Bill C-26, the Critical Cyber Systems Protection Act (CCSPA), will mandate that operators in finance, telecommunications, energy, and transport sectors report cyber incidents to the Communications Security Establishment (CSE) and implement a cybersecurity program that meets prescribed safeguards within 90 days, with penalties of up to $1 million per violation per day for non-compliance.
For Canadian energy and utility organizations, this legislation transforms voluntary guidance into enforceable law. CyberSilo helps operators understand their obligations under Bill C-26, align with CCCS ITSG-33 controls, and build the defensible security posture that regulators will scrutinize.
Why Bill C-26 targets energy and utilities
Canada's energy infrastructure—hydroelectric dams, nuclear generating stations, natural gas pipelines, and provincial electrical grids—is increasingly targeted by state-sponsored and criminal threat actors. The energy and utilities sector operates industrial control systems (ICS) and operational technology (OT) that, if compromised, can cause cascading failures across provinces and international borders.
The Communications Security Establishment (CSE) reported a 350% increase in cyber incidents affecting Canadian critical infrastructure since 2020. Pipeline operators, provincial utilities, and independent power producers are now subject to mandatory reporting under Bill C-26. Unlike the United States' NERC CIP framework, which has governed bulk electric systems for two decades, Canada's approach is newer and demands immediate attention from operators who may not have previously faced federal cybersecurity regulation.
CCCS ITSG-33 alignment: Bill C-26 will likely adopt the Treasury Board of Canada Secretariat's ITSG-33 framework as the baseline for mandatory cybersecurity programs. ITSG-33 maps 114 security controls across management, operational, and technical categories—similar to NIST SP 800-53 but tailored to Canadian federal systems.
What Bill C-26 requires from energy operators
The Critical Cyber Systems Protection Act creates three primary obligations for designated operators in the energy sector:
- Cybersecurity program requirement: Operators must establish, implement, and maintain a cybersecurity program that identifies critical cyber systems, assesses risks, implements protective measures, and monitors for threats. The program must be reviewed annually and after every significant incident.
- Mandatory incident reporting: Any cyber incident that impacts or could impact the continuity of critical services must be reported to the CSE within 72 hours. A second report with root cause analysis is required within 30 days.
- Compliance and enforcement: The Governor in Council may designate a regulator (likely the Canada Energy Regulator for interprovincial pipelines and international power lines) to conduct audits, issue compliance orders, and levy administrative monetary penalties up to $1 million per violation per day.
These obligations apply to "designated operators" and "designated critical cyber systems"—terminology that will expand as the legislation's regulations are drafted. Operators should assume that any system supporting generation, transmission, distribution, or control of energy falls within scope.
How Bill C-26 differs from NERC CIP
Canadian operators who also own US assets under NERC jurisdiction will find both similarities and critical differences. NERC CIP focuses on bulk electric system cyber systems with specific control requirements (CIP-002 through CIP-014). Bill C-26 is outcomes‑based: it requires a cybersecurity program that meets unspecified "prescribed safeguards" rather than mandating particular controls. This gives operators flexibility but also uncertainty until regulations are published.
CyberSilo's Threat Exposure Management platform helps Canadian operators bridge this gap by continuously mapping controls against both CCCS ITSG-33 and emerging Bill C-26 requirements. When regulations are finalized, operators will already have the evidence base needed for compliance audits.
Is your energy organization ready for Bill C-26 enforcement?
Canadian utilities face up to $1 million per day in penalties. CyberSilo's Threat Exposure Management platform maps your critical cyber systems against CCCS ITSG-33 and emerging CCSPA requirements—so you can demonstrate compliance before regulators arrive.
The hardest controls for energy operators to implement
Bill C-26's prescribed safeguards will likely mirror the most demanding controls in ITSG-33 and the CSE's Top 10 security actions. For energy operators running OT/ICS environments, three areas present the greatest challenge:
Network segmentation and remote access
ITSG-33 control SC-7 (boundary protection) requires organizations to manage connections between security domains. For energy operators, this means isolating ICS networks from corporate IT networks and controlling remote access for vendors, engineers, and control room staff. Many legacy ICS deployments were designed without security boundaries and cannot be patched or reconfigured without impacting operations. Virtual LAN segmentation, unidirectional gateways, and application-level firewalls are typical mitigations, but each requires careful implementation to avoid disrupting critical processes.
Continuous monitoring in OT environments
Traditional agent‑based monitoring tools cannot run on many PLCs, RTUs, or legacy SCADA servers. Operators must deploy passive network monitoring, protocol-aware anomaly detection, and physical security controls to meet monitoring requirements. Bill C-26 will likely require 24/7 monitoring of critical cyber systems, which for many Canadian utilities means building a Security Operations Centre (SOC) capability that understands both IT and OT threats.
Incident response planning for cascading failures
OT incidents can cause physical damage—blackouts, equipment destruction, environmental release—that IT incident response plans do not address. Bill C-26 will require operators to maintain incident response plans that coordinate with provincial emergency management organizations, the CSE's Canadian Centre for Cyber Security, and potentially cross-border partners under the Canada-US Critical Infrastructure Cross-Border Dependencies initiative.
Canadian-specific risk: Canadian energy operators increasingly share cyber threat intelligence through the Canadian Cyber Threat Sharing Alliance (CCTSA) and the Electricity Information Sharing and Analysis Center (E‑ISAC). Bill C-26 may require participation in government‑designated information sharing arrangements as part of the mandatory cybersecurity program.
How CyberSilo's Threat Exposure Management meets Bill C-26 requirements
Bill C-26 demands three things that many energy operators struggle to provide: continuous visibility of critical cyber systems, auditable evidence of controls, and rapid incident reporting. CyberSilo's Threat Exposure Management platform was designed for these exact challenges.
The platform continuously discovers and classifies OT/ICS assets across generation, transmission, and distribution environments. It maps each asset to ITSG-33 controls and CCSPA criticality classifications, giving operators a single pane of glass that answers the regulator's first question: "What are your critical cyber systems, and how are they protected?"
For incident reporting, Threat Exposure Management automatically captures the timeline, affected systems, and observed impact required by Bill C-26's 72‑hour notification window. When an incident occurs—whether a ransomware attack on the corporate network or an anomalous ICS command from a compromised vendor laptop—the platform generates the structured report that the CSE will expect.
The platform also supports the annual program review requirement by generating compliance heat maps that show control gaps, overdue assessments, and risk trends over time. Canadian operators can present these to regulators as evidence of a functioning, continuously improving cybersecurity program.
CyberSilo integrates with existing SIEM tools like ThreatHawk SIEM for organizations that want to maintain a centralized SOC while adding OT‑specific monitoring. For operators with limited in-house expertise, CyberSilo offers managed SOC services in Canada staffed by analysts who understand both IT and OT threat landscapes.
Bill C-26 compliance checklist for energy operators
Use this checklist to assess your organization's readiness. Each item maps to a likely CCSPA requirement or ITSG-33 control.
- Critical cyber system inventory: Have you identified all systems that, if compromised, could impact the continuity of energy generation, transmission, or distribution? Include both IT and OT assets.
- Risk assessment methodology: Do you use a documented risk assessment process aligned with ITSG-33 or ISO 31000? Can you demonstrate that risk assessments are reviewed annually and after significant changes?
- Network segregation: Are ICS/OT networks isolated from corporate IT networks? Are remote access connections controlled with multi-factor authentication and session logging?
- Continuous monitoring: Do you have 24/7 monitoring of critical cyber systems? Can you detect anomalous behaviour in OT protocols (Modbus, DNP3, IEC 61850)?
- Incident response plan: Does your incident response plan address both IT and OT scenarios? Have you coordinated with provincial emergency management and the CSE/CCCS?
- Training and awareness: Have operators, engineers, and control room staff received role‑specific cybersecurity training? Are vendors and contractors subject to security requirements?
- Third-party risk management: Do you assess the cybersecurity posture of vendors who access critical systems remotely? Are remote access sessions logged and audited?
- Records of compliance: Can you produce evidence of all the above—audit logs, risk assessments, training records, incident reports—within 72 hours of a regulator's request?
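The protocol-aware anomaly detection called for in the continuous monitoring section and in the checklist item above, as an added example that is not CyberSilo's or the page's own code: a passive Modbus/TCP check that flags write function codes from hosts outside an engineering-workstation allowlist and frames that fail basic header validation. The allowlist, source IPs and captured frames are constructed for illustration.

```python
# Added example (not CyberSilo's or the page's code): a minimal protocol-aware
# check of the kind a passive OT sensor performs on Modbus/TCP traffic.
# Sample frames and the allowlist below are constructed for illustration.
import struct

# Public Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
# Constructed allowlist: only these engineering workstations may issue writes.
WRITE_ALLOWLIST = {"10.20.1.10"}


def parse_modbus_tcp(data: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of one Modbus/TCP ADU."""
    if len(data) < 8:
        raise ValueError("truncated frame")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # MBAP length counts unit id + PDU, so a valid ADU is 6 + length bytes.
    if len(data) != 6 + length:
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "fc": data[7], "payload": data[8:]}


def detect_unauthorized_writes(captured):
    """Return alerts for writes from hosts outside the allowlist and for
    frames that fail basic protocol validation (both become SIEM/IR evidence)."""
    alerts = []
    for src_ip, data in captured:
        try:
            frame = parse_modbus_tcp(data)
        except ValueError as exc:
            alerts.append(f"MALFORMED {src_ip}: {exc}")
            continue
        if frame["fc"] in WRITE_FUNCTION_CODES and src_ip not in WRITE_ALLOWLIST:
            alerts.append(f"UNAUTHORIZED_WRITE {src_ip} fc={frame['fc']} unit={frame['unit']}")
    return alerts


# Constructed sample capture: (source IP, raw Modbus/TCP bytes).
SAMPLE_CAPTURE = [
    ("10.20.1.10", bytes.fromhex("0001000000060106000a0001")),  # allowed write single register
    ("10.20.5.77", bytes.fromhex("0002000000060106000a0000")),  # write from non-allowlisted host
    ("10.20.5.77", bytes.fromhex("000300000006010300000002")),  # read holding registers, benign
    ("10.20.9.3", bytes.fromhex("0004000100060105000bff00")),   # protocol id != 0, malformed
]

if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_CAPTURE):
        print(alert)
```

A real sensor would reassemble TCP streams and feed these alerts, with the 90-day retention the roadmap mentions, into the SIEM; the two alerts the sample produces are exactly the records a regulator would expect an operator to be able to show.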
Complete your Bill C-26 readiness assessment
Canadian energy operators face a compliance deadline that is already approaching. CyberSilo's Threat Exposure Management platform helps you build the evidence base, monitoring coverage, and reporting capability that Bill C-26 will require.
Implementation roadmap: 90 days to Bill C-26 readiness
Assuming Bill C-26 regulations are published with a 90‑day compliance window, Canadian energy operators should begin work now. CyberSilo recommends the following phased approach:
Days 1–15: Inventory and classification
Deploy asset discovery across all IT and OT networks. Classify each asset by criticality (Level 1: essential to grid reliability; Level 2: important supporting system; Level 3: all other). This inventory becomes the foundation of your cybersecurity program and incident reporting scope.
Days 16–30: Gap analysis against ITSG-33
Map your current controls to ITSG-33 security controls relevant to critical cyber systems. CyberSilo's Threat Exposure Management platform automates this mapping and produces a prioritized gap list. Focus first on controls for access control, configuration management, and incident response.
Days 31–45: Implement monitoring and logging
Enable passive network monitoring on OT segments, deploy endpoint detection on IT systems that communicate with critical systems, and centralize logs in a SIEM. Ensure logs capture remote access sessions, configuration changes, and authentication events for at least 90 days (retention period likely required by CCSPA).
Days 46–60: Incident response plan update
Update your incident response plan to include OT‑specific scenarios (e.g., ransomware affecting HMI, unauthorized ICS command injection, loss of communications with remote substations). Include notification procedures for CSE/CCCS, provincial regulators, and affected customers. Conduct a tabletop exercise before Day 60.
Days 61–75: Training and awareness
Deliver role‑specific training to control room operators, engineers, and IT staff. Operators should understand how to identify and report anomalous ICS behaviour; IT staff should understand that OT systems cannot be patched or rebooted without coordination. Document all training for compliance evidence.
Days 76–90: Final audit and reporting
Conduct a full compliance audit against your documented cybersecurity program, ITSG-33 controls, and Bill C-26 requirements. Generate the compliance report package that you would submit to a regulator. CyberSilo's platform can produce this report automatically, with evidence links for every control.
For organizations that need accelerated support, CyberSilo offers GRC services in Canada that provide dedicated compliance analysts who can build your entire Bill C-26 program on the Threat Exposure Management platform within the 90‑day window.
Bill C-26 compared to other Canadian energy compliance frameworks
Bill C-26 sits atop this regulatory landscape. For Canadian energy operators, compliance with CCSPA will likely be enforced by the Canada Energy Regulator or a designated federal authority, with the possibility of overlapping enforcement if an incident also exposes personal information (triggering PIPEDA) or affects US grid operations (triggering NERC CIP).
CyberSilo's Canada cybersecurity compliance services help operators navigate these overlapping requirements by mapping controls once and reporting against multiple frameworks simultaneously. This reduces compliance overhead while ensuring no obligation is overlooked.
Our Conclusion & Recommendation
Bill C-26 will fundamentally change how Canadian energy operators approach cybersecurity. What was once voluntary guidance under CCCS ITSG-33 will become enforceable law with penalties that can reach tens of millions of dollars per incident. Operators who wait for final regulations to be published will struggle to meet the 90‑day compliance window.
CyberSilo's Threat Exposure Management platform gives Canadian energy operators the visibility, control, and evidence needed to comply with Bill C-26 while improving operational resilience. The platform maps OT/ICS assets, monitors for threats, and generates the compliance reports that regulators will demand—all within a single integrated solution.
Next step for energy decision-makers: Schedule a confidential readiness assessment with CyberSilo's energy sector specialists. We will review your current cybersecurity program, identify gaps against likely CCSPA requirements, and provide a prioritized 90‑day implementation plan. Contact our team to begin your Bill C-26 compliance journey.
Start your Bill C-26 compliance journey today
Canadian energy operators face up to $1 million per day in penalties. CyberSilo's Threat Exposure Management platform is the fastest path to defensible compliance with Bill C-26, CCCS ITSG-33, and provincial requirements.
