Bill C-8 passed the House of Commons on March 26, 2026 and is before the Senate. Once Royal Assent is granted, designated operators have 90 days to establish a cybersecurity program, must report incidents to the CSE within 72 hours, and face fines of up to $15 million per day. If you're in a designated sector, the time to start is now.
Bill C-8, formally An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, is the 45th Parliament successor to Bill C-26 (44th Parliament), which died on the order paper when Parliament was prorogued. Sponsored by the Minister of Public Safety and re-introduced in the 45th Parliament, it passed the House of Commons Standing Committee on Public Safety and National Security with amendments, completed report stage and third reading on March 26, 2026, and received first reading in the Senate the same evening.
Bill C-8 introduces mandatory cybersecurity obligations for designated operators of critical cyber systems - systems that are essential for transmitting, processing, or storing information across Canada's most critical sectors. The legislation aims to detect, identify, manage, and mitigate cybersecurity risks for these systems. Unlike the voluntary guidance that preceded it, this is binding law with among the highest administrative penalties in Canadian regulatory history.
Building a Bill C-8 compliant cybersecurity program from scratch typically takes 6-18 months. Once Royal Assent is granted and designation regulations come into force, the 90-day clock begins immediately. Organizations that wait for their formal designation notice before starting will find 90 days impossible to meet without groundwork already laid. ThreeShield recommends beginning a gap assessment now.
Designated operators must establish a cybersecurity program within 90 days of designation. The program must include a thorough assessment of organizational cyber risks, explicitly including risks arising from supply chains and third-party vendors. This is not a checklist - regulators expect a program that reflects your actual environment and risk profile.
Cybersecurity incidents that affect critical cyber systems must be reported to the Communications Security Establishment (CSE) within 72 hours of discovery. The clock starts at discovery, not at the time of the incident. Pre-built detection and notification workflows are essential - organizations cannot construct these under pressure during an active incident.
The cybersecurity program must specifically address supply chain and third-party vendor risks. Vendor security assessments, contractual security requirements, and ongoing monitoring of critical suppliers are required program elements. For telecom operators, this has direct implications for network equipment procurement decisions.
The government retains authority to issue binding cybersecurity directions to designated operators - requiring specific actions, including potentially removing specific vendors or products from critical systems. Non-compliance with a direction is an offence under the Act, not merely a regulatory finding.
Bill C-8 applies to designated operators of critical cyber systems in federally regulated sectors.
Canadian telecom carriers and broadcasting distribution undertakings. Bill C-8 amends the Telecommunications Act directly, giving the government authority to issue cybersecurity directions to carriers - including supply chain decisions affecting network equipment vendors.
Sector regulator: CRTC
Banks, trust companies, life insurance companies, and financial market infrastructure under OSFI supervision - including clearing and settlement system operators. Canada's major banks and federally regulated financial institutions are expected to be designated.
Sector regulator: OSFI
Nuclear power plants, uranium processing facilities, and radioactive waste management facilities regulated under the Nuclear Safety and Control Act. The Canadian Nuclear Safety Commission (CNSC) is the sector regulator.
Sector regulator: CNSC
Federally regulated pipeline operators under the Canada Energy Regulator Act - interprovincial and international oil and gas pipelines. This is the primary Bill C-8 obligation for the oil and gas sector. The Canada Energy Regulator (CER) is the sector regulator. Calgary-headquartered pipeline companies are directly in scope.
Sector regulator: Canada Energy Regulator (CER)
Federally regulated railways, airlines, and marine operators under Transport Canada jurisdiction. National rail operators, air carriers, and marine shipping companies with critical infrastructure designations face C-8 program requirements.
Sector regulator: Transport Canada
Federal departments and Crown corporations operating critical cyber systems. Parallel obligations exist under Treasury Board cybersecurity directives and the Canadian Centre for Cyber Security's baseline controls for government institutions.
Oversight: Treasury Board / CSE
All of the following must be in place within 90 days of designation.
A thorough assessment of organizational cybersecurity risks - threats, vulnerabilities, and potential impacts specific to your critical cyber systems. Not a generic template; regulators expect evidence of assessment against your actual environment.
Explicit identification and assessment of risks from supply chains and third-party vendors. Vendor security questionnaires, contractual protections, and monitoring of high-risk suppliers. Bill C-8 reflects the SolarWinds-to-MOVEit lesson: critical infrastructure is breached through suppliers.
Formal identification of which systems qualify as "critical cyber systems" under the Act. Scoping errors create compliance gaps or unnecessary burden. This is the highest-stakes step - get it wrong and everything downstream is wrong.
Pre-built technical and procedural capability to detect incidents, classify severity, and execute a CSE notification within 72 hours of discovery. This is only possible if you have continuous monitoring - Lavawall® detects; ThreeShield's runbooks direct the response and notification.
Security safeguards appropriate to the risk profile of your critical cyber systems: access controls, network segmentation, patch management, encryption, endpoint protection. Lavawall® provides continuous monitoring of these controls against compliance baselines.
The program must be documented and subject to regular review. Significant technology changes, new vendors, and incident lessons learned must feed back into the program. Regulators will request documentation during examinations.
Organizations with no existing security framework, no documented policies, and no continuous monitoring cannot build a compliant Bill C-8 program in 90 days from a cold start. Organizations that already have Lavawall® monitoring, a documented risk assessment, and basic incident response procedures can meet the deadline. ThreeShield's gap assessment tells you exactly how far you are from readiness - and what it takes to close that gap in the time available.
The maximum penalty, up to $15 million per day, applies to organizations that violate Bill C-8 - including failure to establish a cybersecurity program, failure to report incidents within 72 hours, or failure to comply with a cybersecurity direction. Penalties are assessed per day, meaning ongoing non-compliance accrues daily. This is among the highest administrative penalty regimes in Canadian regulatory history.
Officers, directors, and employees responsible for violations face personal liability. This mirrors global trends: US SEC cybersecurity disclosure rules, EU DORA, and now Canadian CCSPA all create individual executive accountability. Boards and CISOs at designated operators cannot treat compliance as purely an IT function.
| Bill C-8 Requirement | Lavawall® Coverage | ThreeShield Expert Layer |
|---|---|---|
| Critical cyber system inventory | ⚑ IT asset discovery + cloud | OT/ICS scoping and classification |
| Cyber risk assessment | ⚑ Risk data and scoring | CISSP/CISA formal risk assessment document |
| Supply chain risk assessment | ⚑ Third-party monitoring | Vendor assessment methodology and reporting |
| Incident detection (72-hr clock starts at discovery) | ✓ Continuous monitoring and alerting | Incident classification runbooks |
| 72-hour CSE notification workflow | ⚑ Alert escalation framework | ThreeShield builds CSE notification runbooks |
| Patch and vulnerability management | ✓ Automated - 7,533+ applications | - |
| Access control monitoring (MFA, privileged access) | ✓ M365/Entra/Azure/AWS continuous | - |
| Encryption and data protection | ✓ Configuration monitoring | - |
| Program documentation | ⚑ Automated evidence collection | ThreeShield develops formal program documents |
| Annual program review | ✓ Continuous baseline for review | CISSP/CISA annual review service |
For designated operators with strong internal security teams who need continuous monitoring and compliance tooling to support their existing program
For organizations beginning their C-8 compliance journey who need CISSP/CISA expert guidance to build the required program in time
For designated operators who need a complete, regulator-ready C-8 program - especially those facing imminent 90-day deadlines
Yes. Bill C-8 passed third reading in the House of Commons on March 26, 2026 and is now before the Senate. Royal Assent could come within weeks. Once granted, sector-specific designation regulations come into force on a schedule set by each regulator. The 90-day program deadline runs from the date of designation - which could be very soon after Royal Assent for organizations already in clearly covered sectors. Building a compliant cybersecurity program takes 6-18 months from a cold start. Starting a gap assessment now is the only way to be ready in time.
The 72-hour clock starts at the point of discovery that an incident has affected a critical cyber system - not at the time the incident occurred. This means three things: (1) your incident detection must be capable of rapid discovery - Lavawall®-class continuous monitoring is essential; (2) you must have a pre-built definition of what "affects a critical cyber system" means, so classification doesn't consume time; and (3) your CSE notification workflow must be tested and ready to execute. ThreeShield builds both the detection capability and the notification runbook as part of the C-8 program.
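The three points above fit together as a small triage routine. The following is an added example written for this page, not ThreeShield's or Lavawall®'s code, and it assumes a constructed critical-system inventory (asset hostnames mapped to system names) and constructed alerts that carry both an event timestamp and a detection timestamp. It shows the scoping rule written down in advance, the deadline anchored to detection rather than to the event, and an escalation state that the notification runbook can act on.

```python
"""Added example: anchoring the 72-hour reporting window to discovery.

Everything here is constructed for illustration: the inventory, the alerts and the
'now' timestamp are not real data, and no real reporting API is called.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

REPORTING_WINDOW = timedelta(hours=72)   # statutory window from discovery
ESCALATE_UNDER = timedelta(hours=24)     # assumed internal escalation threshold

# Constructed inventory: asset hostname -> critical cyber system it belongs to.
# Writing this down ahead of time is what makes step (2) fast during an incident.
CRITICAL_SYSTEMS = {
    "scada-hist-01": "pipeline-control",
    "billing-db-02": "customer-billing",
}


@dataclass
class Alert:
    alert_id: str
    asset: str
    event_time: datetime      # when the activity actually happened
    detected_time: datetime   # when monitoring surfaced it (discovery)
    summary: str


@dataclass
class ReportDecision:
    alert_id: str
    critical_system: Optional[str]
    reportable: bool
    deadline: Optional[datetime]
    hours_remaining: Optional[float]
    status: str               # "out of scope", "open", "escalate" or "overdue"


def classify(alert: Alert) -> Optional[str]:
    """Pre-built scoping rule: an incident 'affects a critical cyber system'
    when the affected asset appears in the inventory."""
    return CRITICAL_SYSTEMS.get(alert.asset)


def triage(alert: Alert, now: datetime) -> ReportDecision:
    """Decide whether the alert starts the 72-hour clock and how much is left.

    The deadline is computed from detected_time, never from event_time: a long
    attacker dwell time does not shorten the window, and a slow detection
    pipeline does not extend the time available after discovery."""
    system = classify(alert)
    if system is None:
        return ReportDecision(alert.alert_id, None, False, None, None, "out of scope")
    deadline = alert.detected_time + REPORTING_WINDOW
    remaining = deadline - now
    if remaining < timedelta(0):
        status = "overdue"
    elif remaining < ESCALATE_UNDER:
        status = "escalate"
    else:
        status = "open"
    hours = round(remaining.total_seconds() / 3600, 1)
    return ReportDecision(alert.alert_id, system, True, deadline, hours, status)


def triage_all(alerts: List[Alert], now: datetime) -> List[ReportDecision]:
    return [triage(a, now) for a in alerts]


# Constructed sample alerts and a fixed 'now' so the example is reproducible.
UTC = timezone.utc
NOW = datetime(2026, 4, 3, 12, 0, tzinfo=UTC)
SAMPLE_ALERTS = [
    Alert("A1", "scada-hist-01", datetime(2026, 4, 1, 2, 0, tzinfo=UTC),
          datetime(2026, 4, 3, 9, 0, tzinfo=UTC), "unexpected remote session on historian"),
    Alert("A2", "laptop-17", datetime(2026, 4, 3, 8, 0, tzinfo=UTC),
          datetime(2026, 4, 3, 8, 5, tzinfo=UTC), "malware quarantined on user laptop"),
    Alert("A3", "billing-db-02", datetime(2026, 3, 30, 9, 30, tzinfo=UTC),
          datetime(2026, 3, 30, 10, 0, tzinfo=UTC), "bulk export from billing database"),
]


def run_demo() -> List[ReportDecision]:
    return triage_all(SAMPLE_ALERTS, NOW)


if __name__ == "__main__":
    for d in run_demo():
        print(d.alert_id, d.status, d.critical_system, d.deadline, d.hours_remaining)
```

Alert A1 was detected two days after the activity began, yet its deadline runs 72 hours from detection; A3 was detected quickly but is already overdue because the notification step never happened. The inventory lookup is deliberately simple so that the scoping decision is auditable rather than judgement-based under pressure.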
Bill C-8 applies directly to federally regulated pipeline operators - companies operating interprovincial or international pipelines under Canada Energy Regulator jurisdiction. These are typically the large Calgary-headquartered pipeline companies and their regulated pipeline subsidiaries. Alberta upstream operators (wells, in-province production facilities, in-province pipelines) under AER jurisdiction are not directly in scope of Bill C-8, but face the AER's own evolving cybersecurity expectations. See our Oil & Gas Security page for the full regulatory landscape including CER, AER, and NERC CIP.
The program must specifically address risks arising from supply chains and third-party vendors. In practice: identify all vendors and service providers with access to or connections with your critical cyber systems; assess their security practices (questionnaires, certifications, audit rights); establish contractual security requirements; and identify high-risk suppliers requiring deeper assessment. This is a formal assessment methodology, not a spreadsheet of vendor names. ThreeShield has a standardized supply chain risk assessment process aligned to C-8 expectations.
Bill C-8 (45-1) is the direct successor to Bill C-26 (44-1), which died when Parliament was prorogued. The core framework - mandatory cybersecurity programs, incident reporting, supply chain risk management, and government direction-making powers - is substantially the same. The 45th Parliament bill incorporates committee amendments and updated language following two full committee study processes across both parliaments. Organizations that began C-26 readiness work are ahead; specific program requirements should be verified against the current C-8 text as enacted.
Bill C-8 uses the concept of "designated operators" - organizations specifically designated by their sector regulator. Not every company in a regulated industry will be designated. Designation criteria are set by each regulator and typically focus on operators whose systems, if compromised, could cause widespread harm. Smaller operators may not be directly designated - but may face C-8 requirements passed down through contracts from larger designated operators who must manage their supply chain risks. Contact ThreeShield for a designation assessment specific to your business.
The 90-day program deadline, 72-hour CSE reporting requirement, and $15M/day penalties are weeks from becoming law. ThreeShield delivers C-8 gap assessments and full program development for every covered sector - at the engagement level that fits your team and timeline.