Bill C-8: Cybersecurity or Overreach? Canada’s New Law Under Scrutiny
From sweeping ministerial powers to secrecy, here’s what Canadians need to know — and why this bill could reshape rights, infrastructure, and oversight in the digital age
In an era when cyberattacks, supply chain threats, and state-backed hacking loom daily, Canada faces a stark choice: build stronger defenses — or risk collapse from within. Bill C-8, tabled June 18, 2025, positions itself as a sweeping response to those risks. But make no mistake — beneath its declared aims of protection lies the possibility of profound expansion of state power over private infrastructure, communications, and corporate operations.
This isn’t just a law for telecom companies and railway operators. Bill C-8 has the potential to reshape how Canadians receive internet service, how critical industries operate under direction, and how much hidden authority the federal government may wield. The question at the heart of the debate is simple but urgent:
Can you have security without surrendering accountability?
In what follows, this article will unpack:
- What Bill C-8 is — the legal architecture, obligations, and enforcement powers lurking within its text.
- Where the risks lie — the clauses that grant secret order powers, limit disclosure, and stretch oversight.
- How Canada compares — how other democracies handle cybersecurity laws, and where C-8 diverges.
- What’s at stake for rights, privacy, and public trust — especially if orders go unchecked or become normalized.
- What Canadians and organizations must demand — transparency, limitations, review mechanisms, and guardrails.
Because the potential is real: this bill could either become a model for resilient infrastructure — or a blueprint for unchecked executive control in the digital realm. The difference will depend not on how the bill is written today, but on how we insist it be constrained tomorrow.
What Is Bill C-8?
Bill C-8 is the federal government’s new cybersecurity and telecommunications bill. It’s designed to give Ottawa more power to protect what it calls “critical infrastructure” — the systems that keep Canada running, like power grids, pipelines, banks, transportation networks, and the internet.
It actually contains two parts rolled into one law:
Telecommunications Security Changes
This section updates Canada’s Telecommunications Act, adding a new goal: keeping our communications systems secure.
It gives the federal cabinet and the Minister of Industry broad powers to:
- Order telecom companies to remove or block certain technology (for example, equipment from high-risk suppliers).
- Demand changes to how networks are built or operated if security is at risk.
- Issue some of these orders in secret — meaning the public or even Parliament might not always know what actions were taken or why.
- Fine or prosecute companies that refuse to comply.
Critics argue that while national security is important, secret orders and limited oversight could set a risky precedent for government control of communications.
The Critical Cyber Systems Protection Act (CCSPA)
This is the bigger and newer part of the bill. It targets major industries that keep Canada’s economy and daily life running — think energy, telecom, finance, and transportation.
It would require these operators to:
- Create and maintain cybersecurity programs that meet federal standards.
- Report any cyber-attacks or breaches to government authorities within strict time limits.
- Follow government “directions” about how to respond to threats or improve security.
- Share information with Ottawa (sometimes confidentially) so the government can monitor compliance.
The idea is to prevent large-scale cyber incidents that could shut down hospitals, power grids, or banking systems.
But many legal experts and civil-rights groups warn that:
- The bill grants sweeping powers to ministers with little transparency.
- Companies might be barred from disclosing when they’ve been ordered to take certain actions.
- There’s no independent watchdog built into the law to oversee those powers.
Who Would Be Affected?
- Federally regulated sectors — energy, telecom, banking, transportation, and others that cross provincial or national borders.
- Companies that supply or manage digital systems considered “vital” to Canada’s economy or public safety.
- Potentially, smaller businesses that connect to those systems through supply chains.
In Short
Bill C-8 aims to modernize Canada’s cybersecurity laws — but it does so by giving the government broad authority to act behind closed doors. Supporters call it essential for national security in an age of rising cyber threats. Critics call it a potential overreach with serious implications for privacy, accountability, and democratic oversight.
