November 12, 2025
Bill C-8 establishes the Critical Cyber Systems Protection Act (CCSPA) and enhances federal oversight of telecommunications to protect Canada’s critical infrastructure from cyber threats. DIACC recognizes the urgent need to protect vital systems underpinning our digital economy while maintaining the trust foundations essential to Canada’s prosperity.
Key Provisions
Bill C-8 establishes mandatory cybersecurity obligations for designated operators in telecommunications, banking, energy, transportation, and nuclear sectors:
- Cybersecurity programs are required within 90 days, with annual reviews
- Incident reporting to the Communications Security Establishment within 72 hours
- Supply chain risk management and record-keeping in Canada
- The federal government may issue confidential, binding directions without prior consultation
- Penalties up to $15 million per violation for organizations
Critical Considerations
Encryption and Privacy Protections
Provisions grant broad powers to direct telecommunications providers “to do anything or refrain from doing anything.” The Privacy Commissioner noted Bill C-8 could result in the collection of subscriber information, communication data, metadata, and location data. The Intelligence Commissioner questioned whether warrantless seizure of information can be constitutionally justified.
Technical experts warn these powers could require weakening encryption standards. Encryption is foundational infrastructure for digital trust, protecting financial transactions, healthcare communications, and secure authentication systems that enable digital identity solutions.
Transparency and Accountability
The bill authorizes confidential directions without requiring consultation with affected operators or notification to the privacy oversight body. The Privacy Commissioner recommended that government institutions notify his Office of cybersecurity incidents involving material privacy breaches. The absence of privacy impact assessment requirements represents a significant safeguard gap.
Interoperability and Standards
Cybersecurity measures should align with frameworks, including DIACC’s Pan-Canadian Trust Framework (PCTF), which provides consensus-based protocols for digital identity and authentication. Consistency between federal cybersecurity requirements and provincial privacy regimes is essential for seamless digital services and interprovincial trade.
Economic Impact
Limited implementation detail exists, with specifics deferred to future regulations. The absence of exemptions for organizations with mature cybersecurity protocols and the lack of financial incentives for proactive investments may disproportionately impact small and medium enterprises. Requirements diverging from international standards could affect Canada’s competitiveness as a trusted destination for digital business.
DIACC’s Recommendations
DIACC encourages policy frameworks that:
- Strengthen security without compromising privacy: Preserve encryption standards and privacy-enhancing technologies, enabling trusted digital interactions
- Promote transparency and accountability: Implement privacy impact assessments and meaningful consultation with oversight bodies.
- Ensure interoperability: Align federal requirements with provincial frameworks and international standards
- Balance security with civil liberties: Maintain robust Charter rights protections while securing critical infrastructure.
- Foster innovation: Enable Canadian organizations to compete globally while maintaining high security standards
Canada can establish cybersecurity governance that protects critical infrastructure while preserving trust, privacy, and innovation. DIACC encourages ongoing consultation to ensure Bill C-8 achieves security objectives while maintaining digital trust foundations essential to Canada’s economic prosperity and democratic values.
Joni Brennan
President, DIACC
