June 8, 2026 Canada’s proposed Bill C-8 is moving through Parliament and could introduce sweeping new cybersecurity obligations for organizations that operate some of the country’s most critical infrastructure. If passed, the legislation would create the Critical Cyber Systems Protection Act (CCSPA), requiring designated operators in sectors such as telecommunications, banking, energy, transportation and nuclear power to establish cybersecurity programs and report significant changes that could affect cyber risk.
The bill was introduced for first reading on June 18, 2025, by the Minister of Public Safety and is currently at second reading in the House of Commons. It is substantially similar to the Critical Cyber Systems Protection Act that was previously proposed under Bill C-26 before that legislation died on the order paper.
The proposed law is designed to protect critical cyber systems that support services considered essential to Canada’s infrastructure. It would apply to federally regulated entities providing what the government defines as “vital services” and “vital systems.”
The sectors covered include telecommunications services, interprovincial and international pipeline and power line systems, nuclear energy systems, transportation systems under federal jurisdiction, banking systems, and clearing and settlement systems.
Under the legislation, designated operators would be required to establish and maintain cybersecurity programs. These programs would need to identify and manage organizational cybersecurity risks, including risks linked to supply chains and the use of third-party products and services.
Organizations would also be required to implement measures to protect critical cyber systems from compromise, detect cybersecurity incidents, and minimize the impact of incidents when they occur.
In addition to cybersecurity program requirements, designated operators would need to notify regulators about material changes in ownership or control, as well as significant changes to supply chains or the use of third-party products and services.
The bill would also require organizations to keep records in Canada relating to the implementation of their cybersecurity programs and any cybersecurity incidents affecting their systems.
The proposed legislation carries significant penalties for non-compliance. Violations of the CCSPA could result in administrative monetary penalties of up to $1 million for individuals and up to $15 million for organizations and other entities.
If enacted, Bill C-8 would establish a formal cybersecurity compliance framework for operators of critical infrastructure across multiple sectors, placing greater emphasis on risk management, incident detection, supply chain oversight, and regulatory reporting.
