From Bill C-26 to C-8: Canada's cyber law reboot explained

Canada's push for mandatory cybersecurity standards in critical infrastructure has been a saga of delays, amendments, and parliamentary resets. Here's how Bill C-8 came to be.

Originally introduced as Bill C-26 in June 2022, the legislation aimed to amend the Telecommunications Act and enact the Critical Cyber Systems Protection Act (CCSPA) to secure telecom networks and vital systems in finance, energy, transport, and telecom.

On June 14, 2022, then Innovation Minister François-Philippe Champagne introduced C-26 following the government's May 2022 announcement banning Huawei and ZTE from 5G networks, aligning with Five Eyes allies (Australia, Canada, New Zealand, the United Kingdom, and the United States).

Part one empowered the Governor in Council and Minister to order telecom providers to mitigate threats from "high-risk suppliers" like Huawei, with information-sharing and enforcement powers. Part two created the CCSPA, allowing designation of "critical cyber systems" operators with obligations for cybersecurity programs, supply-chain risk mitigation, and incident reporting.

The bill advanced slowly through the House of Commons Standing Committee on Public Safety and National Security (SECU). By April 8, 2024, SECU completed a clause-by-clause study with amendments strengthening personal data handling, transparency, and a "due diligence" defence for operators. It passed the House on June 19, 2024, with cross-party support.

The Senate completed the third reading in December 2024.

Just when Bill C-26 seemed poised for passage, a technical glitch noticed by Sen. Hassan Yousuff nearly derailed its core cybersecurity provisions. A House of Commons committee amendment had renumbered clauses in the bill's second part - the Critical Cyber Systems Protection Act (CCSPA) - without updating cross-references in related legislation.

"We are in a place where human beings are involved in drafting legislation, but equally, I'm hoping that, once we're aware of something wrong, we can take the necessary steps to remedy it. I don't believe anyone was at fault in making this error. It was an oversight and was caught in time for us to do our work appropriately. Unfortunately, this bill will have to go back to the House so they can ensure that it complies with other pieces of legislation that were passed recently," said Yousuff in the meeting.

The problem stemmed from Bill C-70, the fast-tracked foreign interference law passed in spring 2024. C-70 was explicitly designed to repeal and supersede one specific section of C-26 related to information-sharing between government agencies. But the renumbering meant C-70's repeal clause would, without any change to its text, wipe out the entire second half of C-26, annulling the CCSPA the moment it received Royal Assent.

Senate amendments in December 2024 fixed the numbering mismatch, preserving the bill's substance. 

But on January 6, 2025, prorogation, followed by a federal election, killed C-26 and dozens of other bills on the Order Paper.

The revival

Following Mark Carney's Liberals' win in March of that year, the new government reintroduced nearly identical provisions to Bill C-8 on June 18, 2025, signalling urgency for digital defence amid rising threats. C-8 mirrored C-26's dual structure: telecom security enhancements and CCSPA for baseline protections in vital sectors.

C-8 passed second reading and entered the Standing Committee on Public Safety and National Security (SECU) study in October 2025. Industry Canada briefing notes emphasised its role in closing gaps in threat response, with the expected passage expected to bring mandatory reporting and guidance for operators.

As of February 2026, C-8 (née C-26) continues to operate through SECU, with KPMG analysts noting an expanded scope across finance, energy, and transport. The framework promises enforceable directions to designated operators, addressing ransomware and state threats highlighted in the National Cyber Threat Assessment 2025-2026.