I think it's working for everyone now.
You can start your introduction again, Mr. Bradley.
Evidence of meeting #18 for Public Safety and National Security in the 45th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was c-8.
A recording is available from Parliament.
Bloc
The Vice-Chair Bloc Claude DeBellefeuille
I think it's working for everyone now.
You can start your introduction again, Mr. Bradley.
President and Chief Executive Officer, Electricity Canada
Thank you.
Electricity Canada is the national voice for electricity in the country. Our members generate, transmit and distribute electricity in every province and territory.
Thank you very much for inviting me to testify on Bill C‑8. Last December, I testified before a committee of the other chamber about Bill C‑26.
The new cybersecurity obligations in Bill C‑8 apply to certain critical infrastructure under federal jurisdiction. In our sector, it's mostly international and interprovincial transmission lines, as well as nuclear power plants. Like several other witnesses, we recognize that there is a legislative gap in Canada's approach to cybersecurity. We therefore support the overall objectives of the bill. However, we do have some concerns, and we are proposing some amendments to better protect existing partnerships with federal agencies and enhance the security of our sector.
First, we recommend that Bill C-8 be amended to introduce clear protections and safe harbour provisions for organizations that voluntarily disclose cyber-incidents or vulnerabilities to the government. These protections should ensure that information shared in good faith by organizations is not used to initiate lawsuits or regulatory penalties. In our view, the absence of such protections is a major gap. Without them, operators will likely receive legal advice to share only the minimum information required to comply with the act, and nothing more.
As I discussed with regard to Bill C-26 on the same issue, this would result in a chilling effect on information sharing. This would be a missed opportunity to foster open collaboration and information sharing with government, both of which are essential to strengthening our collective resiliency.
A second concern relates to the potential risks Bill C-8 poses to the partnerships that critical infrastructure operators currently maintain with CSE's cyber centre. Today, our sector benefits from a collaborative relationship with the cyber centre, grounded in the confidence that information shared with it is not disclosed to regulators, enforcement bodies or other departments.
Bill C-8 could change this. It would require that CSE share incident reports with regulators, provide advice or services to regulators on operators' compliance with supply chain risk mitigation, and authorize CSE staff to share information with other government entities for the purposes of issuing cybersecurity directions. These new rules and responsibilities risk creating, as I said, a chilling effect, as operators may now hesitate to share information with the cyber centre if they fear it could later be used for regulatory enforcement.
To protect these vital partnerships, we recommend that Bill C-8 better define expected information sharing between CSE and the rest of government and protect information shared voluntarily with the cyber centre from being disclosed. A clear separation between the cyber centre's collaborative functions and CSE's new obligations could be adopted.
We can draw inspiration from a similar model that already exists in our sector between the North American Electric Reliability Corporation, or NERC, and the electricity information-sharing and analysis centre, or the E-ISAC. Although the E-ISAC is operated by NERC, it is kept organizationally isolated from enforcement activities, which preserves confidentiality and encourages open information exchange with electricity operators.
Finally, we're concerned that Bill C-8 could create a duplicative regulatory framework for cybersecurity in the electricity sector, which is already regulated through NERC standards and provincial regulators. The electricity sector is unique in that it adheres to NERC's critical infrastructure protection standards, which are adopted, enforced and audited by provincial bodies. These standards already ensure strong and comprehensive measures to secure the grid. Introducing new, potentially conflicting, federal requirements risks creating ambiguity, additional compliance burdens and regulatory misalignment, all of which could undermine the bill's objective of enhancing security.
To mitigate this risk, we propose including provisions that allow the federal regulator to recognize and accept compliance with equivalent frameworks, such as NERC's CIP. We'll also be ready to work with the government during the regulatory development process to ensure alignment and harmonization with existing frameworks.
While there are many other aspects of the bill that also deserve attention, that's all the time I have today—
Bloc
The Vice-Chair Bloc Claude DeBellefeuille
You took the words right out of my mouth, Mr. Bradley. Your time is up.
We will now begin the first round of questions.
Mr. Lloyd, you have the floor for six minutes.
