01-27 GENERALS WINTER25 FINAL EDIT (JAN 25) - Flipbook - Page 16
INNOVATION
BILL C-8 AND THE CANADIAN
CONSTRUCTION INDUSTRY
What Construction Companies Need to Know About Canada's New Cybersecurity
Compliance Regime
By ANTHONY CURCURUTO, Miele Technologies International Ltd.
SEISMIC SHIFT is coming to Canadian
cybersecurity regulation. Bill
C-8, introduced in Parliament
this past June, is poised to fundamentally change how critical
infrastructure operators—and
their suppliers—approach digital security.
For construction companies working with
telecommunications, energy, financial
services, transportation, and nuclear sectors, the message is clear: cybersecurity
compliance is no longer optional, and the
penalties for getting it wrong are severe.
While construction doesn't appear on
Bill C-8's list of directly regulated sectors,
the industry's deep integration into critical
infrastructure supply chains means
thousands of Canadian construction
昀椀rms will face indirect but signi昀椀cant
compliance obligations. And with
penalties reaching $15 million per day for
organizations and personal liability for
directors and of昀椀cers, the stakes couldn't
be higher.
A
Bill C-8 moves cybersecurity
from best practices to
federally mandated oversight,
incident reporting, and supply
chain accountability.
within 72 hours, and actively manage
supply chain risks—including assessing
and monitoring their construction
vendors.
The legislation builds on Bill C-26,
which nearly passed before Parliament
was prorogued in January 2025. With broad
political support and pressing national
security concerns, experts anticipate
Bill C-8 will move swiftly through the
legislative process.
Understanding Bill C-8
Bill C-8, formally titled "An Act
respecting cyber security, amending the
Telecommunications Act and making
consequential amendments to other
Acts," enacts the Critical Cyber Systems
Protection Act (CCSPA). This legislation
marks Canada's transition from a
voluntary, best-practices approach to
cybersecurity toward mandatory federal
compliance and enforcement.
The bill targets "designated operators"
in six critical sectors: telecommunications,
昀椀nancial services (banking and payment
systems), energy, transportation, nuclear
facilities, and clearing and settlement
systems. These organizations will be
required to implement comprehensive
cybersecurity programs, report incidents
16 the generals • WINTER 2025/2026
THEGENERALS.NET
