Again, it's a great question, Mr. Chair.
I'm personally a bit unconvinced by the regulatory burden argument. All the bill is saying is that if you work in critical infrastructure, you need to have a plan in place. You need to have a cybersecurity plan. The opposite of that is not having one, which is unsatisfactory. Then, if something happens, they have to report it. If they don't comply with that requirement, there's a penalty for not doing so.
While I appreciate that there is some regulatory burden, there is a lot of regulatory burden on businesses all over the place. In this one, you're providing a critical function in the economy and you need to have your crash helmet on. If not, there are consequences, because the role you're playing is just too important for it to be left alone.