A New Cybersecurity Law Just Put Your Private Network on the Hook

3 Steps to Close the Gap Before Regulators Ask

Critical infrastructure operators have spent years hardening their OT environments. SCADA monitoring. Network segmentation. NERC CIP compliance programs. What most have not accounted for is the private wireless network running alongside all of it: the private LTE or 5G infrastructure connecting field devices, vehicles, and sensors across their operations. 

That network just became a documented regulatory obligation. 

On June 16, 2026, Canada’s Bill C-8 received Royal Assent, making it the most significant critical infrastructure cybersecurity law the country has ever passed. It covers energy, telecommunications, finance, and transportation. Designated operators must now establish documented cybersecurity programs, manage third-party risk inside their environments, detect and report cyber incidents, and respond to government directions on defined timelines. Non-compliance carries serious financial penalties. 

Private LTE and 5G networks are explicitly covered as third-party systems. This is not a gray area. The question is whether your program addresses it. 

What the Law Requires 

The Critical Cyber Systems Protection Act (CCSPA) creates five obligations every designated operator must meet. 

Establish a documented Cyber Security Program that describes how your critical systems are protected and kept resilient. Identify and mitigate risks from third-party vendors and systems operating inside your environment, not just at the perimeter. Implement measures to detect cyber security incidents on your critical systems. Report qualifying incidents to the Canadian Centre for Cyber Security. Respond to government-issued Cyber Security Directions within defined timeframes. 

The law took effect immediately. The broader CCSPA implementation is phased, which means operators are in the planning window right now. That window will not stay open indefinitely. Organizations that define their Cyber Security Program now will set the architecture on their own terms. The ones that wait will be reacting to regulators with gaps they cannot close quickly. 

Where Most Operators Have a Gap 

The third-party risk obligation is where most private cellular operators will find their exposure, and it is the one that catches people off guard. 

Nokia or Ericsson manages the network infrastructure. But the obligation is not about the vendor. It is about what runs through that infrastructure: which devices are on the network, who authorized them, and whether you can see and report on them. 

Traditional IT and OT security tools operate at the IP layer. When a device connects to a private LTE or 5G network, it authenticates via SIM card, not an IP credential. That process is completely invisible to the tools most operators already have in place. You can have strong perimeter controls and comprehensive SCADA monitoring and still have zero visibility into the cellular layer where your field devices actually connect. 

The mandatory incident reporting requirement makes that blind spot a legal liability. You cannot report what you cannot see. 

3 Steps to Close the Gap 

CCSPA implementation is phased, but the planning clock is running. Here is what getting ahead of this actually looks like. 

Visibility into every device on the network. You need continuous awareness of every device that presents to your private wireless network, not just the ones you provisioned. That means knowing what connected, when, what it is, and whether it was authorized. Without this foundation, you cannot meet the detection or reporting obligations the law requires. 

Policy enforcement, not just monitoring. Visibility alone does not satisfy compliance. You need the ability to control what is permitted to operate on the network, enforce access decisions in real time, and block unauthorized devices before they become reportable incidents. Monitoring without enforcement is observation. What regulators want to see is control. 

A complete audit trail for incident reporting. When something happens, you need to reconstruct it. That means mapping cellular identifiers, the IMSI tied to a SIM card and the IMEI identifying the physical device, to enterprise IP addresses. Without that mapping, incident reporting is guesswork. With it, your team can produce a clear, complete account of what happened, what was affected, and when. 

This is what OneLayer delivers for operators running private LTE and 5G in regulated environments: device-level visibility, real-time policy enforcement, and the audit trail your Cyber Security Program needs to cover the cellular layer. 

The Window Is Open. Act Now. 

The new law did not create a new problem. It put legal requirements around one that already existed. Private wireless networks inside critical infrastructure have always been a security boundary. Now they are also a documented regulatory obligation with reporting timelines and financial penalties attached. 

Every government managing critical infrastructure is working through the same challenge. Canada moved first, but the direction is clear. 

The operators who build their cellular security program now, while the planning window is open, will be the ones ready when their regulator comes asking. 

Get in touch with our team to understand what a Cyber Security Program for your private cellular network looks like.