Clause 13

in subsection (1)(a), after “with this Act”, insert “, any prescribed technical or other standards relating to cybersecurity that are to be maintained in respect of the provider‑owned critical information infrastructure,”; and

replace subsection (4) with —“(4) Where it appears to the Commissioner that —

the owner of a provider‑owned critical information infrastructure has not complied with a provision of this Act, a prescribed technical or other standard relating to cybersecurity, or an applicable code of practice or standard of performance; or

any information provided by the owner of a provider‑owned critical information infrastructure under section 10 is false, misleading, inaccurate or incomplete,the Commissioner may for the purpose of ascertaining the owner’s compliance with this Act, a prescribed technical or other standard relating to cybersecurity, or an applicable code of practice or standard of performance, or ascertaining the accuracy or completeness of the information (as the case may be) —

by order require an audit in respect of the provider‑owned critical information infrastructure to be carried out by an auditor appointed by the Commissioner, and the cost of such audit must be borne by the owner; or

authorise the Deputy Commissioner, an Assistant Commissioner, a cybersecurity officer or an authorised officer to carry out an inspection of the provider‑owned critical information infrastructure.”.