Page:Cybersecurity Act 2018.pdf/25

2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.

(8) Any owner of a critical information infrastructure who, without reasonable excuse, fails to comply with subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both and, in the case of a continuing offence, to a further fine not exceeding $2,500 for every day or part of a day during which the offence continues after conviction.

Cybersecurity exercises

16.—(1) The Commissioner may conduct cybersecurity exercises for the purpose of testing the state of readiness of owners of different critical information infrastructure in responding to significant cybersecurity incidents.

(2) An owner of a critical information infrastructure must participate in a cybersecurity exercise if directed in writing to do so by the Commissioner.

(3) Any person who, without reasonable excuse, fails to comply with a direction under subsection (2) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000.

Appeal to Minister

17.—(1) The owner of a critical information infrastructure who is aggrieved by—
 * (a) the decision of the Commissioner to issue the notice under section 7(1) designating the critical information infrastructure as such;
 * (b) a written direction of the Commissioner under section 12 or 16(2); or