December 4th, 2025 / 12:25 p.m.
Conservative
Dane Lloyd Conservative Parkland, AB
Thank you to the witnesses.
Thank you, Madam Chair.
Mr. Bradley, is there a precedent for these safe harbour provisions you're proposing in other jurisdictions, and if so, in which jurisdictions?
President and Chief Executive Officer, Electricity Canada
That is an excellent question. I don't have a great deal of detail specifically with the safe harbour—
Conservative
Dane Lloyd Conservative Parkland, AB
Can you send that at a later time, then, if you can get a briefing on it?
President and Chief Executive Officer, Electricity Canada
We can.
I would also reference the witness you had previously from the CCTX, who spoke in detail about safe harbour provisions and has provided detail on that.
Conservative
Dane Lloyd Conservative Parkland, AB
Okay, thank you.
We want to give protections to the operators so they share information, but what if the case is that the operator was found to be grossly negligent in causing a cybersecurity incident? Would these safe harbour provisions protect them from criminal prosecution when they share that information with the government?
President and Chief Executive Officer, Electricity Canada
If you're talking about a case of clear.... I'm sorry; what was the term you used?
President and Chief Executive Officer, Electricity Canada
I don't believe that would apply when you're talking about safe harbour provisions.
Conservative
Dane Lloyd Conservative Parkland, AB
Thank you.
We don't want companies to use the safe harbour provisions to say you can't investigate them or charge them because they shared the information with you.
President and Chief Executive Officer, Electricity Canada
That's correct.
Conservative
Dane Lloyd Conservative Parkland, AB
Okay.
Do you agree with other industry stakeholders—we've received a brief from the electronic payments association—that the reporting requirements for all cybersecurity changes are too broad and could lead to a heavy reporting burden on operators without improving security outcomes?
President and Chief Executive Officer, Electricity Canada
We don't exactly know what the reporting burden is going to be, because we haven't seen the regulations. Our concern is about doubling and layering on. We already have an existing mandatory regime. That is unique for the electricity sector because of the NERC standards. We have mandatory reporting already in this sector. Our concern is not so much what that reporting regime is going to be. We already have one.
Conservative
Dane Lloyd Conservative Parkland, AB
Is there a legislative change that you think could help reduce this duplicative burden?
President and Chief Executive Officer, Electricity Canada
Yes. Right now, as the legislation is written, the order in council “may” identify equivalent standards. It should be that they “should” be identifying them. As opposed to making it optional, it should be mandatory that existing mandatory standards be regarded as equivalent.
Conservative
Dane Lloyd Conservative Parkland, AB
Thank you.
Can you tell us about any concerns pertaining to the administrative monetary penalties proposed in this legislation? Do you believe that monetary penalties are a constructive tool for driving compliance?
President and Chief Executive Officer, Electricity Canada
Monetary penalties already exist for our sector. With respect to CIP, there are monetary penalties in NERC CIP standards. We haven't seen major monetary penalties yet on Canadian entities, but on a North American basis, we have seen six-figure monetary penalties for CIP standards.
Conservative
President and Chief Executive Officer, Electricity Canada
I don't think they impact compliance.
Conservative
Dane Lloyd Conservative Parkland, AB
Do you have any concerns that the mandatory information-sharing provisions in the CCSPA could inadvertently lead to disclosure of sensitive commercial, operational or even personal employee data? If so, do you think the bill should be amended to better safeguard that information?
President and Chief Executive Officer, Electricity Canada
We already exchange very sensitive information on an ongoing basis. The protections that I believe are in place now are likely sufficient. Our concern is not so much the protection of the information, but the potential that information could be used for more than simply improving security. If it's used for penalty, if it's used by the regulator as opposed to the security people, that is where our concern would come in.
Conservative
Dane Lloyd Conservative Parkland, AB
Thank you.
The bill also proposes to introduce significant penalties and potential liability for officers and directors of designated entities. We've heard from other stakeholders that there isn't really precedent for this in other jurisdictions.
Do you have any thoughts on those provisions?
President and Chief Executive Officer, Electricity Canada
I do not know about other jurisdictions.