Last week, the federal government introduced Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. Bill C-8 bears the same title as, and is nearly identical in content to, last Parliamentary session’s Bill C-26. This includes the introduction of the Critical Cyber Systems Protection Act (CCSPA) and a number of amendments to the Telecommunications Act.
The proposed CCSPA imposes obligations on certain classes of organizations that provide services or operate systems that are “vital” to national security or public safety. The presently designated Vital Services and Vital Systems are as follows:
Most obligations under the CCSPA would apply to “designated operators” within these sectors that own, control or operate a “critical cyber system”. While no classes of designated operators are listed in the current draft, a cyber system would qualify as a “critical cyber system” where it is a system that, “if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system”.
Under the CCSPA, a designated operator would be required to:
Additional obligations may be imposed by regulation.
Bill C-8 grants extensive powers to designated regulatory authorities to enforce the requirements of the CCSPA. Currently, the designated regulatory authorities include the Office of the Superintendent of Financial Institutions, the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canadian Energy Regulator and the Minister of Transport. Their powers include the authority to:
Bill C-8 would also amend the Telecommunications Act to give the Minister of Industry the power to prohibit a telecommunications service provider from using products or services provided by a specified person, or from providing certain products or services to a specified person. Such orders would only be made if there are reasonable grounds to believe that they are necessary to secure the Canadian telecommunication system against any threat, and such orders must be proportionate to the gravity of the threat. As under the CCSPA, penalties for non-compliance would be as high as $15,000,000.
While Bill C-8 has only just been introduced, companies governed by the Telecommunications Act and that are likely to be subject to the CCSPA should be as proactive as possible with respect to three matters in particular.
First, companies should give significant consideration to how they will protect information subject to solicitor-client, litigation, and other legal privileges. Protecting privilege could be particularly challenging in the event of a cybersecurity incident given the extensive enforcement (including search and seizure) powers afforded to regulators, the record-keeping requirements imposed on designated operators to demonstrate compliance, and the requirement to immediately notify the CSE and appropriate regulator upon discovering a cybersecurity incident.
Second, companies should plan to review and update their incident response plans and cybersecurity policies in accordance with Bill C-8’s reforms. Current and upcoming reviews should consider third-party and supply chain risks, including those posed by critical service providers (particularly those providing IT services), key suppliers, and device or product manufacturers. Once more information is provided, companies will also want to explore the extent to which their “critical cyber systems” can be segregated from other systems and whether doing so would assist in streamlining compliance efforts.
Third, companies subject to Bill C-8’s reforms should consider how these new requirements could or should be reflected when contracting for services with third parties. Likewise, service providers should expect increasing cybersecurity standards from regulated customers, particularly when such services relate to critical cyber systems.
© 2025 by Torys LLP.
All rights reserved.