Canadian Cybersecurity Law
GreenHat Security | Updated Jun 16, 2026 | 5 min read | Source: Parliament of Canada

What Bill C-8 Means for Critical Infrastructure CISOs in Canada

Bill C-8 received Royal Assent on June 15, 2026. That matters because Canadian critical infrastructure cybersecurity is moving out of the world of voluntary best practice and into a world where designated operators will need to prove that cyber risk is being managed, not merely discussed.

For CISOs, the real question is not whether the organization has a security policy. The question is whether the organization can show how critical cyber systems are identified, protected, monitored, recovered, and governed when a regulator, board, or customer asks for evidence.

This is not legal advice. It is a practical GreenHat Security briefing for critical infrastructure CISOs, risk leaders, and security teams who need to translate Bill C-8 into operating work.

What Bill C-8 does in plain language

Bill C-8 is Canada's federal cybersecurity law for critical cyber systems. It amends the Telecommunications Act and creates the Critical Cyber Systems Protection Act, often shortened to CCSPA. The point is simple: if a cyber system supports a service that is vital to national security or public safety, the operator may be required to maintain a real cybersecurity program around it.

The law is aimed at resilience. It focuses on identifying and managing cyber risk, protecting critical systems, detecting incidents, minimizing impact, managing supply-chain risk, reporting cyber incidents, and following cyber security directions where they apply.

The useful CISO translation is this: Bill C-8 is less about having a binder and more about proving that security routines operate when the system matters. If your evidence lives in scattered tickets, tribal knowledge, vendor spreadsheets, and heroic incident response, now is the time to clean that up.

Who is directly in scope

Bill C-8 does not automatically turn every Canadian company into a regulated critical infrastructure operator. The direct obligations apply to designated operators of critical cyber systems in federally regulated vital services and vital systems.

The initial vital services and systems identified by the federal materials include telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems, banking systems, and clearing and settlement systems. Public Safety Canada also frames the core sectors as finance, telecommunications, energy, and transportation.

That scope detail matters. A software vendor, managed service provider, AI platform, industrial supplier, or cloud service provider may not be directly designated, but it can still feel the law through customers. Critical infrastructure companies will push requirements down into contracts, security questionnaires, incident notification clauses, audit rights, recovery commitments, and evidence requests. Use GreenHat's Vendor Security Assessment Questionnaire Template as a practical way to turn those customer asks into reusable supplier evidence.

  • Direct scope starts with designated operators, not every business in Canada.
  • Indirect scope reaches vendors and suppliers that support designated operators.
  • The board-level question becomes whether critical systems and dependencies are visible enough to defend.

What changes for CISOs

The biggest change for CISOs is accountability for operating proof. A mature-looking program that cannot show current system scope, control ownership, vendor dependencies, incident paths, recovery assumptions, and evidence history will struggle under a Bill C-8 lens.

A CISO should expect more pressure around the basics that usually break during real incidents: who owns each critical service, which systems are truly critical, who has privileged access, which suppliers can affect availability, how quickly incidents are detected, who notifies whom, and what evidence shows that controls are actually running.

This is also a governance problem. Security teams cannot carry Bill C-8 alone. Legal, procurement, operations, privacy, engineering, compliance, executive leadership, and the board all need a shared operating model. The CISO's job is to make the risk visible enough that the business can make decisions before the incident.

CISO readiness checklist

  • Confirm designation exposure: Identify whether your organization, subsidiaries, services, or customers are likely to fall under a designated sector or operator model.
  • Map critical cyber systems: List the systems that support continuity, safety, customer delivery, identity, payments, operations, and incident response.
  • Assign accountable owners: Name business, technical, legal, and executive owners for each critical service before a crisis forces the conversation.
  • Validate reporting paths: Document who decides whether an event is reportable, who notifies regulators or customers, and what evidence is needed.
  • Review vendor dependencies: Classify suppliers by operational dependency, not just spend, contract value, or procurement category.
  • Prepare board-ready evidence: Turn control work into plain-language proof of scope, gaps, owners, timelines, decisions, and accepted risk.

30/60/90 day CISO plan

The first move is not buying another tool. The first move is building a defensible map of critical cyber systems and the operating evidence around them. If the organization is eventually designated, that map becomes the starting point. If it is not directly designated, the same map helps answer customers and regulated partners.

Start with the services that would create the most operational, safety, customer, or regulatory pain if they failed. For each one, identify the business owner, technical owner, supporting vendors, privileged access paths, data dependencies, and recovery assumptions.

The goal is not a perfect asset inventory. It is a board-usable map of the systems that matter and the dependencies that could make a cyber incident bigger than the security team.

CISO outputs (first 30 days)

  • Critical service and system map
  • Named owners for each critical service
  • Top vendor dependency list
  • Initial evidence gap register
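The first-30-day outputs above (service map, named owners, vendor dependency list, evidence gap register) can be generated from one small inventory rather than four separate spreadsheets. The script below is an added example written for this briefing, not code from the original page or from any GreenHat template. All service names, owners, vendors and spend figures are constructed and hypothetical, and the "dependency score" (the summed impact rating of every critical service a vendor underpins) is an assumption chosen to make "operational dependency, not spend" measurable. It also shows the contrast the checklist warns about: the vendor with the largest contract is not the vendor the operation depends on most.

```python
"""Added example: deriving the 30-day CISO outputs from one critical service map.

Constructed data with hypothetical names; not from any real operator or from
the original page. The dependency score (sum of the impact ratings of the
services a vendor underpins) is an assumption made for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CriticalService:
    name: str
    impact: int                          # 1..5: pain if the service fails (5 = worst)
    business_owner: Optional[str]        # None = no accountable business owner yet
    technical_owner: Optional[str]       # None = no accountable technical owner yet
    vendors: list[str] = field(default_factory=list)
    privileged_access_paths: list[str] = field(default_factory=list)
    recovery_assumption: Optional[str] = None   # None = nobody has written one down


# Constructed inventory for a hypothetical designated operator.
SERVICES = [
    CriticalService("Settlement gateway", 5, "VP Payments", "Payments Platform Lead",
                    vendors=["AcmeCloud", "IdentiCorp IdP"],
                    privileged_access_paths=["break-glass admin group", "AcmeCloud console"],
                    recovery_assumption="fail over to second AcmeCloud region within 1h"),
    CriticalService("Customer identity", 5, None, "IAM Lead",
                    vendors=["IdentiCorp IdP"],
                    privileged_access_paths=["IdP tenant admin"]),
    CriticalService("SOC monitoring", 4, "CISO", "Detection Lead",
                    vendors=["LogVault SIEM", "AcmeCloud"],
                    recovery_assumption="rebuild from config repo within 8h"),
    CriticalService("Employee payroll", 2, "HR Director", "Corporate IT",
                    vendors=["PayPeople SaaS"],
                    privileged_access_paths=["SaaS admin"],
                    recovery_assumption="vendor SLA, 24h"),
]

# Constructed annual spend, to contrast procurement's view with operational dependency.
VENDOR_SPEND = {"AcmeCloud": 2_000_000, "IdentiCorp IdP": 120_000,
                "LogVault SIEM": 400_000, "PayPeople SaaS": 90_000}


def rank_vendors(services, spend):
    """Rank vendors by the summed impact of the critical services they underpin."""
    score = defaultdict(int)
    backed = defaultdict(list)
    for svc in services:
        for vendor in svc.vendors:
            score[vendor] += svc.impact
            backed[vendor].append(svc.name)
    rows = [{"vendor": v, "dependency_score": score[v], "services": backed[v],
             "annual_spend": spend.get(v, 0)} for v in score]
    # Highest dependency first; vendor name as a stable tiebreaker.
    return sorted(rows, key=lambda r: (-r["dependency_score"], r["vendor"]))


def evidence_gap_register(services):
    """List what cannot currently be evidenced per service, highest impact first."""
    gaps = []
    for svc in services:
        if svc.business_owner is None:
            gaps.append((svc.name, svc.impact, "no named business owner"))
        if svc.technical_owner is None:
            gaps.append((svc.name, svc.impact, "no named technical owner"))
        if not svc.privileged_access_paths:
            gaps.append((svc.name, svc.impact, "privileged access paths not documented"))
        if svc.recovery_assumption is None:
            gaps.append((svc.name, svc.impact, "no documented recovery assumption"))
    return sorted(gaps, key=lambda g: (-g[1], g[0], g[2]))


if __name__ == "__main__":
    print("Top vendor dependencies (dependency score vs. annual spend):")
    for r in rank_vendors(SERVICES, VENDOR_SPEND):
        print(f"  {r['vendor']:<15} score={r['dependency_score']:<3} "
              f"spend=${r['annual_spend']:>9,}  services={r['services']}")
    print("Evidence gap register:")
    for name, impact, gap in evidence_gap_register(SERVICES):
        print(f"  [impact {impact}] {name}: {gap}")
```

On the constructed data the identity provider ranks first by dependency (it sits under both impact-5 services) while the cloud provider ranks first by spend, which is exactly the disagreement a CISO needs to surface before the board asks "which vendors could take us down?". The gap register deliberately reports missing evidence rather than missing controls: a service with no written recovery assumption may well be recoverable, but nobody can prove it yet.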

Run a tabletop around a critical system outage or compromise. Focus less on whether people know the policy and more on whether they can make decisions quickly with incomplete information.

Use the Vendor Security Assessment Questionnaire Template to check whether key suppliers can provide usable evidence around incident notification, access controls, resilience, monitoring, and subcontractors.

CISO outputs (by day 60)

  • Incident reporting decision tree
  • Tabletop findings and owner actions
  • Vendor notification clause review
  • Evidence package for one critical service

By 90 days, the CISO should be able to show a repeatable operating cadence: system inventory reviews, third-party risk reviews, privileged access recertification, backup and recovery evidence, exception handling, and board reporting.

This is where Bill C-8 readiness becomes security leadership. The organization should know what it owns, where it depends on others, what gaps remain, who accepted the risk, and what will change next.

CISO outputs (by day 90)

  • Monthly critical system review cadence
  • Board-ready risk and progress memo
  • Control evidence collection routine
  • Remediation plan with owners and dates

Supply chain and vendor risk

Bill C-8 explicitly brings supply-chain and third-party risk into the conversation. For CISOs, this is where the law becomes operational very quickly. A critical system is rarely just internal infrastructure. It is vendors, cloud services, managed service providers, identity platforms, payment systems, software libraries, telecom providers, support portals, and data flows.

The practical mistake is treating vendor risk like a procurement form. Critical infrastructure teams need to know which suppliers can affect continuity, confidentiality, integrity, recovery, or incident response. That means classifying vendors by operational dependency, not just contract size.

GreenHat's Vendor Security Assessment Questionnaire Template is a useful starting point for evidence requests. For AI vendors or automated systems connected to critical operations, pair that review with the AI Risk Questionnaire so data use, delegated access, logging, and human approval are explicit.

Questions the board will ask

Boards usually do not need a statutory interpretation of Bill C-8. They need to know whether the organization is exposed, whether management has a plan, whether the plan is funded, and whether the CISO can prove progress without drowning everyone in control language.

The CISO should be ready for five core board questions: Are we likely to be designated? Which systems would matter most? Which vendors could take us down? How would we know and report a cyber incident? What evidence proves that our program works? A sixth follows from the answers: what needs funding or a leadership decision now?

A good answer does not pretend everything is solved. It separates known controls from known gaps, names owners, attaches dates, and explains tradeoffs in business language. That is the difference between security theatre and security leadership.

Board briefing questions

  • Are we likely to be in scope? Give directors a plain-language view of designation exposure, sector relevance, and customer-driven obligations.
  • Which systems matter most? Show the services that would create material operational, safety, customer, or regulatory impact if disrupted.
  • Which vendors could take us down? Name the suppliers tied to continuity, identity, payments, operations, monitoring, recovery, and support.
  • How would we know and report? Explain detection paths, escalation criteria, reporting decision owners, and evidence capture expectations.
  • What proof do we have? Separate current evidence from known gaps so the board can see progress, tradeoffs, and accountable owners.
  • What needs funding or a decision? Bring forward the few decisions leadership must make instead of burying the board in technical control detail.

Bill C-8 FAQ for CISOs

These are the practical questions a CISO is likely to hear first from executives, customers, procurement teams, and internal risk owners.

Has Bill C-8 actually become law?
Yes. Parliament's LEGISinfo page states that Bill C-8 received Royal Assent on June 15, 2026. The operating details still depend on orders, regulations, designation, and sector-specific expectations.

Are vendors and suppliers directly regulated?
Not directly. The direct legal obligations apply to designated operators. Suppliers should still expect flow-down requirements when they support regulated customers or critical systems.

Is Bill C-8 just another compliance project?
No. Treating Bill C-8 as a compliance-only project misses the point. The better lens is resilience: know the systems that matter, reduce preventable failure, detect incidents faster, report clearly, and recover in a way the board and regulator can trust.

Where should a CISO start?
Start with critical system mapping, owner assignment, vendor dependency review, and incident reporting decision paths. If those four pieces are weak, policy cleanup will not save the program.

Source notes

This page is based on current public materials from Parliament of Canada, the Department of Justice Charter Statement, and Public Safety Canada's Bill C-8 committee notes. It is written for CISO planning and security program execution. It is not legal advice.

What To Do Next

Turn Bill C-8 into an operating plan

If your team operates critical infrastructure, sells into regulated operators, or needs to brief the board on Bill C-8 readiness, GreenHat can help map systems, vendors, evidence, reporting paths, and the security work that needs ownership now.

Source and further reading

This GreenHat page cites Bill C-8, 45th Parliament, 1st session from Parliament of Canada. Read the original source.