Cybersecurity - Canada

Bill C-8 enacts the Critical Cyber Systems Protection Act, imposing mandatory cyber programs and incident reporting on designated operators in telecom, finance, energy and transport, plus Telecommunications Act amendments. It passed Third Reading in the House on March 26, 2026 and is before the Senate; it has not yet received Royal Assent, so the CCSPA is not in force.

The near-identical Bill C-26 passed both chambers in late 2024 but died on prorogation in January 2025; the government reintroduced it as Bill C-8 on June 18, 2025.

Since November 1, 2018, organizations subject to PIPEDA must report to the OPC and notify affected individuals of any breach of security safeguards posing a 'real risk of significant harm,' as soon as feasible, and must keep records of all breaches for 24 months. Knowing contravention is an offence subject to fines.

Guideline B-13 (Technology and Cyber Risk Management) took effect January 1, 2024 for federally regulated financial institutions, covering governance, operations/resilience, cyber security, and third-party/cloud risk. FRFIs must report cyber incidents to OSFI under its Technology and Cyber Security Incident Reporting Advisory.

Bill C-8's Telecommunications Act amendments would give the government formal authority to direct telecom providers to secure networks against threats; pending enactment, telecom security relies on existing measures and the prior policy direction barring high-risk vendors.

The Canadian Centre for Cyber Security (Cyber Centre), part of the Communications Security Establishment, is the national technical authority that issues guidance and would receive CCSPA incident reports once Bill C-8 is in force.