Duty to report cybersecurity incident in respect of critical information infrastructure, etc.
14.—(1)  The owner of a critical information infrastructure must notify the Commissioner of the occurrence of any of the following in the prescribed form and manner, within the prescribed period after becoming aware of such occurrence:
(a) a prescribed cybersecurity incident in respect of the critical information infrastructure;
(b) a prescribed cybersecurity incident in respect of any computer or computer system under the owner’s control that is interconnected with or that communicates with the critical information infrastructure;
(c) any other type of cybersecurity incident in respect of the critical information infrastructure that the Commissioner has specified by written direction to the owner.
(2)  The owner of a critical information infrastructure must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the critical information infrastructure, as set out in any applicable code of practice.
(3)  Any owner of a critical information infrastructure who, without reasonable excuse, fails to comply with subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 2 years or to both.