Minister of Public Safety Gary Anandasangaree at a press conference in the House of Commons foyer on March 23, 2026 (The Hill Times photograph by Andrew Meade).
Cybersecurity regulations not yet ‘ready to go’ under Bill C-8, says public safety minister
Regulatory | |May 5, 2026
As the Liberal government’s cybersecurity bill steadily progresses through Parliament, the corresponding regulations have not yet been finalized, likely delaying the law’s full implementation.
Appearing before the Senate’s national security committee on May 4, Public Safety Minister Gary Anandasangaree said the regulatory framework enabled by Bill C-8 is not “ready to go.”
C-8, introduced by Anandasangaree (Scarborough—Guildwood—Rouge Park, Ont.) last June, would give Ottawa new authorities over the country’s telecommunications system that allows cabinet to make orders requiring individual service providers to make cybersecurity upgrades or other infrastructure changes.
It’s the government’s second attempt to legislate on cybersecurity, as Justin Trudeau’s administration brought forward Bill C-26 in 2022, which virtually mirrors the legislation currently before the Senate.
The Trudeau-era bill was accompanied by a promise to ban Chinese tech companies Huawei and ZTE from Canada’s 5G networks, a pledge recently repeated by Industry Minister Mélanie Joly (Ahuntsic—Cartierville, Que.).
Despite C-26 passing through both chambers of Parliament, the Senate offered amendments to the bill that were not addressed before Trudeau prorogued earlier last January, leaving the legislation to die on the Order Paper.
Considering C-8 revives much of what was included in C-26, Ontario Sen. Andrew Cardozo asked the public safety minister if the eventual regulations had already been drafted, considering a previous iteration of this bill had already been studied.
“At this point…, I think there’s been changes to the bill,” said Anandasangaree. “But, as soon as this bill passes, we will be able to move on regulations quite fast.”
All government regulations must be published in the Canada Gazette, which generally gives 30 days for Canadians to provide comments, before they are finalized.
Colin MacSween, a senior official at Public Safety Canada, later clarified that the “regulatory process is incredibly well-defined,” and the government aim is to move as “quickly as we possibly can within the confines of that process.”
When pressed by Saskatchewan Sen. Denise Batters on whether the full process will take approximately two years, MacSween insisted the regulatory process “can be shorter.”
“You can do it in 12 to 18 months, easily,” said MacSween.
According to analysis conducted by the Library of Parliament, the forthcoming regulations will determine the general scope of Bill C-8, and include cybersecurity programs, internal auditing measures, reporting mechanisms, notification timelines, as well as maximum penalties for non-compliance.
As the bill is currently written, these regulations will take precedence over previous decisions by the governor-in-council or CRTC, including those made under the Radiocommunication Act.
There’s no timeline for Bill C-8 to receive royal assent, but it has already passed through the House of Commons and appears likely to clear the Upper Chamber before Parliament hits pause for the summer next month.
CTA calls for compensation, ‘safe harbour’ provisions
During Monday’s marathon meeting, which lasted for more than four hours, senators also heard from Eric Smith, senior vice-president of the Canadian Telecommunications Association (CTA), who raised concerns about potential costs the proposed legislation could inflict on telecom providers.
“Under Bill C-8, telecommunications providers will be responsible for implementing government orders that may have significant operational and financial implications,” Smith told the senators.
“Ensuring the legislation addresses this reality is critical to its effectiveness.”
During a House committee appearance in January, Joly emphasized that the government would not compensate companies for costs associated with technological changes, infrastructure upgrades, or any other actions necessitated by government orders under the law.
Unless that changes, Smith continued, the telecoms sector could be considerably damaged by the legislation.
“These are not routine operational expenditures… [and] they’re incurred in the broader public interest of national security,” he said. “Failure to address the impact of extraordinary costs will have real consequences.”
In particular, Smith said the impact will be “acute” for smaller and regional providers, some of whom may have to shutter if C-8 doesn’t include an avenue for compensatory recourse.
“[This could] result in broader knock-on effects for competition, resilience and service availability,” he said, suggesting an amendment that would allow cabinet to consider compensation for service providers on a case-by-case basis.
Smith suggested any compensation could be drawn from spectrum auction proceeds, which are collected by Innovation, Science and Economic Development Canada.
The CTA executive also advocated for a ‘safe harbour’ provision that protected companies from legal attacks stemming from changes implemented under government orders.
“Service providers could face liability… for when compliance affects service levels, contractual obligations, or other regulatory requirements,” said Smith. “This creates risk at precisely the moment that decisive action is required.”
As such, added Smith, C-8 should be altered to safeguard companies and individual workers from liability “when acting in good faith and complying with government orders.”
The Senate committee’s study of Bill C-8 is set to continue on May 25.
