Singapore legislation

Clause 19 of Cybersecurity (Amendment) Bill

New sections 35A, 35B and 35C

In the principal Act, before section 36, insert —

“Codes of practice and standards of performance

35A.—(1) The Commissioner may, from time to time —

(a) issue or approve one or more codes of practice or standards of performance for the regulation of the following persons with respect to measures to be taken by them to ensure the cybersecurity of the computers or computer systems indicated:

(i) owners of provider‑owned critical information infrastructure — the provider‑owned critical information infrastructure;

(ii) designated providers responsible for third‑party‑owned critical information infrastructure — the third‑party‑owned critical information infrastructure for which they are responsible;

(iii) owners of systems of temporary cybersecurity concern — the systems of temporary cybersecurity concern;

(iv) entities of special cybersecurity interest — the systems of special cybersecurity interest in relation to which they are designated;

(v) major foundational digital infrastructure service providers — the major foundational digital infrastructure in relation to which they are designated; and

(b) amend or revoke any code of practice or standard of performance issued or approved under paragraph (a).

(2) If any provision in any code of practice or standard of performance is inconsistent with this Act, the provision, to the extent of the inconsistency, does not have effect.

(3) Where a code of practice or standard of performance is issued, approved, amended or revoked by the Commissioner under subsection (1), the Commissioner must —

(a) publish a notice of the issue, approval, amendment or revocation (as the case may be) in such manner as will secure adequate publicity for such issue, approval, amendment or revocation;

(b) specify in the notice the date of the issue, approval, amendment or revocation (as the case may be); and

(c) ensure that, so long as the code of practice or standard of performance remains in force, copies of that code or standard, and of all amendments to that code or standard, are available free of charge to a person to whom that code or standard applies.

(4) None of the following has any effect until the notice relating to it is published in accordance with subsection (3):

(a) a code of practice or standard of performance;

(b) an amendment to a code of practice or standard of performance;

(c) a revocation of a code of practice or standard of performance.

(5) Any code of practice or standard of performance has no legislative effect.

(6) Subject to subsections (4) and (7), every person mentioned in subsection (1) must comply with the codes of practice and standards of performance that apply to the person.

(7) The Commissioner may, either generally or for such time as the Commissioner may specify, waive the application to a person of any code of practice or standard of performance, or any part of it.

Appeal to Minister against decision, etc., under Parts 3, 3A, 3B, 3C and 3D, etc.

35B.—(1) This section applies to appeals to the Minister against any decision, order or written direction of the Commissioner under Part 3, 3A, 3B, 3C or 3D set out in subsection (2), or any code of practice or standard of performance issued, approved or amended by the Commissioner.

(2) A person who is aggrieved by —

(a) the decision of the Commissioner to issue a notice under —

(i) section 7(1) or (1A) designating the provider‑owned critical information infrastructure as such;

(ii) section 16A(1) designating the designated provider responsible for third‑party‑owned critical information infrastructure as such;

(iii) section 17(1) designating the system of temporary cybersecurity concern as such;

(iv) section 18(1) designating the entity of special cybersecurity interest as such; or

(v) section 18G(1) designating the major foundational digital infrastructure service provider as such;

(b) the decision of the Commissioner to issue a notice under —

(i) section 9A(1) extending the designation of the provider‑owned critical information infrastructure as such;

(ii) section 16D(1) extending the designation of the designated provider responsible for third‑party‑owned critical information infrastructure as such;

(iii) section 17C(1) extending the designation of the system of temporary cybersecurity concern as such;

(iv) section 18C(1) extending the designation of the entity of special cybersecurity interest as such; or

(v) section 18J(1) extending the designation of the major foundational digital infrastructure service provider as such;

(c) an order of the Commissioner under section 16B(5), 16E(2), 16F(2) or (3), 16H(2), 16I(2) or 16J(2);

(d) a written direction of the Commissioner under section 12(1), 16(2), 16G(1), 16L(2), 17E(1), 18E(1) or 18L(1); or

(e) any provision in any code of practice or standard of performance issued or approved by the Commissioner that applies to the person, or any amendment made to it,

may appeal to the Minister against the decision, order, direction, provision or amendment in the manner prescribed.

(3) An appeal under subsection (2) must be made within 30 days after the date of the notice, order or direction, or the issue, approval or amendment (as the case may be) of the code of practice or standard of performance (as the case may be) or such longer period as the Minister allows in a particular case (whether allowed before or after the end of the 30 days).

(4) Any person who makes an appeal to the Minister under subsection (2) must, within the period specified in subsection (3) —

(a) state as concisely as possible the circumstances under which the appeal arises, and the issues and grounds for the appeal; and

(b) submit to the Minister all relevant facts, evidence and arguments for the appeal.

(5) Where an appeal has been made to the Minister under subsection (2), the Minister may require —

(a) any party to the appeal; and

(b) any person who is not a party to the appeal but appears to the Minister to have information that is relevant to the matters appealed against,

to provide the Minister with all such information as the Minister may require, whether for the purpose of deciding if an Appeals Advisory Panel should be established or for determining the appeal, and any person so required must provide the information in such manner and within such period as may be specified by the Minister.

(6) The Minister may dismiss an appeal of an appellant who fails to comply with subsection (4) or (5).

(7) Unless otherwise provided by this Act or allowed by the Minister, where an appeal is lodged under this section, the decision, order, direction or other thing appealed against must be complied with until the determination of the appeal.

(8) The Minister may determine an appeal under this section —

(a) by confirming, varying or reversing a decision, notice, order, direction, provision of a code of practice or standard of performance, or an amendment to such code or standard; or

(b) by directing the Commissioner to reconsider the Commissioner’s decision, notice, order, direction or provision of a code of practice or standard of performance, as the case may be.

(9) Before determining an appeal under subsection (8), the Minister may consult any Appeals Advisory Panel established for the purpose of advising the Minister in respect of the appeal but, in making such determination, is not bound by the advice of the Panel.

(10) The decision of the Minister in any appeal is final.

(11) The Minister may make regulations in respect of the manner in which an appeal may be made to, and the procedure to be adopted in the hearing of any appeal by, the Minister under this section.

Appeals Advisory Panel

35C.—(1) Where the Minister considers that an appeal lodged under section 35B(2) involves issues the resolution or understanding of which require particular technical skills or specialised knowledge, the Minister may establish an Appeals Advisory Panel to provide advice to the Minister in respect of the appeal.

(2) For the purposes of establishing an Appeals Advisory Panel, the Minister may do all or any of the following:

(a) determine, and from time to time vary, the terms of reference of the Appeals Advisory Panel;

(b) appoint persons possessing particular technical skills or specialised knowledge to be the chairperson and other members of an Appeals Advisory Panel;

(c) at any time remove the chairperson or other member of an Appeals Advisory Panel from such office;

(d) determine any other matter which the Minister considers incidental to or expedient for the proper and efficient conduct of business by the Appeals Advisory Panel.

(3) An Appeals Advisory Panel may regulate its proceedings in such manner as it considers appropriate, subject to the following:

(a) the quorum for a meeting of the Appeals Advisory Panel is a majority of its members;

(b) a decision supported by a majority of the votes cast at a meeting of the Appeals Advisory Panel at which a quorum is present is the decision of that Panel.

(4) The remuneration and allowances (if any) of a member of an Appeals Advisory Panel is to be determined by the Minister.

(5) An Appeals Advisory Panel is independent in the performance of its functions.”.
