Thank you, Chair.
Through you, to any of the officials who could answer this, would this effectively mean that designated operators could determine, themselves, if they meet the threshold, and therefore wouldn't be subject...?
I understand the intention. I just want to make sure there isn't a self-regulating thing like, “Oh, we have these cybersecurity policies, and therefore there's no need to look here.” That's how I am reading it, but perhaps you could elaborate if this is of concern.