Bill C-8
Bill C-8 (formerly Bill C-26) enacts Canada's Critical Cyber Systems Protection Act, imposing mandatory cybersecurity obligations on telecoms, finance, energy and transport critical infrastructure and granting binding executive powers to prohibit high-risk supplier equipment; cleared the Senate in June 2026.
Last refreshed: 14 June 2026 · Appears in 1 active topic
What does Canada's Bill C-8 require critical infrastructure operators to do?
Timeline for Bill C-8
Cleared the Canadian Senate awaiting Royal Assent, mirroring the UK bill's passage
Cybersecurity: Threats and Defences: UK cyber bill drops payment regime- What is Canada's Bill C-8 cyber security law?
- Bill C-8, the Critical Cyber Systems Protection Act, imposes mandatory cybersecurity obligations and incident reporting on Canadian critical infrastructure operators in telecoms, finance, energy and transport. It cleared the Senate in June 2026.Source: event
- What is the difference between Bill C-8 and Bill C-26?
- They are the same legislation. Bill C-26 was the designation in the 44th Parliament; the bill was reintroduced as Bill C-8 in a subsequent Parliament and advanced to Senate clearance in June 2026.
- Does Canada's cyber bill ban Huawei?
- Bill C-8 grants ministers power to direct critical infrastructure operators to stop using specific products or services on national security grounds, a provision designed in part to address supply-chain risks associated with high-risk vendors including Huawei.
- How does Canada's cyber law compare to the UK's Cyber Security and Resilience Bill?
- Both impose mandatory reporting and security standards on critical infrastructure operators and cleared major legislative milestones in the same week of June 2026. The UK bill also covers managed service providers and cloud services, giving it a wider scope than Canada's sector-specific framework.Source: event
Background
Bill C-8, formally the Critical Cyber Systems Protection Act, cleared Canada's Senate in June 2026 after a lengthy legislative journey that began under the earlier designation Bill C-26 in the 44th Parliament. The legislation imposes mandatory cybersecurity obligations on operators of critical infrastructure across four sectors: telecommunications, banking and financial services, energy, and transport. It also grants federal ministers binding powers to issue directions prohibiting the use of specific supplier products or services deemed a national security risk. Royal Assent follows Senate passage.
The bill's design reflects Five Eyes coordination: it passed in the same week as the UK Cyber Security and Resilience Bill's Commons third reading, establishing near-parallel critical infrastructure cyber obligations across two G7 members. Both frameworks concentrate on mandatory incident reporting, baseline security standards, and executive powers to exclude high-risk vendors, though the UK bill's scope extends to managed service providers and cloud services in ways the Canadian text does not directly mirror. The Canadian framework notably includes fines for non-compliance and a civil liability carve-out for operators who follow a ministerial direction in good faith.
For multinational operators, Bill C-8 creates a new regulatory layer alongside existing US CISA obligations and the EU's NIS 2 Directive. Compliance programmes will need to reconcile differing incident-reporting timelines and sector definitions across jurisdictions. The supply-chain security provisions (principally the power to exclude specific vendors) have been the most commercially sensitive element, drawing comparisons with US actions against Huawei equipment in telecommunications networks.
