Canada Bill C-26 (CCSPA): What Critical Infrastructure Operators Must Do
Canada's Bill C-26, formally the Critical Cyber Security Posture Act (CCSPA), represents a significant shift in how the country regulates cybersecurity for critical infrastructure. Enacted in 2023 and with operational requirements ramping throughout 2025–2026, this legislation establishes mandatory security baselines and reporting obligations for operators of essential services. If your organization operates critical infrastructure in Canada—whether in energy, transportation, telecommunications, finance, or water systems—understanding and acting on Bill C-26 requirements is no longer optional.
This guide outlines the core obligations, compliance timelines, and practical steps your organization should take now to meet CCSPA requirements.
What is Bill C-26 (CCSPA)?
Bill C-26 amends Canada's Cybersecurity Act to introduce the Critical Cyber Security Posture Act. The legislation mandates that critical infrastructure operators implement and maintain cybersecurity controls, report security incidents to the federal government, and cooperate with national incident response activities. The law is administered by the Treasury Board of Canada Secretariat (TBS), with sector-specific guidance developed in collaboration with Public Safety Canada and sector regulators.
Unlike previous guidance that was largely advisory, Bill C-26 creates legal obligations backed by enforcement powers and potential penalties for non-compliance.
Who Must Comply?
Bill C-26 applies to operators of critical infrastructure in the following sectors:
- Energy: Electric utilities, oil and gas production and distribution
- Transportation: Air traffic control, rail operators, port authorities
- Telecommunications: Internet service providers, mobile carriers, telecom network operators
- Finance: Banks, payment processors, securities exchanges
- Water: Water treatment and distribution systems
- Government: Federal departments managing critical functions
- Health: Major hospital systems and health authorities
The Act defines "critical infrastructure" by both sector and consequence threshold. Your organization is subject to Bill C-26 if you operate infrastructure whose failure would likely result in a serious adverse effect on public health and safety, the environment, or Canada's economy or security.
Core Requirements Under Bill C-26
1. Implement Prescribed Security Controls
Bill C-26 requires operators to implement cybersecurity controls aligned with a federally prescribed baseline. The Treasury Board of Canada Secretariat has issued the Cyber Security Baseline Controls, which draw on frameworks such as the NIST Cybersecurity Framework, the CIS Controls, and ISO 27001 principles. Key control domains include asset management, access control, data protection, incident response, and supply chain security.
Organizations must demonstrate that controls are technically deployed, regularly tested, and integrated into operational processes—not merely documented in policy.
2. Maintain and Document Cyber Posture
Operators must develop and maintain a Cyber Security Assessment that documents:
- Current state of critical assets and systems
- Identified vulnerabilities and risk ratings
- Deployed controls mapped to TBS baseline requirements
- Remediation plans for gaps and findings
- Governance and roles/responsibilities
This assessment should be updated at least annually, or more frequently if material changes occur (e.g., new systems, breach incidents, organizational restructuring).
3. Report Cyber Security Incidents
Critical infrastructure operators must report cyber security incidents to the federal government within prescribed timeframes. An "incident" is any event that compromises or threatens the confidentiality, integrity, or availability of an information system or data.
Reporting obligations include:
- Immediate notification: Suspected incidents affecting critical functions
- Formal incident report: Detailed technical and business information within 72 hours
- Ongoing updates: Material developments during investigation and remediation
Operators report to the Canadian Centre for Cyber Security (CCCS), part of the Communications Security Establishment (CSE).
4. Participate in Government-Led Response Activities
When requested, operators must cooperate with federal incident response, recovery, or resilience activities. This includes providing technical access, system information, forensic data, and personnel for coordinated response efforts.
Compliance Timeline and Key Milestones
Bill C-26 has been phased in over several years. As of 2026, the following timeline applies:
- 2024: TBS issued sector-specific baseline guidance and assessment frameworks
- 2025: Operators should have completed initial cyber security assessments and identified control gaps
- 2026: Compliance enforcement begins; audits and inspections are underway. Operators must demonstrate that prescribed controls are deployed and functioning
- Ongoing: Annual assessments, incident reporting, and continuous monitoring required
Organizations still in the planning phase should accelerate readiness activities immediately. Federal enforcement is active, and penalties for non-compliance can include fines and director liability.
