The Bill-C-26 Regulation and Its Implications for The Critical Infrastructures’ Cybersecurity in Canada

Sponsored By: Fortinet

By Frank Lawrence and Eric Jensen, Fortinet

As the last G7 nation and one of the few G20 nations without a firm regulatory framework around cybersecurity, Canada must act to protect the Nation’s critical infrastructure assets.

In 2016 member states of the European Commission (EU) passed what was called the most comprehensive cybersecurity bill in the history of the EU; the bill was called the NIS Directive. The EU cybersecurity rules introduced in 2016 were updated by the NIS2 Directive, ratified in 2023. NIS2 continues modernizing the legal framework to keep up with increased digitization and an evolving cybersecurity threat landscape. Expanding the scope of the cybersecurity rules to new sectors and entities further improves the resilience and incident response capacities of public and private entities, competent authorities, and the EU as a whole. Most G7 member states are under the umbrella of the EU; the US, UK, and Japan have separately implemented cybersecurity regulations to differing degrees.

Canadian businesses continue to be impacted by malicious cyber activity, ranging from cyberattacks to ransomware. Many attacks, including those on critical infrastructure that accounts for nearly half, go unreported. Concerningly, the Canadian Centre for Cyber Security (CCCS) has identified attacks against OT networks as “the most pressing [threat] to the physical safety of Canadians” in their biennially published National Cyber Threat Assessments.

In this context, the Ministry of Public Safety acted to introduce new legislation, Bill C-26 An Act Respecting Cybersecurity. Bill C-26 passed its first step in Parliament in November of 2022 and went through its second reading on March 27th, 2023. Bill C-26 currently sits in committee and is believed to go into legislation and law in the calendar year of 2023.

The primary focus of Bill C-26 is to add teeth to the governance and compliance of cybersecurity, especially in the much-needed Operational Technology (OT) area where critical infrastructure lies. Although the Bill has not yet received royal assent (passing into law), between the absence of similar legislation in Canada and the trend towards increased cybersecurity regulation amongst our international peers, Canadian businesses would be wise to prepare.

Canada has yet to pass laws that govern cybersecurity, let alone require reporting vulnerabilities and critical infrastructure breaches; Bill C-26 would empower the regulators to impose fines or issue summary convictions to ensure governance and compliance.

Bill C-26, in its current form, includes four critical infrastructure sectors – Telecommunications, Finance, Energy, and Transportation. The requirement for organizations in these sectors is threefold:

  1. Implement, maintain, and report on a cybersecurity program to address risk across the organization, third-party services, and supply chains.
  2. Report any cyber incidents involving critical systems to the appropriate regulator and the Canadian Center for Cyber Security.
  3. Use, or discontinue any specified product, service, or supplier.

The intended outcome of these requirements is to improve the standard of cybersecurity amongst critical operators and deepen the level of visibility the federal government has into the security operations of these organizations. It is known today that certain companies that are considered high-risk and vital to national security would become the federal government’s focus.

Following the process of the proposed legislation (Bill C-26) and its passing, Federal Government departments will communicate with the companies impacted in the focused sectors with details on how breaches are to be reported and the required timeline for reporting. Furthermore, the companies must “keep records of how they implement their cybersecurity program, every cyber incident they have to report, any step taken to mitigate any supply-chain or third-party risks and any measures taken to implement a government-ordered action.”

Let’s be very clear, although only the four key sectors – Telecommunications, Finance, Energy, and Transportation – are considered in scope by Bill C-26, sectors such as agriculture and manufacturing are likely to be included later, as is the case in the EU. The Federal Government of Canada hopes this legislation will serve as a model for provinces and territories to implement similar legislation that regulates cybersecurity requirements for entities under their purview, including hospitals, police departments, and local governments.

To help companies comply with the requirements of Bill C-26, Fortinet has built a group of experts and a partner network in Canada to address these needs, with years of experience in helping global critical infrastructure organizations meet their cybersecurity compliance requirements. Fortinet’s security platform, the Security Fabric, enables the secure convergence of IT and OT infrastructures within organizations. This ecosystem of integrated security solutions at Fortinet is the much-needed answer to the needs of the Canadian marketplace in meeting the requirements of Bill C-26.

Frank Lawrence is Channel Account Manager for Operational Technology and Eric Jensen is Business Development Manager at Fortinet Canada.

Frank Lawrence, Channel Account Manager for Operational Technology
Eric Jensen, Business Development Manager at Fortinet Canada


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Sponsored By: Fortinet