Protecting Critical Infrastructure: Preparing for Bill C-26 and Canada’s New Cyber Rules
The Critical Cyber Systems Protection Act is coming. Operators in finance, telecom, energy, and transportation will face mandatory cybersecurity programs, incident reporting, and supply chain oversight.
Here is how to prepare now.
The Wake-Up Call for Critical Infrastructure
May 2024. A major Canadian pharmacy chain was hit by ransomware. Seventy-nine stores closed. Vital prescriptions went unfilled. Employee data was leaked.
October 2023. The Toronto Public Library, the busiest urban library system in the world, had its systems encrypted. It took four months to recover.
March 2024. The City of Hamilton lost multiple online services to ransomware. Critical systems weren’t affected this time. But the warning was clear.
November 2020. The City of Saint John disconnected its network from the outside world. A ransomware attack forced it to build a completely new network from scratch. The city manager’s warning still echoes: “It is no longer a question of ‘if’ a corporation or entity will be attacked, but rather ‘when.’”
These are not isolated incidents.
Bill C-26 is the government’s response.
What Is Bill C-26? (The Non-Technical Overview)
Bill C-26, An Act respecting cyber security, is actually two complementary legislative initiatives in one package.
| Part | Focus Area | Key Impact |
|---|---|---|
| Part 1 | Telecommunications Act amendments | Adds security as a policy objective; empowers government to address high-risk suppliers (e.g., Huawei, ZTE) |
| Part 2 | Critical Cyber Systems Protection Act (CCSPA) | Creates regulatory framework for finance, telecom, energy, transportation sectors |
While Bill C-26 died on the order paper during the 2025 parliamentary prorogation, a substantially similar bill—Bill C-8—was introduced in June 2025 and is now proceeding through Parliament.
The core requirements remain consistent. This is coming.
Who Is Affected?
The CCSPA applies to “designated operators” in federally regulated sectors that provide “vital services” or operate “vital systems.”
| Sector | Examples |
|---|---|
| Telecommunications | Service providers, network operators |
| Energy | Interprovincial pipeline and power line systems, nuclear energy systems |
| Finance | Banking systems, clearing and settlement systems |
| Transportation | Systems within federal jurisdiction (rail, air, marine) |
The Governor in Council can add or remove services and systems over time. Health systems have already been flagged as a potential future addition.
What Are the Key Requirements?
Designated operators must:
| Requirement | What It Means |
|---|---|
| Establish a cybersecurity program | A formal program that identifies risks, protects systems, detects incidents, and minimizes impacts |
| Address supply chain and third-party risks | Your vendors and suppliers are your problem too |
| Report cybersecurity incidents | Mandatory notification to the Canadian Centre for Cyber Security and your sector regulator |
| Maintain records in Canada | All program documentation and incident records must be kept on Canadian soil |
| Comply with cyber security directions | The government can compel specific actions to address threats |
Incident Reporting Timeline
The proposed reporting requirement is 72 hours from the time the operator detects the incident.
This aligns with the U.S. 72-hour standard and is meant to make “one organization’s detection another’s prevention.”
Penalties for Non-Compliance
| Entity | Maximum Penalty |
|---|---|
| Individuals | Up to $1 million |
| Corporations | Up to $15 million |
These are administrative monetary penalties, separate from any other criminal or civil liability.
The Four Pillars of Compliance
Pillar 1: Cybersecurity Program
The CCSPA requires a cybersecurity program including steps to:
| Component | What It Means |
|---|---|
| Identify and manage organizational cybersecurity risks | Risk assessment, asset inventory, threat identification |
| Protect critical cyber systems from compromise | Technical controls, access management, encryption |
| Detect cybersecurity incidents | Monitoring, alerting, threat detection |
| Minimize the impact of incidents | Incident response, business continuity, recovery |
This is not a one-time exercise. The program must be maintained, updated, and effective.
