October 6, 2025

Critical Cyber Systems Protection Act (CCSPA)


Canada’s effort to set binding, cross-sector cybersecurity rules for critical infrastructure has been in motion for several years. The original vehicle—Bill C-26—would have enacted the CCSPA and amended the Telecommunications Act, but it died on the Order Paper when Parliament was prorogued in January 2025.

In June 2025, the government re-introduced the package as Bill C-8 (formally, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts). Bill C-8 aims to enact the CCSPA and revive the telecom security powers from C-26. As of late 2025 it has advanced to second reading in the House of Commons.

Bottom line: the CCSPA isn’t law yet, but it is moving again—and the substance is largely the same as C-26. If passed, it will create Canada’s first federal, cross-sector cybersecurity obligations for designated critical infrastructure operators.


What the CCSPA is trying to do

The CCSPA would establish a regulatory framework to protect the “critical cyber systems” of vital services and systems—so that outages, intrusions, and supply-chain compromises don’t cascade across the economy. Its stated purpose includes identifying and managing cyber risks (including third-party and supply-chain risks), protecting systems from compromise, and supporting continuity of vital services.

It dovetails with a companion set of powers (in the same bill) that would let the federal government order telecom providers to implement security measures or remove risky equipment—intended to harden a backbone sector that other industries depend on.


Who would be in scope?

Under Bill C-8, “designated operators” in federally regulated, vital sectors must comply. Draft schedules and summaries list, among others:

  • Telecommunications services
  • Energy (interprovincial/international pipelines and power lines; nuclear)
  • Transportation within federal jurisdiction
  • Banking, clearing and settlement systems

The Governor in Council can add other vital services/systems by regulation. Sector regulators include OSFI, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canadian Energy Regulator, the Minister of Transport and the Minister of Industry (depending on the operator).


What designated operators would have to do

While details will be fleshed out in regulations, Bill C-8 and official summaries set out the backbone obligations:

1) Build and maintain a Cyber Security Program (CSP)

Operators must establish, implement, and maintain a documented program that manages risks to their critical cyber systems—covering governance, safeguards, detection, response, recovery, and continuous improvement. They must review it at least annually and notify their regulator about changes after each review within the set time window.

2) Mitigate supply-chain and third-party risk

Operators must take reasonable steps—and any steps prescribed by regulation—to mitigate supply-chain and third-party risks “as soon as” they are discovered. They must also notify regulators of material changes in ownership/control or in their use of third-party products and services within prescribed timelines.

3) Report cyber security incidents

A designated operator must report a cyber security incident to the Communications Security Establishment (CSE) within a period set by regulation, not to exceed 72 hours, then notify its appropriate regulator and share the report. (Earlier drafts used “immediately”; Bill C-8 confirms the ≤72-hour outer limit.)

4) Comply with Cyber Security Directions (CSDs)

The government may issue confidential directions requiring specific security actions. Operators must comply, even when directions are sensitive or classified in nature.

5) Keep records—stored in Canada

Operators must maintain comprehensive records of their CSP, incident reports, mitigation steps, and implementation of directions—kept in Canada in the prescribed manner/location (unless regulations say otherwise).


How this interacts with the Telecommunications Act changes

Part I of Bill C-8 (the telecom piece) adds security of the Canadian telecom system as a policy objective and gives the government order-making powers for telecom carriers (e.g., prohibit specified equipment, compel security measures). This is separate from, but complementary to, the CCSPA framework for other vital sectors.


Penalties and enforcement

Bill C-8/CCSPA would bring serious consequences for non-compliance. Current analyses and the legislative summary point to an administrative monetary penalty (AMP) regime that can reach:

  • Individuals: up to $25,000 for a first contravention and $50,000 for subsequent ones;
  • Organizations: up to $10 million, rising to $15 million for subsequent contraventions.

Some legal commentaries frame these as per-violation (potentially per-day) maximums under the AMP scheme—underscoring that repeated or continuing non-compliance could rapidly become very costly. Directors and officers could also face exposure if complicit.

Enforcement would be led by the appropriate sector regulators (e.g., OSFI for banks), with CSE in the loop for incident intake/advice.


What this means for operators in 2025 (even before passage)

Even while the bill moves through Parliament, many organizations are acting now—both because obligations echo global norms, and because the runway to compliance will be short once regulations land. Practical steps:

  1. Run a gap assessment against CCSPA pillars. Do you have a board-level owner, documented CSP, and evidence of effectiveness? Map controls to recognized frameworks (e.g., ISO 27001/27002, NIST CSF) to speed alignment once sectoral rules are published.
  2. Inventory “critical cyber systems.” Identify the networks, assets, and SaaS/OT/ICS components that support your vital services; define risk tiers.
  3. Tighten third-party governance. Catalogue critical vendors, require cyber assurances, right-to-audit, breach-notice timelines, and software supply-chain controls (SBOMs, vulnerability management).
  4. Prepare 72-hour reporting. Build a playbook that routes incidents to CSE and your regulator within the deadline, with triage criteria, legal review, and secure evidence handling.
  5. Plan for confidential directions. Establish a secure, need-to-know process to receive and implement government directions without broad internal exposure.
  6. Localize records. Ensure your record-keeping can meet the “in Canada” storage requirement; confirm your document repositories and SIEM/log archives comply.
  7. Engage your regulator. Follow guidance from OSFI, Transport, Energy/Nuclear regulators, and the Canadian Centre for Cyber Security for sector specifics. (Many will reference Bill C-8 while it’s in debate.)



How CCSPA compares internationally

Canada’s push mirrors global moves to harden critical infrastructure:

  • The EU’s NIS2 sets mandatory risk management and reporting across essential/important sectors; some member states can require use of certified ICT under the EU Cybersecurity Act (lop.parl.ca).
  • The U.S. relies on a mix of sectoral directives, incident reporting rules, and voluntary frameworks, with growing mandatory pieces for critical infrastructure.

For multinational operators, aligning with 72-hour reporting, supply-chain controls, and board-level accountability provides a common denominator.


Likely timeline and what to watch

Bill C-8 must complete Second Reading → Committee → Report Stage → Third Reading, then repeat the process in the Senate, and receive Royal Assent. The core obligations will rely on regulations (e.g., incident definitions, reporting forms, review cadence), which could phase in after passage. Keep an eye on:

  • Parliamentary committee amendments (e.g., transparency around directions, judicial review tweaks);
  • Sector schedules and regulator designations;
  • Draft regulations defining what counts as a “reportable” incident and confirming the ≤72-hour clock;
  • AMP guidance explaining calculation methods (per-day vs per-occurrence).

Conclusion

Canada is on the cusp of a mandatory cybersecurity regime for critical infrastructure. The CCSPA (via Bill C-8) would force designated operators to prove they can prevent, detect, respond to, and report incidents—while managing supply-chain risk and implementing confidential directions. With hefty penalties and regulator oversight on the table, the safest strategy is to treat CCSPA readiness as a 2025 project, not a future problem.


Adv. Viraj Patil Co-Founder & Senior Partner of ParthaSaarathi Disputes Resolution LLP is a Gold Medalist in Law LLB (2008) & Master in Laws LLM specializing in Human Rights & International Laws from National Law School of India University (NLSIU) Bangalore, India’s Premiere Legal Institution.
