What Canadian Businesses Need to Know About Bill C-26
Canada is strengthening its cybersecurity laws. Bill C-26 — originally introduced in 2022 and containing the Critical Cyber Systems Protection Act (CCSPA) — represented the most significant federal cybersecurity legislation Canada had proposed to date. Although Bill C-26 passed both chambers of Parliament in late 2024, it did not receive Royal Assent before Parliament was prorogued in January 2025 and died on the Order Paper. Its provisions were subsequently reintroduced as Bill C-8 in June 2025.
The legislation targets operators of critical infrastructure — telecommunications, finance, energy, and transportation — but its implications extend to businesses of all sizes that operate within or supply services to these sectors.
For Canadian small and medium businesses, understanding this legislation is important even if your business is not directly subject to its requirements. It signals the clear direction of federal cybersecurity policy and establishes expectations that may broaden over time.
What Is Bill C-26?
Bill C-26 contains two main components:
Part 1: Amendments to the Telecommunications Act
Part 1 gives the federal government new powers to direct telecommunications service providers to take specific actions to secure Canada's telecommunications infrastructure. This includes the authority to prohibit the use of specific products or services from designated suppliers — a provision widely understood to address concerns about equipment from vendors with ties to foreign governments.
For most small businesses, Part 1 is relevant primarily as context: the federal government is taking an active role in securing the telecommunications networks that Canadian businesses depend on.
Part 2: The Critical Cyber Systems Protection Act (CCSPA)
Part 2 is the core of Bill C-26 for business purposes. The CCSPA creates a new regulatory framework that imposes cybersecurity obligations on operators of "critical cyber systems" — systems associated with services and infrastructure deemed vital to national security or public safety.
The sectors designated under the CCSPA include:
- Telecommunications — Internet and phone service providers
- Finance — Federally regulated banks, insurance companies, and clearing houses
- Energy — Interprovincial and international pipeline operators, nuclear energy facilities, and electricity systems
- Transportation — Federally regulated air, rail, and marine transportation systems
The Governor in Council may designate additional sectors and services through regulation, meaning the scope of the law could expand over time.
What the CCSPA Requires
Designated operators under the CCSPA will be required to:
Establish a Cybersecurity Program
Operators must implement and maintain a cybersecurity program that includes measures to:
- Identify and manage cybersecurity risks to their critical cyber systems
- Protect those systems from compromise
- Detect cybersecurity incidents
- Minimize the impact of incidents that do occur
This framework closely mirrors the structure of established cybersecurity standards like the NIST Cybersecurity Framework and aligns with the principles behind the Canadian Centre for Cyber Security's Baseline Controls — identify, protect, detect, and respond.
Report Cybersecurity Incidents
Operators must report cybersecurity incidents to the Canadian Centre for Cyber Security (CCCS) and to the appropriate sector-specific regulator. The reporting requirements include:
- Mandatory reporting of incidents that affect or have the potential to affect critical cyber systems
- Timely notification — the specific reporting timelines will be established through regulation, but the intent is to ensure that the government is informed of significant incidents quickly enough to coordinate a response
- Information sharing — reported information may be shared between government agencies for national security purposes
Comply with Government Directives
The CCSPA gives the Governor in Council the authority to issue cybersecurity directions requiring designated operators to take, or refrain from taking, specific actions to protect critical cyber systems. These directions can be issued in response to a specific threat or on a preventive basis.
Importantly, these directions can be kept confidential — operators may be prohibited from disclosing that a direction has been issued. This provision has raised concerns from privacy and civil liberties organizations, though the government has argued it is necessary to prevent adversaries from learning about defensive measures.
Maintain Records and Undergo Audits
Operators must maintain records of their cybersecurity programs, risk assessments, and incident reports. Regulators will have the authority to conduct compliance audits, and operators must cooperate with these audits.
Penalties for Non-Compliance
The CCSPA introduces significant penalties:
- Individuals: Fines up to $1 million and/or imprisonment for up to five years for certain offences
- Organizations: Fines up to $15 million per violation
- Administrative monetary penalties (AMPs): Up to $1 million for individuals and $15 million for organizations, which can be imposed without court proceedings
These penalties are designed to ensure that cybersecurity is treated as a serious regulatory obligation, comparable to financial regulation or environmental compliance.
Why This Matters for Small Businesses
If your business does not operate critical infrastructure, you may not be directly subject to the CCSPA. However, there are several reasons why Bill C-26 is relevant to Canadian SMBs.
Supply Chain Requirements Will Flow Downstream
Designated operators will be required to manage cybersecurity risks across their supply chains. If your business provides products, services, or IT support to a telecommunications company, bank, energy company, or transportation operator, you may be asked to demonstrate that your own cybersecurity practices meet a minimum standard.
This is already happening in other jurisdictions. In the United States, defence contractors must comply with the Cybersecurity Maturity Model Certification (CMMC), and their subcontractors must as well. Bill C-26 creates the foundation for similar requirements in Canada.
For small businesses that serve enterprise or government clients, this means your cybersecurity posture is increasingly a factor in your ability to win and retain contracts. The Canadian Centre for Cyber Security's Baseline Controls provide a practical, government-backed framework for demonstrating due diligence.
