On June 18, 2025, the Minister of Public Safety introduced the first reading of Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-8).  If passed, Bill C-8 would, among other things, enact the Critical Cyber Systems Protection Act (CCSPA), which is substantially similar to the Critical Cyber Systems Protection Act introduced under the previous Bill C-26  (CCSPA 2023) (as previously reported by the E-TIPS® Newsletter here), which died on order paper. Bill C-8 is currently at its second reading in the House of Commons.

The CCSPA aims to safeguard critical cyber systems that are considered essential to Canada’s infrastructure. The CCSPA would establish a range of cybersecurity-related obligations to certain classes of federally regulated entities (Designated Operators) providing “vital services” and “vital systems”, namely:

  1. Telecommunications services;
  2. Interprovincial or international pipeline and power line systems;
  3. Nuclear energy systems;
  4. Transportation systems that are within the legislative authority of Parliament;
  5. Banking systems; and
  6. Clearing and settlement systems.

The CCSPA would impose new compliance and reporting duties to Designated Operators which include requirements to:

  1. Establish a cybersecurity program, which must include steps to:
    • Identify and manage any organizational cybersecurity risks, including risks associated with the Designated Operator’s supply chain and its use of third-party products and services;
    • Protect its critical cyber systems from being compromised;
    • Detect any cybersecurity incidents affecting, or having the potential to affect, its critical cyber systems; and
    • Minimize the impact of cybersecurity incidents affecting critical cyber systems.
  2. Notify the appropriate regulator of any material changes in the Designated Operator’s ownership or control, or any material change in the Designated Operator’s supply chain or in its use of third-party products and services; and
  3. Keep records in Canada related to the implementation of its cybersecurity program and any cybersecurity incidents.

Contravention of the CCSPA can trigger administrative monetary penalties of up to $1 million in the case of an individual and $15 million in any other case.

For more details, the full text of Bill C-8 is available here.

Summary By: Victoria Di Felice

 

E-TIPS® ISSUE

25 07 23

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.

Victoria Di Felice
By Victoria Di Felice
July 23, 2025
Cybersecurity