Bill C-8: A new era for cyber security and compliance in Canada’s vital sectors

October 23, 2025

Bill C-8 marks a pivotal shift in Canada’s cyber security landscape, introducing sweeping obligations for operators of vital infrastructure. With steep penalties and personal liability for executives, the legislation demands robust cyber programs, incident reporting, and supply chain risk management.

Keep reading to learn what your organization needs to do to stay secure and compliant.

Authors

MNP’s Cyber Security Leader, Eugene oversees research and development activities and formulates long-term vision and strategies at the executive management level to help the firm better serve clients.

Mondiu is a Partner with MNP’s Forensics and Litigation Support team in Toronto and leads the firm’s Anti-Money Laundering and Anti-Terrorist Financing (AML / ATF) portfolio in Ontario.

Shane is an accomplished financial crimes, AML, and sanctions expert with over a decade of experience leading teams, driving compliance, and sharing insights with large audiences.

When it comes to cyber security, we all know it’s no longer about best practice. It’s a regulatory must-have. 

Bill C-8, called An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, introduces a federal cyber security framework aimed at safeguarding Canada’s critical infrastructure and telecommunications systems.

While its primary focus is cyber security, the legislation has important implications for sectors already subject to anti-money laundering and anti-terrorist financing obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

What is Bill C-8?

On June 8, 2025, the Ministry of Public Safety introduced Bill C-8 to strengthen our country’s defence of critical infrastructure against cyber threats.

This bill has two major components:

Telecommunications Act amendments

Cyber security is recognized as a policy objective under the act. The Governor in Council and the Minister of Industry gain the authority to issue directives to telecommunications providers, enforce compliance, and levy significant penalties for non-compliance, including Administrative Monetary Penalties (AMPs).

Critical Cyber Systems Protection Act (CCSPA)

This new framework requires “designated operators” of the prescribed “vital services” or “vital systems” to:

  • Establish and maintain cyber security programs
  • Report cyber incidents promptly to the Communications Security Establishment (CSE) and appropriate regulators
  • Mitigate third-party and supply-chain cyber security risks
  • Maintain detailed records and demonstrate compliance during audits and inspections

Penalties are steep — up to $15 million — and directors and officers can face personal liability, including potential imprisonment.

Bill C-8 isn’t a totally new federal initiative; it builds upon a previously tabled bill. Bill C-26 reached its third reading in the Senate before dying on the Order Paper when Parliament was prorogued in January 2025. Certain refinements have been made in Bill C-8. For instance, Bill C-8 narrows the scope of government intervention triggers to cases of “interference, manipulation, disruption, or degradation” and removes certain amendments to the Canada Evidence Act that raised transparency concerns in Bill C-26.

Impacts on vital services or vital systems

Bill C-8 directly impacts federally regulated sectors that underpin Canada’s economic and social fabric. Set out in Schedule I of the bill, and defined as vital services or vital systems, these sectors include:

  • Telecommunications services
  • Interprovincial or international pipelines and power line systems
  • Nuclear energy systems
  • Federally regulated transportation systems
  • Banking systems
  • Clearing and settlement systems

Core obligations for designated operators

As defined in the CCSPA, a designated operator is one who owns, controls, or operates a critical cyber system. They must comply with the requirements of the CCSPA and the regulations with respect to that critical cyber system.

The bill outlines the following core obligations for operators:

  1. Established cyber security program: Within 90 days of designation, organizations must implement a formal program, subject to ongoing updates and reviews.
  2. Supply chain risk management: Operators must identify and manage any organizational cyber security risks, including risks associated with the designated operator’s supply chain and its use of third-party products and services.
  3. Incident reporting: Cyber incidents must be reported to the CSE within a prescribed timeframe (it’s expected to not exceed 72 hours).
  4. Record keeping: Robust documentation of cyber security measures and incidents must be retained and recorded within Canadian jurisdiction.
  5. Regulatory oversight: Sectoral regulators (like the Office of the Superintendent of Financial Institutions, Bank of Canada, Transport Canada, and Canadian Nuclear Safety Commission) will have inspection and enforcement powers, including administrative penalties and orders.

