BLOG

Bill C-8 Cybersecurity Compliance in Canada

Most Canadian business owners first encountered Bill C-8 not through government communications, but through vendor security questionnaires issued by banks, telecom providers, and transportation operators.

For many SMBs, the legislation is not appearing as a direct legal requirement, but as a procurement and supply-chain enforcement mechanism—where compliance expectations are embedded into contracts, onboarding requirements, and insurance conditions.

This is how Bill C-8 is effectively being operationalized in 2026: not only as regulation for critical infrastructure operators, but as a cascading cybersecurity baseline across their entire supply chain.

What is Bill C-8? (CCSPA Explained)

Bill C-8, formally titled An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, introduces the Critical Cyber Systems Protection Act (CCSPA).

The framework strengthens cybersecurity protections for systems essential to national security and public safety.

It allows federal regulators to:

– mandate cybersecurity programs

– enforce incident reporting obligations

– issue binding cybersecurity directions

– regulate supply-chain cybersecurity risks

Enforcement is distributed across sector regulators including OSFI, Transport Canada, Canadian Energy Regulator, Canadian Nuclear Safety Commission, and Industry Canada.

Not sure whether Bill C-8 applies to your organization directly or through your supply chain? Armour’s Advisory Services can map your exposure in a single engagement.

Armour Cybersecurity’s Integrated compliance audit services take organizations from initial gap assessment to audit-ready in 4 to 6 weeks across SOC 2, ISO 27001, HIPAA, and emerging Canadian standards. See how it works →

Penalties and Enforcement Structure

Bill C-8 includes penalties such as:

– up to $10M per violation for corporations

– increased penalties for repeat breaches

– personal liability for directors and officers

– potential criminal penalties for serious violations

Executive accountability is significantly expanded.

Two features of this penalty structure deserve attention. First, penalties apply per violation, organizations with failures across multiple sections face compounding exposure rather than a single cap. Second, and more consequentially for executives: directors and officers of designated operators carry personal liability if they are found to have directed, authorized, or participated in violations or offences.

How Bill C-8 intersects with PIPEDA, Quebec Law 25, and OSFI

Bill C-8 does not replace PIPEDA. It overlays a cybersecurity-program obligation on top of the privacy framework that already exists. Canadian organizations navigating 2026 are operating under multiple overlapping regimes simultaneously:

• PIPEDA remains the federal private-sector privacy floor, covering breach notification obligations (real risk of significant harm threshold), accountability, and safeguards requirements
• Quebec Law 25 (Law 25) has been in full force since September 2024 and is the strictest practical national standard, carrying penalties up to CA$25 million or 4% of worldwide turnover, applying to any business that collects personal information about a Quebec resident
• OSFI’s B-13 Guideline applies to federally regulated financial institutions and requires a technology and cyber risk management framework with board-level oversight
• Bill C-8 / CCSPA applies its cybersecurity-program obligations to designated critical infrastructure operators and flows into SMB supply chains through procurement and contract requirements

For most Canadian organizations with a national customer base, Quebec Law 25 is the de facto strictest standard because it applies to any business handling information about Quebec residents — which is essentially every business operating nationally. Building your compliance posture to satisfy Law 25 will carry you most of the way toward Bill C-8 readiness as well.

