Canada: Introduced Critical Cyber Systems Protection Act (C-8) including security obligations

On 18 June 2025, the Minister of Public Safety introduced the Bill on respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts (Critical Cyber Systems Protection Act/ Bill C-8). The Bill includes amendments to the Telecommunications Act and measures on the enactment of the Critical Cyber Systems Protection Act (CCSPA). The Bill would give the Governor-in-Council and the Minister of Industry authority to issue orders aimed at safeguarding the telecommunications system from interference, manipulation, or disruption. It also sets out a regulatory framework for the private sector considered essential to national security and public safety. The CCSPA would impose obligations on operators designated as vital services or systems, such as telecommunications, pipelines, nuclear energy, transport, banking, and clearing and settlement systems. The designated operators would be required to establish a cybersecurity programme within 90 days of receiving an order, maintain and review the programme annually. Additionally, they would be required to implement measures to manage risks related to supply chains and third-party services and report significant changes in ownership or cybersecurity operations to regulators.