Canada's Bill C-8, enacted as part of the Budget Implementation Act, introduced a significant new cybersecurity mandate for federal institutions and designated government entities. The legislation requires these organisations to implement cybersecurity standards aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0, establishing a consistent and robust approach to cybersecurity across the Canadian federal landscape.
This article explains what Bill C-8 requires, who it applies to, the NIST CSF 2.0 framework it mandates, practical implementation steps, and how organisations can achieve and demonstrate compliance. While this is a Canadian legislative requirement, organisations in other jurisdictions — particularly those that do business with the Canadian government, provide services to Canadian federal institutions, or operate under comparable procurement frameworks — should understand its implications, as compliance obligations may flow through procurement contracts and supply chain requirements.
What Is Bill C-8?
Bill C-8 is an omnibus Budget Implementation Act that includes a range of provisions, including amendments to the Financial Administration Act and the establishment of new cybersecurity requirements for the Government of Canada. The cybersecurity provisions mandate that federal institutions implement cybersecurity standards and practices that are aligned with the NIST CSF 2.0.
The Bill empowers the Treasury Board of Canada Secretariat to designate which federal institutions are subject to these requirements and to issue binding directives on cybersecurity standards and practices. Non-compliance can result in increased exposure to cyber threats and reputational damage, and institutions that fail to implement adequate controls may face scrutiny from the Treasury Board, the Office of the Auditor General, or parliamentary committees.
It is important to note that Bill C-8 applies to federal institutions and designated government entities within Canada — it is not a general law applying to all Canadian private sector organisations. However, its influence extends through the government's procurement and contracting power: suppliers to federal institutions may be required to demonstrate alignment with the same standards as part of their contractual obligations.
What Is NIST CSF 2.0?
The NIST Cybersecurity Framework (CSF) 2.0 is the latest version of the widely accepted international cybersecurity framework developed by the US National Institute of Standards and Technology. Published in February 2024, CSF 2.0 updated the original 2014 framework (CSF 1.1) with significant enhancements.
The CSF 2.0 is structured around six core functions, expanded from the original five:
- Govern (GV) — new in CSF 2.0. Covers the establishment of cybersecurity strategy, policy, roles, and responsibilities. This function addresses the governance context that was implicit in earlier versions but is now explicitly recognised as foundational.
- Identify (ID) — understand the organisation's cybersecurity risk to assets, systems, data, and capabilities. Includes asset management, risk assessment, and supply chain risk management.
- Protect (PR) — implement safeguards to ensure delivery of critical services. Covers identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
- Detect (DE) — identify the occurrence of a cybersecurity event. Includes continuous monitoring, detection processes, and anomaly detection.
- Respond (RS) — take action regarding a detected cybersecurity incident. Covers incident response planning, communications, analysis, mitigation, and improvements.
- Recover (RC) — restore capabilities or services that were impaired by a cybersecurity incident. Includes recovery planning, communications, and post-incident improvements.
Each function is divided into categories and subcategories, with implementation examples and references to other standards including ISO 27001, NIST SP 800-53, and CIS Controls. This interoperability is one of the framework's key strengths — organisations already using other standards can map their controls to CSF 2.0 without starting from scratch.
The introduction of the Governance function in CSF 2.0 is particularly significant. It establishes that cybersecurity governance is a leadership responsibility, not something that can be delegated exclusively to technical teams. This aligns with broader trends in cybersecurity regulation globally, including the FCA's operational resilience framework, the UK's push for board-level cyber accountability through the CSRB, and similar developments in Australia, Singapore, and the EU.
CSF 2.0 and the NIST Privacy Framework
For organisations that process personal data, it is worth noting that the NIST Privacy Framework (published alongside the CSF) can be used as a complementary tool. While CSF 2.0 addresses cybersecurity risk, the Privacy Framework addresses privacy risk arising from data processing activities. The two frameworks are designed to work together, and organisations subject to both Bill C-8 cybersecurity requirements and Canadian privacy law (PIPEDA) may benefit from an integrated approach.
Canadian Program for Cyber Security Certification (CPCSC)
Bill C-8 is complemented by the Canadian Program for Cyber Security Certification (CPCSC), which provides a mechanism for third-party verification of cybersecurity controls. The CPCSC enables federal institutions and their suppliers to engage accredited certification bodies to assess and certify compliance with defined security requirements. While CPCSC certification is not yet mandatory for all entities affected by Bill C-8, the program is expected to become an increasingly important compliance tool as the government matures its cybersecurity oversight framework.
Practical Implementation Steps for NIST CSF 2.0 Alignment
For organisations required to align with NIST CSF 2.0 under Bill C-8 — or those choosing to adopt the framework voluntarily — the implementation process involves several stages:
1. Establish Governance
Given that CSF 2.0 now explicitly includes a Governance function, this is the logical starting point. Define cybersecurity roles and responsibilities, establish a cybersecurity risk management policy, ensure board-level or senior leadership oversight, and define the organisation's cybersecurity strategy. The governance framework should align with the organisation's overall risk management approach.
2. Conduct a Risk Assessment
Identify and prioritise cybersecurity risks based on the organisation's mission, assets, and threat landscape. The risk assessment should cover:
- critical assets and systems;
- threat sources and events relevant to the organisation's operating context;
- vulnerabilities in systems, processes, and supply chains;
- the likelihood and impact of potential risk events;
- risk treatment priorities.
The risk assessment should be updated periodically and whenever significant changes occur.
3. Perform a Gap Analysis
Assess the organisation's current cybersecurity posture against the CSF 2.0 target profile. For each subcategory, determine whether the organisation has implemented controls, and if so, whether they are operating effectively. The gap analysis produces a roadmap for implementation.
4. Develop and Implement a Target Profile
Define the organisation's target cybersecurity posture — which CSF 2.0 subcategories are in scope and at what level of maturity. Then implement the controls needed to close the gaps identified in the analysis. This is an iterative process; most organisations start with the highest-priority subcategories and expand over time.
5. Monitor and Improve
Cybersecurity is not a one-time project. CSF 2.0 emphasises continuous improvement through ongoing monitoring, periodic reassessment, and updating of target profiles as the organisation's risk landscape evolves. Organisations should conduct annual reviews and refresh their risk assessments and profiles.
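Steps 2 to 4 above describe a profile comparison: each CSF 2.0 subcategory gets a current maturity, a target maturity, and a risk rating, and the gap analysis turns those into a prioritised roadmap. The script below is an added example written for this article, not code from the article's author, NIST, or any Canadian programme. The subcategory identifiers are real CSF 2.0 identifiers; the use of the four CSF implementation tiers as the "level of maturity" scale, the 1 to 5 risk rating, the rule that an ineffective control counts one tier lower than recorded, the risk-weighted scoring, and the sample assessment values are all assumptions constructed for illustration.

```python
"""Gap analysis between a current and a target NIST CSF 2.0 profile.

Added example, not part of the original article. Subcategory ids are
real CSF 2.0 ids; the tier scale, risk scale, weighting rule and sample
data are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# CSF 2.0 implementation tiers, used here as the maturity scale (assumption).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Assessment:
    subcategory: str   # CSF 2.0 subcategory id, e.g. "GV.OC-01"
    current: int       # tier observed during the gap analysis (1-4)
    target: int        # tier required by the target profile (1-4)
    risk: int          # rating from the risk assessment (1 low .. 5 high)
    effective: bool    # control exists AND was found operating effectively


def validate(a: Assessment) -> None:
    """Reject records outside the assumed scales before they skew the roadmap."""
    if a.current not in TIERS or a.target not in TIERS:
        raise ValueError(f"{a.subcategory}: tiers must be in {sorted(TIERS)}")
    if not 1 <= a.risk <= 5:
        raise ValueError(f"{a.subcategory}: risk must be 1..5")


def gap_score(a: Assessment) -> int:
    """Risk-weighted gap between current and target tier.

    Assumption: a control that exists but is not operating effectively is
    treated as one tier lower than recorded, so it still shows as a gap.
    """
    validate(a)
    observed = a.current if a.effective else max(1, a.current - 1)
    gap = max(0, a.target - observed)
    return gap * a.risk


def build_roadmap(assessments):
    """Return (subcategory, score) for every open gap, highest score first.

    Ties are broken by subcategory id so the ordering is stable across runs.
    """
    scored = [(a.subcategory, gap_score(a)) for a in assessments]
    open_gaps = [item for item in scored if item[1] > 0]
    return sorted(open_gaps, key=lambda item: (-item[1], item[0]))


def function_summary(assessments):
    """Count open gaps per CSF function, keyed by the id prefix (e.g. 'GV')."""
    counts = {}
    for a in assessments:
        if gap_score(a) > 0:
            fn = a.subcategory.split(".")[0]
            counts[fn] = counts.get(fn, 0) + 1
    return counts


# Constructed sample assessment for one fictional institution, not real data.
SAMPLE = [
    Assessment("GV.OC-01", current=2, target=3, risk=4, effective=True),
    Assessment("GV.SC-01", current=1, target=3, risk=5, effective=True),
    Assessment("ID.AM-01", current=3, target=3, risk=3, effective=True),
    Assessment("ID.RA-01", current=2, target=3, risk=4, effective=False),
    Assessment("PR.AA-01", current=3, target=4, risk=5, effective=True),
    Assessment("DE.CM-01", current=2, target=3, risk=3, effective=True),
    Assessment("RS.MA-01", current=3, target=3, risk=4, effective=False),
    Assessment("RC.RP-01", current=2, target=2, risk=2, effective=True),
]

if __name__ == "__main__":
    for subcat, score in build_roadmap(SAMPLE):
        print(f"{subcat:<10} priority score {score}")
    print("open gaps per function:", function_summary(SAMPLE))
```

Two design points matter for an audit-ready roadmap. First, a control that exists on paper but failed its effectiveness check (ID.RA-01 and RS.MA-01 in the sample) still surfaces as a gap, which matches the step 3 requirement to test whether controls are operating, not merely whether they are documented. Second, the ranking is risk-weighted rather than gap-weighted, so a one-tier shortfall on a high-risk subcategory such as PR.AA-01 outranks a one-tier shortfall on a lower-risk one, which is the prioritisation step 4 calls for.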
Common Implementation Pitfalls
- Treating CSF 2.0 as a compliance checklist — the framework is designed as a risk management tool, not a pass/fail checklist. Organisations that focus on ticking boxes without understanding their risk context will not achieve the security outcomes the framework is designed to deliver.
- Ignoring the Governance function — CSF 2.0's explicit inclusion of Governance is a deliberate response to the industry's experience that cybersecurity programmes without executive sponsorship and governance structures fail. Failing to establish governance undermines the entire framework.
- Attempting full compliance in one pass — CSF 2.0 covers an enormous range of controls. Most organisations cannot address all categories to full maturity in a single implementation cycle. Prioritise based on risk.
- Overlooking supply chain risk — CSF 2.0 includes supply chain risk management as a key category within the Identify function. Federal institutions and their suppliers must address third-party and supply chain risks as part of their implementation.
How Our Consultants Support NIST CSF 2.0 Compliance
Our team has deep experience with the NIST Cybersecurity Framework across multiple versions and implementation contexts. We provide gap assessments against CSF 2.0, current and target profile development, implementation roadmaps, governance framework design, and CPCSC certification preparation support. For organisations based outside Canada that supply or seek to supply Canadian federal institutions, our team helps bridge the gap between your existing compliance frameworks — whether ISO 27001, SOC 2, or Cyber Essentials — and the CSF 2.0 requirements mandated by Bill C-8. Through our fractional vCISO service, we provide ongoing cybersecurity leadership that keeps your programme aligned with federal requirements and evolving global standards.
Our consultants bring experience working with organisations in the UK, Canada, the US, and Australia, enabling us to support multi-jurisdictional compliance programmes that satisfy multiple regulatory frameworks simultaneously.