What are the key provisions added or removed by bill c-8 in canada?
This fact-check may be outdated. Consider refreshing it to get the most current information.
Executive summary
Bill C‑8 would reintroduce a sweeping federal cybersecurity regime that (a) amends the Telecommunications Act and (b) enacts the Critical Cyber Systems Protection Act (CCSPA), making “designated operators” in sectors like banking, energy, telecom, transport and clearing/settlement subject to mandatory cyber requirements, incident reporting, vendor risk obligations and regulator powers to issue directions and penalties (including up to $15 million/day for corporates in some summaries) [1] [2] [3]. Compared with the earlier Bill C‑26, C‑8 removes the Canada Evidence Act amendment, revises judicial‑review procedures and restores some transparency in court process while keeping broad government ordering, information‑sharing and secrecy powers [4] [3] [5].
1. A two‑pronged architecture that rewrites who governs cyber risk
Bill C‑8 is structured in two parts: amendments to the Telecommunications Act to make telecom security a central policy objective, and the enactment of the CCSPA to create a regime for “critical cyber systems” overseen by existing sector regulators—OSFI for banking, the Bank of Canada for clearing/settlement, the Canadian Energy Regulator for energy, the CNSC for nuclear, etc.—assigning regulators the authority to designate operators and issue sector‑specific directions [1] [6] [5].
2. New obligations for designated operators: programs, reporting, records and vendor due diligence
Designated operators would be required to implement cybersecurity programs, keep records (notably stored within Canada), report incidents promptly, and assess cyber risks across vendor and supplier relationships. The law expressly contemplates obligations for incident logs, audits and proving compliance to regulators [7] [8] [2].
3. Strong compliance tools: orders, secrecy and monetary penalties
The bill gives ministers and regulators broad ordering powers over telecommunications service providers (TSPs) and DOs—orders can require removal or prohibition of specified products or services, require security plans or reviews, and impose conditions on service provision. The Governor in Council or Minister may prohibit disclosure of an order’s existence or contents; an administrative monetary penalty regime is added to promote compliance [9] [3] [7].
4. Expanded inspection and audit powers for regulators
Supervisory powers in the CCSPA permit regulators or their delegates to request information, enter premises (including conveyances) where regulated activities occur, and require audits and reports of results—tools aimed at verifying or preventing non‑compliance [10] [9].
5. Judicial review, secrecy and the removed Canada Evidence Act amendment
C‑8 keeps judicial‑review pathways but alters procedural elements from C‑26: it removes the consequential amendment to the Canada Evidence Act that would have explicitly governed sensitive evidence in Federal Court, and it revises judicial review procedures to increase some transparency (for instance, reducing the government’s ability to make wholly confidential filings). The Canada Evidence Act change present in C‑26 is omitted from C‑8 [4] [3] [5].
6. Continuity with Bill C‑26 but targeted edits
Multiple legal commentators say C‑8 is “nearly identical” to C‑26 with corrections of drafting errors and specific edits: omission of the Canada Evidence Act amendment, insertion of a new appeal provision (section 146 of the CCSPA) to permit appeals of judicial decisions made during review proceedings, and other procedural fixes [7] [4] [5].
7. Critics’ concerns: secrecy, potential for heavy‑handed controls and technical intrusion
Some analysts and opinion pieces flag that the bill’s powers to prohibit disclosure of orders, to compel removal of products or services, and to mandate interventions in vendor relationships could enable secret or intrusive measures—critics warn of potential backdoors, impacts on internet access for “specified persons,” and tension with privacy and international norms [3] [11] [12].
8. Supporters’ framing: aligning Canada with allies and protecting vital services
Legal and consulting firms framing C‑8 argue it aligns Canada with international trends (EU, UK, US, Australia), fills a regulatory gap for critical infrastructure resilience, and centralizes accountability by using sectoral regulators familiar with operational risks [6] [2].
9. What changed — concrete additions and removals to note
Concrete removals: the Canada Evidence Act amendment present in C‑26 is omitted in C‑8 [4]. Concrete additions/retentions: the CCSPA’s designation framework, mandatory cybersecurity programs and incident reporting, strong regulator ordering powers (including confidential orders), record‑localization expectations and an administrative monetary penalty regime remain core elements [1] [9] [7].
Limitations and next steps: available sources do not mention the final dollar figures for penalties consistently across all summaries—some summaries cite very large per‑day penalty examples while others describe an administrative monetary penalty regime without repeating the same amounts; readers should consult the full bill text on the Parliament of Canada site for precise clause‑level language and the exact penalty schedule [10] [9] [7].