Only if this actually gets treated as an attack though, which I haven't seen happen in similar cases in the past.

Sony BMG with the hidden DRM rootkit malware on their music CDs got some civil penalties but no criminal prosecution. Sony with the Playstation OtherOS removal had to pay a ridiculously low class action, no criminal prosecution. Lenovo got a slap on the wrist for putting an adware firmware bootkit into the machines, again civil only.

A lot of companies are still getting away with exfiltrating memory dumps by default as part of their error reporting, selling your location data, etc.

The only criminal prosecution (as in "butt in jail") for similar behavior that I'm aware of is Volkswagen's Dieselgate, and that was only prosecuted because it was seen as screwing over the US government, not consumers.

This law is specifically for attacks against energy production infrastructure, and it’s state level. If there are other similar laws, they have to buy off multiple prosecutors to avoid charges.