2026-06-01
Bill C-22 and the Encrypted Communications Gap
Bill C-22 — the Critical Cyber Systems Protection Act — received Royal Assent in June 2024. It establishes mandatory cybersecurity programs for designated operators of critical infrastructure in the finance, telecommunications, energy, and transportation sectors.
What C-22 Requires
Designated operators must:
- Establish and maintain a cybersecurity program
- Implement supply-chain security measures
- Report cyber incidents within defined timeframes
- Comply with cybersecurity directives issued by the Governor in Council
The Gap It Exposes
C-22 mandates the what — secure communications, incident response, supply-chain controls — but doesn’t prescribe the how. Most organisations will reach for whatever is on the shelf. That means US-based platforms subject to the Cloud Act, Microsoft 365 tenants routed through American data centres, and Slack workspaces operating under American jurisdiction.
None of these satisfy a strict reading of the Canadian sovereignty requirement that C-22 implies for critical infrastructure communications.
Canium’s Position
Canium is built specifically for this gap. Post-quantum protected recovery architecture, Canadian infrastructure, no foreign cloud exposure, audit trails by design. We are in early access — if your organisation is planning its C-22 compliance program, reach out.