Between compliance and complexity: Canada’s new cybersecurity law deciphered

(Cybersecurity Bill C-26)

Cybersecurity Act in Canada in 2025

Why is the Cybersecurity Act useful?

  • It is no longer enough to rely on technical recommendations or scattered policies
  • A legal and proactive approach was needed, hence the birth of Bill C-26 (the Cybersecurity Act)

Problem: Today, what is the level of adoption of the Cybersecurity Act?

Canadian legal framework, trends and statistics

-Introduced in 2022, Bill C-26 aims to strengthen the cybersecurity of critical infrastructure by introducing obligations for so-called strategic companies and amending:

  • Laws on communication and on emergency management

-Key objectives of Bill C-26:

  • Enforce the application of minimum protection measures for critical systems
  • Require cybersecurity incident reports (generally within a 24-hour reporting deadline)
  • Require immediate patches for critical vulnerabilities

-Entities concerned: Telecommunications – Energy (electricity, oil, gas) – Transport (rail, maritime, air) – Financial services – Health – etc.

According to the CCC (Canadian Centre for Cybersecurity), more than 40% of the entities covered have not yet implemented cybersecurity program measures that meet the minimum requirements.

Risks, real cases, consequences

-We have recorded several major incidents in recent years:

  • Ransomware Attack on the Newfoundland Health Authority (2021)
  • Attempts to Infiltrate Telecommunications Networks (2022-2023)
  • Hacking of a Rail Transportation Provider’s Database (2024)

-These incidents revealed:

  • Lack of intersectoral coordination
  • Delays in detection and response
  • Limited awareness of the legal framework among many subcontracting SMEs

Consequences: Under Bill C-26, failure to comply with the requirements may result in sanctions, court orders, or even the suspension of certain operations.

Key Recommendations

For Large Enterprises / Critical Infrastructure:

  • Develop a clear, concise and rapid incident reporting procedure
  • Conduct a C-26 compliance audit annually
  • Appoint a cybersecurity officer (CISO) and implement appropriate governance
  • Comply with the Canadian Centre for Cyber Security Guidelines (CCS Framework)

For SMEs or Subcontractors:

  • Update internal security policies
  • Establish an incident log and response plan
  • Ensure that systems are patched, segmented and continuously monitored
  • Regularly seek expert advice as needed

Bill C-26 marks a strategic shift in Canada's digital security posture by imposing an unprecedented level of vigilance, traceability and preparedness.