Powers & Oversight Concerns
Bill C-8 gives the government wide-ranging powers to issue cybersecurity and telecom “orders” — and many of those orders can be kept secret. That opens the door to serious concerns about accountability, transparency, and overreach.
Here are the biggest “watchpoints”:
Secret Orders, Hidden Authority
- Under the bill, some directives may be barred from public disclosure — meaning the public might never know they even existed. The government can require companies to obey, yet not allow the company to talk about those orders.
- Unlike some laws where secret government actions eventually become publicly known, Bill C-8 does not mandate automatic disclosure or review for these “secret” orders.
- The only formal oversight of secret directives is that the National Security & Intelligence Committee of Parliamentarians (NSICOP) and the National Security & Intelligence Review Agency (NSIRA) must be notified when a secret order is issued — but they do not have the same power to nullify or force public disclosure.
- Because orders can persist indefinitely without built-in expiration (“sunset”) clauses or regular review schedules, a single secret directive could remain in force for years without public scrutiny.
- In short: the law could let the government act unilaterally, behind closed doors, with minimal external check.
Judicial Review & Legal Safeguards
- One of the biggest criticisms of the earlier version (Bill C-26) was that the government could defend its orders in court using evidence that the company was never allowed to see (“secret evidence”). Bill C-8 removes that secret evidence privilege — ensuring companies may see the evidence in judicial review cases.
- However, many orders and directions made under Bill C-8 remain excluded from public record, meaning the public won’t always see how courts have handled these cases or the arguments used.
- There is no guarantee that all orders will be reviewed by an independent court or that a judge can overturn them. The bill provides for review in specified circumstances, but those pathways may be limited in practice.
- Also, the law does not currently require a robust, independent regulatory body to oversee or audit government use of its new powers — leaving much of the oversight in the hands of those who issue the orders.
Risk of Surveillance via “Compliance” Channels
- Because companies are required to report cybersecurity incidents, share vulnerability data, and comply with orders, there is a worry that these “compliance obligations” can be used as a backdoor for intelligence or law enforcement access.
- Bill C-8 does not explicitly limit how much data can be shared, how it may be used, or for how long it may be retained.
- The legislation does not explicitly prohibit directions to weaken encryption or require “backdoors,” which could undercut user privacy and security — leaving systems more vulnerable to misuse.
- The concern is that in the name of “security,” the law could allow some clandestine weakening of protective barriers.
Accountability, Transparency & Democratic Control
- The bill lacks key accountability features: there is no mandatory public reporting of orders, no requirement for periodic expiry of those orders, and no independent body with full authority to audit or challenge them.
- Because secret orders may bypass public debate or scrutiny, the risk is that government power becomes normalized in the shadows, without the checks democracy demands.
- The law empowers the executive branch (Cabinet and Ministers) to issue sweeping orders — which means the balance between security and civil liberties depends heavily on the goodwill, integrity, and restraint of officials.
- In democracies, transparency is crucial. When actions happen behind closed doors, trust can erode — even if the intent was benign.

Powers & Oversight Concerns
While Bill C-8 is designed to protect national cybersecurity, its structure gives the federal government the ability to act in ways that may intersect — or conflict — with fundamental rights guaranteed under the Canadian Charter of Rights and Freedoms. The challenge is finding the line between legitimate protection and unchecked authority.
Privacy: What Data Could Be Exposed
- The bill gives designated operators — such as telecom providers, banks, utilities, and transport networks — an obligation to share cybersecurity-related data with government agencies.
- Nowhere does the legislation clearly limit how much information can be collected or how long it can be stored.
- There are no explicit requirements that such data be anonymized, nor are there strong independent mechanisms to prevent its use for intelligence gathering or law enforcement beyond cybersecurity.
- Because the bill allows orders and directives that can be classified, Canadians might never know when — or how — their information is being accessed through these channels.
➡️ In effect, this places considerable trust in government discretion and internal policy rather than enforceable privacy law.
