
Canada’s Next Cybersecurity Chapter: Bill C-8

Torkin Manes LegalPoint
 

On June 18, 2025, the Minister of Public Safety introduced Bill C-8, An Act Respecting Cyber Security, amending the Telecommunications Act (“Bill C-8”), into Parliament at first reading. Bill C-8 is substantially similar to the previous Bill C-26, which died on the order paper when Justin Trudeau, then Prime Minister of Canada, prorogued Parliament on January 6, 2025, effectively bringing all parliamentary activities to a halt. There are minor differences between the current Bill C-8 and the previous Bill C-26. For example, Bill C-8 does not make consequential changes to the Canada Evidence Act that were encompassed in Bill C-26.

The appointment of a new federal minister for artificial intelligence and the recent introduction of Bill C-8 signal that Canada’s newly elected federal government is embracing innovation, prioritizing cybersecurity and modernizing Canada’s telecom framework.

Bill C-8 is divided into two parts: (1) the first proposes amendments to the Telecommunications Act, as well as consequential amendments to other statutes; and (2) the second proposes the enactment of the Critical Cyber Systems Protection Act (“CCSPA”). The enactment of the CCSPA will create powers for the Governor-in-Council and the Minister of Industry to order Canadian telecommunication services to secure the protection of the Canadian telecommunications system, including against threats of interference, manipulation or disruption. Additionally, the CCSPA will provide a framework for federally regulated private industries that would protect systems that are vital to national security and public safety. Non-compliance with either regime may result in high monetary penalties or imprisonment for individuals.

Part One: Amendments to the Telecommunications Act

The Telecommunications Act amendments will establish new powers for the Governor-in-Council and the Minister of Industry to direct telecommunication service providers to take, or refrain from taking, specific actions in order to secure the Canadian telecommunications system. The powers of the Governor-in-Council will include, but not be limited to, the ability to:

  • prohibit a telecommunications service from using all the products and services offered by a specified person; and
  • direct a telecommunications service to remove all products provided by a specified person.

Under the newly proposed changes to the Telecommunications Act, where the Minister of Industry believes on reasonable grounds that it will be necessary to secure a Canadian telecommunications system, the Minister of Industry will be able to, by order:

  • prohibit a telecommunications service from providing services to a specified person;
  • direct a telecommunications service to suspend any service to a specified person;
  • prohibit telecommunication services from using any specified product in, or in relation to, their network or facilities;
  • prohibit telecommunication services from entering service agreements for any product or service;
  • require telecommunication services to terminate a service agreement;
  • prohibit the upgrade of any specified product or service; and
  • subject the telecommunication services’ procurement plans to a review process.

Importantly, if the proposed amendments under Bill C-8 are enacted, telecommunication services will not be compensated for any financial losses resulting from the orders under the Telecommunications Act. The proposed amendments include additional enforcement powers, including the issuance of administrative monetary penalties of up to, in the case of an individual, $25,000-$50,000 per day, and in any other case, $10 million to $15 million per day. Additionally, if Bill C-8 were to come into force, any infringement of orders rendered by the Minister of Industry under the Telecommunications Act may also result in prosecution whereby officers and directors of telecommunication providers may face imprisonment.

Part Two: The Critical Cyber Systems Protection Act

The proposed enactment of the CCSPA will create new cybersecurity obligations for designated operators managing vital services or systems (“Designated Operators”). As stated in Schedule 1 of Bill C-8, vital services subject to the CCSPA include:

  • telecommunications services;
  • interprovincial or international pipeline and power line systems;
  • nuclear energy systems;
  • transportation systems that are within the legislative authority of Parliament;
  • banking systems; and
  • clearing and settlement systems.

Under the newly proposed CCSPA, Designated Operators of vital services will be obligated to:

  • establish a cybersecurity program within 90 days of an order made by the Governor-in-Council;
  • implement and maintain a cybersecurity program, and review it annually;
  • mitigate cybersecurity threats arising from their supply chains, or products and services offered by third parties; and
  • notify an appropriate regulator of any material changes in the Designated Operator’s ownership and the vital service’s cybersecurity programs.

Regarding enforcement, the CCSPA will, if enacted, provide regulators with the ability to investigate, make orders, and issue administrative monetary penalties for non-compliance – up to $1 million per day for individuals or $15 million in any other case.

Information Sharing and Secrecy

Further, the proposed enactment of the CCSPA under Bill C-8, similar to the previous Bill C-26, will require Designated Operators, telecommunications providers, and others to share confidential information with regulators, the Minister of Industry, and the Governor-in-Council to support the objectives of Bill C-8. This information may also be disclosed to federal agencies, provincial and international counterparts, and international organizations to further these goals. Although such information sharing is generally governed by agreements of understanding, the Minister of Industry will have the authority, if Bill C-8 comes into force, to disclose information if, in their judgment, it is necessary to protect the security of the telecommunications system.

Recommendations

If it comes into force, Bill C-8 will represent a major transformation in Canada’s cybersecurity framework, introducing broad new authorities and responsibilities under the amendments to the Telecommunications Act and the enactment of the CCSPA. First, the proposed amendments to the Telecommunications Act will grant the federal government enhanced powers to act on national security concerns within telecommunication services. Second, the CCSPA will impose new obligations on Designated Operators in critical sectors, such as banking, telecommunications and transportation.

If you are a provider of a vital service, as described in Bill C-8, the implications may be substantial. We recommend that you consider taking the following steps to improve your cybersecurity and address the above-noted anticipated changes:

  • ensure that your contracts contain sufficient cybersecurity provisions to protect all parties in the supply chain; and
  • prepare a refreshed compliance strategy for the proposed changes by reviewing your cybersecurity programs.

For more information, businesses are encouraged to reach out to Roland Hung or Laura Crimi in the Technology and Privacy & Data Management Groups at Torkin Manes LLP.

 

 

The authors would like to acknowledge Torkin Manes Articling Student, David Macy, for his contribution to drafting this article.