Pillar 2: Supply Chain and Third-Party Risk Management
The CCSPA explicitly addresses supply chain risk. Designated operators must identify and mitigate risks arising from their supply chain and third-party products and services, and must notify their regulator of material changes to those arrangements.
Pillar 3: Incident Reporting
The 72-hour reporting requirement is designed to give the Canadian Centre for Cyber Security timely visibility into incidents across all designated sectors.
Be ready to report:
- Nature of the incident
- Systems affected
- Impact on operations
- Steps taken to respond
- Threat actor information (if known)
Why it matters: the government can provide timely threat intel and mitigations to help other operators.
Pillar 4: Record-Keeping
Records related to your cybersecurity program and incidents must be kept in Canada. This affects global tooling and cloud providers: the program documentation and incident records themselves must remain on Canadian soil, so check where your ticketing, GRC, and log platforms actually store data, not just where their vendor is headquartered.
The Telecommunications Angle: High-Risk Suppliers
Part 1 amends the Telecommunications Act to add security as a key policy objective, enabling the government to:
- Prohibit use of products/services from certain entities
- Require network/facility reviews
- Mandate security plans
Real-world impact: explicit authority to address high-risk suppliers like Huawei and ZTE.
For telecom operators, expect:
- Potential requirements to remove/replace equipment
- Increased scrutiny of supply chain decisions
- New compliance obligations around network security
The Compliance Timeline: When Does This Happen?
The CCSPA comes into force on a day (or days) fixed by order. Regulations will follow a consultative process.
| Phase | Timeline | Action |
|---|---|---|
| Regulatory development | Ongoing | Government consultation with industry stakeholders |
| Designation of operators | TBD | Schedule identifies classes of operators |
| Compliance deadlines | TBD | Regulations specify implementation timelines |
The NIST Connection: A Ready-Made Framework
The CCSPA doesn’t prescribe a specific framework, but its four program components (identify and manage risk, protect, detect, minimize impact) map almost one-to-one onto the core functions of NIST CSF 2.0, which makes it the natural starting point.
NIST CSF 2.0 is structured around six core functions:
| Function | Purpose |
|---|---|
| Govern | Strategy, expectations, policy, accountability |
| Identify | Context, assets, risks |
| Protect | Safeguards and controls |
| Detect | Monitoring and detection |
| Respond | Action and containment |
| Recover | Restoration and resilience |
The new Govern function is particularly relevant: it covers supply chain risk management, roles and responsibilities, policy, oversight, and continuous improvement.
Other Relevant Frameworks
| Framework | Best For |
|---|---|
| CIS Controls | Technical control implementation |
| ISO 27001 | Formal ISMS certification |
| NIST SP 800-53 | Federal / high-security environments |
The key is not which framework you choose; it’s that you choose one and implement it consistently.
What This Means for Your Organization
For CEOs and Boards
| Implication | Action |
|---|---|
| Cybersecurity is now a regulatory compliance issue | Board oversight and regular reporting |
| Non-compliance carries significant penalties | Allocate appropriate resources |
| Supply chain risk is your risk | Elevate vendor governance and monitoring |
For CISOs and Security Leaders
| Implication | Action |
|---|---|
| Formal cybersecurity program required | Document program, roles, controls, evidence |
| 72-hour incident reporting | Build detection + reporting workflows |
| Supply chain risk management is explicit | Assess vendors, contract controls, ongoing monitoring |
For Compliance Officers
| Implication | Action |
|---|---|
| New regulatory framework to manage | Track requirements, deadlines, obligations |
| Records must be kept in Canada | Validate data residency and cloud contracts |
| Potential cyber security directions | Prepare for government-mandated actions |
For IT and Operations
| Implication | Action |
|---|---|
| Critical cyber systems must be protected | Inventory, classify, secure |
| Detection capabilities required | Monitoring, alerting, logging |
| Incident response must be tested | Drills, playbooks, coordination |
The 12-Month Preparedness Roadmap
| Quarter | Focus | Key Activities |
|---|---|---|
| Q1 | Inventory & Assessment | Identify critical systems, assess against NIST CSF 2.0, document gaps |
| Q2 | Program Development | Formalize program, policies, governance structure |
| Q3 | Supply Chain | Inventory vendors, assess third-party risks, update contracts |
| Q4 | Incident Readiness | Build 72-hour reporting capability, test IR, document evidence |
This roadmap keeps you moving regardless of regulatory timelines.
