Is your organisation ready for Bill C-26?
Bill C-26 is now law in Canada as Bill C-8, enacting the Critical Cyber Systems Protection Act. If you run or supply a federally regulated system in finance, telecom, energy, or transportation, new duties apply. This 2-minute check gives you an honest readiness tier.
Bill C-26 (now Bill C-8) readiness assessment
What is Bill C-26?
Bill C-26 was Canada's federal cyber security bill. It died at prorogation in January 2025 and was reintroduced as Bill C-8, which received Royal Assent on 2026-06-16 (S.C. 2026, c. 9). It amends the Telecommunications Act and enacts the Critical Cyber Systems Protection Act for critical infrastructure.
Who does the CCSPA apply to?
The Critical Cyber Systems Protection Act applies to designated operators of critical cyber systems in four federally regulated sectors: finance, telecommunications, energy, and transportation. Government sets the specific operator classes by regulation. Vendors aren't bound directly, but the duties reach them through contracts with designated operators.
What are the obligations under the CCSPA?
A designated operator must establish a documented cyber security program (within 90 days of designation), report incidents to the Communications Security Establishment within a window not to exceed 72 hours, manage supply-chain and third-party risk, comply with cyber security directives, and keep records. Penalties run high for non-compliance.