Canadian organizations are already dealing with ransomware, supply chain compromise, AI-enabled phishing, regulatory pressure, cyber insurance scrutiny, and growing expectations from boards and customers. Bill C-8 adds another layer to that environment, but it also signals something larger: cybersecurity has grown from an internal IT governance concern into a core element for national infrastructure policy.
For CISOs, risk leaders, privacy officers, and executive teams, the practical questions are straightforward:
- What’s in force now, and what’s still coming?
- Which organizations fall within scope – and who else will feel the effects?
- What should we be doing now that it’s law?
This article focuses on those questions through a cybersecurity and operational risk lens.

Bill C-8 Is Law: What Changes Now?
As of June 15, 2026, Bill C-8 is law. It is being implemented in two stages: the portion that amends the Telecommunications Act – adding security as an explicit objective and giving the government new powers over the telecom sector – took effect on Royal Assent, so those obligations are live now. The rest, the Critical Cyber Systems Protection Act, sets mandatory requirements for designated operators in critical infrastructure and will be phased in through regulations still to come.
The legislation builds on years of federal concern over critical infrastructure security, foreign interference, and telecom risk, and it mirrors the move toward mandatory cyber governance already underway in the European Union, the UK, and the United States. It is intended to strengthen the security of critical cyber systems while balancing privacy and constitutional considerations, and it requires significant cyber incidents to be reported.
The more important reality for most organizations is that cybersecurity expectations are clearly rising now that the law is in place, and with the sector regulations still to come, they will only grow. Regulators, insurers, customers, and boards are already converging on the same goal: demonstrable cyber resilience.
It’s worth noting that a late-March Speaker’s ruling removed provisions that would have required prior judicial authorization before the government could issue cybersecurity directions – restoring ministerial authority subject only to after-the-fact judicial review. That outcome has implications for how organizations should think about government powers under this framework.
Why CISOs and Risk Leaders Are Paying Attention
Bill C-8 places mandatory cybersecurity obligations on designated operators in federally regulated critical infrastructure: sectors deemed essential to national security and economic stability.
From a practical perspective, the legislation has several key themes:
- Mandatory cybersecurity programs
- Formal incident reporting obligations
- Stronger supply chain oversight
- Government authority to issue cybersecurity directions
- Increased executive accountability
None of those concepts are entirely new. What changes is the degree to which they become enforceable and measurable.
Many organizations have security controls. Far fewer have governance and response processes that hold up well during a serious cyber incident.
Nitin Bedi, Vice President, Services ISA Cybersecurity“The organizations that struggle most during incidents are usually the ones making governance decisions for the first time in the middle of a crisis.”
Bill C-8 Arrived Before the AI Acceleration Curve
One of the more interesting aspects of Bill C-8 is its timing. Much of the framework was developed before today’s wave of Frontier AI capabilities entered mainstream cybersecurity discussions. Yet in many ways, the legislation anticipated the uncertainty organizations are now feeling.
AI-enabled phishing, synthetic identity fraud, autonomous attack simulation, and rapidly evolving offensive tooling are compressing the time between vulnerability discovery, exploitation, and detection. Capabilities once associated with sophisticated state actors are becoming cheaper, faster, and more accessible. The challenge for organizations is no longer just preventing compromise, but maintaining operational resilience in an environment where attack speed and scale continue to accelerate.
That context helps explain why Bill C-8 focuses so heavily on preparedness, incident reporting, and critical infrastructure protection. The legislation is less about reacting to any single technology trend and more about acknowledging a broader reality: organizations may not always be able to prevent disruption, particularly as attribution becomes more difficult and automated attacks become more adaptive. Increasingly, regulators want assurance that essential services can continue operating – even in the face of multiple, simultaneous incidents.
Does Bill C-8 Apply to Your Organization?
Some organizations will clearly fall within scope. Others may not be directly regulated but will still feel downstream pressure through procurement, cyber insurance, customer expectations, or contractual obligations.
If you operate within, support, or provide services to any of the following areas, Bill C-8 is likely to affect your organization in some way:
- Telecommunications
- Energy and utilities
- Transportation
- Financial services
- Managed service providers
- Cloud and infrastructure providers
- Critical supply chain vendors
Even organizations outside formal designation may find that clients begin requesting stronger evidence of cyber maturity as these standards propagate through the ecosystem. That is already happening in practice: defence sector suppliers and their subcontractors face a parallel set of requirements under the Canadian Program for Cyber Security Certification (CPCSC). The CPCSC launched its first certification level in April 2026, with requirements set to appear in select defence contracts beginning this summer. That’s a reminder that mandatory cyber governance is arriving from multiple directions at the same time.

