Between compliance and complexity: Canada’s new cybersecurity law deciphered

(Cybersecurity Bill C-26)

Cybersecurity Act in Canada in 2025

Why is the Cybersecurity Act useful?

  • Technical recommendations and scattered policies are no longer sufficient
  • A legal and proactive approach is needed, hence the birth of Bill C-26 (Cybersecurity Act)

Problem: Today, what is the level of adoption of the Cybersecurity Act?

Canadian legal framework, trends and statistics

-Introduced in 2022, Bill C-26 aims to strengthen the cybersecurity of critical infrastructure by introducing obligations for so-called strategic companies and amending:

  • Laws on communication and on emergency management

-Key objectives of Bill C-26:

  • Enforce the application of minimum protection measures for critical systems
  • Request cybersecurity incident reports (generally a 24-hour reporting deadline)
  • Require immediate patches for critical vulnerabilities

-Entities concerned: Telecommunications – Energy (electricity, oil, gas) – Transport (rail, maritime, air) – Financial services – Health – etc.

According to the CCC (Canadian Centre for Cyber Security), more than 40% of targeted entities have not yet implemented cybersecurity program measures that meet the minimum requirements.

Risks, real cases, consequences

-We have recorded several major incidents in recent years:

  • Ransomware Attack on the Newfoundland Health Authority (2021)
  • Attempts to Infiltrate Telecommunications Networks (2022-2023)
  • Hacking of a Rail Transportation Provider’s Database (2024)

-These incidents revealed:

  • Lack of intersectoral coordination
  • Delays in detection and response
  • Lack of awareness of the legal framework among many subcontracting SMEs

Consequences: Under Bill C-26, failure to comply with the requirements may result in sanctions, court orders, or even the suspension of certain operations.

Key Recommendations

For Large Enterprises / Critical Infrastructure:

  • Develop a clear, concise and rapid incident reporting procedure
  • Conduct a C-26 compliance audit annually
  • Appoint a cybersecurity officer (CISO) and implement appropriate governance
  • Comply with the Canadian Centre for Cyber Security Guidelines (CCS Framework)

For SMEs or Subcontractors:

  • Update internal security policies
  • Establish an incident log and response plan
  • Ensure that systems are patched, segmented and continuously monitored
  • Regularly seek expert advice as needed

Bill C-26 marks a strategic shift in Canada's digital security posture by imposing an unprecedented level of vigilance, traceability and preparation.
