Commercial CCTV & Video Surveillance: A Canadian Business Guide

Commercial CCTV and video surveillance is the layered combination of IP cameras, recording infrastructure (NVR or VMS), network design, storage, and operational policy that lets a Canadian business see, record, review, and act on activity across its sites. Done well, it deters incidents, accelerates investigations, supports insurance and compliance requirements, and feeds adjacent systems like access control and alarm verification. Done poorly, it produces unusable footage, privacy exposure, and ongoing cost without clear return.

This guide walks through how commercial video surveillance actually works in Canadian business environments, the decisions that matter most, and what to verify before you sign a quote.

What "commercial CCTV" actually means in 2026

The term "CCTV" still gets used, but most modern commercial systems are fully IP-based. Cameras are network devices that stream encoded video (typically H.265) over Ethernet, powered through PoE or PoE+ (IEEE 802.3af/at) and, for higher-draw PTZ or heated units, PoE++ (802.3bt). Footage is written to either an on-premise NVR, a server-based VMS, a cloud platform, or a hybrid of the two.

Three things distinguish a commercial-grade deployment from a consumer kit:

• Engineering: camera selection, lens choice, mounting height, and field-of-view are designed against a written objective (deter, detect, identify, or court-grade evidence).
• Continuity: power, network, and storage are sized so the system keeps recording during outages, peak motion, and concurrent reviews.
• Operations: someone owns retention, user access, firmware updates, and incident workflow — not just the install.

The four objectives every camera should serve

Before you specify a single camera, decide what each location needs to accomplish. This is the single biggest driver of cost, lens choice, and resolution.

| Objective | Typical pixel density (px/ft on target) | Example use | |---|---|---| | Monitor / situational awareness | ~20 | Wide parking lot overview | | Detect (motion / presence) | ~25 | Perimeter, loading dock | | Recognize (known person) | ~50 | Employee entrance | | Identify (court-usable) | ~80+ | POS, cash room, main door |

A camera that "looks fine" on a sales-demo monitor can still be useless in court if pixel density on the subject's face is too low. Specifying the objective per camera is what separates an engineered system from a guessed one.

Cloud vs on-premise vs hybrid: how to choose

There is no universally correct answer — the right architecture follows the site, the bandwidth available, and the operational team.

• On-premise (NVR/VMS): lowest recurring cost, full control of footage, no upload bandwidth required. Trade-off: you own backups, hardware refresh, cybersecurity patching, and physical security of the recorder itself.
• Cloud-managed: predictable subscription, automatic updates, easier multi-site administration, footage survives a recorder being stolen or damaged. Trade-off: ongoing cost, sustained upload bandwidth (especially with high-resolution streams), and dependence on the vendor's roadmap.
• Hybrid: local recording for full-resolution archive, cloud for remote access, alerts, and off-site copies of critical clips. Often the most resilient model for multi-site Canadian businesses.

For a deeper comparison, see our breakdown of [cloud vs on-premise video surveillance](/services).

Storage and retention: the math people skip

Storage is where projects most often go over budget. A rough estimate for an H.265 IP camera at 4 MP, 15 fps, medium motion is roughly 6–10 GB per camera per day [VERIFY against your specific codec, bitrate, and scene]. Multiply by camera count and retention days, then add 20–30% headroom.

Retention length itself is a business and legal decision, not a technical one:

• Short retention (7–14 days) reduces storage cost but can miss incidents discovered late (inventory shrink, harassment complaints, slip-and-fall claims that surface weeks later).
• Long retention (60–90+ days) supports investigations and insurance subrogation but increases storage and privacy exposure.
• Under Canadian privacy law (PIPEDA federally, plus provincial equivalents in Quebec, B.C., and Alberta), personal information — including identifiable video — should be kept only as long as necessary for the stated purpose, and that purpose should be documented [VERIFY with legal counsel for your jurisdiction and sector].

Network, power, and resilience

A surveillance system inherits the reliability of the infrastructure beneath it.

• Dedicated VLAN for cameras keeps surveillance traffic off the general business LAN and reduces the attack surface.
• PoE budget: confirm your switches deliver enough wattage across all simultaneously powered ports — not just the per-port rating.
• UPS backing the NVR/VMS, switch, and modem keeps recording alive through short outages; generator backup matters for sites where extended outages are a risk.
• Outdoor cable runs should use direct-burial or in-conduit cable rated for the environment, with surge protection on long copper runs.

