I'd leave the sanctions in place. Your point is a good one. There's almost an internal inconsistency in the bill, because they say that the administrative monetary penalties are to encourage compliance, but those penalties can be up to $15 million a day. This is not meant to be punitive, but they can fine you $15 million a day. It sounds pretty punitive when you think about it that way.
All that is to say I would leave the penalty structure in place as currently defined for critical infrastructure providers. I would add on the incentive structure for small and medium-sized enterprises that do not fall within the statutory definition of critical infrastructure providers.