The New Cyber Law Critics Didn’t Want Passed

Canada’s new cyber law hands sweeping order powers to Ottawa while leaving key privacy guardrails in doubt.

Story Snapshot

Bill C-8 makes cybersecurity rules mandatory across major Canadian sectors ^[1]^[5].
Privacy watchdog warns government powers still have broad thresholds ^[6]^[9].
Companies face 72-hour incident reporting and steep fines for violations ^[3].
Law passed with royal assent on June 15, 2026 ^[7].

What Bill C-8 Changes for Critical Infrastructure

Parliament in Canada passed Bill C-8 to impose a mandatory cybersecurity regime on core services. The law targets banking, telecommunications, transportation, energy, and some water systems. It ends the old model of voluntary steps and sets national rules. Operators must build formal programs, manage supplier risks, and report cyber incidents. Government can issue binding orders to secure networks and remove risky gear. The goal is stronger defenses against rising attacks on key systems ^[1]^[2]^[5].

Designated operators face firm timelines and penalties. Guidance highlights a 90-day window to stand up a Cyber Security Program after being designated. It also states a 72-hour deadline to alert federal cyber authorities when an attack occurs. Penalties can be severe for ignoring orders or failing to comply. Corporate fines can climb into very high daily amounts, with personal exposure also possible in serious cases. The risk calculus for leaders and boards changes fast under this law ^[3].

Order Powers and Privacy Tension

The Office of the Privacy Commissioner of Canada supports stronger cyber defenses but flags gaps. The Commissioner says legal thresholds for using new government powers remain too broad. The office also points to the lack of a firm rule to notify it about major breaches. Finally, it warns of weak minimum standards for sharing data with foreign governments. These are not minor notes. These are core checks that build public trust in any security regime ^[6]^[9].

The law’s backers say the bill balances security with privacy. They note clauses that protect private encrypted communications and legal privilege. Supporters also cite added guardrails when ministers issue orders. Still, outside experts and civil groups warn about mission creep. They argue that broad order powers and information sharing could grow over time. That growth could reach personal data if oversight and limits are weak or unclear ^[1]^[5]^[11].

What Sectors Must Do Now

Banks, telecom providers, and energy firms must act first. Leaders should map their “critical cyber systems” and assign accountable owners. Teams must update risk registers, supplier vetting, and incident response. They also need playbooks to meet the 72-hour report clock. Clear logs, evidence handling, and legal review will matter. Firms should train staff on new duties and practice tabletop drills. These steps cut downtime, lower fines, and show regulators good faith under the new regime ^[3]^[10].

Alt ACTUAL reality for the infosec practitioners, hackers, IR’s and intel agency SOC’s of the world: Policy frameworks are often and very much just words on paper when they lack grounding in harsh technical realities that we see everyday. The REALITY is that high-level concepts… https://t.co/DbR0w1HEnf

— Laura Love (@Panopticonomy) June 26, 2026

Companies should also prepare for government orders. Ministers can require the removal of high-risk vendors from networks. They can direct specific actions to harden systems. That will affect budgets, timelines, and supply chains. Before an order, decision makers must weigh operational, financial, service, and privacy impacts. Documentation and board minutes should reflect that review. Strong records help show reasonableness if an action is later challenged in court or by investors ^[5]^[10].

Why This Matters to U.S. Readers

American families rely on cross-border energy, banking, and telecom links. A cyber shock in Canada can ripple into our markets and grids. Canada’s shift to mandatory rules mirrors moves across the Group of Seven. This trend raises real questions for liberty and security. Strong defenses are needed. So are strict guardrails on data use, encryption, and oversight. The United States should watch how Canada implements reporting, audits, and due process under Bill C-8 ^[2]^[3]^[5].

Bottom Line for Freedom and Security

Cyber defenses must be tough, but the rules must respect privacy. Canada’s new law sets hard duties and empowers the state to act. The Privacy Commissioner’s warnings outline the missing brakes that keep power in bounds. Clear thresholds, mandatory breach notice to the watchdog, and tight limits on foreign data sharing would help. U.S. policymakers should push allies to fix these gaps. Strong walls matter. So do doors with locks and clear keys ^[6]^[9].