Legislative Update — April 2026

Bill C-26 passed the House of Commons in June 2024 but died on the Order Paper in January 2025 following prorogation. The successor legislation, Bill C-8, was reintroduced in June 2025 with substantially identical provisions. Bill C-8 passed Third Reading in the House of Commons on March 26, 2026 and is now before the Senate. Organizations in designated sectors should begin preparing now.

The Critical Cyber Systems Protection Act (CCSPA), introduced through Bill C-26 and now carried forward as Bill C-8, represents the most significant Canadian cybersecurity legislation in a generation. It establishes mandatory cybersecurity obligations for operators of critical infrastructure across federally regulated sectors.

For the first time, Canadian law will require designated operators to establish formal cybersecurity programs, report incidents to the Communications Security Establishment (CSE), manage supply chain cyber risks, and comply with government directives — or face severe financial penalties.

Legislative Progress

June 2022: Bill C-26 introduced in the House of Commons
June 2024: Bill C-26 passed Third Reading in the House with cross-party support
December 2024: Senate completed Third Reading with amendments to fix numbering issues
January 2025: Bill C-26 died on the Order Paper following prorogation and federal election
June 2025: Bill C-8 introduced with substantially identical CCSPA provisions
March 2026: Bill C-8 passed Third Reading in the House of Commons; now before the Senate
Expected 2026: Royal Assent and proclamation — designated operators will have 90 days to establish cybersecurity programs

Designated Sectors

The CCSPA applies to operators in six federally regulated critical infrastructure sectors.

Telecommunications

Telecom service providers and network operators

Energy & Pipelines

Interprovincial/international pipeline and power line systems

Banking & Finance

Banks and clearing and settlement systems

Transportation

Federally regulated transportation systems

Nuclear Energy

Nuclear energy systems and facilities

Federal Systems

Other critical services within federal jurisdiction vital to national security

Key Requirements

The CCSPA imposes five core obligations on designated operators.

Penalties

The CCSPA establishes significant penalties for non-compliance. Each day a violation continues constitutes a separate offence.

  • $15M: Maximum administrative monetary penalty per violation for organizations (per day of continued violation)
  • $500K: Maximum penalty for individuals (directors and officers), as amended by Bill C-8 (reduced from $1M)
  • Summary: Criminal offences for failure to comply with cybersecurity directions or reporting obligations, including potential imprisonment

How Bedrock Safeguard Helps

Our existing threat intelligence capabilities map directly to CCSPA requirements.

CCSPA Requirement: Establish and maintain a cybersecurity program
Bedrock Capability: Continuous Threat Monitoring
24/7 monitoring across 10+ intelligence sources, automated IOC tracking, and security posture scoring for your domains and assets.

CCSPA Requirement: Report cybersecurity incidents
Bedrock Capability: Incident Detection & Alerting
Real-time breach detection, credential exposure monitoring, and automated alerting via Slack, email, and webhooks to support rapid incident identification.

CCSPA Requirement: Identify and manage cyber risks
Bedrock Capability: Risk Assessment Tools
Domain security scoring, exposure scanning, vulnerability detection, and SSL/DNS/header analysis to identify and quantify your risk surface.

CCSPA Requirement: Manage supply chain cybersecurity risks
Bedrock Capability: Threat Intelligence Feeds
STIX/TAXII feeds, IOC export, and vendor comparison tools to assess and monitor the security posture of your supply chain partners.

CCSPA Requirement: Maintain records and support audits
Bedrock Capability: Reporting & Documentation
PDF security reports, historical threat data, IOC logs, and white-label documentation to support compliance record-keeping and regulatory audits.

CCSPA Readiness Plans

Purpose-built packages to help your organization meet CCSPA requirements. All plans include our core threat intelligence platform.

Baseline
Compliance Starter
$49.99 /mo
For organizations beginning their CCSPA compliance journey.
  • Vanguard threat intelligence platform
  • Security posture scoring for 3 domains
  • Breach monitoring for 25 emails
  • Monthly compliance status reports
  • CCSPA requirements checklist
  • Email support (same day)
Enterprise
Compliance Enterprise
$499 /mo
White-glove compliance support with dedicated threat analyst and incident response retainer.
  • Everything in Compliance Professional
  • Dedicated threat analyst
  • Incident response retainer (4 hrs/mo)
  • Custom YARA rules and detection logic
  • SIEM integration support
  • Board-ready compliance reporting
  • Regulatory liaison support
  • Annual tabletop exercise facilitation

CCSPA Readiness Assessment

Answer 8 questions to gauge your organization’s preparedness for CCSPA requirements. Takes less than 2 minutes.

01 Does your organization have a documented cybersecurity program?
02 Do you have an incident response plan that includes procedures for reporting cybersecurity incidents to external authorities?
03 Do you monitor for data breaches and credential exposures affecting your organization?
04 Do you conduct regular vulnerability assessments or penetration testing?
05 Do you assess and manage cybersecurity risks from your supply chain and third-party vendors?
06 Do you monitor your domain’s security posture (SSL/TLS, DNS, security headers)?
07 Do you have threat intelligence feeds integrated into your security operations?
08 Do you maintain records and documentation sufficient to demonstrate cybersecurity compliance to a regulator?

Don’t Wait for Royal Assent

Organizations that start preparing now will be in the strongest position when the CCSPA takes effect. Let us help you build a compliance-ready cybersecurity posture.