5 steps Canadian organizations should take right now

1. Assess your current cybersecurity posture against a recognized framework. Most Canadian SMBs have significant gaps between what they believe their controls do and what those controls actually prevent. A structured assessment, aligned to NIST CSF, ISO 27001, or CIS Controls, gives you a documented baseline and a gap analysis you can act on.
2. Determine your Bill C-8 exposure profile. Identify whether your organization is a direct designated operator or an indirect supply-chain participant to one. If you provide services to telecom, banking, energy, or federal transport operators, review your existing contracts for cybersecurity requirements and anticipate that new ones are coming.
3. Build or update your incident response plan. The CCSPA requires designated operators to report significant incidents promptly to CSE and sector regulators. For supply-chain participants, your clients will require evidence of a tested response capability. Only 26% of Canadian businesses had a written cybersecurity policy as of the most recent Statistics Canada survey.
4. Document everything. Bill C-8 gives regulators the authority to audit, inspect, and demand records. Your cybersecurity activities, risk assessments, decisions made, controls implemented, incidents detected, need to be recorded and maintained in a form that survives regulatory scrutiny. Documentation is your legal defence.
5. Engage your board. Bill C-8 explicitly places accountability at the director and officer level. Boards need to understand what the legislation requires while ensuring appropriate cybersecurity services are in place to support ongoing compliance. what your organization’s current posture is, and what the remediation roadmap looks like. If you do not have a mechanism for that conversation, establish one.

Armour Cybersecurity’s Board Advisory service places senior cybersecurity consultants at the table with your leadership team — translating regulatory obligation into board-level understanding and defensible governance. Learn about Board Advisory →

5 steps Canadian organizations should take right now

1. Assess your current cybersecurity posture against a recognized framework. Most Canadian SMBs have significant gaps between what they believe their controls do and what those controls actually prevent. A structured assessment, aligned to NIST CSF, ISO 27001, or CIS Controls, gives you a documented baseline and a gap analysis you can act on.
2. Determine your Bill C-8 exposure profile. Identify whether your organization is a direct designated operator or an indirect supply-chain participant to one. If you provide services to telecom, banking, energy, or federal transport operators, review your existing contracts for cybersecurity requirements and anticipate that new ones are coming.
3. Build or update your incident response plan. The CCSPA requires designated operators to report significant incidents promptly to CSE and sector regulators. For supply-chain participants, your clients will require evidence of a tested response capability. Only 26% of Canadian businesses had a written cybersecurity policy as of the most recent Statistics Canada survey.
4. Document everything. Bill C-8 gives regulators the authority to audit, inspect, and demand records. Your cybersecurity activities, risk assessments, decisions made, controls implemented, incidents detected, need to be recorded and maintained in a form that survives regulatory scrutiny. Documentation is your legal defence.
5. Engage your board. Bill C-8 explicitly places accountability at the director and officer level. Boards need to understand what the legislation requires while ensuring appropriate cybersecurity services are in place to support ongoing compliance. what your organization’s current posture is, and what the remediation roadmap looks like. If you do not have a mechanism for that conversation, establish one.

Armour Cybersecurity’s Board Advisory service places senior cybersecurity consultants at the table with your leadership team — translating regulatory obligation into board-level understanding and defensible governance. Learn about Board Advisory →

Does Bill C-8 apply to my business if I am not in critical infrastructure?

Not directly. Bill C-8 creates obligations for designated operators in federally regulated sectors: telecom, banking, energy, transport, and nuclear. However, if your organization supplies services to any of those sectors, you will feel the legislation indirectly through vendor questionnaires, contract clauses, and insurance requirements. The practical impact on supply-chain participants is already arriving in the form of procurement gates.

What cybersecurity controls does Bill C-8 mandate?

The legislation requires designated operators to establish and implement a cybersecurity program that includes risk assessments, incident response procedures, supply-chain risk management, and record-keeping. The specific controls are expected to be aligned with frameworks such as NIST CSF or ISO/IEC 27001. Sector-specific regulations issued after royal assent will clarify the detailed requirements for each designated sector.

Most Canadian business owners first heard about Bill C-8 through a vendor questionnaire, not a government notice. A supplier to a federally regulated bank or a transport operator gets a 14-page security questionnaire with a 30-day deadline, and suddenly a piece of legislation they assumed had nothing to do with them is dictating what they must demonstrate to keep the contract. That is how Bill C-8 is landing for the majority of Canadian SMBs in 2026, not as a direct legal obligation, but as a procurement gate, an insurance condition, and a new baseline that regulated buyers are using to vet everyone in their supply chain.

