On 16 June 2026, Bill C-8 (An Act respecting Cyber Security, the legislative successor to the previous Parliament's Bill C-26) received Royal Assent. Part 1 amends the Telecommunications Act with immediate effect; Part 2 enacts the Critical Cyber Systems Protection Act (CCSPA), which binds designated operators across telecommunications, finance, energy, and federal transportation.
For CISOs at federally regulated entities, the regime is no longer theoretical. Administrative monetary penalties reach $15 million per violation for corporations, each day of continuing non-compliance counts as a separate violation, and directors carry personal criminal exposure. The Communications Security Establishment (CSE) becomes the central incident-reporting node, with the statutory ceiling for notification fixed at 72 hours.
What does "designated operator" actually require in operational terms? Which sector regulator will examine you? What evidence will your auditor or your sector regulator expect to see inside a 90-day program standup? This post answers those questions, maps CCSPA to the Cyber Centre's published technical baseline, and outlines what a credible gap-analysis project looks like for a Canadian CISO sitting in front of a board this quarter.
Where Bill C-8 came from and what it changes
Federal cyber-security reform has been waiting in the legislative queue for several years. The previous Bill C-26 died at prorogation on 6 January 2025 alongside Bill C-27 (the CPPA, PIDPTA, and AIDA package). Bill C-8 was tabled to revive the cyber-security half of the agenda and was reported by Fasken and BLG as a near-identical reboot of C-26's two-part structure.
Royal Assent on 16 June 2026 closed the drafting cycle. Part 1 of the Act amends the Telecommunications Act to add a national-security purpose, allowing the Governor in Council and the Minister of Industry to order Canadian carriers to do or refrain from doing anything necessary to secure the Canadian telecommunications system. AMP ceilings under that Part run to $10 million for a first violation and $15 million for any subsequent violation for corporations. Part 2 enacts the standalone Critical Cyber Systems Protection Act.
The political driver for the accelerated passage was disclosed by the Cyber Centre in August 2025: three Cisco IOS XE network devices belonging to a Canadian telecommunications carrier had been compromised in mid-February 2025 by the People's Republic of China state-sponsored actor known as Salt Typhoon, which exploited CVE-2023-20198 and deployed GRE tunnels for traffic collection. The Five Eyes joint advisory that followed reframed the risk model: a non-telecom enterprise whose traffic transits a compromised carrier has to assume metadata visibility by a sophisticated nation-state. The practical first check for any operator running IOS XE is to compare running configurations against a known-good baseline and treat any tunnel interface or privileged local account the team did not create as an indicator.
That autumn, the joint 26 November 2025 statement from the Cyber Centre, the RCMP, and CSIS confirmed that hacktivists had tampered with internet-exposed ICS at a Canadian municipal water plant, an oil and gas operator, and a grain-drying farm. Public Safety Canada explicitly framed those incidents as justification for the CCSPA framework about to come into force. The combination of nation-state telco intrusion plus opportunistic OT tampering gave the Government the political cover to move Bill C-8 through both chambers in a single session.
Who is a designated operator and which sector regulator owns you
CCSPA does not regulate "critical infrastructure" as a generic concept. It regulates specific classes of vital service and vital system, and within those classes it regulates only operators that the Governor in Council designates by order. As Osler summarises in its July 2025 explainer, six classes of vital service are listed in the schedule: telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems within federal jurisdiction, banking systems, and clearing and settlement systems.
Each class is assigned to a sector regulator:
- Telecommunications: Minister of Industry
- Interprovincial / international pipelines and power lines: Canadian Energy Regulator
- Nuclear energy: Canadian Nuclear Safety Commission
- Federal transportation: Minister of Transport
- Banking: Office of the Superintendent of Financial Institutions (OSFI)
- Clearing and settlement: Bank of Canada
This split matters because the supervisory culture inside OSFI (principles-based, examiner-led, B-13-aligned) is materially different from the CNSC (prescriptive, licence-condition-led) and from the Canadian Energy Regulator (audit-and-order model). A bank that has spent two years aligning to OSFI Guideline B-13 will recognise much of what CCSPA expects. A pipeline operator examined by the CER will not have that head start.
Designation is not automatic. The Act gives the Governor in Council power to issue designation orders naming specific operators. Until the first wave of orders is published, an organisation can credibly estimate its likely status by looking at whether it operates a system the Schedule identifies as vital. For the largest Canadian banks, designated payment systems, the incumbent national carriers, the major railways and ports, the federally regulated nuclear licensees, and the CER-regulated pipelines and power lines, the answer is effectively "yes, plan as if you are in." Smaller players and provincially regulated utilities will need to monitor the Canada Gazette.
What the cybersecurity program must actually contain
CCSPA requires every designated operator to establish a documented cybersecurity program within 90 days of being designated. The program must identify and document the operator's critical cyber systems, then describe how the operator will (a) identify and manage organisational cybersecurity risks including supply-chain and third-party risks, (b) protect its critical cyber systems, (c) detect cybersecurity incidents affecting those systems, and (d) minimise the impact of incidents that do occur.
BLG and Fasken both note that the 90-day window starts on designation, not on Royal Assent, and that substantive Part 2 provisions phase in through Governor-in-Council orders. The practical implication is that the gap-analysis and program-design work has to be done now so that designation does not catch the CISO with a blank page.
The Cyber Centre's National Cyber Threat Assessment 2025-2026 and the December 2025 Ransomware Threat Outlook 2025-2027 set the threat model that any credible program has to answer. Ransomware is named as the top cybercrime threat to Canadian critical infrastructure, Canadian ransomware incidents grew on average 26% per year from 2021 to 2024, and the Cyber Centre forecasts more aggressive multi-extortion behaviour through 2027.
A program that fails to address ransomware-specific controls (immutable backups tested for restoration, segmentation between corporate IT and OT or production banking systems, privileged access controls, endpoint detection and response with response capability, exfiltration detection on egress) will not survive a sector-regulator examination, regardless of how elegantly the policy documents are written. Continuous control testing through VAPT services and attack simulation is the evidence layer that turns a policy binder into a defensible program.
The program must also describe supply-chain and third-party cyber risk management. CCSPA makes this a freestanding pillar rather than a sub-clause. The Salt Typhoon intrusion showed that a compromised carrier is part of every downstream customer's attack surface, and the 23andMe incident showed that credentials reused from breaches at unrelated services become an attack on you: the perimeter is wherever a vendor or a shared credential sits.
The 72-hour cyber incident reporting clock to CSE
CCSPA requires a designated operator to report a cybersecurity incident affecting any of its critical cyber systems to the Communications Security Establishment (CSE) as soon as feasible after the operator becomes aware that an incident has occurred, and in any event within the period prescribed by regulation. The Act caps that period at 72 hours; the regulations have not yet been published as of mid-2026 and may set a shorter clock.
This is the single requirement most likely to be misread. The clock starts on awareness, not on confirmation. It runs against the operator regardless of whether the operator believes the report is "complete." Late or absent reports are themselves violations subject to AMPs of up to $15 million per day for corporations. Because the regulator will measure from the moment of awareness, the incident ticket should record that timestamp explicitly at declaration, not backfill it from the forensic timeline later.
For federally regulated banks, the CCSPA clock layers on top of the existing OSFI Technology and Cyber Security Incident Reporting Advisory, which sets a 24-hour reporting threshold for material incidents. A bank suffering a ransomware encryption event will therefore have to report to OSFI within 24 hours and to CSE under CCSPA within (at most) 72, plus consider PIPEDA breach reporting to the Office of the Privacy Commissioner under section 10.1 where there is a real risk of significant harm, plus any CSA continuous-disclosure obligation if the incident is material to the reporting issuer.
The operational answer is a single internal incident-classification runbook that triggers all four reporting pathways from one declaration. CISOs who keep separate incident response playbooks for OSFI, CSE, the OPC, and the CSA will miss a clock. A consolidated runbook backed by 24x7 monitoring built around a multi-jurisdiction trigger map is now the minimum operational baseline.
Penalties, criminal liability, and the daily accrual problem
CCSPA's penalty structure is, by Canadian standards, severe. Administrative monetary penalties reach $1 million per violation for individuals and $15 million per violation for corporations. Each day of continuing violation counts as a separate violation, which means a designated operator that misses the 72-hour clock and remains in non-compliance for a month is, on its face, exposed to a number in the hundreds of millions (30 days at the $15 million ceiling is $450 million) before the regulator exercises any mitigation discretion.
The Telecommunications Act amendments in Part 1 carry parallel AMP ceilings of $10 million for a first violation and $15 million for any subsequent violation for corporations. Both regimes also preserve criminal liability. Directors and officers who knowingly authorise, permit, or acquiesce in a contravention can be held personally liable, and the Act includes due-diligence defences but no automatic safe harbour for delegated decisions.
For boards, this is the inflection point that PIPEDA never provided. The Office of the Privacy Commissioner has no AMP power under PIPEDA; it relies on public findings, compliance agreements, and Federal Court applications (the OPC's ongoing enforcement action against Aylo, operator of Pornhub, is the current test case for how far that toolkit can be pushed). Under PIPEDA, even the 23andMe credential-stuffing finding (PIPEDA Findings #2025-001, published June 2025) drew zero monetary penalty in Canada despite the UK ICO's parallel £2.31 million fine. CCSPA changes that calculus completely for the six vital sectors.
The practical board-level question becomes: does the audit committee have a defensible record of cyber-program oversight, an approved risk appetite that names CCSPA exposure, an evidenced testing programme through penetration testing services, and a documented decision trail for any residual risk acceptance? Without those four artefacts, a director facing a CCSPA proceeding has no due-diligence defence to put on the table.
The Cyber Centre's technical baseline and how to map to it
The Canadian Centre for Cyber Security (CCCS, part of CSE) publishes the technical baseline that any credible CCSPA program will end up referencing. Its Top 10 IT Security Actions guidance sets the foundation; the CCCS Baseline Cyber Security Controls for Small and Medium Organizations add the SME variant; and the Cross-Sector Cyber Security Readiness Goals, aligned with CISA's Cross-Sector Cybersecurity Performance Goals, give the cross-jurisdictional ICS / OT mapping that water utilities and energy operators have been asking for since the November 2025 incidents.
For OT-heavy operators, the baseline maps cleanly to the IEC 62443 family and to the Purdue Enterprise Reference Architecture for segmentation between process / control layers and operations / enterprise layers. The November 2025 hacktivist incidents at the municipal water plant, the oil and gas operator, and the grain-drying farm all shared the same root cause: internet-exposed OT devices with weak authentication and no segmentation. Closing that gap is now table stakes for any operator in the energy or federal transportation classes.
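The two checks that the November 2025 incidents point at, internet-exposed OT on control or management ports and traffic crossing a zone boundary outside a declared conduit, can be run mechanically over an asset inventory and a set of observed or permitted flows. The script below is an added example, not code from the original post or from the Cyber Centre; the assets, flows, conduit policy, and the Purdue-level-to-zone mapping are all constructed, and it treats anything outside RFC 1918 space as internet-reachable (a simplification; a real check would consult the perimeter's NAT and firewall state).

```python
"""Zone-and-conduit exposure check over an OT asset inventory.

Added example, not code from the original post. It applies two checks:
(1) OT assets reachable from outside the operator's address space on control
or management ports, and (2) flows that cross Purdue / IEC 62443 zone
boundaries outside a declared conduit. All data below is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumption: Purdue levels collapse into four IEC 62443 zones.
ZONE_OF_LEVEL = {0: "process", 1: "process", 2: "control",
                 3: "operations", 4: "enterprise", 5: "enterprise"}

# Assumption: anything outside RFC 1918 space is treated as internet-reachable.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports that should never be reachable on an OT asset from outside its zone.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https",
                   502: "modbus", 5900: "vnc", 20000: "dnp3", 44818: "ethernet/ip"}

# Declared conduits: (source zone, destination zone) -> permitted ports.
# Same-zone traffic is always permitted; any other cross-zone flow is a violation.
ALLOWED_CONDUITS = {
    ("enterprise", "operations"): {443},
    ("operations", "control"): {502, 44818},
    ("control", "process"): {502, 44818},
}


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    purdue_level: int
    listening_ports: tuple[int, ...]
    default_creds: bool


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    port: int


@dataclass(frozen=True)
class Finding:
    code: str      # INTERNET_EXPOSED | WEAK_AUTH | CONDUIT_VIOLATION
    asset: str
    detail: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_PREFIXES)


def zone_of(ip: str, by_ip: dict[str, Asset]) -> str:
    """Zone of an address: the asset's zone if inventoried, else 'unknown' or 'internet'."""
    if ip in by_ip:
        return ZONE_OF_LEVEL[by_ip[ip].purdue_level]
    return "unknown" if is_internal(ip) else "internet"


def audit(assets: list[Asset], flows: list[Flow]) -> list[Finding]:
    by_ip = {a.ip: a for a in assets}
    findings: list[Finding] = []

    for a in assets:
        is_ot = a.purdue_level <= 2
        exposed = [p for p in a.listening_ports if p in SENSITIVE_PORTS]
        if is_ot and not is_internal(a.ip) and exposed:
            names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in exposed)
            findings.append(Finding("INTERNET_EXPOSED", a.name,
                                    f"{a.ip} outside internal space with {names} open"))
        if a.default_creds:
            findings.append(Finding("WEAK_AUTH", a.name, "default credentials still set"))

    for f in flows:
        src, dst = zone_of(f.src_ip, by_ip), zone_of(f.dst_ip, by_ip)
        if src == dst:
            continue
        if f.port not in ALLOWED_CONDUITS.get((src, dst), set()):
            target = by_ip[f.dst_ip].name if f.dst_ip in by_ip else f.dst_ip
            findings.append(Finding("CONDUIT_VIOLATION", target,
                                    f"{src}->{dst} port {f.port} from {f.src_ip} is not a declared conduit"))
    return findings


# Constructed inventory and flows (illustrative, not real assets).
ASSETS = [
    Asset("hmi-01", "203.0.113.10", 2, (80, 5900), default_creds=True),
    Asset("plc-pump-01", "10.10.1.20", 1, (502,), default_creds=False),
    Asset("historian-01", "10.10.3.5", 3, (443, 1433), default_creds=False),
    Asset("erp-01", "10.20.4.8", 4, (443,), default_creds=False),
]
FLOWS = [
    Flow("10.10.3.5", "203.0.113.10", 502),     # operations -> control on modbus: declared conduit
    Flow("10.20.4.8", "10.10.1.20", 502),       # enterprise -> process: no conduit exists
    Flow("198.51.100.7", "203.0.113.10", 5900), # internet -> control VNC: no conduit exists
]

if __name__ == "__main__":
    for fnd in audit(ASSETS, FLOWS):
        print(f"{fnd.code:18} {fnd.asset:14} {fnd.detail}")
```

Run against the constructed data it reports four findings: the HMI is internet-exposed on HTTP and VNC and still on default credentials, and two flows (ERP to PLC, and an outside address to the HMI) cross zones with no declared conduit. The historian-to-HMI Modbus flow passes because it matches a declared operations-to-control conduit, which is the distinction an examiner will want to see documented.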
For IT-heavy operators (banking, clearing and settlement, telecommunications), the baseline maps to OSFI Guideline B-13's three domains (governance and risk management; technology operations and resilience; cybersecurity) and to established control frameworks (ISO/IEC 27001, NIST CSF, CIS Controls). The Cyber Centre updated its voluntary self-assessment tool in 2025; a sensible gap-analysis project starts there and uses the output as the input to the CCSPA program design document.
Where AI systems sit inside critical cyber systems, the picture is messier. Federal AI legislation (the former AIDA in Bill C-27) died at prorogation in January 2025 and Osler's 2026 outlook judges federal AI law unlikely before 2027. In the interim, the OPC's TikTok finding (PIPEDA Findings #2025-003, 23 September 2025) signals that the Privacy Commissioner is willing to treat AI profiling and biometric analytics as sensitive processing subject to PIPEDA's necessity and proportionality test. An AI risk assessment aligned to recognised AI governance standards is the cleanest current evidence trail.
What a 12-week CCSPA gap-analysis project looks like
The Act gives a designated operator 90 days from designation to stand up a program. That is the work-pace a gap analysis has to support. A realistic 12-week project breaks into four phases.
Weeks 1-3, scope and inventory. Identify which of the operator's systems meet the statutory definition of a critical cyber system. Map each to its sector regulator (OSFI, CER, CNSC, Minister of Industry, Minister of Transport, or Bank of Canada). Inventory third parties whose compromise could affect a critical cyber system, including hyperscaler dependencies. The CLOUD Act question (whether foreign legal access to data hosted on a US-headquartered cloud is a supply-chain risk the operator must mitigate under CCSPA) is unresolved in the regulations, but a defensible program documents the residual risk explicitly rather than ignoring it.
Weeks 4-6, controls baseline. Map current controls to the Cyber Centre's Top 10 IT Security Actions, the Cross-Sector Cyber Security Readiness Goals, OSFI B-13 (for FRFIs), and the IEC 62443 zone-and-conduit model (for OT). Surface gaps. The most common gaps seen across Canadian and Canada-India cross-border programs are: incomplete OT asset inventory, untested backup restoration, vendor right-to-audit clauses that exclude sub-processors, and SaaS administrative privileges that are not subject to the same access review cadence as on-premises privileged accounts.
Weeks 7-9, incident response and reporting. Build the single consolidated runbook that fires the OSFI 24-hour notice (where applicable), the CCSPA 72-hour CSE notice, the PIPEDA section 10.1 OPC notice (where personal information is in scope), and the CSA continuous-disclosure path (for reporting issuers). Tabletop the runbook with the audit committee in the room.
Weeks 10-12, evidence and remediation roadmap. Stand up the document set (program document, risk register, third-party register, control matrix, reporting runbook, board reporting pack). Schedule the first independent attestation cycle. Sequence remediation by AMP exposure, not by IT priority.
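The consolidated runbook from the 72-hour section and from the weeks 7-9 step above reduces to a trigger map: one incident declaration, a handful of yes/no attributes, and a deadline for every pathway that applies, all measured from the awareness timestamp. The script below is an added example, not code from the original post or from any regulator. The windows it uses are the ones this post cites (OSFI 24 hours, CCSPA ceiling 72 hours, PIPEDA and CSA with no fixed hour count) and are assumptions to verify against the regulations actually in force; the CCSPA window is capped at the statutory ceiling so that a prescribed period can only shorten it. The scenario data is constructed.

```python
"""Consolidated incident-reporting trigger map.

Added example, not code from the original post. One incident declaration
fans out into every reporting pathway that applies, each deadline computed
from the moment of awareness rather than confirmation. Windows are taken
from the post's text and are assumptions to verify against the regulations.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

OSFI_WINDOW_H = 24      # OSFI Technology and Cyber Security Incident Reporting Advisory
CCSPA_CEILING_H = 72    # statutory ceiling; regulations may prescribe less, never more


@dataclass(frozen=True)
class Declaration:
    aware_at: datetime                     # first awareness, NOT confirmation
    critical_cyber_system_affected: bool   # CCSPA trigger
    is_frfi: bool                          # federally regulated financial institution
    osfi_material: bool                    # meets the OSFI advisory's materiality threshold
    personal_info_rrosh: bool              # PIPEDA s.10.1 real risk of significant harm
    reporting_issuer_material: bool        # material to a CSA reporting issuer


@dataclass(frozen=True)
class Obligation:
    pathway: str
    recipient: str
    due_at: Optional[datetime]   # None: no fixed hour count, tracked as open
    basis: str


def hours_after(t: datetime, hours: float) -> datetime:
    return t + timedelta(hours=hours)


def reporting_obligations(d: Declaration,
                          ccspa_prescribed_h: Optional[int] = None) -> list[Obligation]:
    """Every pathway this declaration fires: fixed clocks first (soonest first), then open ones."""
    if d.aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; clocks are compared across regulators")
    out: list[Obligation] = []
    if d.is_frfi and d.osfi_material:
        out.append(Obligation("OSFI", "OSFI lead supervisor",
                              hours_after(d.aware_at, OSFI_WINDOW_H),
                              f"material incident at an FRFI; {OSFI_WINDOW_H}h from awareness"))
    if d.critical_cyber_system_affected:
        window = (CCSPA_CEILING_H if ccspa_prescribed_h is None
                  else min(ccspa_prescribed_h, CCSPA_CEILING_H))
        out.append(Obligation("CCSPA", "CSE", hours_after(d.aware_at, window),
                              f"critical cyber system affected; {window}h from awareness"))
    if d.personal_info_rrosh:
        out.append(Obligation("PIPEDA s.10.1", "OPC and affected individuals", None,
                              "real risk of significant harm; as soon as feasible"))
    if d.reporting_issuer_material:
        out.append(Obligation("CSA continuous disclosure", "principal regulator", None,
                              "material to a reporting issuer; no fixed hour count"))
    return sorted(out, key=lambda o: (o.due_at is None, o.due_at or d.aware_at))


def overdue(obligations: list[Obligation], now: datetime) -> list[Obligation]:
    return [o for o in obligations if o.due_at is not None and now > o.due_at]


def violation_days(o: Obligation, now: datetime) -> int:
    """Days of continuing non-compliance: each started day past the deadline counts separately."""
    if o.due_at is None or now <= o.due_at:
        return 0
    return math.ceil((now - o.due_at) / timedelta(days=1))


# Constructed scenario: ransomware encryption at a bank that is also a designated
# operator and a reporting issuer, with customer personal information at risk.
EXAMPLE_AWARE = datetime(2026, 9, 1, 10, 0, tzinfo=timezone.utc)
EXAMPLE_DECLARATION = Declaration(EXAMPLE_AWARE, True, True, True, True, True)

if __name__ == "__main__":
    obs = reporting_obligations(EXAMPLE_DECLARATION)
    for o in obs:
        print(f"{o.pathway:26} -> {o.recipient:30} due {o.due_at or 'ASAP'}  ({o.basis})")
    late = hours_after(EXAMPLE_AWARE, 72 + 24 * 30)
    for o in overdue(obs, late):
        print(f"{o.pathway}: {violation_days(o, late)} separate daily violations accrued")
```

For the bank scenario the map fires all four pathways, with OSFI due 24 hours after awareness and CSE due 72 hours after; a non-FRFI pipeline operator with only a critical cyber system affected gets the single CCSPA obligation. The `violation_days` helper is the daily-accrual point from the penalties section made concrete: a CSE report still missing 30 days after the deadline is 30 separately countable violations.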
What to do next, and where Certbar fits
The CCSPA picture for a Canadian designated operator over the next eighteen months is straightforward to describe and operationally demanding to execute. The Act is in force, the threat model has been pre-validated by Salt Typhoon and the November 2025 ICS incidents, the AMP exposure is material at board level, and the sector regulators will examine on evidence rather than intent.
Three immediate actions are defensible regardless of when designation orders are published:
- Commission a CCSPA gap analysis now against the Cyber Centre baseline and the relevant sector regulator's existing guidance (OSFI B-13 for banks, CER cyber expectations for energy, CNSC requirements for nuclear).
- Consolidate incident reporting into a single runbook with named decision-makers for the OSFI, CSE, OPC, and CSA pathways, and tabletop it with the board.
- Treat third-party and cloud supply-chain risk as a freestanding program pillar with documented mitigation rather than a contractual checkbox.
For Canadian CISOs whose budgets are already stretched across cyber-insurance premium increases, OSFI B-13 attestation costs, and the cost of standing up new programs, the economics of an India-based CERT-In empanelled VAPT, SOC, and compliance partner matter. Certbar runs continuous penetration testing, 24x7 SOC monitoring, and regulator-mapped audit evidence delivery from Surat and Mumbai for Canadian designated operators and their downstream MSP supply chain. The time-zone offset gives genuine follow-the-sun SOC coverage; the CERT-In empanelment gives equivalent rigour to a Canadian or US firm at materially lower cost; and the evidence packaging is built around what an OSFI, CER, or CSE examiner will actually ask to see. For organisations also handling personal information of Indian data principals, the same engagement extends to DPDP Act 2023 compliance consulting.
The CCSPA is the most significant change to the Canadian cyber-regulatory perimeter in a decade. Operators that treat the 90-day clock as a real deadline, build the consolidated reporting runbook, and put a third-party evidence file in front of the audit committee will be in a defensible position when the first designation orders are published. Operators that wait for the regulations will be writing a program document under examination pressure.
Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.