Bill C-8 is Canada’s federal cybersecurity law for critical infrastructure. It received Royal Assent on June 16, 2026 and, through the Critical Cyber Systems Protection Act, requires designated operators to run cybersecurity programs, report incidents, and manage supply chain risk, with penalties up to $15 million per day. Those requirements extend to the AI systems operators now run.
This is the SecuritAI hub for Bill C-8: what it requires, who it covers, and the AI-layer controls a compliant cybersecurity program needs.
Book a Government Briefing For Government & Critical Infrastructure
Bill C-8 created the Critical Cyber Systems Protection Act (CCSPA), Canada’s first dedicated cybersecurity law for critical infrastructure. It designates operators in telecommunications, banking, energy (pipelines, power, nuclear), and transportation, and requires them to establish cybersecurity programs, report significant incidents, comply with government cybersecurity directions, and address supply chain risk.
Designated operators must meet four core obligations, each backed by documented evidence: a cybersecurity program, incident reporting, readiness to act on government cybersecurity directions, and supply chain risk management. The cybersecurity program obligation extends to every critical system, and AI systems now qualify.
AI is operational in every designated sector: grid management in energy, fraud detection in banking, network optimization in telecom, logistics in transportation. These systems were never in scope for cybersecurity programs designed before AI became operational. A Bill C-8 program has to cover them, which means answering three questions for every AI system: what did you test it against, what protects it at runtime, and where are the audit logs.
Three in-depth guides covering the law, the checklist, and the AI layer.
Overview
Which sectors it covers, the four obligations, the penalties, and where AI fits in.
Read guide →
Checklist
All four obligations as action items, including the AI controls most programs miss.
Read guide →
AI Layer
The AI-specific controls regulators will expect, and why traditional programs don’t cover them.
Read guide →
SecuritAI provides the two AI-specific controls a Bill C-8 cybersecurity program needs:
Documented adversarial testing across the OWASP LLM Top 10, producing a findings report and remediation evidence your program can use for the security-testing obligation. Learn more →
Runtime monitoring and blocking of AI attacks, with a full audit log of every prompt and response, exportable for incident reporting and regulatory review. Learn more →
For the full compliance program (policy documentation, evidence management, risk register), SecuritComply’s Bill C-8 platform covers all four obligations.
Bill C-8 is Canada’s federal cybersecurity law for critical infrastructure, which received Royal Assent on June 16, 2026. Through the Critical Cyber Systems Protection Act, it requires designated operators in telecommunications, banking, energy, and transportation to establish cybersecurity programs, report incidents, comply with cybersecurity directions, and manage supply chain risk.
The Critical Cyber Systems Protection Act sets administrative monetary penalties of up to $15 million per day for organizations and $1 million per day for individuals. Directors and officers can be held personally liable where they directed, authorized, or participated in a violation.
Yes. The cybersecurity program obligation extends to all critical systems, including AI systems operational in critical infrastructure. Operators must assess, test, protect, and document controls for any AI system that touches operations, data, or public-facing services.
Once an operator is designated, it has 90 days to establish and implement its cybersecurity program. Operators in the named sectors should begin gap assessments now rather than waiting for designation.
Book a 15-minute briefing to map your AI controls against Bill C-8 cybersecurity program requirements.