What Is Bill C-8? Canada’s New Cybersecurity Law Explained for Small Businesses

Tags: compliance, critical infrastructure, cybersecurity, legislation, security assessment


Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

Key Takeaways

  • Bill C-8 creates the Critical Cyber Systems Protection Act for federally regulated sectors.
  • Direct scope: telecom, banking, interprovincial transport, energy, and nuclear designated operators.
  • Operators must run a documented cyber program, report significant incidents quickly, and manage supplier risk.
  • Administrative monetary penalties apply per violation, at ceilings material for critical-infrastructure operators, with personal liability for officers and directors.
  • SMB suppliers feel the law through vendor questionnaires, contract clauses, and insurer expectations.

Bill C-8 is the federal cybersecurity law that codifies what regulators have asked telecoms, banks, and energy operators to do for years. Most Canadian small businesses sit outside its direct scope, yet many will feel it through procurement clauses, insurer questionnaires, and supplier baselines. This guide covers what the bill is, who it covers, and where pressure lands for SMB suppliers.


What is Bill C-8?


Bill C-8 is the federal bill titled “An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.” Its second part creates the Critical Cyber Systems Protection Act, giving Ottawa authority to set and enforce cybersecurity baselines across federally regulated industries. The full text is tracked on the Parliament of Canada site.

The bill is the renamed successor to the lapsed Bill C-26; references in older articles should now read as C-8.

Who does Bill C-8 actually apply to?

Bill C-8’s direct obligations land on designated operators inside federally regulated critical sectors. The bill names categories; specific organizations are added by schedule and regulation. Innovation, Science and Economic Development Canada and the relevant sector regulators set the operational rules, and the ISED Canada site hosts the policy guidance.

The five anchor sectors are telecommunications under CRTC oversight, banking under OSFI oversight, interprovincial transportation, the nuclear sector under CNSC oversight, and energy infrastructure including pipelines and major power systems. A typical Canadian SMB is almost never directly designated. What changes for those businesses is what their regulated clients can require contractually.

Sector, regulator, and what changes under C-8:

  • Telecommunications (CRTC + ISED): mandatory baseline plus federal authority to compel vendor or equipment removal.
  • Banking (OSFI): cyber program, incident reporting, and supply-chain risk management requirements.
  • Interprovincial transport (Transport Canada): designated rail, air, and marine operators face incident-reporting obligations.
  • Nuclear (CNSC): existing security regimes layered with C-8 program and reporting duties.
  • Energy, pipelines and power (CER + provincial co-regulators): critical operators must document programs and report incidents on schedule.

If your business is not on a designated-operator list, Bill C-8 does not impose duties on your organization directly. To check where your existing controls land, book a free IT and security assessment.

What does Bill C-8 require organizations to do?

For designated operators, the Critical Cyber Systems Protection Act sets four pillars: establish a documented cybersecurity program proportionate to risk, manage supply-chain and third-party cyber risk, report significant cyber incidents on a defined timeline, and keep records available for inspection. Boards approve the program and review it on cadence. The Canadian Centre for Cyber Security publishes the technical baseline most Canadian businesses use as the floor.

Across Fusion Computing’s 2026 client-engagement data, the common gap among non-designated suppliers is not whether a program exists on paper. It is that the program lacks board sign-off, named owners, and a tested incident-response runbook. Those three artifacts are exactly what regulated clients ask for in vendor due-diligence packets.

Bill C-8 incident reporting timeline and process

The bill requires designated operators to notify the federal government of significant cyber incidents promptly after detection. Practitioners should expect a window measured in hours, not days. The Canadian Centre for Cyber Security receives the technical report; the responsible sector regulator receives the operational notice.

The trigger is a cyber incident affecting a critical cyber system that has, or is likely to have, a significant impact on the operator’s ability to deliver the regulated service. That captures near-misses and active intrusions, not only completed breaches. Operators log the event, classify it, file the initial report, then update it as the investigation matures.