Practical Steps to Achieve Compliance
Step 1: Conduct a Gap Assessment
Engage with your security team (or a qualified external firm) to assess your current security posture against the TBS baseline controls. Identify which controls are in place, which are partial or planned, and which are missing entirely. Document the findings in a formal report.
Step 2: Develop a Remediation Roadmap
Prioritize gaps based on risk and resource constraints. Controls that address high-impact, high-likelihood threats should be addressed first. Build a realistic timeline and secure executive and budget commitments.
Step 3: Strengthen Governance and Incident Response
Establish or reinforce an executive-level cybersecurity governance structure (e.g., CISO role, board-level oversight). Develop or update incident response procedures, including 72-hour reporting workflows and coordination with CCCS.
Step 4: Deploy and Test Controls
Implement technical and administrative controls (e.g., multi-factor authentication, encryption, vulnerability management, security monitoring, incident response playbooks). Conduct regular penetration testing and security assessments to validate control effectiveness.
Step 5: Document and Maintain Evidence
Compile your cyber security assessment and keep it current. Document control implementation, test results, training records, and incident logs. Prepare for government audits by organizing evidence in a structured format.
Common Misconceptions
- Myth: "Compliance with ISO 27001 or SOC 2 satisfies Bill C-26."
  Fact: While these frameworks overlap with TBS controls, Bill C-26 has specific sector and asset-focused requirements. Use these frameworks as a foundation, but map them explicitly to Bill C-26 baseline controls and address any gaps.
- Myth: "We only need to report major breaches."
  Fact: Bill C-26 requires reporting of cyber incidents that affect critical functions, even if they don't result in data loss. This includes attempted intrusions, malware detections, and prolonged service interruptions.
- Myth: "Compliance is a one-time project."
  Fact: Bill C-26 mandates continuous monitoring, annual assessments, and ongoing incident reporting. Cybersecurity posture must be actively maintained and improved over time.
Frequently Asked Questions
What if our organization operates in multiple Canadian provinces?
Bill C-26 is federal legislation; compliance is determined by whether your infrastructure meets the critical infrastructure definition under the Act, not by geography. Provincial regulators (e.g., energy regulators in Alberta, utilities commissions in Ontario) may issue complementary rules, but the CCSPA baseline is national. Ensure your compliance program addresses both federal requirements and applicable provincial/sector-specific rules.
Who should report an incident to CCCS—our CISO, legal team, or CEO?
Incident reporting to CCCS is typically coordinated by your cybersecurity team (CISO or incident response lead) in consultation with legal and senior management. The person initiating the report should have authority to disclose technical details and commit to follow-up communications. Define clear escalation and notification procedures before an incident occurs; test them regularly.
Are there exemptions or grace periods for smaller critical infrastructure operators?
Bill C-26 does not provide blanket exemptions based on organization size. However, the severity of required controls may scale based on risk and operational context. A small regional water utility may have simpler asset inventories and networks than a national telecom carrier, allowing for proportionate control implementation. TBS guidance includes risk-based assessment frameworks; engage with your sector regulator to discuss proportionality if applicable to your organization.
Moving Forward
Bill C-26 marks a watershed moment for Canadian critical infrastructure cybersecurity. The transition from advisory frameworks to mandatory legal obligations requires immediate action from operators who are not yet compliant. The investment in security controls, incident response capabilities, and governance structures is not only a regulatory requirement—it strengthens resilience and protects public safety.
If your organization has not yet begun Bill C-26 readiness activities, now is the time to start. Praxis-Q works with critical infrastructure operators across Canada to conduct gap assessments, design remediation programs, and prepare for compliance audits. Learn more about our Bill C-26 readiness services to accelerate your organization's path to compliance.
Sahil Dubey
Compliance & Security Expert
CISA, ISO 27001 LA, AWS Certified. 11+ years in information security, cloud services, and compliance. Founder of Praxis-Q.