Cyber security: cameras are computers

Every IP camera, NVR, and VMS is a networked computer with credentials, firmware, and open ports. Treating them as appliances is how breaches happen.

Baseline hygiene:

• Change default credentials at commissioning. Use unique, long passwords per device, stored in a password manager.
• Disable services you do not use (UPnP, P2P, ONVIF if not required, FTP).
• Keep firmware current on a scheduled cadence.
• Segment the camera VLAN from the corporate network and from the internet; expose remote access only through a hardened gateway or vendor cloud, never direct port-forwarding.
• Log who accesses footage, when, and what they exported.

For Canadian buyers, also consider NDAA Section 889 [VERIFY current scope]: it restricts certain U.S. federal contracts from using surveillance equipment from specific manufacturers. If your business sells into U.S. federal supply chains or to clients who do, hardware origin matters at the specification stage, not after installation.

What a properly engineered project actually includes

A serious commercial CCTV proposal should describe, in writing:

1. Site walk findings and a camera plan with objective per camera.
2. Lens calculations and expected pixel density on target.
3. Network changes: VLAN, switch port count and PoE budget, cable paths.
4. Storage sizing tied to chosen retention and a documented bitrate assumption.
5. UPS sizing and runtime.
6. Cybersecurity baseline applied at commissioning.
7. User roles, access policy, and footage-export procedure.
8. Warranty, response-time SLA, and what is excluded.

If a quote skips any of these, you are buying boxes, not a system. See [what's typically not included in a security installation quote](/services) for the common gaps.

How CCTV fits with the rest of your security stack

Video is most valuable when it is not standing alone:

• With intrusion alarms, cameras provide video verification, which dispatch centres and police increasingly require to prioritize response.
• With [access control](/services), event-driven recording at doors creates a single timeline of who entered, when, and what happened next.
• With remote video monitoring, trained operators can intervene in real time on overnight events instead of reviewing them the next morning.

This is the core of integrated security: the same event surfaces in every system, with one audit trail.

Common mistakes that quietly cost money

• Buying on resolution alone, ignoring lens and mounting.
• No documented retention policy, then storing footage indefinitely.
• Mounting cameras too high for identification at the door.
• Leaving the NVR on the corporate LAN with default credentials.
• No written procedure for footage requests from police or insurers.
• Skipping annual review of camera coverage as the site changes.

FAQ

How many cameras does a typical small commercial site need? There is no fixed number. A small retail unit may need 4–8 cameras to cover entry, POS, sales floor, back-of-house, and rear exit. The real driver is the number of objectives (entry identification, POS oversight, perimeter detection) — not square footage alone.

Is cloud video surveillance secure? A reputable cloud platform can be more secure than a poorly maintained on-premise NVR, because patching and access logging are managed. Security depends on vendor practices, encryption in transit and at rest, your account-level controls (MFA, role-based access), and your network hygiene — not on "cloud" or "on-prem" as labels.

How long should we keep CCTV footage in Canada? Long enough to meet your documented business purpose and any insurance, contractual, or sector-specific requirements, but no longer. Many commercial sites land between 30 and 90 days. Confirm specifics with legal counsel for your jurisdiction and industry [VERIFY].

Do we need a separate alarm system if we have cameras? Usually yes. Cameras record and can verify, but a monitored intrusion alarm is what triggers a dispatched response. Insurers often require monitored alarms regardless of camera coverage.

Can footage from our cameras be used in court? Yes, when the recording quality, time sync, chain of custody, and retrieval process meet evidentiary standards. This is why "identify-grade" pixel density at key points and a documented export procedure matter at the design stage.

Where to go next

If you are planning a new system, replacing aging analog cameras, or consolidating multi-site surveillance, the highest-leverage step is a written objective per camera before any hardware is quoted. From there, the architecture, storage, and integration decisions follow logically.

Fortega designs and installs integrated commercial video surveillance across Canada, including hybrid cloud-and-on-prem deployments and integration with [access control](/services) and monitored alarms. To scope a system against your specific sites, [request a security consultation](/contact).