Yes, I think that's a valid point.
When we reviewed the draft wording, that was one of the unintended consequences that was raised. It could leave crucial aspects of Canada's cybersecurity and the timeliness of cyber-incident reporting up to the discretion of the operators themselves.
In a scenario based on previous amendments.... Even in a scenario where this wasn't the case, if there was some concern about the operators, the due diligence offence would still apply.
To make a long story short, I think your concern is quite valid.