Criminal Penalties for Data Breaches

This provision imposes up to 7 years imprisonment for hosting critical data without accreditation and up to 5 years imprisonment for negligently causing cybersecurity breaches—treating data protection failures as serious crimes rather than regulatory violations. International standards like GDPR impose administrative fines, not criminal imprisonment, for negligent data protection failures. The provision also creates legal uncertainty by criminalizing "gross negligence" without defining the term, leaving data controllers uncertain about what conduct triggers criminal liability. The immediate suspension mechanism (97.7) allows ICT operations to be shut down without notice or hearing, potentially forcing abrupt cessation of data processing that could itself cause data protection failures.