Bill C-8 is now a law. Now what?
Bill C-8 is now a law. Now what?
https://thedeepdive.ca/canada-bill-c8-cybersecurity-law/
Publish Date: 2026-06-23 14:39:00
Source Domain: thedeepdive.ca
Using an unordered list, summarize the following article with between 4 and 8 key points.
Canada’s new cybersecurity law does not just tell critical infrastructure operators to harden their systems. It gives Ottawa a lever to force action, require reporting, and penalize non-compliance, while leaving some of the government’s most sensitive cyber orders shielded from public view.
Bill C-8, An Act Respecting Cyber Security, received royal assent on June 15, 2026. That turned a long-running cyber policy fight into a live legal regime for telecommunications and federally regulated critical infrastructure.
The law changes the balance of power in Canadian cybersecurity. Companies that operate designated critical systems can be required to build formal cyber programs, manage supplier risks, report incidents quickly, preserve records, and follow federal directions. The government, in turn, gets new tools to intervene when it believes telecom networks or vital systems are exposed to threats.
Sponsored · Power Metallic Inc.
For affected operators, the practical meaning is simple: cyber failure is no longer only an operational risk. It can now become a regulatory event.
Telecom
The first part of Bill C-8 amends the Telecommunications Act. Security is now an explicit objective of Canadian telecom policy.
Ottawa can now order telecom service providers to take specific steps to secure the system. Those steps can include removing products, avoiding vendors, changing practices, reviewing systems, or preparing security plans.
The government says the telecom amendments take immediate effect after royal assent. That gives the state a faster path to act when it sees a network, supplier, service, or technical dependency as a security risk.
Sponsored · Granada Gold Mine Inc.
The law also allows information-sharing in defined circumstances, including with provincial governments, foreign states, and international organizations. Justice Canada’s Charter Statement says written arrangements must restrict how recipients use that information, and confidential information cannot be shared through that specific power.
Cybersecurity
The second part of Bill C-8 creates the Critical Cyber Systems Protection Act. That regime is aimed at federally regulated services and systems whose disruption could affect national security or public safety. The law points to sectors such as telecommunications, banking, clearing and settlement, interprovincial or international energy systems, nuclear energy, and federally regulated transportation.
The important word is “designated.” Not every company in these sectors is automatically covered in the same way. The regime depends on designated classes of operators and critical cyber systems identified through the law and future regulations.
Once covered, an operator must establish a cybersecurity program within 90 days. That program must address cyber risk, third-party and supply-chain exposure, protection of critical systems, detection of incidents, and ways to reduce damage when incidents happen.
This is where Bill C-8 shifts from national security language to corporate execution. A designated company will need to know which systems are critical, which vendors touch them, who reports an incident, who approves disclosure, and who owns the evidence trail afterward.
The 72-hour rule
Bill C-8 requires designated operators to report cyber incidents affecting critical cyber systems to the Communications Security Establishment within a prescribed period. That period cannot exceed 72 hours.
The law also requires notice to the appropriate regulator after the report is made.
The 72-hour cap does not mean every operational disruption becomes a public event. It does mean companies covered by the regime will need to make legal, technical, and operational judgments quickly during an attack or outage.
That is a material change. Incident response will no longer be only about restoring systems. It will also be about meeting a federal reporting clock while facts are still developing.
$15M penalty
Bill C-8 carries large administrative penalties. Under the telecom changes, corporations and other non-individuals can face penalties of up to $10 million for a first violation and $15 million for a subsequent violation. Individuals can face penalties of up to $25,000 for a first violation and $50,000 for a subsequent violation.
Under the Critical Cyber Systems Protection Act, organizations can face penalties of up to $15 million. Individuals can face penalties of up to $500,000.
Continuing violations can count separately for each day they continue.
What now?
The government frames Bill C-8 as a response to increasingly sophisticated cyber threats against critical infrastructure. Public Safety Canada said the law will strengthen telecommunications and cyber systems, help essential services remain operational, and support accountability across vital sectors.
Privacy and civil liberties groups have focused on a different risk: the concentration of state power. The Office of the Privacy Commissioner told the Senate that Parliament had made meaningful privacy-related improvements, including proportionality language, privacy considerations in order-making, after-the-fact notice requirements in some cases, and a five-year review. The commissioner still recommended stronger safeguards for personal information.
OpenMedia argued before passage that the bill still lacked stronger independent oversight and proactive privacy protections. The Canadian Civil Liberties Association warned about broad information collection, secrecy, and risks tied to telecom order powers.
The final bill includes language stating that orders must not require the decoding of encrypted private communications. That limits one of the most politically sensitive concerns but it does not erase the broader dispute over how much cyber authority should operate through confidential orders and closed processes.
Bill C-8 makes Canada’s cyber regime more muscular, but not yet fully visible. The telecom provisions are already in force, according to the government. The Critical Cyber Systems Protection Act will roll out in phases, which means much of the real-world impact depends on future designations, regulations, and enforcement posture.
For companies likely to fall within the regime, the waiting period is not empty time. The law points toward a future where regulators ask not only what happened after a cyber incident, but what the operator had already built before it.
For Ottawa, the risk is different. The government has gained new tools to protect networks that Canadians rely on every day. It now has to prove those tools can be used with enough speed to matter, enough secrecy to avoid helping attackers, and enough oversight to avoid turning cyber defence into a trust problem.
Bill C-8 is now law. The next question is not what it says on paper. It is who gets designated first, how fast the rules arrive, and whether Canada can regulate cyber risk without making accountability disappear behind the firewall.
Information for this briefing was found via the sources and the companies mentioned. The author has no securities or affiliations related to this organization. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.
