A new era of cybersecurity governance in Canada

In June 2025, the Government of Canada introduced Bill C-8, formally titled An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, as a crucial step to protect the country’s critical infrastructure against cybersecurity threats. The proposed bill builds on and expands the policy framework introduced by Bill C-26 in 2022, even though Bill C-26 did not pass before Parliament was prorogued.

In simple terms, Bill C-8 provides a legal framework that requires designated operators (DOs) in critical sectors to enhance their cybersecurity strategies, report incidents quickly and comply with the new federal standards to strengthen national security.

The emphasis this legislation places on resiliency, that is, the ability of an organization to withstand an incident while continuing to operate, is especially welcome. Why? Because that is the “name of the game” when it comes to cyber resilience. This legislation signals a meaningful shift in how cybersecurity will be governed and enforced in Canada.

Obligations of designated operators under Bill C-8

Bill C-8 applies to organizations operating in federally regulated sectors critical to Canada’s infrastructure, including telecommunications, financial services, energy, transportation and clearing systems. These are the DOs. Additional entities may be designated by regulation or ministerial order. These sectors are identified not only for their economic significance, but also for their potential impact on public safety and national resilience in the event of a cyber incident.

If you are a DO, here is what you need to know and act on:

1. Develop a mandatory cybersecurity program

Within 90 days of being notified, your organization must design and implement a Cyber Security Program (CSP) and submit it to the Canadian Centre for Cyber Security (CCCS) for annual review.

Key parts of a CSP include:

  • Identification and mitigation of internal and external cyber risks
  • Assessment and management of supply chain vulnerabilities
  • Protocols for detection, containment and recovery of cyber incidents
  • Data retention and access policies
  • Procedures for governance oversight and periodic review (this includes the Board)

Tip: Pay extra attention to third-party and supply chain risks since these create major vulnerabilities.

2. Quickly report cyber incidents

One of the most significant developments under Bill C-8 is the centralization of incident reporting and oversight under the CCCS. This move consolidates what was previously a fragmented regulatory landscape into a unified federal framework.

You must alert the CCCS within 72 hours when a cyberattack occurs, while also meeting the existing reporting requirements in your sector (e.g., banks adhering to OSFI B-13 guidelines or energy firms reporting to the Canadian Energy Regulator). This dual requirement may require your compliance, legal and IT teams to collaborate.

Tip: Establish a relationship and a communication path with the CCCS before an incident actually occurs.

3. Follow cybersecurity directions (CSDs)

Under Bill C-8, ministers may issue confidential, legally binding directives to your organization requiring actions such as disabling or removing specific technologies. Complying with a directive can significantly impact daily operations, and no compensation is provided, so you must stay alert to evolving mandates and potential penalties.

Tip: Stay abreast of what is happening in your industry and among your peers. Leverage cyber threat intelligence.

4. Avoid hefty penalties

Non-compliance is costly. Corporations could face penalties of up to $15 million per day, and individuals up to $1 million per day, with possible criminal liability for obstruction or intentional non-compliance. Directors may also face personal accountability, and violations can be made public.

Tip: Check your compliance readiness and be prepared.

How to prepare

Start by assessing your existing cybersecurity program and identifying any gaps. For instance:

  • Is your organization considered a designated operator? Have you mapped all critical systems, services and operations?
  • Does your organization have an established governance framework with clear roles, responsibilities and implemented procedures to meet compliance obligations?
  • Does your organization possess internal capacity to effectively respond to breaches, regulatory inspections, audits and compliance orders?
  • Do your cybersecurity measures account for both internal and external risks?
  • Have vulnerabilities within your supply chain been investigated, and are robust third-party risk management strategies in place?
  • Is your reporting framework aligned with dual-reporting requirements, ensuring streamlined processes for mandatory and voluntary disclosures?

KPMG’s support for designated operators

KPMG supports DOs across critical sectors (telecom, energy and financial services) by aligning cybersecurity programs with leading frameworks such as NIST, ISO, OSFI B-13 and DORA, helping organizations build resilience and readiness. Our offerings include:

  • Cyber resilience strategies: Tailored frameworks to strengthen organizational resilience.
  • Regulatory readiness assessments: Benchmarking against Bill C-8 to guide compliance and resilience.
  • Third-party risk management: Governance of vendor ecosystems to ensure supply chain integrity.
  • Incident response planning: Playbooks, exercises and regulatory coordination for real-world preparedness.

Bill C-8 signals a new era in Canada’s cybersecurity landscape, with DOs at the forefront. By adapting to these changes proactively, your organization will not only meet the legal requirements but also enhance its reputation and preparedness for future challenges. KPMG is committed to helping organizations navigate this transition with clarity, confidence and resilience.