Canada’s cybersecurity obligations are about to change. On March 26, 2026, Bill C-8, which enacts the Critical Cyber Systems Protection Act (CCSPA), passed the House of Commons. It is now before the Senate. Once it receives Royal Assent and is brought into force, operators in six regulated sectors that are designated under the Act will have 90 days from designation to establish a cybersecurity program, backed by administrative monetary penalties of up to $15 million, with each day of a continuing violation counted as a separate violation.
This is not a future-state policy discussion. It is active legislation with a hard clock. For CISOs, compliance officers, and business leaders in banking, telecommunications, energy, transportation, nuclear, and financial clearing, the question is no longer whether to act. The question is whether your current cybersecurity program can survive regulatory scrutiny within the compliance window.
This article explains what the CCSPA requires, who it covers, what the penalties look like, and what steps organizations in scope need to take right now.
The Critical Cyber Systems Protection Act is Canada’s first dedicated federal law governing cybersecurity for critical infrastructure. Before this bill, Canada had no single statute that required operators in key sectors to implement minimum cybersecurity controls, report cyber incidents, or protect supply chains from digital threats.
The legislation was designed in direct response to the reality that critical infrastructure is now among the most targeted categories of systems globally. Ransomware attacks on energy grids, telecommunications networks, and financial clearing systems have disrupted services for millions of people. Canada’s Cyber Centre has documented a sustained increase in state-sponsored and financially motivated attacks against these exact sectors.
Bill C-8 creates a regulatory baseline that every covered organization must meet, regardless of how its existing cybersecurity program is structured.
The CCSPA applies to designated operators in six sectors: banking, telecommunications, energy, transportation, nuclear, and financial clearing.
Classes of operators are designated by order of the Governor in Council and listed in Schedule 2 of the Act, and each class is assigned a sector regulator. Designation turns on whether an operator’s systems are critical to national security, public health, or the Canadian economy. There is no small business exemption based on revenue or employee count. If your organization falls within a designated class and operates critical cyber systems, the full weight of the legislation applies to you.
For organizations that are not direct operators but serve them as vendors or contractors, the supply chain provisions create indirect obligations. If your systems or services touch a designated operator’s critical infrastructure, you may be required to comply with their cybersecurity program requirements as a condition of contract. Financial institutions in particular should review existing cybersecurity compliance requirements for financial services in Canada alongside the new CCSPA obligations.
The legislation imposes four core obligations on designated operators:
Organizations must establish, implement, and maintain a cybersecurity program for their critical cyber systems. The program must be documented, reviewed regularly, and address identified risks. It must cover asset management, access controls, incident detection, and recovery procedures. A cybersecurity program that exists on paper but has not been operationalized will not satisfy this requirement.
Designated operators must report cyber incidents that affect or could affect critical cyber systems. Reports go to the Communications Security Establishment (CSE), which houses the Canadian Centre for Cyber Security, and the operator must also notify its sector regulator. The reporting obligation applies even when the incident is contained. Failure to report is itself a violation. Organizations without a structured reporting process should review what a data breach response plan should include as a starting point.
Organizations must identify and mitigate cybersecurity risks in their supply chains and third-party service providers. This is one of the most operationally challenging requirements in the legislation. It means reviewing vendor contracts, assessing third-party security posture, and in some cases, replacing suppliers who cannot demonstrate adequate controls.
The Governor in Council can issue cyber security directions requiring designated operators, or classes of them, to take specific measures to protect critical cyber systems. These directions are binding, the Act restricts disclosure of their contents, and they can require implementation within very short timeframes.
The CCSPA carries some of the most significant cybersecurity penalties in Canadian legislative history. The administrative monetary penalty for a violation is capped at $15 million for an organization and $1 million for an individual, and because each day a violation continues is treated as a separate violation, those caps apply per day for ongoing non-compliance. Individuals are exposed where a director or officer directed, authorized, assented to, acquiesced in, or participated in the violation.
The inclusion of personal liability is a deliberate design choice. Legislators determined that corporate fines alone were insufficient to drive board-level attention to critical infrastructure cybersecurity. By exposing individual directors and officers to personal financial consequences, the CCSPA creates accountability that cannot be delegated downward or absorbed as a cost of business.
Violations include: failure to establish or maintain a cybersecurity program, failure to report a cyber incident, failure to comply with a ministerial directive, and obstruction of an authorized official conducting a review.
The 90-day clock starts on the day an organization becomes a designated operator, not on Royal Assent: designation happens when its class of operator is listed in the Act’s Schedule 2 by regulation after the Act is brought into force. From that day, the operator has 90 days to establish a cybersecurity program. For organizations with mature security programs, that window is tight but achievable. For those without a documented program, 90 days is very short.
