Bill C-8 is Canada’s federal cybersecurity law for critical infrastructure. It received Royal Assent on June 16, 2026 and, through the Critical Cyber Systems Protection Act, requires designated operators in telecommunications, banking, energy, and transportation to run documented cybersecurity programs, report significant incidents, and manage supply chain cyber risk. Penalties reach 15 million dollars per day, and the obligations flow down to the vendors those operators rely on.
If you run or supply a critical infrastructure business in Canada, Bill C-8 changes what is expected of your cybersecurity. This guide covers who the law affects, the four obligations it creates, the penalties, and how a managed security service provider gets Toronto and GTA businesses ready without building a security team from scratch.
What is Bill C-8?
The law created the Critical Cyber Systems Protection Act, Canada’s first dedicated cybersecurity legislation for critical infrastructure. It requires designated operators to protect the systems Canadians depend on for essential services. The reason is not hard to find. The Canadian Centre for Cyber Security names ransomware as the top cyber threat to this infrastructure, and 2025 made the point: a ransomware attack on Nova Scotia Power exposed the Social Insurance Numbers of roughly 140,000 customers. The average Canadian data breach now costs about 4.66 million US dollars.
Who has to comply with Bill C-8?
The law directly designates large operators in four sectors:
- Telecommunications: carriers and network operators
- Banking and finance: banks and clearing and settlement systems
- Energy: interprovincial and international pipelines, power lines, and nuclear systems
- Transportation: federal rail, air, and marine operators
Not a designated operator? You are still in scope, just indirectly. The Act requires those operators to assess and address cyber risk in their supply chain, so they push security requirements down to the smaller businesses that supply, service, or integrate with them. Most Toronto and GTA companies will first meet C-8 as a security questionnaire or a clause buried in a contract from a larger client.
The four obligations under Bill C-8
Designated operators must meet four core obligations, each backed by documented evidence:
1. Establish a cybersecurity program
A documented program covering risk identification, protection, detection, response, and recovery. It has to address the supply chain, not just the operator’s own systems.
2. Report cyber incidents
Significant incidents must be reported to the relevant regulator within tight timelines. Detection and escalation have to be in place and tested before an incident happens, not improvised after.
3. Comply with cybersecurity directions
The government can issue binding technical directions, and organizations must be able to act on them quickly.
4. Manage supply chain risk
Operators must assess and address cyber risk from vendors and third parties. This is the obligation that reaches small and mid-sized suppliers across the GTA.
How managed cybersecurity gets you Bill C-8 ready
The cybersecurity program the law describes is, in plain terms, the service a managed security provider delivers every day. Instead of hiring and keeping an in-house security operations centre, you get continuous coverage and the documented evidence regulators and prime contractors expect.
- 24/7 monitoring and detection: a managed cybersecurity service watches your network, endpoints, and cloud around the clock, which is the detection requirement at the core of the program.
- Incident response and reporting: defined escalation, tested playbooks, and documentation aligned to regulator timelines.
- Vulnerability management and testing: scheduled assessments with findings and remediation evidence.
- Supply chain assessments: vendor security reviews and the paperwork that lets you answer a designated operator’s questionnaire with confidence.
For a Toronto or GTA business, this turns a daunting piece of legislation into a managed, predictable program, with the evidence trail that proves it.
What to do now
Start with a gap assessment. Document your current controls, find where you fall short of a C-8-style program, and map which of your clients are designated operators that will push requirements down to you. Secur-IT Data Solutions runs a no-obligation assessment for Toronto and GTA businesses, then builds a managed program that closes the gaps and keeps the evidence current.
References
- Public Safety Canada, Royal Assent of Bill C-8
- Canadian Centre for Cyber Security, National Cyber Threat Assessment 2025-2026
- Department of Justice Canada, Charter Statement on Bill C-8
Ready to get Bill C-8 ready?
Secur-IT Data Solutions is a Toronto-based MSSP providing enterprise-grade cybersecurity for Canadian businesses. Whether you need a cybersecurity program, incident response, supply chain assessments, or full managed security services, our team is ready to help. Get a free consultation:
📞 Call us: +1 (647) 948-6768
📧 Email: info@securitdata.ca
Bill C-8 frequently asked questions
Does Bill C-8 apply to small and mid-sized businesses?
Bill C-8 directly designates large operators in telecommunications, banking, energy, and transportation. Small and mid-sized businesses are affected indirectly but materially, because Bill C-8 requires designated operators to assess and address supply chain cyber risk. That means they pass security requirements down to the vendors and service providers they rely on. If your business supplies or integrates with a designated operator, expect to prove your security posture.
When did Bill C-8 become law and what is the deadline?
Bill C-8 received Royal Assent on June 16, 2026. The Critical Cyber Systems Protection Act it created is being phased in by regulation. Once an operator is designated, it has 90 days to establish and implement a cybersecurity program, so designated operators and their suppliers should begin gap assessments now.
What are the penalties under Bill C-8?
Bill C-8 sets administrative monetary penalties of up to 15 million dollars per day for organizations and 1 million dollars per day for individuals. Directors and officers can be held personally liable where they directed, authorized, or participated in a violation.
How does a managed security service provider help with Bill C-8?
Bill C-8 requires a documented cybersecurity program with continuous monitoring, incident detection and reporting, and supply chain risk management. A managed security service provider delivers these capabilities as a service: 24/7 SOC monitoring, incident response, vulnerability management, and the documented evidence regulators and prime contractors expect, without the cost of an in-house security operations centre.
What sectors does Bill C-8 cover?
Bill C-8 covers federally regulated critical infrastructure: telecommunications carriers, banking and clearing and settlement systems, interprovincial and international pipelines and power lines, nuclear energy systems, and transportation systems. The government can designate additional operators through regulation.

Krikor Tengerian is the CEO and founder of Secur-IT Data Solutions, a Toronto-based cybersecurity firm focused on helping Canadian organizations secure their infrastructure and critical systems. With over 25 years of experience across cybersecurity and IT infrastructure, he has supported organizations in hardening networks, protecting critical workloads, and aligning security controls with business and regulatory requirements.
Krikor actively shapes the direction and themes of Secur-IT’s educational content, collaborating with AI tools to structure, refine, and expand articles while providing the real-world context, use cases, and review to keep them accurate and practical for readers. He regularly shares insights on OT security, threat detection, incident response, and Canadian cybersecurity compliance to help industrial and commercial organizations better understand and reduce their cyber risk.




