Canada’s PQC Framework: Sound Design, Stalled Execution — What the Bill C-8 Senate Debate Reveals
This is an update to my earlier analysis: No Single Law, No Single Excuse: How Canada Regulates PQC Without Saying “Quantum.”
In June 2022, I was a cybersecurity partner at PwC Canada when the Minister of Public Safety introduced Bill C-26 in the House of Commons. My team was among the first to analyze its implications for critical infrastructure operators, and my assessment at the time was that this was one of the strongest cybersecurity bills proposed by any G7 government. The Critical Cyber Systems Protection Act (CCSPA) it contained gave regulators real enforcement teeth: mandatory cybersecurity programs, incident reporting to the Canadian Centre for Cyber Security, ministerial power to compel operators to harden specific systems, and penalties of up to $15 million per day for non-compliance. For those of us who had spent years watching Canada trail its Five Eyes allies on critical infrastructure cybersecurity regulation, this felt like a genuine inflection point.
Four years later, Bill C-26’s successor (Bill C-8, nearly identical) has finally passed the Canadian Senate. Royal Assent is imminent. But not a single dollar in penalties has been levied. Not a single critical infrastructure operator has been compelled to do anything under the CCSPA, because the CCSPA does not yet exist as enforceable law. And the regulatory clock that matters for quantum has not started.
And the word “quantum” has barely been spoken in the entire four-year legislative journey.
The Senate debate: June 3, 2026
On June 3, Senator John McNair moved third reading of Bill C-8 in the Senate. His speech laid out the cyber threat facing Canada in appropriately urgent terms: over 1,400 incidents against critical infrastructure in 2024-25 (roughly four per day), ransomware increases of 159% in IT and 157% in finance year-over-year, $5 billion in annual economic damage. He quoted Bruce Power’s CISO, CIGI’s Aaron Shull, and former Biden administration cyber official Philip Stupak. The message was unanimous: pass this now.
Near the end of the question period, Senator Mohamed-Iqbal Ravalia asked the only quantum-related question of the entire debate:
“Senator McNair, during the formulation of this bill, was there any discussion about quantum computers and the severe threat that they pose, potentially using quantum technology to break standard encryption? And how might we protect against this on a go-forward basis?”
McNair’s response:
“There was no direct discussion at the committee level, but there was discussion among people on artificial intelligence and quantum computing. The point about this bill is that it’s robust enough and not specific — it’s generic at this stage — so the regulatory process can deal with issues around quantum computing and artificial intelligence.”
One question. No committee discussion. A response that amounts to “we’ll deal with it later in regulations.”
On Canada’s most important cybersecurity bill. In 2026. Two years after NIST finalized post-quantum cryptography (PQC) standards.
My Analysis
A four-year legislative odyssey
The timeline tells its own story. Bill C-26 was introduced on June 14, 2022. It was referred to committee nine months later, in March 2023. The House amended it 37 times. By late 2024, it had reached third reading in the Senate, where a procedural error forced it back to the House. Then Trudeau resigned, Parliament was prorogued in January 2025, and the bill died on the Order Paper.
The Carney government reintroduced it as Bill C-8 on June 18, 2025, nearly identical to its predecessor. Despite broad cross-party support, the bill had to restart the full legislative process from scratch. It entered House committee study in October 2025, eventually made it back to the Senate, and passed third reading on June 4, 2026. Royal Assent is expected within weeks.
Four years from introduction to passage. For context, NIST’s PQC standards (ML-KEM, ML-DSA, SLH-DSA) were finalized in August 2024. The Harvest Now, Decrypt Later threat has been active the entire time. The Trust Now, Forge Later authentication threat has been accumulating exposure for every certificate signed with classical cryptography during this period.
The timeline arithmetic
With Senate passage complete, Royal Assent is now weeks away rather than months. The Minister of Public Safety told the Senate committee that Part 1 regulations (telecom security orders) would take 6 to 12 months to develop. Part 2 regulations (CCSPA, covering critical infrastructure across energy, finance, transportation, and telecom) would take 12 to 24 months.
