Canada strengthens cyber security laws to protect critical infrastructure

June 24, 2026

Key Insights

  • New cyber security legislation in Canada has received Royal Assent
  • After a four-year process, the country has established new requirements to improve national security, network resilience and cybersecurity for critical services
  • Securing the Canadian telecommunications sector is a focus of Bill C-8, the Act Respecting Cyber Security (ARCS)
  • The aim is to "protect critical infrastructure against cyber threats that are growing in frequency and sophistication"
  • The Critical Cyber Systems Protection Act will designate services and systems that are vital to national security or public safety and mandate additional security measures

Canada moves to strengthen cyber security

A little over a year ago, we compared the 'Critical Five' countries and how they decided what needed protecting the most against evolving cyber security threats.

Canada was in the process of modernising its approach to critical infrastructure with Bill C-26 slowly working its way through Parliament since 2022.

Last week, new legislation (Bill C-8) received Royal Assent and started the process of helping the North American powerhouse respond to a rapidly evolving threat landscape.

Amid rising incident frequency, lateral movement across connected networks, and the increased targeting of supply chains and service providers, this new Government push brings the country's approach to critical national infrastructure (CNI) much closer to those of key allies, including the United States (the Cyber Incident Reporting for Critical Infrastructure Act of 2022), the European Union (NIS2 Directive), and the UK (Network and Information Systems Regulations 2018 (NIS Regulations) and proposed updates).

It makes Canada’s most significant cybersecurity regulation for critical infrastructure a reality.

In practical terms, the country will move from a largely voluntary, guidance-based approach to a mandatory regulatory regime for cybersecurity in critical sectors.

ARCS creates the Critical Cyber Systems Protection Act (CCSPA) which, following further consultation, will require a number of new compliance activities:

  • Designated operators in critical sectors must implement cybersecurity programmes
  • There will be mandated reporting of significant cyber incidents
  • Management of supply-chain and third-party risks will be included
  • There will be Government-issued Cyber Security Directions (CSDs) to address threats
  • Government powers under the Telecommunications Act will be expanded to address national security risks in networks

Closing longstanding protection gaps

The legislation addresses longstanding gaps in the Canadian Government’s ability to protect vital services and systems and will apply to 'designated operators' in four priority sectors: finance, energy, telecommunications, and transport.

The law as defined takes in critical energy pipelines, power systems and nuclear assets. The Governor General of Canada will also have the authority to add or remove sector-specific services and broaden the number of organisations brought into scope over time.

Under a formal compliance and enforcement regime, a designated operator who fails to comply with a CSD could be subject to a monetary penalty or face a regulatory offence that could lead to fines or imprisonment.

Implementation Timeline

Not all requirements set out this month apply immediately.

The Telecommunications Act amendments are effective immediately upon Royal Assent (June 2026).

The CCSPA obligations will be implemented gradually through regulations and sector-specific designation of operators. CNI organisations in the sectors identified should expect further guidance on reporting thresholds, compliance expectations, and implementation dates in the second half of this year.

The result is a substantial shift toward a mandatory cybersecurity compliance framework for critical infrastructure operators, similar in direction to the EU's NIS2 regime and other critical-infrastructure cybersecurity laws internationally.

Compliance requirements under CCSPA

In practical terms, the legislation will require designated operators to have a suitable cybersecurity programme up and running within 90 days, with documentation showing compliance and audits possible to verify the steps taken.

Once implemented, the CCSPA will provide cyber security regulators with compliance and enforcement capabilities such as information-gathering powers, inspection rights, compliance orders and monetary penalties of up to CA$15 million per violation of the law.

On this basis, the security framework will mean significant new compliance obligations for the selected sectors, and CNI operators should closely follow developments as specifics emerge.

Formal, structured cybersecurity governance, effective risk management and timely incident reporting readiness will be key. At Overcyte, we'll be watching to see how the regulatory landscape in Canada evolves.
