Page:Cybersecurity Act 2018.pdf/20

Rh :(c) a revocation of a code of practice or standard of performance.

(5) Any code of practice or standard of performance has no legislative effect.

(6) Subject to subsections (4) and (7), every owner of a critical information infrastructure must comply with the codes of practice and standards of performance that apply to the critical information infrastructure.

(7) The Commissioner may, either generally or for such time as the Commissioner may specify, waive the application to the owner of a critical information infrastructure of any code of practice or standard of performance, or any part of it.

Power of Commissioner to issue written directions

12.—(1) The Commissioner may, if the Commissioner thinks—
 * (a) it is necessary or expedient for ensuring the cybersecurity of a critical information infrastructure or a class of critical information infrastructure; or
 * (b) it is necessary or expedient for the effective administration of this Act,

issue a written direction, either of a general or specific nature, to the owner of a critical information infrastructure or a class of such owners.

(2) Without affecting the generality of subsection (1), a direction under that subsection may relate to—
 * (a) the action to be taken by the owner or owners in relation to a cybersecurity threat;
 * (b) compliance with any code of practice or standard of performance applicable to the owner;
 * (c) the appointment of an auditor approved by the Commissioner to audit the owner or owners on their compliance with this Act or any code of practice or standard of performance applicable to the owner or owners; or