Bill C-8 promises a new era of mandatory cyber obligations for federally regulated sectors - but does compliance really translate to security for Canadian operational technology environments?

This session examines what Bill C-8 actually requires, how it intersects with Quebec’s evolving regulatory landscape, and where gaps remain for unregulated or partially regulated OT industries. The expert panelists will explore the risk of “checkbox compliance,” the practical challenge of operationalizing requirements across IT and OT, and how boards, CISOs and operators can go beyond minimum standards by drawing on frameworks such as NIS2, CISA guidance and the EU Cyber Resilience Act.

In this insightful discussion, the panelists will discuss:

• What Bill C-8 changes in practice for OT operators?
• The limits of compliance: avoiding false assurance and ensuring requirements are truly operationalized in OT;
• How Canadian organizations can leverage NIS2, CISA and internal standards to build security beyond regulatory baselines.