This article explains what Bill C-8 actually requires, who it directly covers, and, critically, what it means for Canadian businesses that are not designated operators but work alongside those that are.

What is Bill C-8 and what does it create?

Bill C-8, formally titled An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, was introduced in the House of Commons on June 18, 2025. It passed Third Reading in the House on March 26, 2026 and received Senate First Reading the same day, a milestone its predecessor Bill C-26 never reached before dying on prorogation in January 2025.

The centrepiece of Bill C-8 is the Critical Cyber Systems Protection Act (CCSPA), which establishes a federal framework for protecting cyber systems that are vital to national security or public safety. It gives the federal government authority to require designated operators to run documented cybersecurity programs, report significant incidents, manage supply-chain risk, and comply with government-issued cybersecurity directions on short notice.

Enforcement sits with existing sector regulators: the Minister of Industry, the Minister of Transport, the Superintendent of Financial Institutions (OSFI), the Bank of Canada, the Canadian Energy Regulator, and the Canadian Nuclear Safety Commission. Each regulator applies the framework to operators in their domain.

Not sure whether Bill C-8 applies to your organization directly or through your supply chain? Armour’s Advisory Services can map your exposure in a single engagement.

Armour Cybersecurity’s Integrated compliance audit services take organizations from initial gap assessment to audit-ready in 4 to 6 weeks across SOC 2, ISO 27001, HIPAA, and emerging Canadian standards. See how it works →

Penalties: what non-compliance actually costs

The CCSPA introduces a penalty structure designed to be significant at the scale of Canadian critical infrastructure. Based on the legislation and Charter Statement published by the Department of Justice:

• Corporations: up to CA$10 million per violation, rising to CA$15 million for repeat contraventions
• Individuals (including directors and officers): up to CA$25,000 for a first violation, CA$50,000 for subsequent violations
• Criminal offences: fines and imprisonment of up to five years for serious violations

Two features of this penalty structure deserve attention. First, penalties apply per violation, organizations with failures across multiple sections face compounding exposure rather than a single cap. Second, and more consequentially for executives: directors and officers of designated operators carry personal liability if they are found to have directed, authorized, or participated in violations or offences.

How Bill C-8 intersects with PIPEDA, Quebec Law 25, and OSFI

Bill C-8 does not replace PIPEDA. It overlays a cybersecurity-program obligation on top of the privacy framework that already exists. Canadian organizations navigating 2026 are operating under multiple overlapping regimes simultaneously:

• PIPEDA remains the federal private-sector privacy floor, covering breach notification obligations (real risk of significant harm threshold), accountability, and safeguards requirements
• Quebec Law 25 (Law 25) has been in full force since September 2024 and is the strictest practical national standard, carrying penalties up to CA$25 million or 4% of worldwide turnover, applying to any business that collects personal information about a Quebec resident
• OSFI’s B-13 Guideline applies to federally regulated financial institutions and requires a technology and cyber risk management framework with board-level oversight
• Bill C-8 / CCSPA applies its cybersecurity-program obligations to designated critical infrastructure operators and flows into SMB supply chains through procurement and contract requirements

For most Canadian organizations with a national customer base, Quebec Law 25 is the de facto strictest standard because it applies to any business handling information about Quebec residents — which is essentially every business operating nationally. Building your compliance posture to satisfy Law 25 will carry you most of the way toward Bill C-8 readiness as well.