For SMB suppliers the effect is contractual: if an incident in the supplier’s environment touches the regulated client, the supplier must notify the client fast enough that the client meets its own filing window. A documented incident-response plan is the artifact that turns that clause from a problem into a paragraph.

What are the penalties under Bill C-8?

The bill carries an administrative monetary penalty regime designed to be material at the scale of Canadian critical infrastructure. Public commentary and committee testimony have referenced AMP ceilings up to the millions of dollars per violation, with additional offence provisions for willful non-compliance. Confirm exact ceilings against the live Parliament of Canada source.

Three features matter. AMPs apply per violation, so failures across sections compound. Officers and directors of designated operators carry personal exposure, moving cyber accountability into the boardroom. Certain breaches can be prosecuted as offences. For SMB suppliers, the regime acts indirectly: insurers and regulated buyers read the ceilings and update their own minimum standards.

Field Note from Mike

A Hamilton engineering firm we onboarded in early 2026 thought Bill C-8 had nothing to do with them. Six weeks in, their largest client, a federally regulated transport operator, sent a 14-page vendor security questionnaire with a 30-day deadline. We had already mapped them to CIS Controls v8.1 and built an incident-response runbook. They returned it in nine days and kept the contract.

Bill C-8 vs PIPEDA vs PHIPA vs Quebec Law 25: how do they fit together?

Bill C-8 does not replace existing Canadian privacy or sector laws. Most Canadian SMBs already have obligations under PIPEDA federally, PHIPA in Ontario for health information, and Law 25 in Quebec. C-8 layers cyber-program duties on top of that privacy stack for designated operators only.

Scope, trigger, notification, and penalty by law:

  • Bill C-8 (CCSPA)
    Scope: designated operators in federally regulated critical sectors.
    Trigger: significant cyber incident on a critical cyber system.
    Notification: federal government and sector regulator, on a tight defined window.
    Penalty: AMPs up to significant per-violation ceilings, plus offence provisions.
  • PIPEDA
    Scope: all Canadian commercial activity touching personal information.
    Trigger: real risk of significant harm from a privacy breach.
    Notification: Privacy Commissioner of Canada and affected individuals.
    Penalty: up to CAD 100,000 per offence, plus reputational impact.
  • PHIPA (Ontario)
    Scope: Ontario health-information custodians and their agents.
    Trigger: loss, theft, or unauthorized use of personal health information.
    Notification: IPC of Ontario and affected patients.
    Penalty: fines up to CAD 200,000 for individuals and CAD 1,000,000 for organizations.
  • Quebec Law 25
    Scope: Quebec-connected processing of personal information.
    Trigger: confidentiality incident with risk of serious injury.
    Notification: CAI Quebec and affected individuals.
    Penalty: up to 4 percent of worldwide turnover or CAD 25 million.

For most Canadian SMBs: keep complying with PIPEDA, PHIPA, or Law 25 as applicable, and treat C-8 as the supplier-program standard regulated clients will use. If you are unsure where your stack sits today, request a free assessment.

What does a Canadian SMB supplier of a regulated entity need to know?

If your business sells software, services, support, or hosted infrastructure to a bank, telecom, transport operator, energy company, or nuclear operator, expect three changes. Vendor questionnaires get longer, contract clauses get firmer, and audit rights get exercised. None of that requires you to be a designated operator. It only requires that your client is one.

The Insurance Bureau of Canada has reported Canadian cyber-incident costs rising sharply, and regulated buyers cite that data when justifying tighter supplier controls. Practical readiness starts with three artifacts: a framework mapping such as CIS Controls v8.1 or NIST CSF, an incident-response plan with named contacts and a notification path, and a vendor-risk register for the SMB’s own providers.


How do you prepare for Bill C-8 compliance?

Designated operators must build the program, satisfy the reporting clock, and align supply-chain reviews to the new statute. SMBs touching regulated clients face a lighter version of the same path. Across Fusion Computing’s 2026 client-engagement data, the checklist below is what moves a supplier from “at risk” to “passes on first pass.” Managed detection and response sits at the core of most readiness plans.

