Canada’s Cybersecurity Legislation is Finally Moving Forward — Here’s What You Need to Know

By John Menezes, President & CEO Stratejm, a Bell Canada company

After many years of discussion and a previously failed attempt with Bill C-26, the Government of Canada has reintroduced long-overdue cybersecurity legislation with Bill C-8 – An Act Respecting Cyber Security. As someone who has spent three decades in the cybersecurity industry, I commend the government for taking this crucial step toward protecting our digital infrastructure.

But let’s be honest: it’s disappointing that we need legislation to force action. In my experience, organizations rarely invest proactively in cybersecurity—they only invest in compliance. That needs to change.

Why Bill C-8 Matters

Bill C-8 seeks to protect Canada’s critical infrastructure and telecommunications sectors from cyber threats by requiring baseline cybersecurity measures, timely reporting of incidents, and governance processes. It also gives regulators real teeth to enforce compliance—including severe financial penalties for failure to meet obligations.

Let me be clear: the requirements in this Bill are not excessive or unrealistic. They represent basic cyber hygiene—the very practices I’ve been advocating for decades:

  • Implementing cybersecurity policies and risk management programs
  • Incident detection and response protocols
  • Access control and network segmentation
  • System updates and vulnerability patching
  • Logging, monitoring, and regular assessments

These are not “nice to haves”—they are foundational, and the fact that legislation is needed to mandate them speaks volumes.

We’ve Been Doing This at Scale — Others Can Learn From It

As part of Bell Canada, the country’s largest telecommunications provider, our teams at Stratejm have already operationalized these best practices across complex critical infrastructure environments. Our customers include utilities, hospitals, airports, and governments—organizations where downtime and breaches have life-and-death consequences.

Stratejm’s expertise is built on real-world implementation, not just frameworks. Our Cybersecurity-as-a-Service (SECaaS) offering is built to deliver the outcomes that Bill C-8 will soon require—and do so in a way that is affordable, scalable, and manageable.

Don’t Just Buy — Manage and Maintain

One of the biggest misconceptions I see is the belief that buying tools equals being secure. It doesn’t. Security is not something you can check off once—it’s a continuous, living program. That’s why laws like Sarbanes-Oxley and PCI DSS have taught us that governance and monitoring matter more than the technology itself.

Under Bill C-8, you will be required not just to have the right technologies in place, but to prove that you are actively managing, monitoring, and maintaining them. That’s a different level of accountability.

Beyond Critical Infrastructure – Should This Go Further?

While the Bill currently targets sectors like telecommunications, banking, energy, and transportation, cyber threats don’t stop at sector boundaries. In an increasingly connected world, we need to consider extending these requirements to a broader swath of organizations.

Why? Because attackers aren’t waiting for regulations to catch up. Every organization—public or private—is now part of the broader threat landscape. We need to build a culture of cyber readiness, not just regulatory compliance.

Start Preparing Now – Don’t Wait for an Audit

If your organization falls under the scope of Bill C-8, the time to act is now. The penalties for non-compliance will be severe, but more importantly, the consequences of a successful attack can be catastrophic.

At Stratejm, our Security-as-a-Service platform is designed to simplify compliance and provide peace of mind. We don’t just install software—we partner with you to build and run an end-to-end cybersecurity program that aligns with regulatory requirements and industry best practices.

In Conclusion

Bill C-8 is a positive and necessary step—but let’s not make the mistake of seeing it only as a compliance checklist. Let’s treat it as the wake-up call it is: an opportunity to do cybersecurity right, before the regulators—and the attackers—come calling.

Cybersecurity is not a project. It’s a program. And the organizations that understand this will not only be compliant—they’ll be resilient.