A CCSPA cyber security program is a documented set of reasonable steps to identify and manage cyber security risk, protect critical cyber systems, detect incidents, and respond and recover. Every designated operator, an organization in a Schedule 2 class that runs a critical cyber system in one of six Schedule 1 sectors, must establish one within 90 days of designation and file it with its regulator.
CCSPA cybersecurity program at a glance
- What it requires: a documented cyber security program setting out reasonable steps to identify and manage risk, protect critical cyber systems, detect incidents, and respond and recover
- Who must build one: designated operators, organizations in a Schedule 2 class that run a critical cyber system in one of six Schedule 1 sectors
- Deadline: 90 days from designation to establish the program, notify the regulator, and provide it
- Review cadence: at least annually and on prescribed triggers, with the regulator notified of changes
- Companion duties: supply-chain risk mitigation, incident reporting (capped at 72 hours), compliance with confidential directions, and records kept in Canada
- Status: enacted June 16, 2026 as Part 2 of Bill C-8; not yet in force, awaiting a coming-into-force order, Schedule 2 designation, and regulations
The five obligations in full:
| # | Obligation | Deadline | Owed to | Status as of July 2026 |
| 1 | Establish a cyber security program, notify the regulator, and provide the program | 90 days after designation | Sector regulator | Enacted, not in force |
| 2 | Take reasonable steps to mitigate identified supply-chain and third-party risks | As soon as a risk is identified | Sector regulator (via records) | Enacted, not in force |
| 3 | Report cyber security incidents to the CSE Cyber Centre, then notify the regulator | Period to be set by regulation, capped at 72 hours | CSE Cyber Centre and regulator | Enacted, not in force; deadline awaits regulations |
| 4 | Comply with cyber security directions and keep them confidential | As specified in the direction | Governor in Council / regulator | Enacted, not in force |
| 5 | Keep prescribed records in Canada | Ongoing | Sector regulator | Enacted, not in force; manner and place await regulations |
Who owes CCSPA obligations, and when does the clock start?
CCSPA obligations attach only to designated operators: organizations that belong to a class listed in Schedule 2 and that operate a critical cyber system supporting one of the six vital services and systems in Schedule 1.
The six Schedule 1 vital services and systems
- Telecommunications services
- Interprovincial or international pipeline and power line systems
- Nuclear energy systems
- Federally regulated transportation systems
- Banking systems
- Clearing and settlement systems
The Governor in Council can add to both schedules without new legislation, so coverage will grow.
Regulators in these sectors already treat a documented program, proof that it operates, and records that survive scrutiny as table stakes. The CCSPA takes that expectation and writes it into federal statute for every designated operator.
Part 1 of Bill C-8, which amends the Telecommunications Act, took effect at Royal Assent. Part 2, the CCSPA itself, comes into force only on a day fixed by order of the Governor in Council, and the obligations below bind a given organization only once its class is added to Schedule 2 by an order published in the Canada Gazette, Part II.
That publication starts the 90-day program clock. No coming-into-force date had been announced as of early July 2026, which means the window between now and designation is preparation time that operators control.
Obligation 1: What must a cyber security program include, and how long do operators have?
A designated operator must establish a cyber security program within 90 days of becoming a member of a designated class, notify its regulator that the program exists, and provide the program to that regulator. Ninety days is enough time to document a program that already exists in substance. It is not enough time to build one from nothing, and that gap between owning security tools and owning a security program is exactly where organizations will feel this law first.
