Regulatory changes under consideration

To get ahead, organizations need to anticipate regulatory changes that are approaching, even if the details are not yet finalized. While the timing, scope, and final requirements of these regulations remain fluid, they are expected to materially influence business strategy once in effect.

Bill C-8: Raising the bar for cybersecurity compliance in Canada 

Bill C-8, the Critical Cyber Systems Protection Act, proposes amending the Telecommunications Act to grant the government authority to issue binding directives to rapidly counter cybersecurity threats in critical infrastructure sectors, including telecommunications, banking, transportation, and energy. Designated operators would face stringent cybersecurity mandates and incident reporting obligations, with steep penalties for non-compliance that could apply to both the organization and the individuals responsible for oversight or execution. 

The bill is in its final readings in the Senate and is expected to become law in 2026. For organizations already running cyber programs, Bill C-8 raises the bar for consistency, auditability, and cross-functional integration. 

Even if your organization is not a designated operator, expect a halo effect: 

  • Supply chain pressure will rise. Regulated entities must demonstrate cyber maturity across their supply chain, and the most practical way they will meet that obligation is by pushing expectations downstream to maintain their own compliance. Vendors and third-party service providers should expect to face new contract terms and requirements related to cybersecurity.
  • Boards in other industries will follow. Once cybersecurity obligations are codified in one sector, directors elsewhere will seek to adopt similar practices voluntarily to reduce operational risk. 

Combined with earlier regulations like Bill S-211, the Fighting Against Forced Labour and Child Labour in Supply Chains Act, it’s clear that supply chain risk and cyber resilience are no longer peripheral issues. Moreover, Bill C-8 offers an opportunity to reassess existing controls, close gaps, and build more resilient cybersecurity practices. That inherent value is a reason to begin moving proactively, rather than waiting for deadlines to dictate the pace. 

Bill C-27: AI and privacy compliance as table stakes 

As technology advances, regulatory approaches are evolving to address the complexities and risks of its capabilities. Bill C-27, the Digital Charter Implementation Act, fell off the legislative agenda when Parliament was prorogued in early 2025, but a version of this bill is expected to be re-introduced in 2026, with regulatory measures around consumer privacy, data protection, and AI. 

What’s clear is that market expectations are moving faster than legislation. ISO 42001, the emerging international standard setting the foundation for AI governance, is already being adopted by global players. Canadian organizations may not be required by law to comply, but competitive forces are likely to make the standard de facto table stakes for any organization deploying AI into global markets or offering AI-enabled services.