Canada’s New Cybersecurity Framework: What Service Providers Should Expect Following The Adoption Of Bill C-8

Since the publication of our telecommunications Regulatory Trends to Watch in February 2026, Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-8), has steadily progressed through the House of Commons and the Senate to receive Royal Assent on June 16, 2026. As we highlighted in February, national security, network resilience and cybersecurity have emerged as central policy priorities for the Canadian telecommunications sector. The adoption of Bill C-8 represents the most significant legislative milestone in advancing these priorities to date.

With the enactment of Bill C-8, telecommunications service providers (TSPs) and the broader universe of electronic communications service providers (collectively, ESPs) should prepare for the launch of a range of regulatory processes required to implement the newly adopted legislative frameworks. In this article, we review key changes introduced by Bill C-8 and highlight several upcoming implementation initiatives that ESPs will wish to monitor in the coming months.

Security becomes a telecommunications policy objective

At its core, Bill C-8 cements security as a pillar of Canadian telecommunications policy by amending the policy objectives of the Telecommunications Act to expressly include the promotion of the security of the Canadian telecommunications system alongside the more traditional objectives of competition, affordability and consumer protection.

While this amendment may appear largely symbolic, the policy objectives set out in the Telecommunications Act play an important role in shaping regulatory decision-making and government policy development. By expressly incorporating security as an objective of the Telecommunications Act, Parliament has provided a statutory foundation for future regulatory and policy measures intended to strengthen the resilience, integrity and security of Canadian telecommunications networks. ESPs should therefore expect security considerations to increasingly inform future regulatory and policy initiatives of both the Canadian Radio-television and Telecommunications Commission and Innovation, Science and Economic Development Canada.

New powers to regulate TSP networks and services for security reasons

Bill C-8 further establishes new authorities within the Telecommunications Act that permit the Governor in Council (GIC) and the Minister of Industry (Minister) to issue orders to TSPs where they have reasonable grounds to believe it is necessary to secure the Canadian telecommunications system against threats.

Most notably, the GIC and Minister are empowered to prohibit TSPs from using products or services supplied by specified vendors within their telecommunications networks and facilities and to direct their removal. The Minister is also granted broader authorities to impose conditions respecting the use of products and services, to regulate the provision of telecommunications services to specified persons, and to require TSPs to undertake activities intended to identify, assess and mitigate security risks. These activities may include preparing security plans, conducting security assessments, implementing specified standards and taking other measures designed to address vulnerabilities affecting telecommunications networks and services.

While public discussion surrounding these new order-making powers has often focused on prohibiting the use of equipment supplied by Huawei and other high-risk suppliers in mobile wireless networks, the authorities created by Bill C-8 are considerably broader and grant the GIC and Minister significant discretion to address a wide range of cybersecurity, supply chain and national security risks affecting Canada's telecommunications infrastructure. These powers are supported by a new enforcement regime that provides for significant administrative monetary penalties, including penalties of up to CA$10 million for a first violation by a corporation.

The Critical Cyber Systems Protection Act and associated implementation processes

Bill C-8 also enacts the Critical Cyber Systems Protection Act (CCSPA), which establishes a cybersecurity framework for designated operators in federally-regulated critical infrastructure sectors, including telecommunications.

The CCSPA empowers the GIC to designate classes of operators that own or operate cyber systems supporting services or systems that are vital to national security or public safety. Once designated, operators will be required to establish and maintain cybersecurity programs designed to identify, assess and mitigate cybersecurity risks and to comply with incident reporting and other regulatory requirements. The framework also contemplates the issuance of cybersecurity directions requiring designated operators to implement specific measures to address identified threats and vulnerabilities.

The details of the CCSPA framework are largely left to be determined through regulations and other implementation initiatives. Unlike the amendments to the Telecommunications Act, which came into force upon the enactment of Bill C-8, the CCSPA will come into force on a future date or dates to be fixed by the GIC, presumably once the framework has been further developed. Broadly speaking, ESPs should expect consultations to be launched in the coming months concerning the following topics:

• Designation of operators;
• Establishment of cybersecurity program requirements;
• Development of incident reporting processes;
• Issuance of guidance on mitigating risks associated with the use of third-party products and services; and
• Potential cybersecurity directions addressing specific threats or vulnerabilities.

Once implemented, the CCSPA will provide regulators, including the Minister, with compliance and enforcement tools, including information-gathering powers, inspection authorities, compliance orders and administrative monetary penalties of up to CA$15 million per violation.

Given the potential for the CCSPA framework to impose significant new compliance obligations on the sector, both TSPs and the broader class of ESPs should closely monitor future implementation initiatives and consider participating in relevant consultation processes.