The Act specifies what the program must contain. It must set out reasonable steps to:
| Required element | What the Act asks for | Where it likely already lives |
| Identify and manage risk | Identify and manage organizational cyber security risks, expressly including supply-chain and third-party product and service risks | ISO 27001 clause 6 risk assessment and treatment; SOC 2 CC3 risk assessment criteria |
| Protect | Protect critical cyber systems from being compromised | ISO 27001 Annex A technological and access controls; SOC 2 CC6 logical and physical access |
| Detect | Detect cyber security incidents affecting, or with the potential to affect, critical cyber systems | ISO 27001 A.8.15 and A.8.16 logging and monitoring; SOC 2 CC7.1 and CC7.2 |
| Respond and recover | Minimize the impact of cyber security incidents | ISO 27001 A.5.24 to A.5.27 incident management; SOC 2 CC7.3 to CC7.5 |
| Prescribed elements | Anything added by regulation | To be confirmed when regulations are published |
The program is a living obligation, not a filing. Operators must review it annually (and on prescribed triggers), and notify the regulator of changes. The evidence a regulator will expect is therefore the same evidence an ISO 27001 auditor expects of an ISMS:
- the program document itself
- a maintained risk register
- control implementation records
- review minutes with dates
- a change log showing the program moved when the environment did
The mapping to existing certifications is genuinely useful but incomplete. An ISO 27001 ISMS scoped to the critical cyber system covers the identify, protect, detect, and respond categories in substance; a SOC 2 report covers much of the same ground for the audited system. What neither provides automatically is the CCSPA's scoping (the critical cyber system as the law defines it, not the certification boundary the company chose), the regulator notification workflow, or the elements regulations will prescribe. We maintain a detailed crosswalk between the CCSPA program elements and ISO 27001, NIST CSF, and CPCSC for teams doing that gap analysis, and the same logic that maps SOC 2 work onto CPCSC applies here: reuse the control substance, re-cut the scope and the paperwork.
Obligation 2: What must operators do about supply-chain and third-party risk?
Separate from the program requirement, the CCSPA imposes a standing duty: as soon as a designated operator identifies a cyber security risk associated with its supply chain or its use of third-party products and services, it must take reasonable steps to mitigate that risk. Regulations may prescribe what those steps include. This is one of the duties whose breach can be prosecuted as an offence, not only penalized administratively.
The operative standard is reasonable steps, documented and defensible. The Act binds only designated operators, not their vendors. But an operator that must mitigate identified vendor risk, keep records of the mitigation in Canada, and preserve a due diligence defence has one practical instrument for all three: the contract.
Law-firm analyses of the Act converge on the same expectation we see in regulated procurement generally, that operators will push requirements downstream through security clauses, audit rights, incident-notification terms, vendor questionnaires, and ongoing monitoring of third-party products. Vendors selling into the six sectors should read the breakdown of what Bill C-8 means for vendor security requirements; the flow-down pattern will look familiar to anyone who has watched supply-chain requirements cascade through the CPCSC defence framework.
Evidence for this duty looks like:
- a third-party inventory tied to the critical cyber system
- vendor risk assessments with dates
- contract clauses or attestations on file
- remediation or compensating-control records for each identified risk
- a log connecting risk identified to step taken
Organizations running a third-party risk management program for ISO 27001 (A.5.19 to A.5.23) or SOC 2 (CC9.2) already produce this trail. The CCSPA change is that the trail becomes a statutory record a federal regulator can demand, rather than an audit artifact reviewed once a year.
The revenue consequence lands here for companies that are not operators at all. When six federally regulated sectors are obliged, on penalty, to manage vendor risk, the security questionnaire stops being a formality and becomes the operator's own compliance evidence. Vendors who can answer it with certified, verifiable proof will clear procurement while competitors stall in security review.
Obligation 3: How must operators report cyber security incidents?
A designated operator must report a cyber security incident affecting a critical cyber system to the CSE's Canadian Centre for Cyber Security, and immediately after that must notify its regulator that a report was made, providing a copy on request.
The trigger is broader than a breach. A reportable incident is one that interferes with, or could interfere with, the continuity or security of a vital service or system, or the confidentiality, integrity, or availability of the critical cyber system. The words could interfere capture near misses and credible potential impact, so the reporting decision requires severity-assessment judgment, not a simple were we breached test.
The exact deadline does not live in the Act. The Act requires reporting within a period prescribed by regulation, and the regulations are unwritten. What the statute fixes is a ceiling: the prescribed period may not exceed 72 hours, a cap first introduced by committee amendment to Bill C-26 and carried into C-8 from introduction. Until the regulations are published, operators must be ready to report in at most 72 hours, and possibly faster.
