On June 18, 2025, the government introduced Bill C-8, an Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, in the House of Commons.

It shares the same name of its predecessor, Bill C-26, which was introduced by the Trudeau Government in 2022. Up until now, it was unclear whether the new government would resurrect the Bill C-26 which died on the order paper with the dropping of the writ for a federal election earlier this year.

Like its predecessor, Bill C-8 has two purposes:

  • First, the bill would amend the Telecommunications Act to empower the government to stop telecommunications service providers from using or providing products and services posing security risks. Practically speaking, this would allow the government to order companies not to use products or services from, for example, certain Chinese-controlled companies. Providers could be ordered to remove such equipment even if already installed.
  • Second, the bill would impose minimal cyber security obligations on organizations in certain critical infrastructure sectors under federal jurisdiction (including transport, energy, and banking) through a new Critical Cyber Systems Protection Act (CCSPA).

C-8 is substantially identical to the last published version of C-26 from June 2024. The Summary paragraphs describing the effects of each bill are identical save for the fact that Bill C-8 makes no mention of an amendment to the Canada Evidence Act, and indeed that amendment, which in Bill C-26 gave the Federal Court jurisdiction over certain matters, is gone from Bill C-8. The tables of provisions are also identical except for the omission of the Canada Evidence Act amendments, and the addition of a new section 146 (discussed below).

Key features of Bill C-8

Bill C-8 closely mirrors the June 2024 version of Bill C-26, with only a few key differences:

  • Omission of Canada Evidence Act amendments: Bill C-8 no longer includes the consequential amendment to the Canada Evidence Act that was present in C-26.
  • Correction of drafting errors: The new bill corrects structural and cross-referencing issues that previously nullified enforcement provisions under the CCSPA.
  • Refined scope of threats: Section 15.1(2) now limits the types of threats that can trigger government orders to “interference, manipulation, disruption, or degradation,” removing the broader, non-exclusive list used in C-26.
  • Judicial review reforms: Section 15.9(1) of the Telecommunications Act and Section 145 of the CCSPA have been revised to eliminate procedural elements that previously allowed the government to make confidential submissions and withhold full disclosure under national security grounds. These changes aim to enhance transparency in judicial review processes.
  • New appeal provision: Section 146 of the CCSPA introduces a mechanism for appealing judicial decisions made during review proceedings.

Notably absent from the new bill are any attempt to address concerns about high compliance costs for small businesses subject to the CPPSA, exemptions for mature organizations that adhere to cyber security programs that significant exceed the requirements of Bill C-8 and are at least arguably better equipped to assess their own cyber security posture than their own regulators, or any positive incentives for organizations to invest in better cyber security (though these may crop up in other aspects of new federal policy aimed at improving national security).

The reintroduction of what was essentially the same Bill toward the end of its tenure in the legislature confirms the new federal government intends to continue the course set by the last government in respect of cyber security policy, at least in the short term. Hopefully, it also indicates an intention to pursue the same goals with greater urgency and speed.

For any questions about Bill C-8, please contact one of the authors of a member of Gowling WLG’s Privacy & Cyber Security team.