Canadian Critical Infrastructure

Bill C-8: Canada’s critical infrastructure cybersecurity law

Bill C-8 is Canada’s federal cybersecurity law for critical infrastructure. It received Royal Assent on June 16, 2026 and, through the Critical Cyber Systems Protection Act, requires designated operators to run cybersecurity programs, report incidents, and manage supply chain risk, with penalties up to $15 million per day. Those requirements extend to the AI systems operators now run.

This is the SecuritAI hub for Bill C-8: what it requires, who it covers, and the AI-layer controls a compliant cybersecurity program needs.

Book a Government Briefing For Government & Critical Infrastructure

⚡ Bill C-8 at a glance
Royal Assent: June 16, 2026
90 days to a program after designation
Up to $15M/day penalties
Directors personally liable

Bill C-8 created the Critical Cyber Systems Protection Act (CCSPA), Canada’s first dedicated cybersecurity law for critical infrastructure. It designates operators in telecommunications, banking, energy (pipelines, power, nuclear), and transportation, and requires them to establish cybersecurity programs, report significant incidents, comply with government cybersecurity directions, and address supply chain risk.

The four obligations

Designated operators must meet four core obligations, each backed by documented evidence: a cybersecurity program, incident reporting, readiness to act on government cybersecurity directions, and supply chain risk management. The cybersecurity program obligation extends to every critical system, and AI systems now qualify.

Why AI is the gap most programs miss

AI is operational in every designated sector: grid management in energy, fraud detection in banking, network optimization in telecom, logistics in transportation. These systems were never in scope for cybersecurity programs designed before AI became operational. A Bill C-8 program has to cover them, which means answering three questions for every AI system: what did you test it against, what protects it at runtime, and where are the audit logs.

How SecuritAI covers the AI layer of your Bill C-8 program

SecuritAI provides the two AI-specific controls a Bill C-8 cybersecurity program needs:

AI Red Teaming

Documented adversarial testing across the OWASP LLM Top 10, producing a findings report and remediation evidence your program can use for the security-testing obligation. Learn more →

AI Firewall

Runtime monitoring and blocking of AI attacks, with a full audit log of every prompt and response, exportable for incident reporting and regulatory review. Learn more →

For the full compliance program (policy documentation, evidence management, risk register), SecuritComply’s Bill C-8 platform covers all four obligations.

References

  1. Public Safety Canada, Royal Assent of Bill C-8 (June 2026)
  2. Canadian Centre for Cyber Security, National Cyber Threat Assessment 2025-2026
  3. Department of Justice Canada, Charter Statement on Bill C-8

Bill C-8 questions

What is Bill C-8?

Bill C-8 is Canada’s federal cybersecurity law for critical infrastructure, which received Royal Assent on June 16, 2026. Through the Critical Cyber Systems Protection Act, it requires designated operators in telecommunications, banking, energy, and transportation to establish cybersecurity programs, report incidents, comply with cybersecurity directions, and manage supply chain risk.

What are the penalties under Bill C-8?

The Critical Cyber Systems Protection Act sets administrative monetary penalties of up to $15 million per day for organizations and $1 million per day for individuals. Directors and officers can be held personally liable where they directed, authorized, or participated in a violation.

Does Bill C-8 apply to AI systems?

Yes. The cybersecurity program obligation extends to all critical systems, including AI systems operational in critical infrastructure. Operators must assess, test, protect, and document controls for any AI system that touches operations, data, or public-facing services.

How long do operators have to comply?

Once an operator is designated, it has 90 days to establish and implement its cybersecurity program. Operators in the named sectors should begin gap assessments now rather than waiting for designation.

Get your AI ready for Bill C-8

Book a 15-minute briefing to map your AI controls against Bill C-8 cybersecurity program requirements.

Book a Government Briefing Start Free


Scroll to Top