Stronger Cyber Rules for Critical Infrastructure

Full Title:
An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

Summary

  • This bill aims to strengthen Canada’s cyber security, especially for telecom networks and other key services like banking, energy, transport, and nuclear.
  • It gives the federal government new powers to order telecom providers to block or remove high‑risk equipment or services, and to set security rules.
  • It creates a new law (the Critical Cyber Systems Protection Act) that makes operators in vital sectors build strong cyber programs, report incidents quickly, manage supply‑chain risks, and follow government directions.

Key changes

  • Telecom: Cabinet or the Industry Minister can order providers to stop using, remove, or not buy certain products or services; or to suspend service to a named company or person if needed for security. Orders can include confidentiality (gag) rules.
  • Critical sectors: Banks, clearing and settlement systems, telecom, interprovincial/international pipelines and power lines, nuclear, and federally regulated transport must set up cyber security programs, review them regularly, mitigate third‑party risks, keep records, and report cyber incidents (within up to 72 hours) to the Communications Security Establishment (CSE) and their regulator.
  • Government directions: Cabinet can issue binding cyber security directions to operators in vital sectors. It must consider operational, safety, financial, and consumer impacts. Operators generally cannot disclose these directions.
  • Information sharing: The bill allows sharing of security‑related information among federal security and regulatory agencies and, in some cases, with provinces and international partners, with confidentiality protections.
  • Penalties: Large administrative fines for non‑compliance (up to $10–15 million for companies; lower for individuals) and, in serious cases, criminal penalties. Company directors and officers can be held liable.
  • Oversight: Annual reports to Parliament on orders and directions; notice to national security review bodies when secret orders are used. Private communications interception is not allowed under these powers.

What it means for you

  • Consumers and small businesses

    • Networks and key services (internet, phones, banking, energy, transport) are intended to be more secure and reliable, with fewer outages and data breaches.
    • If a provider must quickly remove high‑risk equipment or suspend service to a company, there could be short‑term service changes or delays.
    • Providers are not entitled to federal compensation for removal orders, so costs could be passed on through rates.
  • Workers in vital sectors (banking, energy, telecom, transport, nuclear)

    • Expect stricter security rules, training, audits, and incident reporting.
    • Your organization will need formal cyber programs, regular reviews, and documented supply‑chain vetting.
  • Suppliers and third‑party vendors

    • More security screening and contract conditions. High‑risk products or services can be barred or removed.
    • Contracts may be ended if a risk is found or a government order requires it.
  • Telecom providers

    • Must follow government security orders, which can require removing certain equipment or stopping services to specified parties. Some orders may include gag rules.
    • Need security plans, vulnerability assessments, standards, and backup systems.
    • Face significant fines for non‑compliance; daily penalties can add up.
  • Privacy and transparency

    • The bill allows security‑related information sharing among federal agencies; confidential information is protected, and the Privacy Act continues to apply to certain parts.
    • Some orders and directions may not be public to avoid tipping off attackers, but the government must report aggregate use to Parliament and notify national security review bodies.

Expenses

Estimated annual cost: No publicly available information.

Proponents' View

  • Canada’s critical services face real cyber threats; this bill lets government act fast to stop high‑risk vendors and practices before damage occurs.
  • Mandatory incident reporting and common standards reduce outages, fraud, and cascading failures across sectors.
  • Clear powers and strong penalties push companies to take security seriously, including in supply chains and third‑party tools.
  • Aligns Canada with allies that have similar telecom security and critical‑infrastructure rules.
  • Confidentiality around sensitive orders helps prevent tipping off attackers and protects national security.

Opponents' View

  • Powers are broad and can be exercised through secret orders, raising concerns about transparency, due process, and limited ability to challenge decisions.
  • No compensation for “rip‑and‑replace” orders could shift large costs to carriers and, ultimately, consumers through higher prices.
  • Heavy compliance burdens may hit smaller operators and vendors hardest and could reduce competition or slow innovation.
  • Expanded information sharing may raise privacy concerns, despite confidentiality rules.
  • Strong penalties and inspection powers could be seen as excessive if guidance and timelines are unclear or if directions change quickly.

Timeline

Jun 18, 2025 • House

First reading

Oct 3, 2025 • House

Second reading

Nov 6, 2025 • House

Consideration in committee

National Security
Technology and Innovation
Infrastructure