Commonwealth Consolidated Acts


SECURITY OF CRITICAL INFRASTRUCTURE ACT 2018 - SECT 30CU

Requirement to undertake vulnerability assessment

  (1)   The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:

  (a)   undertake, or cause to be undertaken, a vulnerability assessment in relation to:

  (i)   the system; and

  (ii)   all types of cyber security incidents; and

  (b)   do so within the period specified in the notice.

  (2)   The Secretary may, by written notice given to an entity that is the responsible entity for a system of national significance, require the entity to:

  (a)   undertake, or cause to be undertaken, a vulnerability assessment in relation to:

  (i)   the system; and

  (ii)   one or more specified types of cyber security incidents; and

  (b)   do so within the period specified in the notice.

  (3)   In deciding whether to give a notice to an entity under subsection (1) or (2), the Secretary must have regard to:

  (a)   the costs that are likely to be incurred by the entity in complying with the notice; and

  (b)   the reasonableness and proportionality of the requirement in the notice; and

  (c)   such other matters (if any) as the Secretary considers relevant.

  (4)   Before giving a notice to an entity under subsection (1) or (2) in relation to the system of national significance, the Secretary must consult:

  (a)   the entity; and

  (b)   if there is a relevant Commonwealth regulator that has functions relating to the security of that system--the relevant Commonwealth regulator.