Charter Implications
- Section 8 (Unreasonable Search and Seizure): Mandated disclosure of data or network access could be challenged as a form of warrantless search if used improperly.
- Section 2(b) (Freedom of Expression): Orders to restrict or suspend telecom services in the name of security could — if misapplied — limit communication rights, especially if such orders remain secret.
- Section 7 (Life, Liberty, and Security of the Person): If these powers were used to suspend access to digital infrastructure, banking systems, or communications, individuals could argue that their liberty or security was infringed.
While such outcomes are hypothetical, the bill does not include clear Charter-proof safeguards or mandatory judicial oversight before action is taken — only the option of judicial review after the fact.
Transparency vs Security
Every democracy faces the balance between transparency and secrecy. Bill C-8 leans heavily toward secrecy — with limited mandatory public reporting or external oversight.
This makes it difficult for civil society or journalists to evaluate whether security powers are being used proportionately.
Even the Office of the Privacy Commissioner (OPC) has raised concerns in similar legislation (e.g., Bill C-26) about the potential for mission creep — where emergency powers slowly become normalized, eroding privacy over time.
Global Comparisons
- Australia’s “Critical Infrastructure Act” grants comparable emergency powers but includes independent review clauses and detailed privacy-impact reporting obligations.
- The U.S. “CISA” framework (Cybersecurity and Infrastructure Security Agency) emphasizes voluntary information sharing and clearer liability protections for private operators.
- By contrast, Bill C-8 remains more discretionary and less transparent, with broad ministerial control and fewer checks.
The Core Concern
Cybersecurity is crucial — but so is democratic oversight. A law that strengthens digital defenses while weakening public accountability risks trading one vulnerability for another.
Without strong privacy guarantees, clear reporting, and transparent oversight, Bill C-8 could blur the boundary between protection and power.

Economic & Operational Impacts
Bill C-8 won’t only affect big telecom or energy companies — it has serious implications for any organization tied into critical systems, downstream vendors, or supply chains. The costs, risks, and shifts are real. Here’s what to watch:
Compliance Costs & Overhead
- Organizations deemed “designated operators” under the new law must build or upgrade cybersecurity programs, conduct regular audits, and maintain detailed records. This requires staffing, tooling, training, and ongoing reviews.
- Small and medium enterprises (SMEs) embedded in the supply chains of telecom, transportation, energy, or financial sectors might find themselves pressured to meet “compliance standards” even if they are not directly regulated under C-8.
- In some cases, costs could balloon: forced removal of equipment, upgrades to systems, contract changes, or changes in vendor relationships might require capital investment with no guarantee of reimbursement. (Under the bill, in telecom orders, losses incurred by mandated actions are not compensable.)
- High penalties for noncompliance — potentially tens of millions per day for corporations — make not preparing a serious financial risk rather than an optional cost.
Operational Disruptions & Unintended Consequences
- A sudden directive might require network providers or operators to remove certain technologies/vendors quickly, possibly disrupting service or creating backlogs as infrastructure is reconfigured.
- An order could force immediate change, even in the middle of operating cycles, placing stress on continuity plans, maintenance windows, and rollback capabilities.
- Because orders may be secret, operators may not know in advance what is expected until compliance is demanded — reducing planning flexibility.
- The requirement to report “material changes” in systems, ownership, or third-party dependencies adds further regulatory risk to mergers, acquisitions, or vendor changes.
Effects on Supply Chains & Vendor Ecosystems
- Many small tech vendors, software providers, and subcontractors will become de facto partners to regulated industries. Their security posture, contractual guarantees, and compliance records may become conditions for doing business.
- Vendors that cannot or will not comply with the higher standards may be dropped, reducing competition or pushing smaller providers out.
- Cross-border vendors could face restrictions or be excluded based on “security” clauses, limiting options or increasing costs.
- Organizations might impose stricter due diligence, auditing, or contractual oversight on third parties, which in turn increases administrative overhead.