The evidence and machinery this duty demands:
- an incident response plan with CCSPA reporting criteria built into triage
- severity definitions that encode the could interfere threshold
- a tested escalation path that can produce a Cyber Centre report and a regulator notification inside the window
- post-incident records (which feed Obligation 5)
Teams that have operationalized ISO 27001's incident management controls or SOC 2's CC7 criteria have the skeleton; the additions are the two-destination reporting workflow and the clock. Organizations that already handle breach notification under PIPEDA or Law 25 should note the difference in trigger and audience; the comparison of Canada's privacy-law reporting regimes is a useful companion here, because a single incident can engage both regimes at once.
Obligation 4: What are cyber security directions, and why are they confidential?
The Governor in Council may issue a cyber security direction requiring a designated operator, or a class of operators, to implement specified measures to protect a critical cyber system within a specified time. Non-compliance is both a violation and an offence, and disclosing the existence or the contents of a direction is itself an offence. An operator served with a direction cannot mention it in a press release, a customer notice, or, in some configurations, a board pack that travels beyond those with a need to know.
Committee amendments to Bill C-8 added guardrails to the order-making powers, including reasonableness and necessity standards and transparency reporting at the aggregate level, but the confidentiality of individual directions survived into the enacted text. Operators cannot generate evidence for this obligation in advance, because directions do not exist until issued.
What they can build is the capability the obligation assumes: a change-management process that can take an externally imposed requirement from receipt to implementation on a deadline, with records of the measures taken, and an internal handling protocol that restricts knowledge of a direction to those who need it. Treat it as a fire drill for a fire that arrives by registered letter.
Obligation 5: What records must operators keep, and where?
Designated operators must keep records documenting four things: implementation of the cyber security program, every cyber security incident reported, steps taken to mitigate supply-chain and third-party risks, and measures taken to implement any cyber security direction, plus anything regulations add. The Act requires these records to be kept in Canada, in the manner and place the regulations will prescribe.
The data-residency requirement is the operational wrinkle. Compliance records at many companies live wherever the SaaS stack puts them: a ticketing system in one region, a GRC platform in another, a document store in a third. GRC platforms such as Vanta, Drata, and Secureframe remain the right infrastructure for collecting this evidence continuously; the CCSPA question to put to the stack is where the records physically reside and whether a Canadian-resident copy can be produced in the prescribed manner. That is a configuration and architecture question, and it is far cheaper to answer before designation than after.
Record-keeping is also where the whole Act concentrates. Each of the four record categories corresponds to one of the other obligations, which means the records duty is effectively the enforcement surface for everything else. An operator that did the work but cannot produce the records is, from the regulator's chair, an operator that did not do the work. Auditors have run on that logic for decades. The CCSPA gives it statutory teeth.
What does non-compliance cost under the CCSPA?
The CCSPA enforces these obligations with administrative monetary penalties of up to $15 million per violation for organizations, and up to $500,000 per violation for individuals, a ceiling committee amendments reduced from the $1 million figure carried over from Bill C-26. The multiplier is the continuing-violation rule: a violation that continues over multiple days is a separate violation for each day. Up to $15 million per day is accurate shorthand for a continuing corporate violation, and it is the number boards should hear. These figures are the CCSPA scheme only; Part 1 of Bill C-8 carries a separate penalty scheme for telecom security orders, which the Bill C-8 guide covers alongside the full enforcement picture.
The number boards should hear
Because each day a violation continues is a separate violation, up to $15 million per day is accurate shorthand for a continuing corporate breach, on top of $500,000 per violation for individuals and, for serious contraventions, up to five years' imprisonment on indictment.
Serious contraventions, including failing to establish or implement the cyber security program, failing to mitigate supply-chain risk, breaching a direction, or disclosing a direction's existence, can also be prosecuted as offences, with individuals facing up to five years' imprisonment on indictment. Directors and officers who direct, authorize, assent to, acquiesce in, or participate in a violation are parties to it whether or not the organization itself is proceeded against. Two counterweights matter: the Act states that the purpose of the penalty regime is to promote compliance rather than to punish, and a due diligence defence is available. Both point the same direction. The defensible position under this law is a documented, operating program, which returns every enforcement question to Obligations 1 through 5.
What should operators do before the regulations land?
Most organizations in the six sectors already run firewalls, monitoring, and incident response. What the statute demands, and what many have yet to assemble, is the documented, evidenced, regulator-facing program that connects those capabilities into something an outsider can inspect. Buying tools without building that program is a well-worn pattern across every compliance framework, and the CCSPA turns it from an audit finding into legal exposure.
