Bill C-26 — An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts — passed the House of Commons in June 2024 after a protracted legislative process, but it never received Royal Assent: it died on the Order Paper when Parliament was prorogued in January 2025, and its provisions were reintroduced in substantially the same form as Bill C-8 in 2025. The bill does two things. Part 1 amends the Telecommunications Act to give the federal government explicit authority to direct telecommunications service providers to secure their networks, including ordering the removal of equipment from specified suppliers. Part 2 enacts the Critical Cyber Systems Protection Act, creating a new regulatory framework for cybersecurity across federally regulated critical infrastructure sectors.
For most organizations in the affected sectors — telecommunications, finance, energy, transportation — the immediate attention has focused on the compliance mechanics. Incident reporting timelines. Cybersecurity program requirements. The administrative penalty structure. These are important. They are also not the most consequential dimension of the legislation.
The most consequential dimension is the communications security obligation that follows logically from the regulatory framework — an obligation the legislation creates but does not fully specify.
What the Legislation Actually Requires
The Critical Cyber Systems Protection Act requires designated operators to establish and implement cybersecurity programs that meet regulatory standards. These programs must address the protection of critical cyber systems, including the detection and management of cybersecurity risks, the mitigation of supply chain and third-party risks, and the reporting of cybersecurity incidents to the Communications Security Establishment.
The Telecommunications Act amendments go further for the telecom sector specifically. They give the Governor in Council and the Minister of Industry the authority to issue orders to telecommunications service providers prohibiting the use of specified products or services, directing the removal of equipment, and imposing conditions on network architecture, all in the interest of securing the Canadian telecommunications system.
The immediate application of this authority was understood before the bill passed. It provides the legal basis for restricting high-risk vendor equipment in Canadian telecommunications infrastructure, following the pattern established by allied nations. But the authority is not limited to equipment procurement decisions. It extends to any measure the government considers necessary to secure the telecommunications system.
"Bill C-26 does not merely suggest that critical infrastructure operators should secure their communications. It creates the legal mechanism to compel them to do so — and the penalty structure to enforce it."
The Communications Security Gap
Here is the operational reality that Bill C-26 exposes. Most critical infrastructure operators — including those in the designated sectors — rely on commercial communications platforms for their most sensitive internal and external communications. Email through major US-headquartered cloud providers. Video conferencing on platforms whose servers span multiple jurisdictions. Messaging through consumer applications that were never designed for the threat environment these organizations actually face.
Under the new regulatory framework, these organizations are required to implement cybersecurity programs that address the protection of their critical cyber systems. Their communications infrastructure is a critical cyber system. The platforms they use for those communications are third-party services whose security posture, jurisdictional exposure, and supply chain integrity are largely outside the operator's control.
This creates a specific tension. The legislation requires operators to manage third-party and supply chain cybersecurity risks. The communications platforms most operators depend on represent exactly the kind of third-party risk the legislation is designed to address — platforms operated in foreign jurisdictions, subject to foreign intelligence collection authorities, built on supply chains the operator has no visibility into.
The compliance question becomes pointed: can an organization credibly claim to have implemented a cybersecurity program that addresses third-party risk when its most sensitive communications travel through infrastructure it does not control, in a jurisdiction whose legal intercept authorities it cannot influence?
The CSE Reporting Dimension
Bill C-26 requires designated operators to report cybersecurity incidents to the Communications Security Establishment. This is not a passive reporting relationship. CSE has the mandate and the technical capability to assess the security posture of the systems being reported on. Incident reports that reveal communications flowing through infrastructure with known jurisdictional or supply chain vulnerabilities will not go unnoticed.
More importantly, the regulatory framework gives the government the authority to issue cybersecurity directions: specific orders to designated operators regarding the security of their critical cyber systems. These directions can require operators to take specific measures, and non-compliance carries administrative monetary penalties of up to $1 million per violation for individuals and up to $15 million per violation for any other person, including organizations, with each day a violation continues counting as a separate violation.
The enforcement trajectory is clear. As the regulatory apparatus matures, the expectations around communications security for critical infrastructure operators will become more specific. Organizations that wait for explicit direction before addressing their communications infrastructure will find themselves responding to regulatory orders rather than operating ahead of them.
What Sovereignty Has to Do with Compliance
The word sovereignty does not appear in Bill C-26. But the intent of the legislation is fundamentally about sovereignty — ensuring that Canada's critical infrastructure is not dependent on, or vulnerable to, foreign actors whose interests may diverge from Canada's own.
For communications infrastructure specifically, sovereignty means three things. First, that encryption keys are held by the organization or a custodian operating in Canadian jurisdiction under Canadian law, not by a foreign platform provider subject to foreign intelligence authorities. Second, that communications are routed through infrastructure whose physical location and legal jurisdiction are deliberate choices, not incidental consequences of a vendor's server architecture. Third, that the cryptographic protections applied to those communications are designed for the actual threat environment, including the post-quantum threat: traffic recorded today under current public-key encryption can be decrypted once a cryptographically relevant quantum computer exists, which makes that encryption a depreciating asset.
Organizations that address their Bill C-26 communications security obligations through sovereign, post-quantum encrypted infrastructure are not merely compliant. They are positioned ahead of where the regulatory framework is going. The legislation creates the obligation. The implementation of that obligation is a choice about what kind of communications infrastructure an organization is willing to depend on.
For critical infrastructure operators in the designated sectors — and for any organization that recognizes the direction of Canadian cybersecurity regulation — the question is not whether communications security will become a compliance requirement. It already is. The question is whether your organization will address it proactively or wait for the directive that makes it unavoidable.
If your organization is navigating Bill C-26 compliance and evaluating sovereign communications infrastructure, we'd like to hear from you.