Bill C-26 and the CCSPA: What Canadian IT vendors need to know

Abhimanyu Grover
January 2, 2023


  • Bill C-26 is a proposed Canadian cyber security bill that seeks to address third-party liability in cyber security law, and companies involved in Canadian infrastructure should take note of its implications.
  • Bill C-26 seeks to protect Canadian networks and data from Chinese tech giant Huawei by amending the Telecommunications Act and enacting the Critical Cyber Systems Protection Act (CCSPA).
  • The CCSPA would increase transparency of incidents, secure supply chains, and give the government authority to require new security measures in response to known threats or preemptively.
  • Test Collab can help eligible organizations (in C-26 classes) avoid regulatory failures by having proper checks in places, and improve transparency in case of incident response.

What is Bill C-26 and CCSPA?

The Canadian government has introduced Bill C‑26,(1) including the Critical Cyber Systems Protection Act (CCSPA), which will regulate private critical cyber systems under federal oversight(2) and will stipulate severe penalties in case of non-compliance.

C-26 would raise cyber security standards by enacting the Critical Cyber Systems Protection Act (CCSPA). It defines a CCS as a system that could affect the continuity or security of a vital service or vital system. If enacted, organizations responsible for CCSs would be required to do certain things.

What do Bill C-26 and CCSPA propose?

Bill C-26 will primarily change incident reporting, supply chain regulations, and government control of cybersecurity.

Unified Incident reporting: Canadian legislators hope to keep the public and private sectors unified in their responses to cyber threats. The CCSPA requires designated operators to report any security incidents affecting CCS. The procedure and detail of such reports are yet to be determined, with the goal of tightening the response loop when vulnerabilities and breaches are discovered. 

Supply chain regulations: The CCSPA would increase security around designated operators' software supply chains. Companies operating critical cyber systems would need to take "reasonable action" when any threat or risk related to their third-party suppliers is discovered.

Legislators control: This act would change responses to third-party vulnerabilities and give Governors in Council authority to direct designated operators to take new cybersecurity measures in response to known threats or preemptively.

Test Collab as a solution

We can help eligible organizations (in C-26 classes) manage various regulatory checklists, and having these checklists shared across organizations. Different roles can signal which items of these checklists are passed/failed so that whole team stays in sync. 

In case of an incident, Test Collab also can be used to export various historical reports to produce evidence and compliance documentation.