Sectoral Shifts & Market Impacts
- Stricter cybersecurity obligations could raise barriers to entry in infrastructure sectors. New players or disruptors may find compliance costs prohibitive.
- Some operators may choose to centralize cybersecurity functions or outsource to large specialist firms, which could concentrate power further in “trusted” vendors.
- If operators or telecom providers must remove or restrict foreign-sourced technology or hardware, that may shift vendor dynamics, favoring domestic providers or selected “trusted vendor lists.”
- The uncertainty of enforcement timing means that organizations may pre-emptively adopt overly cautious or restrictive security policies to avoid regulatory risk, rather than optimally balanced ones.
Risks to Investment & Innovation
- The threat of unpredictable orders, secrecy, and large penalties may make investors cautious in infrastructure-related sectors. Companies may delay expansion or innovation in regulated verticals.
- Innovation in emerging technologies (e.g. 5G, satellite communications, IoT) could slow if regulations are perceived as opaque or punitive rather than enabling security and growth.
- Smaller start-ups or challengers may struggle to allocate capital to compliance instead of R&D, which could stifle competition in critical services.
What Organizations Should Do Now
- Assess exposure: map whether your systems or services tie into “vital services” or critical networks.
- Conduct readiness audits: evaluate current cybersecurity posture, gaps, vendor dependencies, and incident response capabilities.
- Engage legal and compliance experts: understand which regulator may apply to your operations.
- Plan for reporting & record keeping: design systems that can log changes, maintain audit trails, and respond to orders.
- Negotiate vendor contracts: embed cybersecurity requirements, right-to-audit clauses, and change-order flexibility.
- Budget proactively: allocate resources for upgrades, personnel, and incident simulations.
- Advocate for transparency: during public consultation periods, push for clear rules, independent oversight, and disclosure requirements.

Benefits, Challenges & Trade-offs
Bill C-8 isn’t a cartoon villain — it was born from genuine concern.
Cyberattacks on hospitals, utilities, telecom networks, and government systems are increasing in both frequency and sophistication. The intent of the legislation is to make Canada’s digital infrastructure harder to compromise.
But the how — and who gets to decide — matters just as much as the why.
The Potential Benefits
1. Improved national cyber resilience
Centralized oversight could help Canada respond faster to coordinated cyber threats. It gives regulators tools to compel upgrades, monitor compliance, and intervene before a breach becomes catastrophic.
2. Stronger protection of critical infrastructure
From hospitals to power grids, consistent security standards could close gaps that currently depend on each operator’s internal policy or budget.
3. Greater accountability for large operators
Mandatory reporting and audits mean that major players can’t ignore vulnerabilities, conceal breaches, or defer security investment indefinitely.
4. A unified national framework
Until now, Canada has relied on a patchwork of voluntary cybersecurity guidelines. C-8 could, in theory, bring coherence — similar to the European Union’s NIS Directive, which harmonized critical infrastructure standards across sectors.
The Challenges
1. Broad and ambiguous powers
The bill gives ministers sweeping discretion to issue confidential directives — without independent oversight or judicial review. Critics, including the Canadian Constitution Foundation, warn that this undermines transparency and invites abuse.
2. Lack of public accountability
Orders can be classified. A company might have its operations restricted, or equipment seized, without the public ever knowing why. This erodes confidence in due process and democratic oversight.
3. Economic strain on smaller operators
The compliance burden could crush small service providers or subcontractors, concentrating market power among large incumbents who can afford the cost of compliance.
4. Privacy and data-sharing concerns
Broad cybersecurity mandates often require monitoring or sharing user data to detect “anomalies.” Without clear boundaries, this could expand government access to private networks or data.
5. Potential for misuse
Critics fear that under vague definitions of “national security” or “critical systems,” the bill could be used to silence platforms, restrict communication networks, or suppress technologies the government disfavors — all without public justification.