The 5 Things You Can Do Right Now
1. Know Your Critical Cyber Systems
You cannot protect what you don’t know you have. Start with an inventory of:
- Systems that could impact vital services if compromised
- Supporting infrastructure (IT, OT, cloud)
- Dependencies and interconnections
2. Map Against NIST CSF 2.0
Use NIST CSF 2.0 as a self-assessment tool. For each function, ask:
- Do we have this capability?
- Is it documented?
- Is it tested?
- Can we prove it?
3. Document Your Program
The CCSPA requires a formal cybersecurity program not just controls. That means:
- Written policies and procedures
- Assigned roles and responsibilities
- Regular review and updates
- Evidence of implementation
4. Assess Your Supply Chain
Start building your vendor risk management program:
- Inventory third parties with access to systems or data
- Assess their security posture
- Require security controls contractually
- Monitor for material changes
5. Test Your Incident Response
The 72-hour clock starts when you detect an incident, so your incident response plan must define what counts as detection (for example, an alert confirmed by triage rather than an alert merely firing), who decides that an event is a reportable incident, and who is authorized to submit the report. Test your ability to detect, assess impact, report on time, and document everything.
How Canadian Cyber Helps
Canadian Cyber’s SharePoint ISMS platform gives you the structure to build CCSPA compliance that lasts.
| CCSPA Requirement | How Our Platform Helps |
|---|---|
| Cybersecurity program | Pre-built policy framework, risk register, control library mapped to NIST CSF 2.0 |
| Supply chain risk management | Vendor register, assessment workflows, contract tracking, expiry alerts |
| Incident reporting | IR playbooks, 72-hour reporting templates, evidence collection |
| Record-keeping in Canada | Your data stays in your Canadian tenant—no cross-border issues |
| Documentation | Version control, approval workflows, audit trails |
| Continuous improvement | Automated reviews, dashboards, gap analysis |
“We knew Bill C-26 was coming. We used the runway to build our program in SharePoint. When regulations finalize, we’ll be ready—not scrambling.”
The 15-Minute Readiness Assessment
You don’t need to guess whether your organization is ready for Canada’s new cyber rules.
We’ll tell you:
- Which CCSPA requirements you already satisfy (most organizations are 30–40% there without knowing it)
- Where your biggest gaps are (based on the proposed framework)
- One thing you can do this week to move toward compliance
This is not a sales pitch. It’s a readiness check.
The Question Every Leader Must Answer
“If Bill C-26 took effect tomorrow, would our organization be compliant?”
For most operators in finance, telecom, energy, and transportation, the honest answer is “no” or “I’m not sure.”
- The regulations are coming, but they’re not here yet.
- The requirements are clear, even if the details aren’t final.
- The frameworks exist (NIST CSF 2.0, CIS, ISO 27001).
- The time to act is now.
Be the operator that can answer “yes.” Use the runway.
Conclusion: From Uncertainty to Readiness
Bill C-26 represents a fundamental shift in how Canada protects its critical infrastructure.
- Mandatory cybersecurity programs will become the norm.
- Supply chain risk will be regulated.
- Incident reporting will be required.
- Government directions will compel action.
This is not overreach. It is a response to a threat environment that has already demonstrated its ability to disrupt essential services, compromise sensitive data, and threaten public safety.
The path forward is clear:
- Use NIST CSF 2.0 as your framework
- Document your program
- Know your supply chain
- Test your incident response
- Keep records in Canada
Start now. Your future self and your future compliance team will thank you.
Follow Canadian Cyber
Get practical playbooks, audit-readiness tips, and compliance workflows.
