30CBApplication of statutory incident response planning obligations—determination by the Secretary

#### 30CB Application of statutory incident response planning obligations—determination by the Secretary (1) The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, determine that the statutory incident response planning obligations apply to the entity in relation to: (a) the system; and (b) cyber security incidents. (2) A determination under this section takes effect at the time specified in the determination. (3) The specified time must not be earlier than the end of the 30‑day period that began when the notice was given. (4) In deciding whether to give a notice to an entity under this section in relation to a system of national significance, the Secretary must have regard to: (a) the costs that are likely to be incurred by the entity in complying with Subdivision B; and (b) the reasonableness and proportionality of applying the statutory incident response planning obligations to the entity in relation to: (i) the system; and (ii) cyber security incidents; and (c) such other matters (if any) as the Secretary considers relevant. (5) Before giving a notice to an entity under this section in relation to a system of national significance, the Secretary must consult: (a) the entity; and (b) if there is a relevant Commonwealth regulator that has functions relating to the security of that system—the relevant Commonwealth regulator. (6) A determination under this section is not a legislative instrument.