For telecommunications companies, the scope is even broader, ranging from equipment bans to procurement restrictions, with little to no opportunity for compensation.

The ripple effect

Although Bill C-8 lists a defined set of vital systems and services, the ripple effects will extend much further. Here’s a list of sectors that may soon feel the impact:

Critical suppliers and vendors: Third-party technology providers, managed service providers, and contractors will be pulled into compliance obligations through supply chain requirements.

Adjacent industries: Financial technology firms, payment processors, and logistics networks — though not explicitly named — will face increased scrutiny if they support or interconnect with designated operators.

Global alignment: Canada is moving in step with international trends (e.g., EU’s NIS2 Directive and U.S. cyber incident reporting rules), signalling that cyber resilience is a regulatory expectation — not just a best practice.

For decision-makers, the key takeaway is that Bill C-8 won’t remain confined to a handful of sectors. Its obligations and expectations will likely cascade across the Canadian economy.

Anti-money laundering (AML) implications: How it all ties together

Bill C-8 doesn’t amend the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. However, if enacted, its requirements intersect with AML compliance in several ways:

Supply chain and vendor risk

  • Just as AML programs require know-your-customer (KYC) and third-party due diligence, Bill C-8 requires operators to assess cyber risks in their vendor relationships. This is timely in light of the recently published RCMP Advisory on North Korean information technology (IT) workers, dated July 16, 2025. This underscores the importance of reviewing critical risks across KYC, third-party risk management, and supply chain and vendor management with utmost due diligence.
  • Organizations will need to merge their financial crime and cyber due diligence practices to create a holistic risk profile of counterparties.

Incident reporting and escalation

  • AML programs already require suspicious transaction reporting to Canada’s Financial Intelligence Unit (FIU) — the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). Cyber incidents under Bill C-8 must also be reported to the CSE and relevant regulators. This convergence may result in a strengthened ability for Canada’s FIU and other regulators to work together and holistically to combat financial crime.
  • Dual reporting streams mean organizations must develop integrated escalation protocols so that a single event (like a ransomware attack) doesn’t trigger disjointed or delayed responses.

Governance and board oversight

  • AML and cyber regimes both emphasize board-level accountability. Senior executives must be actively engaged in program governance, risk assessments, and resource allocation.
  • Bill C-8 increases personal liability for executives and introduces AMPs for non-compliance. This echoes another bill currently at the reading stage in Parliament, Bill C-2, which addresses stronger AML supervision, compliance, and enforcement, including increased civil and criminal penalties.

Cross-sector convergence

  • In banking, clearing systems, and payment infrastructures, cyber disruptions can directly enable money laundering or terrorist financing schemes. This can occur through data manipulation, fraud, or transaction masking — to name a few.
  • Resilience strategies must therefore integrate AML and cyber defences to close potential gaps.

Compliance outlook

Organizations in regulated sectors may face dual compliance pressure:

  • Cyber security obligations under Bill C-8
  • AML and anti-terrorist financing obligations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act

This overlap underscores the need for integrated risk management frameworks that address both cyber threats and financial crime risks. Organizations should review their governance structures, update risk assessments, and ensure their cyber security measures support AML objectives, particularly in areas like data integrity, system resilience, and incident escalation protocols.

Your next steps

Navigating the intersection of cyber security and AML compliance is complex, and the stakes have never been higher. The introduction of Bill C-8 in Parliament underscores Canada’s dedication to strengthening its cyber security and national borders. But it can be challenging to understand the nuances and implement change alone.

Our advisors bring deep expertise in regulatory compliance, cyber risk management, and financial crime prevention. We help organizations design integrated frameworks, streamline their reporting obligations, and future-proof compliance programs against evolving threats and regulations.

Executive teams need clarity, confidence, and actionable strategies to navigate new obligations. If your organization operates in a FINTRAC-reportable sector or falls under Bill C-8’s scope, now is the time to act. Partner with us to turn compliance into a competitive advantage.
