A plain-English breakdown of what Bill C-8 requires, which sectors it covers, and what designated operators must do now.
By Krikor Tengerian · Co-founder, SecuritAI Technologies Ltd. · Updated June 21, 2026

Bill C-8 at a glance
Bill C-8 is Canada’s federal cybersecurity law for critical infrastructure. It received Royal Assent on June 16, 2026, and through the Critical Cyber Systems Protection Act it requires designated operators to establish and maintain cybersecurity programs, report significant cyber incidents, and protect their systems, and their supply chains, from cyber threats. It is the most significant cybersecurity compliance obligation Canadian critical infrastructure operators have faced, and most organizations are not yet ready.
The timing is not academic. The Canadian Centre for Cyber Security names ransomware as the top cyber threat to Canada’s critical infrastructure. In 2025 a ransomware attack on Nova Scotia Power exposed the Social Insurance Numbers of roughly 140,000 customers. The average Canadian data breach now costs about USD 4.66 million. Bill C-8 turns cybersecurity from a best practice into a legal obligation with penalties measured in millions of dollars per day.
Bill C-8 targets the sectors the federal government has designated as critical to national security and public safety. The primary sectors are:
Provincial utilities, healthcare, and municipal governments are not directly covered by federal C-8 legislation but face parallel pressures from sector-specific regulators and procurement requirements that mirror C-8 obligations.
Designated operators under Bill C-8 must fulfill four core obligations:
A documented cybersecurity program covering risk identification, protection measures, incident detection and response, and recovery. The program must address the organization’s supply chain, not just its own systems.
Significant cyber incidents must be reported to the relevant regulatory authority. The reporting timelines are tight, operators must have detection and escalation processes in place before an incident occurs, not after.
The government can issue binding cybersecurity directions, specific technical or operational requirements, to designated operators when a threat to critical systems is identified. Non-compliance carries serious penalties.
Operators must assess and address cybersecurity risks that originate in their supply chain, vendors, technology providers, and third-party services that have access to or integrate with critical systems.
This is the question most operators have not yet asked, and it is urgent. AI is now operational in every designated sector. Energy companies use AI for grid management and predictive maintenance. Banks use it for fraud detection. Telecom operators use it for network optimization and customer systems. Transportation operators use it in logistics and routing.
None of these AI systems were in scope for traditional cybersecurity programs designed before AI became operational. Bill C-8’s cybersecurity program requirements extend to all critical systems, and AI systems that touch operations, data, or public-facing services qualify. That means operators need to answer: what did you test your AI against? What protects it at runtime? Where are the audit logs?
For a detailed breakdown of AI-specific C-8 obligations, see our guide: How Bill C-8 applies to AI systems in critical infrastructure.
The practical starting point is a gap assessment across three areas:
For compliance program documentation and evidence management, SecuritComply’s Bill C-8 compliance platform is built specifically for this. For AI security testing and runtime protection, SecuritAI’s government and critical infrastructure platform provides the adversarial testing evidence and firewall controls that a C-8 cybersecurity program needs at the AI layer.
Book a 15-minute briefing to see how SecuritAI maps to your Bill C-8 cybersecurity program requirements.
Bill C-8 is Canada’s federal legislation requiring designated operators of critical infrastructure, in telecommunications, banking, energy, and transportation, to establish cybersecurity programs, report significant incidents, comply with cybersecurity directions, and protect their supply chains from cyber threats.
Designated operators in federally regulated critical infrastructure sectors: telecommunications carriers, federally regulated banks and financial institutions, interprovincial energy pipelines and nuclear facilities, and federal transportation operators (airports, rail, marine). The government can add sectors through regulation.
The Critical Cyber Systems Protection Act sets administrative monetary penalties of up to $15 million per day for organizations and $1 million per day for individuals. Directors and officers can be held personally liable where they directed, authorized, or participated in a violation. Penalties apply to failures such as not establishing a cybersecurity program, not reporting incidents in time, or not complying with a government cybersecurity direction.
Bill C-8 received Royal Assent on June 16, 2026. The Critical Cyber Systems Protection Act is being phased in by regulation. Once an operator is designated, it has 90 days to establish and implement its cybersecurity program. Operators in the named sectors should begin gap assessments now rather than waiting for designation.
Yes. Bill C-8’s cybersecurity program requirements extend to all critical systems, including AI systems that are operational in critical infrastructure sectors. Operators must assess, protect, and document security controls for any AI system that touches operations, data, or public-facing services.
Start with a gap assessment: document your current cybersecurity program coverage, identify critical systems (including AI), assess incident reporting readiness, and map supply chain risks. SecuritComply provides a structured compliance platform for C-8 documentation and evidence management. SecuritAI provides the AI-layer security testing and runtime protection your C-8 program needs for AI systems.
Krikor Tengerian
Co-founder, SecuritAI Technologies Ltd.
Krikor Tengerian is the co-founder of SecuritAI Technologies and has over 25 years of experience in cybersecurity and IT infrastructure. He leads the company’s AI security platform and works with Canadian organizations and government bodies to secure their AI deployments against adversarial threats.