5 steps Canadian organizations should take right now

1. Assess your current cybersecurity posture against a recognized framework. Most Canadian SMBs have significant gaps between what they believe their controls do and what those controls actually prevent. A structured assessment, aligned to NIST CSF, ISO 27001, or CIS Controls, gives you a documented baseline and a gap analysis you can act on.
2. Determine your Bill C-8 exposure profile. Identify whether your organization is a direct designated operator or an indirect supply-chain participant to one. If you provide services to telecom, banking, energy, or federal transport operators, review your existing contracts for cybersecurity requirements and anticipate that new ones are coming.
3. Build or update your incident response plan. The CCSPA requires designated operators to report significant incidents promptly to CSE and sector regulators. For supply-chain participants, your clients will require evidence of a tested response capability. Only 26% of Canadian businesses had a written cybersecurity policy as of the most recent Statistics Canada survey.
4. Document everything. Bill C-8 gives regulators the authority to audit, inspect, and demand records. Your cybersecurity activities, risk assessments, decisions made, controls implemented, incidents detected, need to be recorded and maintained in a form that survives regulatory scrutiny. Documentation is your legal defence.
5. Engage your board. Bill C-8 explicitly places accountability at the director and officer level. Boards need to understand what the legislation requires while ensuring appropriate cybersecurity services are in place to support ongoing compliance. what your organization’s current posture is, and what the remediation roadmap looks like. If you do not have a mechanism for that conversation, establish one.

Armour Cybersecurity’s Board Advisory service places senior cybersecurity consultants at the table with your leadership team — translating regulatory obligation into board-level understanding and defensible governance. Learn about Board Advisory →

5 steps Canadian organizations should take right now

1. Assess your current cybersecurity posture against a recognized framework. Most Canadian SMBs have significant gaps between what they believe their controls do and what those controls actually prevent. A structured assessment, aligned to NIST CSF, ISO 27001, or CIS Controls, gives you a documented baseline and a gap analysis you can act on.
2. Determine your Bill C-8 exposure profile. Identify whether your organization is a direct designated operator or an indirect supply-chain participant to one. If you provide services to telecom, banking, energy, or federal transport operators, review your existing contracts for cybersecurity requirements and anticipate that new ones are coming.
3. Build or update your incident response plan. The CCSPA requires designated operators to report significant incidents promptly to CSE and sector regulators. For supply-chain participants, your clients will require evidence of a tested response capability. Only 26% of Canadian businesses had a written cybersecurity policy as of the most recent Statistics Canada survey.
4. Document everything. Bill C-8 gives regulators the authority to audit, inspect, and demand records. Your cybersecurity activities, risk assessments, decisions made, controls implemented, incidents detected, need to be recorded and maintained in a form that survives regulatory scrutiny. Documentation is your legal defence.
5. Engage your board. Bill C-8 explicitly places accountability at the director and officer level. Boards need to understand what the legislation requires while ensuring appropriate cybersecurity services are in place to support ongoing compliance. what your organization’s current posture is, and what the remediation roadmap looks like. If you do not have a mechanism for that conversation, establish one.

Armour Cybersecurity’s Board Advisory service places senior cybersecurity consultants at the table with your leadership team — translating regulatory obligation into board-level understanding and defensible governance. Learn about Board Advisory →

Does Bill C-8 apply to my business if I am not in critical infrastructure?

Not directly. Bill C-8 creates obligations for designated operators in federally regulated sectors: telecom, banking, energy, transport, and nuclear. However, if your organization supplies services to any of those sectors, you will feel the legislation indirectly through vendor questionnaires, contract clauses, and insurance requirements. The practical impact on supply-chain participants is already arriving in the form of procurement gates.

What cybersecurity controls does Bill C-8 mandate?

The legislation requires designated operators to establish and implement a cybersecurity program that includes risk assessments, incident response procedures, supply-chain risk management, and record-keeping. The specific controls are expected to be aligned with frameworks such as NIST CSF or ISO/IEC 27001. Sector-specific regulations issued after royal assent will clarify the detailed requirements for each designated sector.

Most Canadian business owners first heard about Bill C-8 through a vendor questionnaire, not a government notice. A supplier to a federally regulated bank or a transport operator gets a 14-page security questionnaire with a 30-day deadline, and suddenly a piece of legislation they assumed had nothing to do with them is dictating what they must demonstrate to keep the contract. That is how Bill C-8 is landing for the majority of Canadian SMBs in 2026, not as a direct legal obligation, but as a procurement gate, an insurance condition, and a new baseline that regulated buyers are using to vet everyone in their supply chain.

