Bill C-8 passed the House of Commons on March 26, 2026. Once Royal Assent is granted, designated operators have 90 days to establish a cybersecurity program - and must report incidents to the CSE within 72 hours. ThreeShield delivers role-specific training so every team member knows what C-8 requires of them, right now.
A Bill C-8 compliant cybersecurity program isn't a document that lives on a SharePoint site. It requires people across the organization to understand and act on their specific obligations - from the board that bears accountability, to the IT team that builds the 72-hour detection and reporting capability, to the procurement team that must now assess vendor cybersecurity as a mandatory program element.
The 72-hour CSE reporting obligation is the most operationally demanding: if the person who discovers an incident doesn't know it needs to be escalated immediately to trigger a regulatory notification workflow, the clock runs and the organization is non-compliant before anyone in leadership is even aware. Every person who could be the first to discover an incident needs to know what to do next.
Bill C-8 requires a cybersecurity program that addresses organizational cyber risks comprehensively. Regulators interpret this to include staff awareness - an organization whose workforce doesn't understand the reporting obligations, the critical systems at stake, or the security behaviours required is not running a functioning cybersecurity program, regardless of what the documentation says.
Each audience has different obligations under Bill C-8 and needs different training content.
Duration: 60-90 minutes
What Bill C-8 creates at the board level: personal liability for directors and officers, the 90-day program deadline and what it requires of leadership, the $15M/day organizational penalty regime, incident response decision authority, and the board's ongoing oversight obligations for the cybersecurity program.
Audience: Board directors, CEO, CFO, COO, General Counsel
Duration: Half-day
Detailed walkthrough of Bill C-8 requirements: designation criteria and how to assess your organization's status; the 90-day program deadline and documentation requirements; the 72-hour CSE incident reporting obligation and what triggers it; cybersecurity direction compliance obligations; interaction with PIPEDA/C-27, NERC CIP, and sector-specific regulations; and penalty assessment framework.
Audience: Compliance officers, legal counsel, risk managers, regulatory affairs
Duration: Full day
Technical implementation of C-8 program requirements: critical cyber system identification and classification methodology; building a 72-hour incident detection and CSE notification workflow (the most technically demanding obligation); supply chain security assessment processes; Lavawall® deployment and configuration for C-8 continuous monitoring; patch management and access control requirements; and program documentation structure.
Audience: CISO, IT managers, security analysts, NOC/SOC staff, system administrators
Duration: 3 hours
C-8's explicit supply chain risk management requirements applied to procurement practices: how to conduct vendor security assessments as a program element; what contractual security requirements are needed for vendors with access to critical cyber systems; identifying high-risk suppliers; managing vendor access controls; and the implications for network equipment and software procurement decisions - especially relevant for telecom operators facing cybersecurity directions on supplier selection.
Audience: Procurement managers, vendor managers, contract managers, operations leads
Duration: 2 hours
Practical awareness for staff who operate critical systems: what a "critical cyber system" is in your organization's context; how to recognize indicators of a cybersecurity incident; the immediate steps to take when something looks wrong - especially the internal escalation that triggers the 72-hour CSE reporting clock; and secure practices for operating in an environment where cyber threats specifically target critical infrastructure.
Audience: Control room operators, field technicians, SCADA/ICS operators, OT staff
Duration: 1 hour
Organization-wide awareness of Bill C-8 and what it means for employees: what the Act requires of your organization; why cybersecurity is now a legal obligation, not just best practice; what each employee's role is in the cybersecurity program; and what to do if they encounter or suspect a security incident. Satisfies the awareness component of the cybersecurity program requirement.
Audience: All staff - administrative, financial, operational, management
An employee notices something anomalous - a SCADA system behaving unexpectedly, an unusual login alert from Lavawall®, a vendor reporting a compromise that may have affected your systems. The 72-hour clock starts now. If this employee doesn't know what to do immediately, hours are lost.
The discovering employee escalates through a pre-defined channel (not improvised). The security team begins initial assessment: is this a cybersecurity incident? Does it affect a critical cyber system? If yes, the formal notification workflow activates. Without training and pre-built runbooks, this step takes hours or days instead of minutes.
Parallel tracks: the technical team investigates scope and impact while the notification workflow prepares the CSE report. The report must contain specific information - incident description, affected systems, initial impact assessment - that can only be assembled quickly if the technical team already knows what's required.
Using a pre-built notification template and confirmed incident facts, the compliance team prepares the CSE notification. Legal review as needed. Without a template and a trained compliance team, this stage routinely takes longer than the available time allows.
Notification submitted to the Communications Security Establishment within the 72-hour window. ThreeShield's training and runbooks make this achievable - without preparation, many organizations would fail this timeline on their first real incident.
Failure to report a cybersecurity incident affecting a critical cyber system within 72 hours is a violation of Bill C-8. Administrative penalties of up to $15 million per day for the organization and $1 million per day for responsible individuals apply. Penalties accrue daily for ongoing non-compliance. Missing the first reporting deadline and then failing to correct it within days creates compounding liability.
For organizations with internal training capability that need C-8 content and compliance tracking
ThreeShield delivers training; you coordinate participants and schedule
ThreeShield delivers training AND builds your C-8 cybersecurity program - addressing the 90-day deadline end to end
No - and this is the most common and costly mistake organizations in designated sectors make. The 90-day program deadline is extremely tight for organizations starting from scratch. Training the board, compliance team, and IT/security staff on C-8 obligations takes weeks to schedule and deliver. Beginning training before designation means your teams understand their obligations from day one of the 90-day clock, rather than spending the first month getting up to speed. The cost of training before designation is trivial compared to the cost of missing the deadline.
General security awareness training covers phishing, passwords, and basic incident reporting for IT systems. Bill C-8 training covers the regulatory compliance framework itself: what the law requires, what obligations apply to which roles, what the 72-hour reporting workflow requires in practice, and what it means to have a designated operator's accountability for critical infrastructure. It's regulatory education, not general cyber hygiene - both are needed, but they serve different purposes.
Yes. ThreeShield delivers training in person across Alberta and via virtual instructor-led sessions for distributed teams. For organizations with operations in multiple provinces or in multiple regulated sectors (e.g., a company with both pipeline and power generation operations), training content is tailored to the applicable regulatory regime for each group. We coordinate multi-session delivery schedules for large organizations.
Yes - and in the done-for-you engagement model, building the 72-hour CSE notification workflow is a core deliverable, not optional. The workflow includes: incident classification criteria (what triggers a mandatory notification), internal escalation chain, draft CSE notification template, and roles and responsibilities at each step. In the supported tier, ThreeShield guides your team through building it. Training without a tested workflow only solves half the problem.
The 72-hour reporting window and 90-day program deadline require that every person with a role in your cybersecurity program understands their obligations before the clock starts. ThreeShield delivers role-specific C-8 training for every audience - from board to field staff.
(403) 538-5053 · Calgary, AB · Virtual delivery available