Page:Cybersecurity Act 2018.pdf/19

20 Codes of practice and standards of performance

11.—(1) The Commissioner may, from time to time—
 * (a) issue or approve one or more codes of practice or standards of performance for the regulation of the owners of critical information infrastructure with respect to measures to be taken by them to ensure the cybersecurity of the critical information infrastructure; or
 * (b) amend or revoke any code of practice or standard of performance issued or approved under paragraph (a).

(2) If any provision in any code of practice or standard of performance is inconsistent with this Act, such provision, to the extent of the inconsistency, does not have effect.

(3) Where a code of practice or standard of performance is issued, approved, amended or revoked by the Commissioner under subsection (1), the Commissioner must—
 * (a) publish a notice of the issue, approval, amendment or revocation (as the case may be) in such manner as will secure adequate publicity for such issue, approval, amendment or revocation;
 * (b) specify in the notice the date of the issue, approval, amendment or revocation (as the case may be); and
 * (c) ensure that, so long as the code of practice or standard of performance remains in force, copies of that code or standard, and of all amendments to that code or standard, are available free of charge to the owner of a critical information infrastructure to which that code or standard applies.

(4) None of the following has any effect until the notice relating to it is published in accordance with subsection (3):
 * (a) a code of practice or standard of performance;
 * (b) an amendment to a code of practice or standard of performance;