A realistic 90-day sprint typically includes:
The supply chain component deserves particular attention. Completing a thorough third-party risk assessment across all vendors touching critical systems is not a task that can be compressed into a few weeks without dedicated resources and an established methodology.
The CCSPA does not prescribe a specific technical framework. It requires that your cybersecurity program be adequate, documented, and functional. What counts as adequate will be assessed by your sector’s regulator against the nature of your critical cyber systems.
Most organizations in scope for the CCSPA already have some form of cybersecurity program. The challenge is typically documentation, formalization, and gap closure rather than starting from scratch. A qualified cybersecurity firm will bring a security program development framework that maps directly to regulatory requirements, so you are not building a parallel compliance structure on top of an existing security program.
The risk consulting and threat risk assessment component of CCSPA compliance requires identifying threats specific to your systems, assessing likelihood and impact, and documenting how controls address each identified risk. This is not a checkbox exercise. Regulators will expect to see evidence that your risk assessment methodology is rigorous and that your controls actually address the risks you have identified.
For the incident reporting obligation, your incident response capabilities need to extend beyond internal response to include structured external notification. Organizations without an existing incident response plan that covers regulatory reporting will need to build one before the 90-day window closes.
Brigient provides end-to-end cybersecurity services including security program development, threat risk assessment, and incident response planning for organizations across the GTA and Canada. For organizations in sectors covered by the CCSPA, this means working from a single provider who understands both the technical requirements and the Canadian regulatory environment, rather than assembling a compliance program from multiple disconnected vendors.
Possibly, even if you are not a designated operator yourself. The supply chain provisions require designated operators to manage cybersecurity risks from their vendors and contractors. If your products or services touch a designated operator’s critical cyber systems, that operator may impose CCSPA-aligned requirements on you as a contractual condition. Review your contracts and assess what systems your services interface with.
The 90-day window does not start at Royal Assent. Royal Assent occurs once the bill passes the Senate, but the Act’s provisions come into force on a date fixed by order of the Governor in Council, and each operator’s 90-day clock starts on the day its class of operator is designated by regulation. As of May 2026, Bill C-8 is before the Senate, and Royal Assent could occur within weeks. Designation follows on a timetable you do not control, so if you are in a covered sector and have not begun your compliance assessment, the time to start is now.
PIPEDA is a privacy law that governs how organizations collect, use, and disclose personal information. The CCSPA is a cybersecurity law focused on protecting critical infrastructure systems from cyber threats. They are separate obligations. Organizations in designated sectors must comply with both: PIPEDA’s privacy breach reporting requirements and the CCSPA’s cybersecurity program and cyber incident reporting requirements.
The $15 million figure is the ceiling for an organizational penalty per violation under the CCSPA. Actual penalties assessed will depend on the nature, severity, and duration of the violation. Because each day a violation continues counts as a separate violation, a failure to establish a cybersecurity program accumulates liability across the full period of non-compliance.
A critical cyber system is a cyber system whose compromise could affect the continuity, security, or effectiveness of a vital service or vital system. How the definition applies is sector-specific: for a bank, this could mean payment processing systems; for a telecom, core network infrastructure. Designated operators are expected to identify which of their systems meet this definition as part of establishing their cybersecurity program.
There is no size exemption in the CCSPA. If your organization is designated as a critical infrastructure operator, the full requirements apply regardless of revenue or employee count. Mid-size companies in banking, energy, telecom, and other covered sectors should not assume that designation is limited to national-scale operators.
The CCSPA represents a fundamental shift in how Canada enforces cybersecurity accountability for critical infrastructure. If your organization operates in one of the six covered sectors, the question is not whether you will need to comply, but whether your program will be ready before the penalties begin. With Royal Assent expected imminently, and a 90-day clock that starts at designation and does not pause for slow procurement decisions, the time to begin your gap assessment and program formalization is before the clock starts.
Brigient provides end-to-end cybersecurity services for organizations across the GTA and Canada, including security program development aligned to Canadian regulatory requirements, threat risk assessments, and incident response planning. Contact Brigient to discuss your CCSPA compliance readiness.
Written by Sameer Malik, Founder & Managing Director, Brigient
Sameer Malik is the Founder and Managing Director of Brigient, a boutique cybersecurity advisory firm based in Mississauga, Ontario. With over 20 years of experience in cybersecurity, governance, risk management, and IT strategy, Sameer has led more than 300 incident and ransomware response engagements for organizations across Canada. He holds a BA from the University of Toronto and is certified in TOGAF® 9 (The Open Group Architecture Framework) and ITIL (IT Infrastructure Library). Sameer's approach to cybersecurity is built on four pillars: Identify, Respond, Recover, and Govern.