Page:Cybersecurity Act 2018.pdf/21

 * (d) such other matters as the Commissioner may consider necessary or expedient to ensure the cybersecurity of the critical information infrastructure.

(3) A direction under subsection (1) may be revoked at any time by the Commissioner.

(4) Before giving a direction under subsection (1), the Commissioner must, unless the Commissioner considers that it is not practicable or desirable to do so, give notice to the person or persons whom the Commissioner proposes to issue the direction—
 * (a) stating that the Commissioner proposes to issue the direction and setting out its effect; and
 * (b) specifying the time within which representations or objections to the proposed direction may be made.

(5) The Commissioner must consider any representations or objections which are duly made before giving any direction.

(6) Any person who, without reasonable excuse, fails to comply with a direction under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

Change in ownership of critical information infrastructure

13.—(1) Where there is any change in the beneficial or legal ownership (including any share in such ownership) of a critical information infrastructure, the relevant person must inform the Commissioner of the change in ownership not later than 7 days after the date of that change in ownership.

(2) Any person who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.