WhoGoverns
Bill C-8: At 2nd Reading, Senate

Cyber Security & Surveillance Act

Forces banks, telecoms, and hospitals to open permanent government access points. Encryption carve-outs added but core surveillance powers remain.

"We're Going to Spy on All of Your Shit Bill"

Introduced | Committee | House Passed | Senate | Law

What This Means for You

Your bank, doctor, and phone company must build permanent government access points into their systems. The bill now explicitly bars ordering decryption of private communications, but metadata, location data, and financial records remain one ministerial order away from being accessed.

Introduced

June 18, 2025

Sponsor

Gary Anandasangaree, Minister of Public Safety

Parliament

45th Parliament, 1st Session

Official Title

An Act respecting cyber security, amending the Telecommunications Act

What It Does

Bill C-8 enacts the Critical Cyber Systems Protection Act, requiring operators of "vital services", such as banks, telecoms, energy, and healthcare, to comply with government cybersecurity directives. After significant pushback, the bill was amended to explicitly prohibit ministerial orders that would require decoding encrypted private communications (s. 15.2(2.1) of the Telecom Act and s. 20(1.1) of the CCSPA). It also clarifies that "interference with a system" excludes lawful expression and political debate. However, the Minister retains broad authority to issue directives, compel technical compliance measures, and access metadata, location data, and financial records. The bill passed the House on March 26, 2026, after five months and ten committee meetings, and is now before the Senate.

Primary Concerns

  • Encryption protections were added reactively under pressure. "For greater certainty" provisions are a political concession, not a structural limit on ministerial power
  • The Minister retains broad authority to compel technical compliance across banking, healthcare, and telecom. The surveillance infrastructure mandate is unchanged
  • No meaningful warrant requirement for collection of metadata, location data, and financial records across vital services
  • Ministerial directives can still be issued with minimal public transparency, and affected companies may be restricted from disclosing them
  • Creates a permanent government access framework across the most sensitive sectors of Canadian life, outlasting any single government
  • "For greater certainty" is a legislative term that acknowledges a power was already contested. It signals the government knew this needed justifying

Who's Opposing It

Canadian privacy commissioners, intelligence oversight bodies, cybersecurity researchers, and civil society organizations raised alarms during the bill's five-month committee study.
