On June 4, 2026, the Senate of Canada gave third reading to Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. The bill — the successor to the previous Parliament's Bill C-26 — now awaits only royal assent before it becomes law (LEGISinfo, Parliament of Canada). Its goal is legitimate and overdue. Its design is not.
The case for acting
Start with the strongest version of the government's argument, because it is real. Canada's telecom backbone is genuinely exposed: state-linked intrusions into North American carriers, ransomware against critical operators, and the slow purge of high-risk vendor equipment from 5G cores are not hypotheticals. Most of Canada's allies — including the United States and the United Kingdom — already give regulators standing authority to compel carriers to patch, isolate, or rip out compromised gear on short notice. A minister who can only react after a breach is a minister who is always too late. Bill C-8's core ambition — a binding, mandatory cyber-security baseline for telecommunications, finance, energy, and transportation — is exactly the kind of proportionate, sector-wide floor that a serious digital economy needs.
The problem is not that Bill C-8 grants power. It is that it grants the wrong shape of power, stripped of the safeguards that distinguish network defence from network control.
A shutdown switch with the lights off
The amended Telecommunications Act will let the Governor in Council and the Minister of Industry issue binding orders to telecommunications service providers: prohibiting products from a specified supplier, compelling removal of equipment, or directing a provider to do — or stop doing — "anything" necessary to secure the system (JURIST). The Canadian Constitution Foundation reads that breadth plainly: the powers are wide enough that a minister could order a carrier to suspend or cut off phone and internet service to a person or institution on "reasonable grounds" of a threat to network security (CCF).
Three features turn that authority from defensible to dangerous.
- It can be secret, indefinitely. The bill's gag provisions are bounded neither in time nor in circumstance. An order can forbid a carrier from disclosing that it exists, with no sunset. The only public window is an annual report to Parliament stating the number of orders and the minister's own opinion that they were necessary (CCF).
- No judge signs off. A March 25, 2026 Speaker's ruling in the House stripped a proposed amendment that would have required prior judicial authorization. Citizen Lab, in its brief to the Senate national-security committee, flagged precisely this gap: orders issue on a "reasonable grounds" standard with no independent judicial check, a sharp departure from the warrant logic that governs comparable intrusions (Citizen Lab).
- No one pays for the damage. Carriers — and by extension their customers — bear the cost of compliance with no statutory entitlement to compensation, even where an order is later found to have been mistaken or is revoked (Citizen Lab).
Layered on top are administrative monetary penalties of up to $15 million per day for non-compliant corporations, which guarantees that a provider receiving a secret order will obey first and ask questions never.
Secrecy plus no review is the failure mode
None of the individual ingredients is unique to Canada. Plenty of democracies let regulators compel network changes. What makes Bill C-8 an outlier is the combination: a broad threshold, secret orders, no prior judicial authorization, no compensation, and ruinous fines for non-compliance. Remove any one of those and the regime self-corrects. Keep all five and there is no point at which an erroneous, overbroad, or politically motivated disconnection order is forced into daylight.
The Office of the Privacy Commissioner — which welcomed several late amendments, including a requirement that measures be "reasonable in relation to the gravity" of the threat — still warned that the legal thresholds for exercising these powers "remain too broad" (OPC). That is the assessment of the government's own privacy watchdog, not an advocacy group.
History supplies the cautionary case. The CCF points to the 2022 Emergencies Act invocation, when bank accounts were frozen during the Freedom Convoy protests — measures a Federal Court later found unconstitutional. Emergency powers are most likely to be abused precisely when officials feel most justified in using them, and "that kind of damage isn't easily repaired."
A proportionate fix is still available
Nothing here requires Canada to abandon mandatory cyber-security standards. The repair is modest and well-mapped by the bill's own critics: require either judicial pre-authorization or an automatic, expedited judicial review of any order that suspends service; time-limit the secrecy provisions and require eventual notice to affected parties; and restore a compensation pathway for losses caused by erroneous orders. These changes would leave the minister's defensive toolkit intact while reattaching the accountability that separates a cyber-security regime from a connectivity kill-switch.
Royal assent is now a formality, but implementing regulations and the Critical Cyber Systems Protection Act's rollout are not. Canada can still build the oversight back in at the regulatory stage. It should — before the first secret order is ever written.