← dispatches

Bill C-22 and the Encrypted Communications Gap

Bill C-22 — the Critical Cyber Systems Protection Act — received Royal Assent in June 2024. It establishes mandatory cybersecurity programs for designated operators of critical infrastructure in the finance, telecommunications, energy, and transportation sectors.

What C-22 Requires

Designated operators must:

The Gap It Exposes

C-22 mandates the what — secure communications, incident response, supply-chain controls — but doesn’t prescribe the how. Most organisations will reach for whatever is on the shelf. That means US-based platforms subject to the Cloud Act, Microsoft 365 tenants routed through American data centres, and Slack workspaces operating under American jurisdiction.

None of these satisfy a strict reading of the Canadian sovereignty requirement that C-22 implies for critical infrastructure communications.

Canium’s Position

Canium is built specifically for this gap. Post-quantum protected recovery architecture, Canadian infrastructure, no foreign cloud exposure, audit trails by design. We are in early access — if your organisation is planning its C-22 compliance program, reach out.