Canada's Bill C-8 will enact the Critical Cyber Systems Protection Act (CCSPA), the country's first mandatory cybersecurity framework for federally regulated critical infrastructure. For operators of industrial and essential systems, it's a shift from voluntary best practice to enforceable obligation. That means cybersecurity programs, supply chain risk controls, incident reporting within 72 hours, and penalties that reach personal liability for directors and officers.

The catch is that the legislation is intentionally high-level. It defines what outcomes designated operators must achieve, not how to achieve them — leaving security and OT leaders to translate broad mandates into defensible, auditable programs across complex, frequently unmonitored industrial networks.

Sandeep Lota breaks down what C-8 demands, then maps the path from directive to defense: full OT/IT asset visibility, risk prioritization, and the continuous monitoring and incident detection the CCSPA requires.

Attendees will learn:

• What Bill C-8 and the CCSPA actually require — and which obligations carry the hardest deadlines and steepest personal liability
• Why complete OT/IT asset visibility is the foundation every other requirement depends on
• A risk-based method for prioritizing remediation and security investment across converged environments
• How to operationalize continuous monitoring and 72-hour incident reporting, not just promise it
• Where Nozomi Networks accelerates each step from initial assessment to audit-ready compliance

‍