On June 18, 2025, the newly elected federal government took a decisive step toward strengthening Canada’s cybersecurity regime by introducing Bill C-8, formally titled An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. Nearly identical to its predecessor, Bill C-26, the new Bill C-8 reveals a greater urgency to support the digital defence of sectors deemed central to national interests.
Bill C-8 proposes a two-pronged regulatory framework. One prong involves amending the Telecommunications Act to allow the federal government to respond promptly to cyber risks originating from Canada’s telecommunications infrastructure. The second prong creates a new statute, the Critical Cyber Systems Protection Act (CCSPA), designed to regulate digital systems underpinning Canada’s essential services.
Reshaping the Telecommunications Act
As part of its first proposition, Bill C-8 seeks to establish sweeping changes to the Telecommunications Act by giving the Minister of Industry and the Governor-in-Council unprecedented authority over Canadian telecommunications service providers.
With these changes, the government could restrict or ban certain suppliers from operating in Canada, direct providers to remove at-risk equipment already in use, and even suspend or terminate service agreements with vendors deemed high-risk. Procurement processes would fall under this umbrella as well: any acquisition or upgrade involving designated technologies would require prior approval from Ottawa. Additionally, affected companies would have no entitlement to compensation for any resulting financial loss.
These powers are intended to give the government the flexibility to respond rapidly to increasingly sophisticated cyber threats – primarily for those posed by foreign-controlled telecommunications vendors. Telecom providers affected by these directives would not be entitled to compensation, even for substantial financial losses. Additionally, non-compliant entities may be subject to administrative monetary penalties of up to $25,000–$50,000 per day for individuals and $10 million–$15 million per day for corporations, while directors and officers who fail to comply may also face criminal prosecution and imprisonment.
Introducing the Critical Cyber Systems Protection Act
Alongside the revamped Telecommunications Act, Bill C-8 establishes the CCPSA, a new statute targeting organizations that underpin Canada’s essential services. Entities operating in sectors such as telecommunications, interprovincial energy transmission and power generation, nuclear facilities, federally regulated transportation networks, banking, and financial clearing systems would be designated as “Designated Operators.”
Each Designated Operator would be responsible for crafting a comprehensive cybersecurity program within 90 days of designation, and must commit to annual reviews thereafter. They must systematically identify and mitigate risks, specifically those stemming from third-party products and services, and promptly inform regulators of any material changes in ownership, supply-chain arrangements, or their own cybersecurity systems. Moreover, all records of cybersecurity activities and incidents must be retained on Canadian soil, and operators are bound to follow any confidential directives issued by the government.
Bill C-8 also reintroduces the information-sharing rules from its predecessor, Bill C-26, obliging telecom carriers and “Designated Operators” to report cyber-security data to the Industry Minister and federal regulators, and when needed, to provincial authorities or international partners. Although companies can still challenge directives in court, strict confidentiality provisions may limit their ability to see or discuss the reasons behind those orders.
Failure to meet these obligations stipulated in the CCPSA can trigger penalties of up to $1 million per day for individuals and $15 million per day for corporate entities.
What changed with Bill C-8, and what didn’t?
Though largely similar to Bill C-26, the following are a few notable differences observed in Bill C-8:
- Bill C-26’s proposed Canada Evidence Act amendments, which would have granted the Federal Court specific jurisdiction over certain matters, have been removed.
- The definition of threats justifying federal intervention has been narrowed by eliminating the non-exhaustive list found under Bill C-26, and limiting it to threats of “interference, manipulation, disruption, or degradation.”
- The proposed judicial review provisions under the Telecommunications Act and CCSPA have been amended to increase transparency by removing the ability of the government to make confidential submissions to the court and withhold disclosure on the basis of national security concerns.
- Correction of drafting errors that appeared in Bill C-26.
Despite these updates, Bill C-8 does not address a number of concerns that were raised during Bill C-26’s lifespan including high compliance costs, the lack of exemptions for small businesses or mature organizations with strong existing cybersecurity protocols, and the lack of financial incentives to supporting proactive investment in cyber protection.
Final Notes
With the quick return of cybersecurity legislation to the House of Commons, the federal government is sending a clear signal: Canada’s critical infrastructure is a strategic asset, and its protection is imperative. Though Bill C-8 will need to complete the full legislative process – including three readings in both the House and Senate – we anticipate that its progress will be swift given how far its predecessor advanced and the strong similarities between the two Bills.
For more information on this topic, please contact Jaime Cardy or other members of the Dentons Privacy and Cybersecurity group. The author would like to thank Ira Chandershekar, Student-at-Law in Dentons’ Toronto office.
