Canada Passes Bill C-8, Mandates Cybersecurity for Critical Sectors
Canada's Senate passed Bill C-8, requiring mandatory cybersecurity measures for key sectors.
Why it matters: This law imposes strict cybersecurity obligations on critical infrastructure industries, raising important compliance challenges and privacy questions for legal professionals.
- Bill C-8 mandates cybersecurity programs for telecommunications, finance, energy, transportation, and nuclear sectors.
- Operators must implement cybersecurity measures within 90 days and report incidents promptly under the Critical Cyber Systems Protection Act (CCSPA).
- Penalties for non-compliance can reach $15 million, and executives face personal liability, including imprisonment.
- The Office of the Privacy Commissioner expressed concerns over privacy rights and government powers under the bill.
On June 4, 2026, the Canadian Senate passed Bill C-8, introducing mandatory cybersecurity frameworks across designated critical infrastructure sectors. This legislation affects telecommunications, finance, energy, transportation, banking, and nuclear facilities by requiring operators to establish and maintain cybersecurity programs within 90 days of designation.
Bill C-8 amends the Telecommunications Act and enacts the Critical Cyber Systems Protection Act (CCSPA) to bolster the security of Canada's vital cyber systems. The CCSPA requires quick incident reporting, supply-chain risk mitigation, and management of third-party risks, aiming to unify previously fragmented cybersecurity approaches.
Non-compliance carries hefty consequences: penalties of up to $15 million and potential personal liability, including imprisonment, for directors and officers. KPMG Canada highlights the bill's role in compelling designated operators to enhance cybersecurity strategies and comply with new federal standards, strengthening national security.
Despite these regulatory advances, the Office of the Privacy Commissioner of Canada has voiced significant privacy concerns. Specifically, the Commissioner questions the extent of government powers and how personal information will be handled under Bill C-8, indicating ongoing debates around balancing security and privacy.
While Bill C-8 represents a major regulatory step to protect Canada’s critical infrastructure from cyber threats, specifics about enforcement and mechanisms to address privacy risks remain unclear.
By the numbers:
- $15 million — maximum penalty for non-compliance with CCSPA
- 90 days — timeframe for operators to implement cybersecurity programs after designation
Yes, but: The bill raises privacy concerns due to broad government powers and unclear handling of personal data.
What's next: Details on enforcement mechanisms and responses to privacy issues are expected to emerge as Bill C-8 is implemented.