cyber systems. PIPEDA reports go to the Privacy Commissioner; C-8 reports go to the federal government and sector regulators. They overlap when an incident at a designated operator also exposes personal information, and Bill C-8 expressly preserves PIPEDA so both regimes apply in parallel.

What incident reporting does Bill C-8 require?

Designated operators must report significant cyber incidents to the federal government within a window capped at 72 hours, with the exact timeline fixed by regulation. The Canadian Centre for Cyber Security receives the technical report; the sector regulator receives the operational notice. The trigger captures both completed breaches and active intrusions that interfere, or may interfere, with the regulated service.

How should a Canadian SMB prepare for Bill C-8?

Map which clients are federally regulated, adopt CIS Controls v8.1 or NIST CSF as a written baseline, document and rehearse an incident-response plan, deploy endpoint or managed detection and response, maintain a vendor-risk register, and confirm cyber-insurance coverage aligns to the new control bar. Those six artifacts answer most C-8-driven supplier questionnaires on first pass.


Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.