Action and outcome:

  • Map regulated clients in your customer base: know which contracts will trigger C-8 supplier clauses.
  • Adopt CIS Controls v8.1 or NIST CSF as your baseline: provides the framework regulated buyers expect to see.
  • Document and rehearse an incident-response plan: meets the supplier-notification clauses your client carries.
  • Stand up endpoint detection and response (EDR or MDR): closes the most common questionnaire gap for SMB suppliers.
  • Maintain a vendor-risk register for your own providers: demonstrates supply-chain hygiene downstream of your client.
  • Confirm cyber insurance coverage aligns to the new control bar: avoids renewal surprises as insurers raise minimum standards.
  • Brief leadership annually on Canadian cyber regulation: keeps officer and director risk visible at board level.

A competent cybersecurity services partner can stand up most of those actions in under a quarter for a typical 30 to 150-employee Canadian business. The deciding factor is sequence, not budget.

Frequently asked questions

What is Bill C-8 in simple terms?

Bill C-8 creates the Critical Cyber Systems Protection Act for Canadian critical infrastructure. Designated operators in telecommunications, banking, transport, energy, and nuclear must run a documented cyber program, report significant incidents to the federal government, and manage supplier risk. Most Canadian SMBs do not fall directly under it, but feel it through the supplier expectations of regulated clients.

Why was the bill renamed?

Bill C-8 is the policy successor to a previous federal cybersecurity bill that lapsed at prorogation and was reintroduced under a new number with the same policy core. The regulated sectors, program duties, reporting obligations, and supply-chain structure carry through. Canadian businesses should update contracts and policies to reference C-8 going forward.

Does Bill C-8 apply to small businesses?

Bill C-8’s direct obligations apply to designated operators in federally regulated critical sectors, not to typical Canadian small businesses. The practical effect arrives through the supply chain. A small business selling to a regulated bank, telecom, transport operator, energy company, or nuclear operator will see C-8-aligned cyber requirements flow down through procurement and vendor questionnaires.

What sectors does Bill C-8 cover?

Bill C-8 covers federally regulated critical sectors named in the Critical Cyber Systems Protection Act schedule: telecommunications, banking, interprovincial transportation, energy infrastructure including pipelines and major power systems, and the nuclear sector. Sector regulators such as OSFI, CRTC, and the Canadian Nuclear Safety Commission set the operational rules within their domains.

What are the penalties under Bill C-8?

Bill C-8 carries administrative monetary penalties applied per violation, with significant per-violation ceilings and offence provisions for willful misconduct. Officers and directors of designated operators carry personal exposure. For exact dollar figures, reference the latest Parliament of Canada bill text and any sector regulations published by the responsible regulator.

How does Bill C-8 differ from PIPEDA?

PIPEDA is a privacy law triggered by real risk of significant harm from a privacy breach. Bill C-8 is a cybersecurity statute triggered by cyber incidents on critical cyber systems. PIPEDA reports go to the Privacy Commissioner; C-8 reports go to the federal government and sector regulators. They overlap when an incident at a designated operator also exposes personal information.

What incident reporting does Bill C-8 require?

Designated operators must report significant cyber incidents to the federal government on a tight defined window after detection. The Canadian Centre for Cyber Security receives the technical report; the sector regulator receives the operational notice. The trigger captures both completed breaches and active intrusions with significant impact on the regulated service. Sector regulations set the exact filing form and contents.

How should a Canadian SMB prepare for Bill C-8?

Map which clients are federally regulated, adopt CIS Controls v8.1 or NIST CSF as a written baseline, document and rehearse an incident-response plan, deploy endpoint or managed detection and response, maintain a vendor-risk register, and confirm cyber-insurance coverage aligns to the new control bar. Those six artifacts answer most C-8-driven supplier questionnaires on first pass.

Has Bill C-8 received royal assent?

As of 2026, Bill C-8 has progressed through committee and is moving through Parliament. Confirm the current royal-assent and proclamation status against the Parliament of Canada record before relying on it for legal advice. Sector regulations finalizing reporting windows, designated-operator schedules, and penalty schedules follow royal assent.