What Organizations Should Be Doing Now
The good news is that most preparation effort maps directly to established cybersecurity best practices, which means it holds its value regardless of how the supporting regulations are ultimately written. For many Canadian organizations, the harder gaps to close are in coordination, governance, visibility, and response maturity – not in the tools themselves.
1. Incident response readiness
One of the clearest themes in Bill C-8 is the expectation for rapid incident reporting and operational coordination.
That raises several practical questions:
- Can you detect material incidents quickly?
- Is escalation clearly defined?
- Are legal, communications, privacy, and executive teams integrated into response planning?
- Can forensic evidence be preserved while operations continue?
Tabletop exercises and attack simulations remain one of the most effective ways to identify weaknesses before regulators or attackers do.
2. SOC maturity matters more than SOC ownership
Bill C-8 does not require organizations to build a 24/7 in-house Security Operations Centre. What matters is whether those capabilities actually work during an incident. For many organizations, partnering with a managed SOC or MDR provider may be the most realistic and effective path to improving monitoring, detection, response coordination, and reporting readiness.
Boards increasingly care less about whether security operations are internal or outsourced. They care whether the capability is reliable, measurable, and defensible during a crisis.
3. Supply chain security is becoming a board-level issue
The legislation also reinforces growing concern around third-party and supply chain risk.
Security and risk teams should expect greater scrutiny around:
- Vendor access
- Managed service dependencies
- Clear articulation of responsibilities
- Telecommunications infrastructure
- Software provenance
- Cloud concentration risk
For CISOs, this means vendor governance can no longer sit entirely inside procurement workflows. Security architecture, legal review, operational resilience, and executive risk appetite all intersect here.
Nitin Bedi, Vice President, Services ISA Cybersecurity“Cyber incidents rarely stay contained within IT. Legal, communications, operations, leadership, and third parties all become part of the response very quickly.”
How Do I Prepare Before the Regulations Are Finalized?
Some organizations hesitate to act because the supporting regulations are not yet finalized. That approach carries its own risk. The basic principles of Bill C-8 are clear, even if the regulatory details aren’t:
- Stronger cyber governance
- Faster incident reporting expectations
- Greater accountability
- More scrutiny of critical systems
- Increased operational resilience requirements
Organizations that move now will have more time to strengthen governance, refine response procedures, and address operational gaps before those weaknesses are exposed during a regulatory review or live incident. That will be even more important as Frontier AI collapses the time organizations have to respond to attacks.
In practice, organizations that align to recognized frameworks such as NIST CSF, ISO 27001, CIS Controls, and modern incident response practices are going to benefit from their cyber investments regardless of the detail in the eventual regulations.

Moving Forward
Bill C-8 is part of a broader shift in how governments view cybersecurity risk. The conversation is moving beyond technical controls toward resilience, governance, accountability, and national economic stability. Canadian organizations should expect continued pressure to strengthen cyber preparedness, incident response, and executive oversight.
Preparing now is key, even before the supporting regulations are settled. Organizations that strengthen governance, clarify incident authority, mature detection and response processes, and improve cross-functional coordination will benefit regardless of the final regulatory detail. Those investments improve resilience under regulatory scrutiny, during cyber insurance reviews, and in the middle of real-world incidents when seconds really count.
Now is the time to evaluate, identify gaps, and build a realistic roadmap for compliance and resilience. ISA Cybersecurity has decades of experience helping organizations assess their exposure, improve incident readiness, mature their SOC capabilities, and prepare for regulatory change. Contact us today to learn more.




