C-8 (45-1) - An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts
Chamber
commons
Stage
3rd Reading
Introduced
Jun 18, 2025
Progress
This bill creates new laws to protect Canada's telecommunications networks and critical digital systems from cyber threats.
Key Changes
- Adds 'security of the Canadian telecommunications system' as an official goal of Canadian telecommunications policy
- Gives Cabinet and the Minister of Industry power to order telecom companies to ban or remove specific products or suppliers deemed security threats
- Creates the Critical Cyber Systems Protection Act, a new law requiring operators of vital services (banking, energy, nuclear, transport, telecom) to build and maintain cybersecurity programs
- Requires designated operators to report cyber security incidents to the Communications Security Establishment (CSE) within 72 hours
- Establishes fines up to $15 million for corporations and up to $1 million for individuals who violate the new cybersecurity rules
- Requires the Minister to report annually to Parliament on orders issued and their necessity and effectiveness
Gotchas
- Orders can be kept secret: the government can prohibit companies from even disclosing that an order was issued, though the National Security and Intelligence Committee of Parliamentarians must be notified within 90 days
- No compensation clause: companies are explicitly not entitled to financial compensation from the government if they suffer losses due to being ordered to remove products or stop using certain suppliers
- The bill exempts security orders from the Statutory Instruments Act, meaning they are not subject to the usual scrutiny and publication requirements that apply to most government regulations
- Directors and officers of companies can be personally held liable for violations, even if the company itself is not prosecuted
- The bill explicitly states that orders cannot require companies to intercept private communications, preserving existing privacy protections under the Criminal Code
- Schedule 2, which lists the specific classes of operators subject to the new cybersecurity rules, is left blank in the bill — the actual companies covered will be determined later by Cabinet order, meaning the full scope of who is regulated is not yet defined
Who's Affected
- Telecommunications service providers (internet and phone companies)
- Banks and financial institutions
- Energy companies operating interprovincial pipelines and power lines
- Nuclear energy operators
- Federally regulated transportation companies
- Clearing and settlement system operators
- Foreign technology suppliers whose products may be banned from Canadian networks
Vibes
0 responses
Gotchas
- Orders can be kept secret: the government can prohibit companies from even disclosing that an order was issued, though the National Security and Intelligence Committee of Parliamentarians must be notified within 90 days
- No compensation clause: companies are explicitly not entitled to financial compensation from the government if they suffer losses due to being ordered to remove products or stop using certain suppliers
- The bill exempts security orders from the Statutory Instruments Act, meaning they are not subject to the usual scrutiny and publication requirements that apply to most government regulations
- Directors and officers of companies can be personally held liable for violations, even if the company itself is not prosecuted
- The bill explicitly states that orders cannot require companies to intercept private communications, preserving existing privacy protections under the Criminal Code
- Schedule 2, which lists the specific classes of operators subject to the new cybersecurity rules, is left blank in the bill — the actual companies covered will be determined later by Cabinet order, meaning the full scope of who is regulated is not yet defined
Summary
Bill C-8 has two main parts. The first part updates the Telecommunications Act to make security of Canada's phone and internet networks an official government goal. It gives the federal Cabinet and the Minister of Industry new powers to order telecom companies (like internet and phone providers) to remove or stop using products or services from specific companies if those products are considered a security threat. For example, the government could order a telecom company to remove equipment made by a foreign company it considers risky. Companies that break these orders can face large fines or criminal charges. The second part creates a brand new law called the Critical Cyber Systems Protection Act. This law sets up a framework to protect the computer systems that run Canada's most important services — things like banking, pipelines, nuclear energy, transportation, and telecommunications. Companies that operate these critical systems (called 'designated operators') must create cybersecurity plans, report cyber attacks within 72 hours, manage risks from their suppliers, and follow government directions during a cyber emergency. Multiple regulators — including the Bank of Canada, the Canadian Energy Regulator, and the Canadian Nuclear Safety Commission — are each responsible for overseeing companies in their sector. This bill was introduced in response to growing concerns about foreign interference in Canadian infrastructure and the increasing threat of cyberattacks on essential services. It is meant to bring Canada in line with similar cybersecurity laws in other countries.
Automatically generated from bill text using Claude
Vibes
0 responses