This article explains what Bill C-8 actually requires, who it directly covers, and, critically, what it means for Canadian businesses that are not designated operators but work alongside those that are.

What is Bill C-8 and what does it create?

Bill C-8, formally titled An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, was introduced in the House of Commons on June 18, 2025. It passed Third Reading in the House on March 26, 2026 and received Senate First Reading the same day, a milestone its predecessor Bill C-26 never reached before dying on prorogation in January 2025.

The centrepiece of Bill C-8 is the Critical Cyber Systems Protection Act (CCSPA), which establishes a federal framework for protecting cyber systems that are vital to national security or public safety. It gives the federal government authority to require designated operators to run documented cybersecurity programs, report significant incidents, manage supply-chain risk, and comply with government-issued cybersecurity directions on short notice.

Enforcement sits with existing sector regulators: the Minister of Industry, the Minister of Transport, the Superintendent of Financial Institutions (OSFI), the Bank of Canada, the Canadian Energy Regulator, and the Canadian Nuclear Safety Commission. Each regulator applies the framework to operators in their domain.

Not sure whether Bill C-8 applies to your organization directly or through your supply chain? Armour’s Advisory Services can map your exposure in a single engagement.

Armour Cybersecurity’s Integrated compliance audit services take organizations from initial gap assessment to audit-ready in 4 to 6 weeks across SOC 2, ISO 27001, HIPAA, and emerging Canadian standards. See how it works →

Penalties: what non-compliance actually costs

The CCSPA introduces a penalty structure designed to be significant at the scale of Canadian critical infrastructure. Based on the legislation and Charter Statement published by the Department of Justice:

• Corporations: up to CA$10 million per violation, rising to CA$15 million for repeat contraventions
• Individuals (including directors and officers): up to CA$25,000 for a first violation, CA$50,000 for subsequent violations
• Criminal offences: fines and imprisonment of up to five years for serious violations

Two features of this penalty structure deserve attention. First, penalties apply per violation, organizations with failures across multiple sections face compounding exposure rather than a single cap. Second, and more consequentially for executives: directors and officers of designated operators carry personal liability if they are found to have directed, authorized, or participated in violations or offences.

How Bill C-8 intersects with PIPEDA, Quebec Law 25, and OSFI

Bill C-8 does not replace PIPEDA. It overlays a cybersecurity-program obligation on top of the privacy framework that already exists. Canadian organizations navigating 2026 are operating under multiple overlapping regimes simultaneously:

• PIPEDA remains the federal private-sector privacy floor, covering breach notification obligations (real risk of significant harm threshold), accountability, and safeguards requirements
• Quebec Law 25 (Law 25) has been in full force since September 2024 and is the strictest practical national standard, carrying penalties up to CA$25 million or 4% of worldwide turnover, applying to any business that collects personal information about a Quebec resident
• OSFI’s B-13 Guideline applies to federally regulated financial institutions and requires a technology and cyber risk management framework with board-level oversight
• Bill C-8 / CCSPA applies its cybersecurity-program obligations to designated critical infrastructure operators and flows into SMB supply chains through procurement and contract requirements

For most Canadian organizations with a national customer base, Quebec Law 25 is the de facto strictest standard because it applies to any business handling information about Quebec residents — which is essentially every business operating nationally. Building your compliance posture to satisfy Law 25 will carry you most of the way toward Bill C-8 readiness as well.

