Critical Infrastructure

What is Bill C-8? Canada’s critical infrastructure cybersecurity law explained

A plain-English breakdown of what Bill C-8 requires, which sectors it covers, and what designated operators must do now.

By Krikor Tengerian · Co-founder, SecuritAI Technologies Ltd. · Updated June 21, 2026

Bill C-8 Canada critical infrastructure cybersecurity

Bill C-8 at a glance

  • Status: Received Royal Assent on June 16, 2026. It is now law.
  • What it creates: the Critical Cyber Systems Protection Act (CCSPA), phased in by regulation.
  • Who it covers: designated operators in telecommunications, banking, energy (pipelines, power, nuclear), and transportation.
  • Deadline: a cybersecurity program must be in place within 90 days of being designated.
  • Penalties: up to $15 million per day for organizations and $1 million per day for individuals. Directors and officers can be held personally liable.

Bill C-8 is Canada’s federal cybersecurity law for critical infrastructure. It received Royal Assent on June 16, 2026, and through the Critical Cyber Systems Protection Act it requires designated operators to establish and maintain cybersecurity programs, report significant cyber incidents, and protect their systems, and their supply chains, from cyber threats. It is the most significant cybersecurity compliance obligation Canadian critical infrastructure operators have faced, and most organizations are not yet ready.

The timing is not academic. The Canadian Centre for Cyber Security names ransomware as the top cyber threat to Canada’s critical infrastructure. In 2025 a ransomware attack on Nova Scotia Power exposed the Social Insurance Numbers of roughly 140,000 customers. The average Canadian data breach now costs about USD 4.66 million. Bill C-8 turns cybersecurity from a best practice into a legal obligation with penalties measured in millions of dollars per day.

Which sectors does Bill C-8 cover?

Bill C-8 targets the sectors the federal government has designated as critical to national security and public safety. The primary sectors are:

  • Telecommunications, carriers, internet providers, and network operators
  • Banking and finance, federally regulated financial institutions
  • Energy and utilities, pipelines, nuclear facilities, and electricity operators
  • Transportation, federal airports, rail, and marine operators

Provincial utilities, healthcare, and municipal governments are not directly covered by federal C-8 legislation but face parallel pressures from sector-specific regulators and procurement requirements that mirror C-8 obligations.

What does Bill C-8 require?

Designated operators under Bill C-8 must fulfill four core obligations:

1. Establish a cybersecurity program

A documented cybersecurity program covering risk identification, protection measures, incident detection and response, and recovery. The program must address the organization’s supply chain, not just its own systems.

2. Report cyber incidents

Significant cyber incidents must be reported to the relevant regulatory authority. The reporting timelines are tight, operators must have detection and escalation processes in place before an incident occurs, not after.

3. Comply with cybersecurity directions

The government can issue binding cybersecurity directions, specific technical or operational requirements, to designated operators when a threat to critical systems is identified. Non-compliance carries serious penalties.

4. Protect the supply chain

Operators must assess and address cybersecurity risks that originate in their supply chain, vendors, technology providers, and third-party services that have access to or integrate with critical systems.

What does Bill C-8 mean for AI systems?

This is the question most operators have not yet asked, and it is urgent. AI is now operational in every designated sector. Energy companies use AI for grid management and predictive maintenance. Banks use it for fraud detection. Telecom operators use it for network optimization and customer systems. Transportation operators use it in logistics and routing.

None of these AI systems were in scope for traditional cybersecurity programs designed before AI became operational. Bill C-8’s cybersecurity program requirements extend to all critical systems, and AI systems that touch operations, data, or public-facing services qualify. That means operators need to answer: what did you test your AI against? What protects it at runtime? Where are the audit logs?

For a detailed breakdown of AI-specific C-8 obligations, see our guide: How Bill C-8 applies to AI systems in critical infrastructure.

What should designated operators do now?

The practical starting point is a gap assessment across three areas:

  • Program documentation, does a written cybersecurity program exist that meets C-8 scope and depth requirements?
  • Incident reporting readiness, are detection, escalation, and reporting processes in place and tested?
  • AI coverage, are AI systems in scope identified, tested, and protected by the cybersecurity program?

For compliance program documentation and evidence management, SecuritComply’s Bill C-8 compliance platform is built specifically for this. For AI security testing and runtime protection, SecuritAI’s government and critical infrastructure platform provides the adversarial testing evidence and firewall controls that a C-8 cybersecurity program needs at the AI layer.

Assess your C-8 AI security posture

Book a 15-minute briefing to see how SecuritAI maps to your Bill C-8 cybersecurity program requirements.

Book a Government Briefing

Bill C-8 questions

What is Bill C-8 in Canada?

Bill C-8 is Canada’s federal legislation requiring designated operators of critical infrastructure, in telecommunications, banking, energy, and transportation, to establish cybersecurity programs, report significant incidents, comply with cybersecurity directions, and protect their supply chains from cyber threats.

Who must comply with Bill C-8?

Designated operators in federally regulated critical infrastructure sectors: telecommunications carriers, federally regulated banks and financial institutions, interprovincial energy pipelines and nuclear facilities, and federal transportation operators (airports, rail, marine). The government can add sectors through regulation.

What are the penalties for non-compliance with Bill C-8?

The Critical Cyber Systems Protection Act sets administrative monetary penalties of up to $15 million per day for organizations and $1 million per day for individuals. Directors and officers can be held personally liable where they directed, authorized, or participated in a violation. Penalties apply to failures such as not establishing a cybersecurity program, not reporting incidents in time, or not complying with a government cybersecurity direction.

When did Bill C-8 become law and when do operators have to comply?

Bill C-8 received Royal Assent on June 16, 2026. The Critical Cyber Systems Protection Act is being phased in by regulation. Once an operator is designated, it has 90 days to establish and implement its cybersecurity program. Operators in the named sectors should begin gap assessments now rather than waiting for designation.

Does Bill C-8 apply to AI systems?

Yes. Bill C-8’s cybersecurity program requirements extend to all critical systems, including AI systems that are operational in critical infrastructure sectors. Operators must assess, protect, and document security controls for any AI system that touches operations, data, or public-facing services.

How do I start a Bill C-8 compliance program?

Start with a gap assessment: document your current cybersecurity program coverage, identify critical systems (including AI), assess incident reporting readiness, and map supply chain risks. SecuritComply provides a structured compliance platform for C-8 documentation and evidence management. SecuritAI provides the AI-layer security testing and runtime protection your C-8 program needs for AI systems.


KT

Krikor Tengerian

Co-founder, SecuritAI Technologies Ltd.

Krikor Tengerian is the co-founder of SecuritAI Technologies and has over 25 years of experience in cybersecurity and IT infrastructure. He leads the company’s AI security platform and works with Canadian organizations and government bodies to secure their AI deployments against adversarial threats.



LinkedIn

← Back to the blog


Scroll to Top