That puts enforceable CCSPA regulations at late 2027 to mid-2028 at the earliest. And McNair’s candid admission that quantum was not discussed at committee level makes it unlikely that PQC requirements will feature in the first regulatory tranche. Regulators will focus on baseline cybersecurity obligations first: incident reporting frameworks, minimum program requirements, compliance timelines. Quantum-specific requirements will be treated as a second-order problem.
Realistically, enforceable PQC migration obligations for Canadian critical infrastructure operators under the CCSPA are a 2028 to 2029 prospect. Possibly later.
The international comparison makes this gap concrete:
- CNSA 2.0 makes PQC mandatory for new US national security system acquisitions by 2027. Canadian operators working in integrated North American supply chains will face those requirements whether or not Ottawa mandates them.
- Google’s quantum research team recently estimated that quantum preparedness may be needed by 2029, based on a 20-fold reduction in the qubit resources required to break RSA-2048. That’s only three years from now.
- The EU’s NIS2 implementation is rolling, with PQC for high-risk critical infrastructure sectors targeted by 2030. The new EU-Canada strategic partnership explicitly calls for alignment of regulatory frameworks on emerging technologies including quantum.
- Canada’s own CCCS roadmap requires federal departments to have PQC migration plans by April 2026 and high-priority systems migrated by end of 2031. The CCSPA was supposed to extend that urgency to the private critical infrastructure sector. Instead, private operators are waiting for regulations under a law that has only just passed Parliament.
By the time CCSPA regulations address quantum, the rest of the G7 will be years into enforcement.
The SPIN is not holding
In my original article, I identified the Treasury Board SPIN (Security Policy Implementation Notice) as the sharpest near-term tool in Canada’s PQC kit. Since April 1, 2026, all new federal contracts with a digital component must include PQC procurement clauses. The SPIN was supposed to propagate quantum requirements through the vendor supply chain and create market pressure ahead of CCSPA regulations.
The SPIN also imposed a concrete internal deadline: by April 1, 2026, every federal department must have developed a high-level PQC migration plan. SSC, as the central IT provider for most of the federal government, had a parallel obligation: publish its own high-level PQC migration plan for the systems it operates and share it with departments so they could plan around SSC’s infrastructure dependencies.
SSC’s own published departmental plans tell us how that went.
The 2025-26 SSC Departmental Plan, published around January 2026, stated that SSC “will create a comprehensive quantum readiness action plan, outlining specific steps, timelines, resource requirements and key performance indicators.” Future tense. Three months before the SPIN deadline, the plan to make a plan did not yet exist.
The 2026-27 SSC Departmental Plan, published in April 2026 (the month the SPIN deadline arrived), states that “in 2026-2027, as part of the overarching Government plan, SSC will identify and prioritize changes that will be required to implement enhanced security measures and mitigate this future risk.” Still future tense. Still Phase 1 preparation language.
Compare that to what the SPIN required: a published migration plan, shared with departments, by April 1, 2026. What SSC’s own reporting describes is an organization that is still identifying what needs to change.
This matters because SSC manages the shared infrastructure that most federal departments run on. Every department’s PQC migration plan depends on knowing what SSC intends to do with the networks, hosting, and services they all share. If SSC’s plan does not exist, departmental plans built on top of it are building on air.
No public compliance statistics exist. TBS has published no reporting on how many departments submitted migration plans by the April deadline. The CCCS has published no progress dashboard. The reporting mechanism (annual submissions via the departmental plan on service and digital) either has not produced results, or its results have not been made public. If the numbers are strong, publishing them would strengthen confidence in Canada’s quantum readiness. The silence does the opposite.
Reassessing “No Single Law, No Single Excuse”
My original thesis was generous, and I said so at the time. The architecture of Canada’s approach is a defensible model: procurement propagation through the SPIN, supervisory pressure through OSFI, and the CCSPA as the legislative enforcement backstop. On paper, it creates layered PQC obligations across different sectors without requiring a single dedicated quantum law. The design is sound.
