Canada’s Bill C-8: what businesses need to know about the new cybersecurity framework

Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, establishes the most significant federal cybersecurity framework Canada has enacted. The Bill creates a dual regime: it expands the federal government’s power to secure Canada’s telecommunications system, and it imposes mandatory, enforceable cybersecurity obligations on operators of critical cyber systems across federally regulated sectors.

Bill C-8 is the successor to Bill C-26, which was introduced in the previous Parliament but did not become law before Parliament was prorogued. It was reintroduced last year in substantially similar form as Bill C-8 in the 45th Parliament. The Bill reached a significant milestone on June 16, 2026, when received royal assent. Having now completed its passage through Parliament, its substantive provisions will come into force on a day or days to be fixed by order of the Governor in Council, with many operational details to follow by regulation.

The legislation responds to an evolving threat landscape — rising incident frequency, lateral movement across networks, and the targeting of service providers — and brings Canada’s approach closer to those of key allies, including the United States (Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)), the European Union (NIS2 Directive), and the United Kingdom (Network and Information Systems Regulations 2018 (NIS Regulations)). This Update summarizes the key provisions, their privacy and commercial implications, and practical steps organizations should consider.

Read our article on this topic available on Osler’s website (French version of the article to come).

This content has been updated on June 17, 2026 at 13 h 11 min.