In Development

Canada's federal cybersecurity certification for critical infrastructure.

Bill C-26 introduces mandatory cybersecurity requirements for federally regulated critical infrastructure. Vimy is building CPCSC alignment into the platform so you're ready when the standard is finalized.

Critical Infrastructure Focus | 100% Canadian Infrastructure | In Development

What is CPCSC?

Mandatory cybersecurity obligations for Canada's most critical operators.

Bill C-26 — the Critical Cyber Systems Protection Act — introduces mandatory cybersecurity requirements for federally regulated critical infrastructure sectors: finance, telecommunications, energy, and transportation.

The CPCSC certification program aligns with NIST CSF and establishes baseline security expectations for operators of designated systems. Under Bill C-26, covered organizations must establish and maintain a cybersecurity program, report cyber incidents to the government, and manage supply chain security risks.

Bill C-26 received Royal Assent in June 2024. Specific obligations for designated systems are being defined through regulations. Organizations in the four covered sectors should begin building alignment now.

Four regulated sectors

Finance, telecommunications, energy (including pipelines and nuclear), and transportation (rail, air, marine) are the initial scope under the Act.

Mandatory cybersecurity programs

Covered operators must implement documented cybersecurity programs, keep them up to date, and demonstrate compliance to the relevant regulator.

Cyber incident reporting

Organizations must report cyber incidents affecting designated critical cyber systems to the government — with timelines and formats still being defined through regulation.

Key Requirements

What CPCSC will require of covered operators.

While specific regulatory requirements are still being finalized, Bill C-26 establishes four core program areas that operators of designated critical cyber systems must address.

Cyber Incident Reporting

Operators must report cyber incidents affecting designated critical cyber systems to the relevant government authority. Timelines and notification thresholds will be defined through regulations. Evidence of detection, containment, and resolution must be maintained.

Security Program Requirements

Covered operators must establish, implement, and maintain a documented cybersecurity program. The program must be kept current and include policies, risk assessments, incident response plans, and controls aligned to the CPCSC standard.

Supply Chain Risk Management

Bill C-26 explicitly addresses supply chain cybersecurity. Covered operators must identify and mitigate cyber risks originating from their suppliers and third-party service providers — a requirement that extends beyond most existing frameworks.

Designated Systems Compliance

Once systems are formally designated under the Act, operators have obligations tied specifically to those systems. Compliance must be demonstrable to regulators — through audit trails, evidence of controls, and continuous monitoring records.

How Vimy Helps

Built for CPCSC before it's mandatory.

Vimy is building CPCSC alignment into the platform. Security operations, posture monitoring, and evidence collection that already satisfy SOC 2, ISO 27001, and NIST CSF will map directly to CPCSC requirements when the standard is finalized.

You won't be starting from scratch. You'll be activating a mapping that's already been done.

Continuous Posture Monitoring

Vimy monitors your security posture in real time against control frameworks. As CPCSC requirements are confirmed, posture checks will extend automatically — no re-implementation required.

Automated Evidence Collection

Every security operation generates an evidence trail. Incident detection, access reviews, configuration changes, and patch records are captured automatically — ready for regulator review.

Incident Reporting Workflows

Vimy's Threat Response Objects (TROs) document every incident with full timeline, affected systems, containment actions, and resolution. When CPCSC reporting requirements are confirmed, your records will already be structured to meet them.

Supply Chain Visibility

Vimy's integration layer and subprocessor tracking give you a live view of third-party access, data flows, and vendor security posture — the foundation for the supply chain risk management CPCSC requires.

Multi-Framework Mapping

NIST CSF, SOC 2, ISO 27001, PIPEDA, and CPCSC are tracked simultaneously from the same data. A single security action satisfies obligations across all frameworks — no duplicate work, no duplicate cost.

100% Canadian Infrastructure

Vimy runs entirely on Canadian infrastructure with zero US subprocessors. For operators of designated critical systems, keeping security operations data sovereign is not optional — Vimy delivers it by default.

Framework Overlap

If you're already on NIST CSF, you're closer than you think.

CPCSC draws heavily from NIST CSF 2.0. Organizations already compliant with SOC 2 or NIST CSF will have significant overlap with CPCSC requirements when the standard is finalized. The coverage is not identical — supply chain and incident reporting obligations under CPCSC are more prescriptive — but the foundational work is shared.

Vimy tracks all three simultaneously. A single security posture check, incident record, or control attestation feeds NIST CSF, SOC 2, and CPCSC at the same time. No duplicate work.

FAQ

Common questions about CPCSC.

CPCSC — the Canadian Program for Cyber Security Certification — is a federal certification framework established under Bill C-26 (the Critical Cyber Systems Protection Act). Bill C-26 received Royal Assent in June 2024. The specific certification requirements and designated system designations are still being developed through regulations. Finalized obligations for operators are expected to roll out through 2025 and 2026.

CPCSC applies to federally regulated critical infrastructure operators in four sectors: finance (banks, insurance, payment systems), telecommunications, energy (pipelines, nuclear), and transportation (rail, air, marine). If you operate or rely on a "designated critical cyber system" as defined under the Act, you will have mandatory cybersecurity program obligations. Provincial-only entities and private-sector organizations outside these four sectors are not directly covered by the Act.

CPCSC draws heavily from NIST CSF 2.0. The framework's Govern, Identify, Protect, Detect, Respond, and Recover functions map closely to CPCSC's required cybersecurity program elements. Organizations already aligned with NIST CSF will have a significant head start on coverage when CPCSC requirements are finalized. Vimy tracks NIST CSF and CPCSC simultaneously — see our NIST CSF coverage for details.

Significant. SOC 2's Common Criteria cover access control, incident response, availability, and change management — all of which align with CPCSC's cybersecurity program requirements. Supply chain risk management and cyber incident reporting are areas where CPCSC extends beyond a standard SOC 2 scope. Vimy tracks both simultaneously so you're not starting from scratch. See our SOC 2 coverage page for details.

Be ready when CPCSC is finalized.

Join the early access list and we'll map your current compliance posture to CPCSC requirements as the standard evolves.

NIST CSF overlap tracked now | CPCSC mapping in progress | 100% Canadian infrastructure