The problem is execution speed. Three things have become clear since March:
The “generic by design” argument is aging poorly. McNair framed Bill C-8’s technology-neutrality as a feature: the regulatory process can address quantum when the time comes. In legislative theory, this is correct. In practice, “generic” means critical infrastructure operators have no specific obligation to begin PQC migration planning until a regulation tells them to. For CISOs doing budget cycles and capacity planning, the absence of a specific requirement is functionally indistinguishable from the absence of urgency. The US understood this when it built CNSA 2.0 with named algorithms, named system categories, and named deadlines. That is not regulatory overreach. It is operational clarity.
The enforcement backstop is empty on quantum. The CCSPA’s $15 million daily penalties are the most powerful enforcement tool in Canada’s PQC kit. They are also meaningless without regulations that define what compliance looks like. Until those regulations arrive and explicitly address PQC, the penalty framework enforces nothing on quantum risk. I described the CCSPA as the piece that makes the whole layered model work. As of today, it does not work at all, because it does not exist as law.
The international gap is widening, not narrowing. When I wrote the original article, I argued that Canada’s approach was “the most principles-based but not the weakest” of the major jurisdictions. That characterization assumed the CCSPA would arrive promptly and its regulations would be informed by quantum awareness. The Senate debate suggests neither assumption was warranted. The EU has moved from principles to implementation timelines. The US continues to enforce through procurement mandates. Canada’s critical infrastructure operators sit in between, facing harder deadlines from their American supply chain partners than from their own federal government.
What I originally got right
OSFI’s work on financial sector quantum readiness remains the strongest piece of Canada’s PQC framework. Guideline B-13 is enforceable. The quantum preparedness questionnaire OSFI and FCAC issued in December 2023 created real supervisory expectations. Guideline B-10 extends quantum risk exposure through the vendor supply chain. For federally regulated financial institutions, quantum is not a hypothetical future concern; it is a present supervisory expectation.
The NRC’s Quantum Safe Technologies Initiative, launched in 2026, is building R&D capacity in quantum-safe applications for defence, finance, and telecom. The CCCS roadmap for federal systems provides a credible technical framework with clear milestones through 2035.
These pieces remain sound. The problem is that they cover the federal government’s own systems and the financial sector. Energy, telecom, transportation, and pipeline operators (85% of which are privately owned) are waiting for the CCSPA.
What would close the gap
None of this requires new legislation. Three actions would materially change the picture:
Prioritize quantum in the first CCSPA regulatory tranche. The minister has committed to a regulatory process with stakeholder consultation. That process needs to include PQC migration requirements from the start. The CCCS roadmap already provides the technical framework. The regulatory process should reference it directly rather than treating quantum as a topic for future rounds.
Enforce the SPIN. TBS has the policy instruments. If departmental PQC migration plans are not materializing, that is a compliance problem, not a policy gap. The SPIN was designed to create urgency ahead of CCSPA regulations. If departments are treating it as optional, the entire procurement-propagation strategy collapses.
Issue anticipatory guidance to CCSPA-designated operators now. Royal Assent is imminent, but the CCCS can issue guidance to critical infrastructure operators at any time without waiting for regulations. A clear signal that PQC migration will be a CCSPA regulatory requirement, with indicative timelines and alignment to CNSA 2.0 and NIST standards, would allow operators to begin planning before the regulations are finalized. This is exactly what OSFI did for financial institutions. It worked there. It would work here.
The bottom line
When I first analyzed Bill C-26 in 2022, I thought Canada was about to leapfrog most of its allies on critical infrastructure cybersecurity. The bill was strong. The policy intent was clear. The architecture was sound.
Four years later, that same bill — renamed, reintroduced, debated across two Parliaments — has finally passed. That is progress. But the enforcement mechanism that makes the whole PQC framework coherent remains years away from addressing quantum risk. SSC’s own departmental plans show the central IT provider still identifying what needs to change, months after its SPIN deadline. And in the final Senate debate, quantum was the subject of one question, answered with a reference to future regulations.
Canada has the right framework. It does not have the right pace. As I have argued elsewhere, the timeline for action is no longer set by Q-Day predictions. It is set by regulators, insurers, investors, and trading partners who are already imposing their own quantum deadlines. Canadian critical infrastructure operators who wait for CCSPA regulations to tell them what to do will find that their American counterparts, their European partners, and their own financial regulators got there first.
The framework exists. The execution needs to catch up.