The Impact of Bill C-26 for Energy & Utilities Companies in Canada

October 4, 2022

The Impact of Bill C-26 for Energy & Utilities Companies in Canada

October 4, 2022

utility powerline

Here’s how proposals for stricter cyber security regulations and oversight could change the Energy & Utilities landscape in Canada.

Danny Timmins, CISSP, is MNP Digital’s National Cyber Security and Privacy Leader. Danny and his team have extensive experience advising business leaders and boards of directors on cyber security risks, trends and opportunities and have helped many Canadian organizations improve their resilience to attacks.

Bill C-26, also known as An Act Respecting Cyber Security (ARCS), was introduced in June 2022. The bill contains two parts, both of which are generally designed to protect Canada’s cyber infrastructure from attackers or other system failures.

Part one is an amendment to the Telecommunications Act giving regulators more administrative and monetary authority to ensure the security of Canada’s telecommunications networks. Part two, which is the primary focus of this article, would enact the Critical Cyber Systems Protection Act (CCSPA), which gives special designation to four industries as being “vital to national security and public safety,” thus requiring companies in these sectors to adhere to stricter cyber security standards in Canada. They are:

  • Energy & Utilities
  • Telecommunications
  • Finance
  • Transportation

This means energy and utilities companies must act swiftly to prepare to navigate the changing cyber security landscape and remain compliant.

What’s changing

With the introduction of Bill C-26, there is much more focus on critical infrastructure when it comes to cyber security.

Consider the example of a cyber security breach, causing broad systems shutdowns, at a company that operates critical infrastructure like pipelines or power lines. Consider now that this infrastructure is connected by multiple provinces or even countries. With the advent of the CCSPA, the Government of Canada is signaling in no uncertain terms that protecting this kind of infrastructure is a top priority.

If you work in the energy and utilities industry, you should expect to be held to a higher standard of cyber resilience.


Designated operators must comply with four key requirements under CCSPA. You must:

Establish a robust cyber security program that is internally monitored and maintained

Report cyber security incidents such as breaches or compromised data

Comply with cyber security directions by the Canadian government and the regulator for your industry


Maintain records of compliance, including cyber security incidents and your company’s response


Each of Canada’s vital industries under the CCSPA has a designated regulator with broad authority to verify compliance and enforce new and existing mandates. For example, they can:

  • Make orders for companies to take specific actions to enhance cyber security
  • Share information with law enforcement and other branches of government
  • Issue monetary penalties and fines

For the energy and utilities industry, the regulators that hold this authority are the Canada Energy Regulator and the Canadian Nuclear Safety Commission.

The proposed Bill C-26 also has stricter provisions for security incident reporting. It’s mandatory to report all incidents that could impact your critical infrastructure to the Communications Security Establishment, as well as the regulator overseeing your industry.


Maximum penalties for non-compliance and violations of the CCSPA can reach $15 million, which is a significant fine. Beyond monetary penalties though, regulators can initiate investigations and proceedings that can lead to fines and even possible imprisonment.

The solutions

This is becoming an increasingly time-sensitive and urgent challenge for energy and utilities companies — your company cannot afford to be reactive if Bill C-26 is passed into law, nor can it afford to risk violating the stricter and more demanding cyber security requirements.

Fortunately, there are some things you can do now to prepare your business for this new cyber security landscape:

  • Cyber Security Assessment: Consider getting an unbiased, third-party assessment of your cybersecurity infrastructure and processes. Include in this assessment a review of the suppliers and vendors you do business with, since much of your exposure to cyber breaches lies with them.
  • Offensive Security Testing: You need to test your organization’s ability to resist attacks in real time. Only then can you assess gaps in your security, i.e., what areas require more attention. Test your people, networks, systems, and applications.
  • Cyber Security Incident Response Program: The organizations that are most prepared to handle a cyber breach are those that have a comprehensive incident response plan already in place and have tested their plan. Include reporting and communications strategies in your plan so you can act swiftly when an incident occurs. Not only will this minimize financial and reputational damage, but it will also show Canada’s regulatory bodies that you are serious about protecting your critical infrastructure.

Connect with us to get started

Our team of dedicated professionals can help you determine which options are best for you and how adopting these kinds of solutions could transform the way your organization works. For more information, and for extra support along the way, contact our team.