C-8 (45-1) - An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts
Chamber: Commons
Stage: 3rd Reading
Introduced: Jun 18, 2025
This bill creates new laws to protect Canada's telecommunications networks and critical infrastructure like banks, pipelines, and nuclear systems from cyberattacks.
Key Changes
- Adds 'security of the telecommunications system' as an official goal of Canadian telecom policy under the Telecommunications Act.
- Gives Cabinet and the Industry Minister power to order telecom companies to remove or ban specific products or suppliers from their networks for security reasons, with no right to financial compensation.
- Creates the Critical Cyber Systems Protection Act, requiring operators of vital services (banks, pipelines, nuclear plants, transport) to build and maintain cybersecurity programs.
- Requires designated operators to report cyberattacks to the Communications Security Establishment (Canada's signals intelligence agency) within 72 hours.
- Sets fines up to $15 million per violation for corporations and up to $1 million for individuals who break the new cybersecurity rules, with personal liability for company directors and officers.
- Requires the government to report annually to Parliament on orders issued and their necessity, and to notify the National Security and Intelligence Committee of Parliamentarians of any secret orders within 90 days.
Gotchas
- Secret orders are allowed: Both the Cabinet and the Minister of Industry can issue orders that are kept secret from the public, and can prohibit disclosure of the order's existence. Affected companies can be legally prohibited from telling anyone they received such an order. The government has up to 90 days to notify Parliament's security oversight bodies, and can delay or avoid publishing orders in the Canada Gazette.
- No compensation clause: If the government orders a telecom company to rip out equipment or stop using a supplier, the company gets no money from the government for any financial losses. This could be very costly for companies that have already invested heavily in specific technology.
- Broad ministerial powers with limited checks: The Minister of Industry can issue a wide range of orders to telecom companies — banning products, requiring security plans, mandating audits — without going through the normal regulatory process (the Statutory Instruments Act does not apply). Judicial review is available but the rules protect sensitive government information during those proceedings, which may limit a company's ability to challenge an order.
- Interception of communications is explicitly prohibited: The bill specifically states that neither the Cabinet nor the Minister can order a telecom company or critical infrastructure operator to intercept private communications. This is a notable civil liberties protection written directly into the bill.
- Schedule 2 (which lists the actual companies and industries covered by the new Critical Cyber Systems Protection Act) is blank in the bill as introduced — the specific classes of operators will be filled in later by Cabinet order, meaning the full scope of who is regulated is not yet defined and could expand significantly without new legislation.
- Information sharing with foreign governments is permitted: The bill allows the government to share information collected under these laws with foreign governments and international organizations, subject to written agreements, which raises potential privacy considerations for Canadians whose data may be held by regulated companies.
Who's Affected
- Telecommunications companies (phone and internet providers)
- Banks and financial institutions
- Pipeline and power line operators
- Nuclear energy facility operators
- Federally regulated transportation companies (airlines, railways, etc.)
- Clearing and settlement system operators
- Technology suppliers and third-party vendors to any of the above industries
- Corporate executives and directors of regulated companies
Summary
Bill C-8 does two main things. First, it updates the Telecommunications Act to make protecting Canada's phone and internet networks an official government goal. It gives the federal Cabinet and the Minister of Industry new powers to order telecom companies (like phone and internet providers) to remove or stop using equipment or services from specific companies if those products are seen as a security threat. Second, it creates a brand new law called the Critical Cyber Systems Protection Act, which sets rules for companies that run vital services like banks, pipelines, nuclear plants, and transportation systems. These companies must create cybersecurity plans, report cyberattacks to the government within 72 hours, and manage risks from their suppliers and outside technology providers.

The bill was introduced because Canada's critical infrastructure — the systems that keep the country running — increasingly depends on digital technology, making it vulnerable to hacking, sabotage, or interference by foreign actors or criminals. The government wants to make sure companies running these vital systems take cybersecurity seriously and that the government has tools to respond quickly to threats.

Companies that break the rules face serious fines — up to $15 million per violation for corporations — and in some cases, criminal charges. Individual executives can also be held personally responsible if they directed or allowed violations to happen.
Automatically generated from bill text using Claude