The preparation window is open now and will close abruptly when Schedule 2 orders publish. Five moves fit inside it:
- Determine exposure. Map the organization against Schedule 1's six sectors and watch for the Schedule 2 designation orders in the Canada Gazette. Vendors should assess which customers will be designated, because the requirements arrive by contract either way.
- Define the critical cyber system. Inventory the systems whose compromise would affect the vital service, including the third-party dependencies underneath them. Every other obligation scopes to this boundary.
- Run the gap analysis against the four program elements. Use an existing ISO 27001 or SOC 2 control set as the baseline and identify what the CCSPA adds. The CCSPA framework crosswalk exists for exactly this exercise.
- Rehearse 72-hour reporting. Tabletop an incident against the could interfere trigger, produce a mock Cyber Centre report, and time the path. Fix whatever made it slow.
- Locate the records. Confirm where program, incident, vendor-risk, and change records live today, and what it would take to keep them in Canada.
Organizations that also sell into Canada's defence supply chain should read this alongside the CPCSC certification guide: CPCSC gates contract awards through certification against ITSP.10.171, while the CCSPA regulates designated operators directly, and the side-by-side comparison of the two mandates covers which one applies when. The strategic read is the same for both: Canada now writes cybersecurity obligations into the conditions of doing business, and the organizations that treat the program as infrastructure rather than paperwork will clear those conditions as a byproduct of security work they should be doing anyway.
The 90-day clock has not started. That is the preparation window.
Take the checklist with you. The CCSPA Program Obligations Checklist condenses this article into one page: every obligation, the evidence to produce, and a suggested owner for each row.
If the organization operates in one of the six Schedule 1 sectors, or sells to companies that do, and the question is how far existing ISO 27001 or SOC 2 work carries toward these obligations, that is a scoping conversation we run regularly. We built and operated security programs inside two of the sectors this law now covers. Book a scoping call and we will map the gap between the program you have and the program the CCSPA will ask your regulator to inspect.
Build the CCSPA program before designation
Truvo turns your existing ISO 27001 or SOC 2 controls into an effective security program your regulator can inspect.
Frequently Asked Questions
What must a CCSPA cyber security program include?
The program must set out reasonable steps to identify and manage cyber security risks, including supply-chain and third-party risks; protect critical cyber systems from compromise; detect incidents; and minimize their impact. Operators establish it within 90 days of designation, review it at least annually, and notify the regulator of changes.
Who must build a CCSPA cyber security program?
Only designated operators: organizations in a class the Governor in Council adds to Schedule 2 that operate a critical cyber system supporting one of six Schedule 1 vital services, namely telecommunications, pipelines and power lines, nuclear energy, federally regulated transportation, banking, and clearing and settlement. Being in a listed sector alone creates no obligation.
How long do operators have to establish the program?
Ninety days from the day their class is designated in Schedule 2, published in the Canada Gazette, Part II. That publication starts the clock. No coming-into-force date had been announced as of early July 2026, so the window before designation is preparation time operators control.
How quickly must a cyber security incident be reported?
The Act does not fix the deadline; it caps it. Regulations will set a reporting period that may not exceed 72 hours. Operators report to the CSE's Canadian Centre for Cyber Security, then notify their regulator. The trigger covers incidents that interfere, or could interfere, with a critical cyber system.
What does non-compliance cost?
Administrative monetary penalties reach $15 million per violation for organizations and $500,000 for individuals, and each day a violation continues is a separate violation. Serious contraventions can be prosecuted as offences, with individuals facing up to five years' imprisonment on indictment. A due diligence defence is available.
Does existing ISO 27001 or SOC 2 work count toward the CCSPA?
Substantially. An ISO 27001 ISMS or a SOC 2 report covers the identify, protect, detect, and respond categories in substance. What neither supplies automatically is the CCSPA's scoping to the critical cyber system, the regulator notification workflow, and any elements the regulations prescribe.
Ready to Start Your Compliance Journey?
Get a clear, actionable roadmap with our readiness assessment.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.
How Ready Are You for SOC 2?
Score your security program in under 5 minutes. Free.
Take the Scorecard