Furnishing of information relating to critical information infrastructure
10.—(1)  The Commissioner may by notice given in the prescribed form and manner, require the owner of a critical information infrastructure to furnish, within a reasonable period specified in the notice, the following:
(a)information on the design, configuration and security of the critical information infrastructure;
(b)information on the design, configuration and security of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the critical information infrastructure;
(c)information relating to the operation of the critical information infrastructure, and of any other computer or computer system under the owner’s control that is interconnected with or that communicates with the critical information infrastructure;
(d)any other information that the Commissioner may require in order to ascertain the level of cybersecurity of the critical information infrastructure.
(2)  Any owner of a critical information infrastructure who, without reasonable excuse, fails to comply with a notice mentioned in subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both and, in the case of a continuing offence, to a further fine not exceeding $5,000 for every day or part of a day during which the offence continues after conviction.
(3)  The owner of a critical information infrastructure to whom a notice is issued under subsection (1) is not obliged to disclose any information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information, except that the performance of a contractual obligation is not an excuse for not disclosing the information.
(4)  The owner of a critical information infrastructure is not treated as being in breach of any contractual obligation mentioned in subsection (3) for doing or omitting to do any act, if the act is done or omitted to be done with reasonable care and in good faith and for the purpose of complying with a notice issued under subsection (1).
(5)  If a material change is made by or on behalf of the owner of a critical information infrastructure to the design, configuration, security or operation of the critical information infrastructure after any information has been furnished to the Commissioner pursuant to a notice mentioned in subsection (1), the owner of the critical information infrastructure must notify the Commissioner of the change not later than 30 days after the change is made.
(6)  For the purposes of subsection (5), a change is a material change if the change affects or may affect the cybersecurity of the critical information infrastructure or the ability of the owner of the critical information infrastructure to respond to a cybersecurity threat or incident affecting the critical information infrastructure.
(7)  Any owner of a critical information infrastructure who, without reasonable excuse, fails to comply with subsection (5) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $25,000 or to imprisonment for a term not exceeding 12 months or to both.