Banking services, transport, energy, telecommunications… Following the example of NIS2 and DORA in Europe, the Canadian government is introducing Bill C-8. With unprecedented ambition, it aims to strengthen compliance requirements for the country’s most critical sectors, in a nation with many unique characteristics.

Is cybersecurity finally about to get serious in the land of the maple leaf? This will be one of the topics discussed at the next INCYBER Forum Canada, taking place in Ottawa from 1 to 3 December. Bill C-8 would, in any case, establish the most ambitious framework ever adopted in Canada. The text expands the powers of the federal government while introducing obligations for operators that may be subject to enforcement. Unsurprisingly, these future rules will apply to the country’s most critical sectors: telecommunications, finance, energy, transport and more. “In practice, this bill imposes detailed obligations on all operators,” says Pierre Lardin, a pentester at Genetec in Montreal, a global leader in video surveillance and access control. “They cover everything from risk assessment policies to system security and cybersecurity in relationships with third-party providers.” All that remains is a decree to bring it into force. In the event of non-compliance, fines could reach up to CAD 15 million — more than €9 million — per day.

Procedures in a binder

In practice, the number of organisations affected is far greater than those described above. “Europe now has some experience with NIS2 and DORA,” notes Lilian Dulau, president of Nexxo France, an IT services company for businesses. “Many companies believed they were compliant because they had an old certification or a few procedures in a binder, but when they were asked who was responsible for what, reality did not always match.” However, Bill C-8 differs from European directives in its more targeted and centralised approach. “While NIS2 covers a wide range of critical sectors and DORA establishes a highly prescriptive regime specific to the financial sector, Bill C-8 mainly targets infrastructure falling under federal jurisdiction,” explains Hélène Deschamps Marquis, a partner at Blake in Toronto. Moreover, according to the Office of the Privacy Commissioner of Canada, unlike NIS2, Bill C-8 does not explicitly require organisations to notify authorities of incidents that could result in a personal data breach.

Operational resilience

Other differences are geographical. In a country 18 times larger than metropolitan France, the importance of infrastructure — particularly telecommunications infrastructure — is far greater. In Canada, some towns are connected to the rest of the country by only one cable. This is particularly true of isolated communities in the Far North, many of them Indigenous. And when that single connection goes down, an entire region is cut off from the world, without internet or telephone services. “The priority is to ensure that when one link fails, everything else does not collapse behind it,” says Mr Dulau. “This geographic dispersion of critical infrastructure explains the emphasis placed on operational resilience,” adds Hélène Deschamps Marquis.

The weight of major operators

Another challenge is that, in Canada, a handful of very large companies provide most telephone and internet services. When just one of them experiences even a minor incident, millions of people are affected. This concentration creates a vulnerability that is less common in Europe, where there are more players. Bill C-8 nevertheless opens up a new market for consulting firms, GRC solution providers and managed cybersecurity service providers. This also forms part of a wider context of increasing related regulatory obligations, particularly in the field of AI.

Cascading pressure

While major players already have dedicated teams and experience, in mid-sized companies, by contrast, security often exists in practice only “because people do their jobs well every day”, with no formal doctrine written down anywhere. This is all the more concerning as ransomware attacks are rising sharply in Canada. Local organisations are known to be willing to pay “whatever it takes” to avoid having to stop operating. Not to mention what is perhaps the most underestimated — but fastest-growing — effect: these SMEs will face cascading pressure. Even if a small company is not directly covered by Bill C-8, as soon as it works with a major operator, that operator will pass its own obligations down throughout its supply chain.

Threats to privacy

The most pressing debate, however, currently concerns the powers the Canadian state is granting itself. Some fear that these prerogatives could go too far and ultimately threaten citizens’ privacy. “The most restrictive and complex measure for companies to implement is the obligation to actively cooperate with the government in the event of an incident,” says Mr Lardin. Europe has made a different choice with the GDPR, which much more strictly regulates the use of information provided by internet users. Bill C-8 also forms part of a broader national security context. “By granting authorities extensive powers, such as restricting the use of certain telecommunications suppliers considered to be risky, the government is seeking to build technological sovereignty,” notes Hélène Deschamps Marquis. As for dependence on technology giants, the difference is largely one of rhetoric: Europe speaks extensively about “digital sovereignty”, while Canada remains closer to the United States and is more open about it.

Stay tuned in real time
Subscribe to
the newsletter
By providing your email address you agree to receive the Incyber newsletter and you have read our privacy policy. You can unsubscribe at any time by clicking on the unsubscribe link in all our emails.
Stay tuned in real time
Subscribe to
the newsletter
By providing your email address you agree to receive the Incyber newsletter and you have read our privacy policy. You can unsubscribe at any time by clicking on the unsubscribe link in all our emails.