Canada just passed its biggest cybersecurity law in years. On June 16, Bill C-8, the Critical Cyber Systems Protection Act, received Royal Assent. If you run a small business, your first question is fair: does this apply to me? Mostly not, directly. But it's still likely to land on your desk, just through a side door.
What the law actually does
C-8 forces operators of Canada's critical infrastructure (the banks, telecoms, energy and pipeline systems, nuclear facilities, and federally regulated transportation the country can't function without) to run formal cybersecurity programs and report serious incidents to the federal Cyber Centre within 72 hours. It also requires them to manage cyber risk in their supply chains, following government guidance, and the penalties for those regulated operators are steep (up to $15 million per violation for a company). One important caveat: it is now law, but most of the operational requirements switch on later, once the government finalizes the regulations that spell out exactly who is covered and what they must do.
Why a small business should care anyway
You're almost certainly not a "designated operator." But the law still reaches you indirectly:
- It flows downhill through contracts. The regulated operators have to manage supply-chain risk, which means they push cybersecurity requirements onto their vendors, and their vendors' vendors. If you sell to or service a bank, telecom, utility, or carrier, expect C-8-shaped clauses in your next contract or renewal.
- It hardens the baseline everyone is measured against. As critical-infrastructure security expectations rise, they become the reference point insurers, larger clients, and partners use to judge everyone else.
- Insurers are watching. Cyber-insurance underwriting already leans on these standards, and the bar only goes one way.
- It's the direction of travel. C-8 is part of a clear trend: solid cybersecurity is moving from "nice to have" to "required to do business," especially with bigger or regulated partners.
What to do
Nothing is urgent here, but a few moves put you ahead of it:
- If you sell into regulated industries, expect the questions. Security questionnaires and contract clauses are how this reaches you; get ahead of them with our guide on answering a client security questionnaire.
- Make your fundamentals real, not aspirational. MFA, patching, tested backups, and an incident plan are exactly the controls that flow down to you through those contracts, so make sure they are actually in place and working rather than just written down.
- Treat your own vendors the way C-8 treats theirs. Know who holds your data and what their security looks like.