Key takeaways

What’s happened?

The Carney government has revived expansive cyber security rules under Bill C-8, which aims to strengthen the compliance requirements for federally regulated critical infrastructure sectors, including banking, transportation, energy, and telecommunications.

Why does it matter?

The cyber protection obligations for “designated operators” that carry out vital services or systems are stringent and broad. Once passed, they’ll require organizations to maintain comprehensive cyber security programs; identify material changes to systems (particularly those that have national security implications); and immediately report breaches. Violations could result in fines of $15 million per day for organizations.

What can you do?

Critical infrastructure organizations should take proactive steps and engage external resources to help meet the bill’s cyber security obligations, which are expected to be passed quickly when Parliament resumes in the fall. These measures include mapping vital systems; understanding new powers of applicable regulators; developing and implementing the necessary plans and training to improve cyber resilience; and creating capacity to respond to both breaches and ensuing investigations to limit risk and liability.


On June 18, 2025, Bill C-8, an Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, was introduced in the House of Commons to address gaps in the federal government’s ability to protect critical infrastructure systems. Bill C-8 notably revives the sweeping cyber security obligations and regulatory powers first proposed under Bill C-26 (which was tabled three years earlier but never enacted).

While largely identical to Bill C-26 (which BLG previously commented on in this June 2022 Insight), C-8 introduces several key changes. These include revised judicial review procedures and the removal of consequential amendments to the Canada Evidence Act (aimed at protecting sensitive information filed during judicial reviews or appeals).

Although Bill C-8 has to go through the full legislative process, both its similarities with C-26 and the fact that the predecessor bill almost passed before Parliament was prorogued suggest it could move swiftly through Parliament. Organizations in federally regulated sectors including banking, transportation, energy, and telecommunications should prepare now for these significant changes.

Compliance obligations…

Read The Full Article at BLG
