On June 18, 2025, the Minister of Public Safety introduced Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-8). If passed, Bill C-8 would enact the Critical Cyber Systems Protection Act (CCSPA), which was introduced in the previous Parliament under Bill C-26. The CCSPA aims to protect critical cyber systems considered integral to Canadian infrastructure and public safety.
The CCSPA would impose a series of cybersecurity-related obligations on industries providing “vital services” or “vital systems” including:
- Telecommunications services
- Interprovincial or international pipeline and power line systems
- Nuclear energy systems
- Transportation systems within the legislative authority of Parliament
- Banking systems
- Clearing and settlement systems
Designated operators of these vital services and systems would be required to, among other things:
- Establish, implement and regularly review a cybersecurity program, which must include steps to identify and manage organizational cybersecurity risk
- Mitigate any cybersecurity risk associated with its supply chain or third-party products and services that it identifies
- Notify the appropriate regulator of any material change of ownership or control, or any material change in the designated operator’s supply chain or use of third-party products and services
- Comply with a cybersecurity direction issued by either the federal Cabinet or the appropriate regulator and not disclose the direction’s existence or content
- Keep records regarding the implementation of its cybersecurity program and any cybersecurity incident, and such records must be stored within Canada
Bill C-8 is nearly identical to Bill C-26, save for some updates to the procedural requirements in the judicial review process regarding the issuance of a cybersecurity direction. Bill C-26 made it to the third reading of the Senate but died on the Order Paper, when Parliament was prorogued in January 2025.
Despite the similarities between Bill C-8 and Bill C-26, Bill C-8 must complete the entire legislative process before it becomes law. This includes completing its second and third readings in the House of Commons, the consideration in committee and report stages, as well as passing three readings in the Senate. However, given the similarities between C-8 and C-26, and the progress Bill C-26 made in the legislative process, Bill C-8 may pass quickly.
For our prior analysis on Bill C-26, which is applicable to Bill C-8, please see our previous bulletins, House of Commons Introduces Bill C-26: Proposed Federal Cybersecurity Legislation and Canadian Cybersecurity Law Update: Bill C-26 Gains Momentum in the House of Commons.
For more information, please contact the authors or any member of our Cybersecurity group.
More insights
Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue. We would be pleased to provide additional details or advice about specific situations if desired.
For permission to republish this content, please contact the Blakes Client Relations & Marketing Department at [email protected].
© 2025 Blake, Cassels & Graydon LLP