The Trade-offs
- Security vs. Freedom: Canada faces legitimate cyberthreats, but laws designed for protection can also be repurposed for control. The balance between vigilance and liberty is delicate — and easily lost.
- Centralization vs. Innovation: Central authority can coordinate responses but may also stifle the creativity and adaptability that make digital systems resilient.
- Short-term safety vs. Long-term trust: A country can’t legislate trust. If citizens and companies view cybersecurity enforcement as opaque or political, compliance becomes grudging and innovation retreats underground.
The Path Forward
C-8 could be a meaningful step toward modernizing Canada’s digital defense — if it evolves with the right safeguards:
- Parliamentary and judicial oversight of all secret orders.
- Clear limits on ministerial powers and transparent criteria for designating “critical” systems.
- Protection for whistleblowers and journalists investigating misuse.
- Provisions ensuring compliance doesn’t compromise privacy, competition, or civil rights.

What Canadians & Stakeholders Should Demand
Cybersecurity matters. But so does democratic oversight. If Bill C-8 is to protect Canadians rather than control them, the public must insist on clarity, accountability, and limits.
1️⃣ Transparency Before Trust
No law that grants secret powers should move forward without a clear mechanism for independent review.
If ministerial orders can cut off communications or direct private networks, then an impartial body — judicial or parliamentary — must have the legal right to scrutinize those actions. Without transparency, “security” becomes a shield for political convenience.
2️⃣ Privacy as a Core Principle, Not a Footnote
Cyber defense cannot come at the cost of citizen privacy. Canadians should demand explicit language defining what data can be collected, by whom, for how long, and under what oversight. Data protection and national security are not mutually exclusive — unless legislation makes them so.
3️⃣ Protection for Whistleblowers and Journalists
If Bill C-8 allows secret orders or mandates classified programs, there must be protections for those who expose misuse. Whistleblowers and investigative journalists are often the only line between necessary defense and silent overreach. Protecting them protects democracy.
4️⃣ Fair Implementation for Small and Mid-Sized Operators
Cybersecurity compliance cannot be structured to favor major telecoms and utilities alone. Smaller ISPs, regional service providers, and Indigenous or community-run networks must have scalable, financially realistic compliance pathways — or Canada risks centralizing its infrastructure under a few corporate giants.
5️⃣ Public Reporting and Measurable Results
Canadians deserve regular, declassified summaries of how this legislation is being used.
- How many orders were issued?
- What sectors were affected?
- Were any misuses identified?
Security without accountability isn’t safety — it’s secrecy.
6️⃣ An Ongoing National Dialogue
Cybersecurity is not a one-time debate — it’s an evolving social contract. Parliament must commit to open consultation with technology experts, civil-liberties organizations, privacy advocates, and citizens. The threats are real — but so are the risks of overreach.
🇨🇦 Democracy doesn’t defend itself — people do.
If Bill C-8 truly aims to safeguard Canada, it should withstand scrutiny, public dialogue, and reform. Anything less protects the system, not the citizens within it.
Vigilance Is the Price of Liberty
When governments say “trust us” while drafting laws that operate in secret, citizens have a duty to ask “why?”
Bill C-8 may have been born out of legitimate concern — a response to mounting cyber threats and an increasingly hostile digital world. But history teaches us that powers granted in crisis rarely disappear once the crisis does. Whether it’s surveillance, censorship, or control of communications infrastructure, the line between protection and intrusion blurs quickly when oversight fades.
Canada’s democracy depends not on blind trust, but on informed skepticism. If citizens disengage, legislation like Bill C-8 will pass quietly — and its implications will only surface once they’re impossible to undo. But if Canadians demand transparency, insist on accountability, and refuse to trade liberty for the illusion of safety, this country remains what it was meant to be: a society where the government serves the people, not the other way around.
Because cybersecurity matters. But so does democracy.
And without the latter, the former stops being protection — and starts being power.
