Bill C-8 Reboots Canada’s Cybersecurity Legislation for the Telecommunications Sector and Other Critical Infrastructure

On June 18, 2025, the Honourable Gary Anandasangaree, Minister of Public Safety, tabled Bill C-8, An Act respecting cyber security, amending the Telecommunications Act. The bill has now advanced to second reading in the House of Commons.

Nearly identical to its predecessor, Bill C-26 (introduced in 2022 and analyzed by Fasken at that time), Bill C-8 signals that the federal government remains committed to strengthening the resilience of Canada’s critical infrastructure and digital systems. Bill C-26 died on the Order Paper when Parliament was prorogued at the beginning of 2025.

If enacted, Bill C-8 would:

1. Amend the Telecommunications Act, to expand federal oversight of telecommunications networks in the interest of national security; and
2. Enact the Critical Cyber Systems Protection Act (“CCSPA”), introducing mandatory cybersecurity obligations for operators of vital services and systems.

Amendments to the Telecommunications Act

Bill C-8 would give the Governor in Council and the Minister of Industry broad authority to issue binding orders to telecommunications service providers.

These powers would include the ability to:

• Prohibit the use of products and services from specified suppliers;
• Direct the removal of high-risk equipment from telecommunications networks; and
• Require prior approval for procurement, upgrades, or service agreements involving designated technologies.^[1]

These powers are intended to safeguard telecommunications infrastructure against interference, manipulation or disruption. Non-compliance would carry significant penalties:

• Individuals: up to $25,000 for the first violation, and $50,000 for subsequent violations;
• Corporations: up to $10 million, increasing to $15 million for repeat offences.^[2]

Critical Cyber Systems Protection Act

The CCSPA would apply to federally regulated organizations that support prescribed vital services or systems, such as telecommunications, energy, transportation, banking, and nuclear facilities. The initial list of vital services and systems is set out in the Schedule 1 to the CCSPA and includes sectors under federal jurisdiction (e.g., interprovincial pipelines and transportation undertakings subject to Parliament’s legislative authority). If passed, the legislation will allow the federal government to designate classes of operators of prescribed vital services or systems to which obligations would apply (“designated operators”) and assign regulators to each sector.

Among other things, designated operators under the CCSPA would be required to:

• Establish, implement, and maintain a cybersecurity program within 90 days^[3] of designation, notify the appropriate regulator that such a program has been established, and provide the appropriate regulator with the program;
• Conduct annual reviews of their cybersecurity program and notify regulators of any changes;
• Manage and mitigate risks related to third-party service providers and supply chains;
• Report cybersecurity incidents to the Communications Security Establishment and notify their regulators;
• Comply with confidential cybersecurity directions issued by the federal government; and
• Maintain all cybersecurity records in Canada, in a prescribed manner and location.^[4]

Compliance and Enforcement under the CCSPA

The CCSPA would grant regulators extensive powers to verify compliance, including the authority to conduct audits, issue compliance orders, and enter premises.

Enforcement would include both administrative and criminal measures:

• Administrative penalties: monetary penalties, compliance agreements, and personal liability for directors and officers,
• Criminal Offences: fines and imprisonment for up to five years for serious violations.^[5]

Next Steps

Telecommunications service providers and other operators of prescribed critical infrastructure should begin reviewing their cybersecurity procedures, policies, agreements, and incident response processes in anticipation of new requirements to maintain comprehensive cybersecurity programs.

For further background, see our earlier bulletin:Fasken - Bill C-26: New Cybersecurity Requirements in Critical Infrastructure.