Strengthening cybersecurity and resilience of critical infrastructure in Canada

The main objective of this bill is to protect critical digital systems from growing threats in cyberspace, while giving the government more robust legal tools to intervene when a risk is identified.

Bill C-8 has a dual purpose. First, it strengthens federal authority over telecommunications by allowing the government to order service providers or operators to take or avoid specific measures to secure networks against interference, manipulation, or disruption. Second, it establishes mandatory cybersecurity obligations for designated operators of systems deemed “critical” to the public interest or national security, particularly in the telecommunications, transportation, energy, and banking sectors.

The bill primarily targets organizations under federal jurisdiction, for example telecom service providers, financial institutions, interprovincial transportation networks, and energy system operators. These entities, known as “designated operators,” will be required to develop, implement, and maintain a structured cybersecurity program, promptly report incidents, and manage risks related to their technical supply chain.

For Quebec companies, even non-federal ones, this could have a significant indirect impact.  

For example, if a Quebec company provides services or products to a designated operator (e.g., software, cloud services, technical components), it may be required to meet compliance requirements imposed on its federal customer (documentation requirements, audits, specific security measures).

This may result in additional cybersecurity investments, changes to internal practices, and increased collaboration with federal partners.

Specific examples of how this might work include requiring a large network provider to set up a formal cybersecurity program within 90 days, report incidents to federal authorities within 72 hours, and manage risks related to foreign suppliers identified as potentially vulnerable. Significant financial penalties, up to millions of dollars per violation, are planned for non-compliance.

In summary, Bill C-8 marks an important step toward mandatory and regulated cybersecurity in Canada.  

Quebec companies, even if they are not themselves designated, must monitor these legislative developments, as their business relationships with federal operators or their own security strategies could be affected. 

Sébastien Lafond
Practice Leader - Technologies and Cyberrisks, Lussier  