5 steps Canadian organizations should take right now

1. Assess your current cybersecurity posture against a recognized framework. Most Canadian SMBs have significant gaps between what they believe their controls do and what those controls actually prevent. A structured assessment, aligned to NIST CSF, ISO 27001, or CIS Controls, gives you a documented baseline and a gap analysis you can act on.
2. Determine your Bill C-8 exposure profile. Identify whether your organization is a direct designated operator or an indirect supply-chain participant to one. If you provide services to telecom, banking, energy, or federal transport operators, review your existing contracts for cybersecurity requirements and anticipate that new ones are coming.
3. Build or update your incident response plan. The CCSPA requires designated operators to report significant incidents promptly to CSE and sector regulators. For supply-chain participants, your clients will require evidence of a tested response capability. Only 26% of Canadian businesses had a written cybersecurity policy as of the most recent Statistics Canada survey.
4. Document everything. Bill C-8 gives regulators the authority to audit, inspect, and demand records. Your cybersecurity activities, risk assessments, decisions made, controls implemented, incidents detected, need to be recorded and maintained in a form that survives regulatory scrutiny. Documentation is your legal defence.
5. Engage your board. Bill C-8 explicitly places accountability at the director and officer level. Boards need to understand what the legislation requires while ensuring appropriate cybersecurity services are in place to support ongoing compliance. what your organization’s current posture is, and what the remediation roadmap looks like. If you do not have a mechanism for that conversation, establish one.

Armour Cybersecurity’s Board Advisory service places senior cybersecurity consultants at the table with your leadership team — translating regulatory obligation into board-level understanding and defensible governance. Learn about Board Advisory →

5 steps Canadian organizations should take right now

1. Assess your current cybersecurity posture against a recognized framework. Most Canadian SMBs have significant gaps between what they believe their controls do and what those controls actually prevent. A structured assessment, aligned to NIST CSF, ISO 27001, or CIS Controls, gives you a documented baseline and a gap analysis you can act on.
2. Determine your Bill C-8 exposure profile. Identify whether your organization is a direct designated operator or an indirect supply-chain participant to one. If you provide services to telecom, banking, energy, or federal transport operators, review your existing contracts for cybersecurity requirements and anticipate that new ones are coming.
3. Build or update your incident response plan. The CCSPA requires designated operators to report significant incidents promptly to CSE and sector regulators. For supply-chain participants, your clients will require evidence of a tested response capability. Only 26% of Canadian businesses had a written cybersecurity policy as of the most recent Statistics Canada survey.
4. Document everything. Bill C-8 gives regulators the authority to audit, inspect, and demand records. Your cybersecurity activities, risk assessments, decisions made, controls implemented, incidents detected, need to be recorded and maintained in a form that survives regulatory scrutiny. Documentation is your legal defence.
5. Engage your board. Bill C-8 explicitly places accountability at the director and officer level. Boards need to understand what the legislation requires while ensuring appropriate cybersecurity services are in place to support ongoing compliance. what your organization’s current posture is, and what the remediation roadmap looks like. If you do not have a mechanism for that conversation, establish one.

Armour Cybersecurity’s Board Advisory service places senior cybersecurity consultants at the table with your leadership team — translating regulatory obligation into board-level understanding and defensible governance. Learn about Board Advisory →

Does Bill C-8 apply to my business if I am not in critical infrastructure?

Not directly. Bill C-8 creates obligations for designated operators in federally regulated sectors: telecom, banking, energy, transport, and nuclear. However, if your organization supplies services to any of those sectors, you will feel the legislation indirectly through vendor questionnaires, contract clauses, and insurance requirements. The practical impact on supply-chain participants is already arriving in the form of procurement gates.

What cybersecurity controls does Bill C-8 mandate?

The legislation requires designated operators to establish and implement a cybersecurity program that includes risk assessments, incident response procedures, supply-chain risk management, and record-keeping. The specific controls are expected to be aligned with frameworks such as NIST CSF or ISO/IEC 27001. Sector-specific regulations issued after royal assent will clarify the detailed requirements for each designated sector.

