// BILL C-26

Is your organisation ready for Bill C-26?

Bill C-26 is now law in Canada as Bill C-8, enacting the Critical Cyber Systems Protection Act. If you run or supply a federally regulated system in finance, telecom, energy, or transportation, new duties apply. This 2-minute check gives you an honest readiness tier.

Bill C-26 (now Bill C-8) readiness assessment

What's bringing you to Bill C-26 today?

What is Bill C-26?

Bill C-26 was Canada's federal cyber security bill. It died at prorogation in January 2025 and was reintroduced as Bill C-8, which received Royal Assent on 2026-06-16 (S.C. 2026, c. 9). It amends the Telecommunications Act and enacts the Critical Cyber Systems Protection Act for critical infrastructure.

Who does the CCSPA apply to?

The Critical Cyber Systems Protection Act applies to designated operators of critical cyber systems in four federally regulated sectors: finance, telecommunications, energy, and transportation. Government sets the specific operator classes by regulation. Vendors aren't bound directly, but the duties reach them through contracts with designated operators.

What are the obligations under the CCSPA?

A designated operator must establish a documented cyber security program (within 90 days of designation), report incidents to the Communications Security Establishment within a window not to exceed 72 hours, manage supply-chain and third-party risk, comply with cyber security directives, and keep records. Penalties run high for non-compliance.

Common questions

The Telecommunications Act amendments took effect on Royal Assent (2026-06-16). The CCSPA's substantive operator obligations phase in by Governor in Council order, with specific classes, thresholds, and timelines through regulations still being developed. Preparing now is reasonable, because the core program duties are already defined in the Act.

The Act binds designated operators, not their vendors, directly. But operators carry a legal duty to manage supply-chain and third-party risk. In practice that flows to suppliers through contract terms, security questionnaires, and audit rights. If you serve a designated operator, expect their obligations to land on you.

Designated operators must report a cyber security incident affecting a critical cyber system to the Communications Security Establishment within a window not to exceed 72 hours of discovery. Immediately after, the operator must also notify its sector regulator.

The CCSPA carries administrative monetary penalties up to $1 million per violation for individuals and $15 million for organisations, with each day of non-compliance treated as a separate violation. Regulatory offences can add fines and imprisonment, and directors or officers can be held personally liable.

LET'S CONNECT

A senior engineer replies within an hour, 24/7.