It Signals the Direction of Federal Policy
Bill C-26 is the beginning, not the end, of Canada's cybersecurity regulatory journey. The CCSPA allows for additional sectors to be designated over time, and the federal government has indicated interest in broader cybersecurity standards across the economy.
Businesses that invest in foundational cybersecurity practices now — incident response planning, patch management, access control, multi-factor authentication — will be better positioned to adapt as regulations expand.
Breach Reporting Norms Are Converging
The CCSPA's incident reporting requirements add to the existing breach notification obligations under PIPEDA and provincial privacy laws. For businesses in regulated sectors, this means potentially reporting the same incident to multiple authorities.
For all businesses, the trend is clear: mandatory incident reporting is becoming the norm across Canadian law. Having an incident response plan that includes clear reporting procedures is no longer just a best practice — it is increasingly a legal expectation.
Cybersecurity Is Becoming a Governance Issue
Bill C-26 signals that cybersecurity is transitioning from a purely technical concern to a governance and compliance issue. Business owners and boards of directors will be expected to understand their organizations' cybersecurity risks and ensure adequate measures are in place.
For small business owners, this means cybersecurity needs to be part of business planning — not delegated entirely to an IT provider without oversight.
What Canadian SMBs Should Do Now
Even if your business is not directly regulated under the CCSPA, these steps will position you well as cybersecurity expectations continue to rise across the Canadian business landscape.
Understand the Baseline Controls
The Canadian Centre for Cyber Security's Baseline Cyber Security Controls for Small and Medium Organizations provide a practical framework that aligns with the principles underlying Bill C-26. The 13 control areas cover the fundamentals — from network security to data backup to security awareness training.
Our free cybersecurity assessment evaluates your business against these controls and provides specific, actionable recommendations.
Document What You're Doing
If you're already taking security measures — using MFA, running backups, keeping software updated — make sure these practices are documented. As supply chain requirements flow down from regulated entities, you may be asked to demonstrate your cybersecurity posture to clients or partners. Having documentation ready is significantly easier than building it from scratch under a deadline.
Prepare for Incident Reporting
Regardless of your sector, having a clear process for identifying, assessing, and reporting cybersecurity incidents prepares your business for both current obligations under PIPEDA and any future requirements that may emerge from Bill C-26's regulatory framework.
Stay Informed
The CCSPA's specific requirements will be detailed in regulations that are still being developed. The Canadian Centre for Cyber Security and the Office of the Privacy Commissioner are the authoritative sources for guidance as these regulations take shape.
The Connection to AI and Emerging Threats
Bill C-26 arrives at a time when the threat landscape is evolving rapidly. AI-powered phishing and automated attack tools are making it easier for threat actors to target organizations of all sizes. The legislation recognizes that cybersecurity is a shared responsibility — critical infrastructure operators cannot be secure if their vendors, suppliers, and partners are not.
For small businesses, this reinforces a message that runs through all of Canada's cybersecurity guidance: the fundamentals matter. Strong passwords, multi-factor authentication, employee training, and incident response readiness are not just technical best practices — they are becoming the cost of doing business in Canada's digital economy.
Frequently Asked Questions
Does Bill C-26 apply to my small business?
Bill C-26's mandatory requirements under the CCSPA apply specifically to operators of critical cyber systems in designated sectors — telecommunications, finance, energy, and transportation. Most small businesses are not directly subject to these requirements. However, if your business provides services to organizations in these sectors, you may face cybersecurity requirements through supply chain contracts. The scope of designated sectors may also expand through future regulation.
When does Bill C-26 come into effect?
Bill C-26 passed both chambers of Parliament in late 2024 but did not receive Royal Assent before Parliament was prorogued in January 2025. Its provisions were reintroduced as Bill C-8 in June 2025, which is currently progressing through the legislative process. The specific requirements under the CCSPA will be defined through regulations that are still being developed. Designated operators should monitor the Canada Gazette and guidance from sector-specific regulators for implementation timelines. Small businesses should use this period to strengthen their cybersecurity posture proactively.
What are the penalties under Bill C-26?
The CCSPA provides for fines of up to $15 million per violation for organizations and up to $1 million for individuals, as well as potential imprisonment of up to five years for certain offences. Administrative monetary penalties can be imposed without court proceedings. These penalties apply to designated operators who fail to establish cybersecurity programs, report incidents, or comply with government directives.
How does Bill C-26 relate to PIPEDA?
Bill C-26 and PIPEDA address different but overlapping concerns. PIPEDA requires organizations to protect personal information and report breaches involving personal data to the Office of the Privacy Commissioner. The CCSPA requires designated operators to protect critical cyber systems and report cybersecurity incidents to the Canadian Centre for Cyber Security. A single incident could trigger reporting obligations under both laws. Aligning your cybersecurity and privacy practices ensures you can meet both sets of requirements efficiently.
What cybersecurity framework should I follow to prepare?
The Canadian Centre for Cyber Security's Baseline Cyber Security Controls for Small and Medium Organizations are the most practical starting point for Canadian SMBs. These controls align with the principles underlying Bill C-26 and are designed to be achievable for organizations with limited resources. For businesses seeking a more comprehensive framework, the NIST Cybersecurity Framework and CIS Controls are widely recognized internationally and referenced by Canadian government guidance.
Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk. See our Privacy Policy for more information.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.