I think there still needs to be clarity in terms of some of the definition issues. For equilibrium in terms of, for instance, sanctioning and fines, etc., there needs to be some level of consequence for negligence—for failure to implement a baseline cybersecurity standard.
There also needs to be encouragement for large critical infrastructure entities to ensure that their supply chain is secure. That means working closely with the small and medium-sized businesses.
The other thing I would add is that in the United States, the U.S. government has created a grant program to enable critical infrastructure entities to put in place certain baseline cybersecurity requirements. That could be another suggestion.
The last thing I would mention in terms of the right equilibrium is that this law pushes a prevention-first approach. We know that in medicine, prevention is oftentimes better than the cure. Let's get people to invest up front.