An Act Respecting Cyber Security, Amending the Telecommunications Act and Making Consequential Amendments to Other Acts
Bill Type: House Government Bill
Bill Sponsor: Minister of Public Safety
Status: Third Reading (Senate) — June 4, 2026. Awaiting Royal Assent.
How would YOU vote? Scroll down to vote and comment below.
What is this Bill For?
Bill C-8 creates Canada's first mandatory cyber security framework for critical infrastructure.
Part 1 gives Government authority to direct telecommunications providers to remove products, suspend services and implement security measures.
Part 2 creates the Critical Cyber Systems Protection Act — mandatory cyber security requirements for federally regulated sectors including telecoms, banking, pipelines, nuclear energy and transportation. The coming-into-force date is set by Government order — no date is specified in the Bill.
WHO GAINS POWER
The Governor in Council gains authority to issue directions to critical infrastructure operators — telecoms, banks, pipelines, nuclear facilities and transportation systems — requiring specific cyber security actions. Directions can include removing products from networks, suspending services to specific persons and implementing security measures. Non-disclosure provisions mean the content of those directions may not be made public.
The Minister of Industry gains authority to prohibit telecommunications providers from using products or services from specified persons — effectively giving Government the power to ban specific foreign technology vendors from Canadian networks without a separate Parliamentary vote.
Six separate regulators gain enforcement authority over different sectors — the Minister of Industry, Minister of Transport, Superintendent of Financial Institutions, Bank of Canada, Canadian Nuclear Safety Commission and Canadian Energy Regulator — each with inspection, audit and compliance order powers within their jurisdiction.
The Communications Security Establishment gains a mandatory reporting pipeline — all designated operators must report cyber security incidents to CSE within 72 hours, centralizing national security intelligence about infrastructure vulnerabilities.
WHO LOSES POWER
Designated operators — telecom companies, banks, pipeline operators, nuclear facilities and transportation systems — lose discretion over their own cyber security architecture. They must establish programs within 90 days of designation, follow mandatory standards, report incidents within 72 hours and submit to inspections and audits.
⚠️Vendors Banned by Government Direction, No Legislative Process Suppliers and vendors named in a Governor in Council direction lose access to Canadian critical infrastructure markets without a separate Legislative process. The direction mechanism bypasses normal procurement or regulatory review. No compensation mechanism exists in the statute and no dedicated appeal process is specified beyond standard judicial review.
Parliament does not approve individual directions issued to operators. Annual reporting to Parliament is required — but after directions are already issued and in effect.
WHO GAINS MONEY
Cyber security firms, consultants and technology providers gain mandatory business — every designated operator must build and maintain a compliant cyber security program, creating a guaranteed market for security services, audits and technology.
Legal and compliance firms gain work as designated operators navigate six different regulatory regimes with overlapping jurisdiction.
WHO LOSES MONEY
Designated operators bear the full cost of compliance — cyber security programs, supply chain risk assessments, incident response infrastructure, record-keeping and regular program reviews — with no cost-sharing or transition funding built into the Bill.
Smaller operators in regulated sectors face the same compliance obligations as large ones. Penalties reach $15 million per violation for corporations and $1 million for individuals, with criminal penalties of up to five years imprisonment for serious violations.
Vendors and suppliers removed from networks by Ministerial direction lose contracts with no compensation mechanism built into the statute.
THE CATCH
⚠️ Six Regulators, No Coordinator — Bill C-8 assigns enforcement to six separate regulators across six sectors with no statutory body responsible for consistent application. A telecom and a bank face the same framework — enforced by different regulators with no coordination requirement written into the Law.
⚠️ Government Directions, No Parliamentary Approval — Directions issued by the Governor in Council to critical infrastructure operators are protected by non-disclosure provisions. Parliament receives annual reports after directions are already in effect — not before.
⚠️ CSE Gets the Intelligence, No Civilian Oversight — All incident reports flow to the Communications Security Establishment, a signals intelligence agency. No independent civilian oversight body is specified to review how that intelligence is used.
⚠️Vendors Have No Appeal— Suppliers removed from Canadian networks by Ministerial direction have no appeal mechanism specified beyond standard judicial review. No compensation mechanism exists in the statute. This is not a right that existed and was removed — Bill C-8 creates this power from scratch and chose not to build in a dedicated appeal process. The absence is a drafting decision, not an oversight of an existing protection.
⚠️ The Entire Bill Is Inert Until Government Acts — Coming into force is set by Order in Council with no deadline required. Government could pass this Bill and never bring it into force.
Source: Bill C-8 — An Act respecting cyber security, First Reading June 18, 2025