Most Canadian business owners first heard about Bill C-8 through a vendor questionnaire, not a government notice. A supplier to a federally regulated bank or a transport operator gets a 14-page security questionnaire with a 30-day deadline, and suddenly a piece of legislation they assumed had nothing to do with them is dictating what they must demonstrate to keep the contract. That is how Bill C-8 is landing for the majority of Canadian SMBs in 2026, not as a direct legal obligation, but as a procurement gate, an insurance condition, and a new baseline that regulated buyers are using to vet everyone in their supply chain.

This article explains what Bill C-8 actually requires, who it directly covers, and, critically, what it means for Canadian businesses that are not designated operators but work alongside those that are.

What is Bill C-8 and what does it create?

Bill C-8, formally titled An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, was introduced in the House of Commons on June 18, 2025. It passed Third Reading in the House on March 26, 2026 and received Senate First Reading the same day, a milestone its predecessor Bill C-26 never reached before dying on prorogation in January 2025.

The centrepiece of Bill C-8 is the Critical Cyber Systems Protection Act (CCSPA), which establishes a federal framework for protecting cyber systems that are vital to national security or public safety. It gives the federal government authority to require designated operators to run documented cybersecurity programs, report significant incidents, manage supply-chain risk, and comply with government-issued cybersecurity directions on short notice.

Enforcement sits with existing sector regulators: the Minister of Industry, the Minister of Transport, the Superintendent of Financial Institutions (OSFI), the Bank of Canada, the Canadian Energy Regulator, and the Canadian Nuclear Safety Commission. Each regulator applies the framework to operators in their domain.

Not sure whether Bill C-8 applies to your organization directly or through your supply chain? Armour’s Advisory Services can map your exposure in a single engagement.

Armour Cybersecurity’s Integrated compliance audit services take organizations from initial gap assessment to audit-ready in 4 to 6 weeks across SOC 2, ISO 27001, HIPAA, and emerging Canadian standards. See how it works →

Penalties: what non-compliance actually costs

The CCSPA introduces a penalty structure designed to be significant at the scale of Canadian critical infrastructure. Based on the legislation and Charter Statement published by the Department of Justice:

• Corporations: up to CA$10 million per violation, rising to CA$15 million for repeat contraventions
• Individuals (including directors and officers): up to CA$25,000 for a first violation, CA$50,000 for subsequent violations
• Criminal offences: fines and imprisonment of up to five years for serious violations

Two features of this penalty structure deserve attention. First, penalties apply per violation, organizations with failures across multiple sections face compounding exposure rather than a single cap. Second, and more consequentially for executives: directors and officers of designated operators carry personal liability if they are found to have directed, authorized, or participated in violations or offences.

How Bill C-8 intersects with PIPEDA, Quebec Law 25, and OSFI

Bill C-8 does not replace PIPEDA. It overlays a cybersecurity-program obligation on top of the privacy framework that already exists. Canadian organizations navigating 2026 are operating under multiple overlapping regimes simultaneously:

• PIPEDA remains the federal private-sector privacy floor, covering breach notification obligations (real risk of significant harm threshold), accountability, and safeguards requirements
• Quebec Law 25 (Law 25) has been in full force since September 2024 and is the strictest practical national standard, carrying penalties up to CA$25 million or 4% of worldwide turnover, applying to any business that collects personal information about a Quebec resident
• OSFI’s B-13 Guideline applies to federally regulated financial institutions and requires a technology and cyber risk management framework with board-level oversight
• Bill C-8 / CCSPA applies its cybersecurity-program obligations to designated critical infrastructure operators and flows into SMB supply chains through procurement and contract requirements

For most Canadian organizations with a national customer base, Quebec Law 25 is the de facto strictest standard because it applies to any business handling information about Quebec residents — which is essentially every business operating nationally. Building your compliance posture to satisfy Law 25 will carry you most of the way toward Bill C-8 readiness as well.

