Bill C-8 revives Canadian cyber security reform | BLG

Canada’s Carney government has revived expansive cybersecurity rules under Bill C-8, strengthening compliance requirements for federally regulated critical infrastructure sectors including banking, transportation, energy, and telecommunications. The bill imposes stringent obligations on “designated operators” to maintain comprehensive cybersecurity programs, report material system changes with national security implications, and immediately report breaches within 72 hours to the Communications Security Establishment. Violations could result in fines up to $15 million per day for organizations and $1 million per day for individuals, with directors and officers potentially held personally liable. The bill delegates broad enforcement powers to sector-specific regulators who can conduct inspections, order audits, and issue binding compliance orders, while the government can issue confidential cybersecurity directions without consultation. Organizations should proactively prepare by mapping vital systems, understanding regulatory oversight, developing compliance frameworks, and building incident response capacity as the bill is expected to pass quickly when Parliament resumes.​​​​​​​​​​​​​​​​