If your mandatory requirement was flouted, what would you do? Impose fines, of course.
Well, actually I was thinking more along the lines of removing the company's right to operate. That might make the shareholders sit up and take notice.
The problem at the moment is that the fines are imposed on the imprecise notion of "cyber-security", which is always open to interpretation. If there was a clearly defined mandatory requirement which stated that there should be NO Internet connectivity to any CNI and any breach would lead to an immediate loss of operating rights, then the issue is clear-cut.