5 steps Canadian organizations should take right now

1. Assess your current cybersecurity posture against a recognized framework. Most Canadian SMBs have significant gaps between what they believe their controls do and what those controls actually prevent. A structured assessment, aligned to NIST CSF, ISO 27001, or CIS Controls, gives you a documented baseline and a gap analysis you can act on.
2. Determine your Bill C-8 exposure profile. Identify whether your organization is a direct designated operator or an indirect supply-chain participant to one. If you provide services to telecom, banking, energy, or federal transport operators, review your existing contracts for cybersecurity requirements and anticipate that new ones are coming.
3. Build or update your incident response plan. The CCSPA requires designated operators to report significant incidents promptly to CSE and sector regulators. For supply-chain participants, your clients will require evidence of a tested response capability. Only 26% of Canadian businesses had a written cybersecurity policy as of the most recent Statistics Canada survey.
4. Document everything. Bill C-8 gives regulators the authority to audit, inspect, and demand records. Your cybersecurity activities, risk assessments, decisions made, controls implemented, incidents detected, need to be recorded and maintained in a form that survives regulatory scrutiny. Documentation is your legal defence.
5. Engage your board. Bill C-8 explicitly places accountability at the director and officer level. Boards need to understand what the legislation requires while ensuring appropriate cybersecurity services are in place to support ongoing compliance. what your organization’s current posture is, and what the remediation roadmap looks like. If you do not have a mechanism for that conversation, establish one.

Armour Cybersecurity’s Board Advisory service places senior cybersecurity consultants at the table with your leadership team — translating regulatory obligation into board-level understanding and defensible governance. Learn about Board Advisory →

5 steps Canadian organizations should take right now

1. Assess your current cybersecurity posture against a recognized framework. Most Canadian SMBs have significant gaps between what they believe their controls do and what those controls actually prevent. A structured assessment, aligned to NIST CSF, ISO 27001, or CIS Controls, gives you a documented baseline and a gap analysis you can act on.
2. Determine your Bill C-8 exposure profile. Identify whether your organization is a direct designated operator or an indirect supply-chain participant to one. If you provide services to telecom, banking, energy, or federal transport operators, review your existing contracts for cybersecurity requirements and anticipate that new ones are coming.
3. Build or update your incident response plan. The CCSPA requires designated operators to report significant incidents promptly to CSE and sector regulators. For supply-chain participants, your clients will require evidence of a tested response capability. Only 26% of Canadian businesses had a written cybersecurity policy as of the most recent Statistics Canada survey.
4. Document everything. Bill C-8 gives regulators the authority to audit, inspect, and demand records. Your cybersecurity activities, risk assessments, decisions made, controls implemented, incidents detected, need to be recorded and maintained in a form that survives regulatory scrutiny. Documentation is your legal defence.
5. Engage your board. Bill C-8 explicitly places accountability at the director and officer level. Boards need to understand what the legislation requires while ensuring appropriate cybersecurity services are in place to support ongoing compliance. what your organization’s current posture is, and what the remediation roadmap looks like. If you do not have a mechanism for that conversation, establish one.

Armour Cybersecurity’s Board Advisory service places senior cybersecurity consultants at the table with your leadership team — translating regulatory obligation into board-level understanding and defensible governance. Learn about Board Advisory →

Does Bill C-8 apply to my business if I am not in critical infrastructure?

Not directly. Bill C-8 creates obligations for designated operators in federally regulated sectors: telecom, banking, energy, transport, and nuclear. However, if your organization supplies services to any of those sectors, you will feel the legislation indirectly through vendor questionnaires, contract clauses, and insurance requirements. The practical impact on supply-chain participants is already arriving in the form of procurement gates.

What cybersecurity controls does Bill C-8 mandate?

The legislation requires designated operators to establish and implement a cybersecurity program that includes risk assessments, incident response procedures, supply-chain risk management, and record-keeping. The specific controls are expected to be aligned with frameworks such as NIST CSF or ISO/IEC 27001. Sector-specific regulations issued after royal assent will clarify the detailed requirements for each designated sector.