At a bare minimum, organizations should be complying with all applicable regulations. This past year saw regulatory developments in Canada and the EU that will create new reporting obligations and affect how organizations shape their cybersecurity programs. For example, the EU’s Network and Information Security Directive (NIS2) mandates cyber risk governance, risk management and reporting requirements for certain European organizations. It was slated to be fully in force in 2025, but rollout has been uneven across member states.
In Canada, Bill C-8 was introduced in June 2025. If passed, it will apply to organizations operating in critical sectors such as finance, telecommunications, utilities and transportation, requiring them to develop and implement a cybersecurity program that must be submitted for annual review. It will also require in-scope organizations to report cybersecurity incidents to the Canadian Centre for Cyber Security (CCCS) within 72 hours, allow the government to issue legally binding orders for organizations to take specific measures related to cybersecurity and impose significant penalties for non-compliance with the Bill.
Audit committees must keep…