I saw a parallel when you said that a reprimand could be given through a regulation. It is not legally enforced. It's just a directive. The logic is the same, in that there is regulatory power, but no power to impose penalties.
Earlier, you talked about risk levels. We often read about a “serious breach”, for example. Could you explain to us what the various levels involve?