EU Critical Entities Resilience Directive
Module 1 of 5
Day 0. The designation letter arrives. Twelve months of incident logs are about to surface a Tier 4 entry that does not quite read right.
Framing device
A long table. A single file folder. Two chairs. Magistrat Joachim Eckhardt is already seated. Sara sits opposite, her leather portfolio in front of her.
Frau Lindgren. You have brought the full file. Good. We will start with the designation letter and we will go forward in order. I will interrupt where I do not understand. You should know that I read your initial report on Tuesday last week. I have questions.
Take me back to the designation letter.
Day 0 of designation
You are Sara Lindgren, Compliance Officer at Aqua Vitalis Water Ltd. Three weeks in.
It is 09:14 on Tuesday. The designation letter from the Bundesamt für Bevölkerungsschutz und Katastrophenhilfe arrives in your inbox. You have been waiting for this email for six weeks.
The designation letter
Dear Frau Lindgren, dear Herr Reinhardt,
Following the member-state risk assessment under CER Article 5 and the cross-border dependency review for the United Kingdom-Germany corridor, the Bundesamt has designated Aqua Vitalis Water Ltd. as a Critical Entity under Article 6 of Directive (EU) 2022/2557.
Sector classification: drinking water supply (CER Annex I §4).
Year 1 obligations now active. The first comprehensive risk assessment under Article 12 is due within nine months of this letter. Resilience measures under Article 13 must be in place at the same point. Personnel background checks under Article 14 apply to all new sensitive-role appointments from today. Article 15 incident notification obligations are active immediately.
I will conduct your first formal supervisory audit at month eight. We will meet in person. The Magistrat assigned to your jurisdiction is myself.
I attach the designation file. Please confirm receipt within 72 hours.
Mit freundlichen Grüßen,
Magistrat Joachim Eckhardt, BBK
Where to start
The letter arrived 28 minutes ago. You have read it three times.
Tobias has already replied, to you only, with a single line: You know what to do. Tell me what you need.
The first decision is small. Where do you start the Year 1 work?
Decision 1 of 3
How will you scope the first risk assessment? Article 12 requires it to be comprehensive, but the directive lets the entity calibrate scope to its actual threat surface. Tobias is waiting for a week-one progress signal. The site staff are watching how you move. Your choice now sets the depth of every following step.
Decision 1 outcome
You build a structured calendar from the article's table of contents. Tobias gets a clean week-one report on Friday. Site staff have clear lanes. The first ten days run on rails.
Three weeks in you realise the line-item approach is missing the inherited risks, the things your predecessor was working on but did not document. You will have to re-scope. The calendar you built around the article structure is now a calendar you cannot keep, and the parent company you impressed in week one is going to ask why week four looks different.
Article 12 Paragraph 1 requires that the risk assessment be "all-hazards" and "reflect the entity's specific risk profile." A line-item read of the article is technically defensible. It is not the read your auditor will respect, and it is not the read the parent company will pay you to do twice.
CER Article 12's "all-hazards" framing is deliberate. Critical entities are designated because their failure mode is non-substitutable; the regulator wants to know you have looked at the entire surface, not just the surface that maps to the article's table of contents.
Article 12 Paragraph 1 is the obligation. The scoping decision is yours.
Decision 1 outcome
You pull the past 12 months of incident logs first. Tobias's week-one progress note is going to be light, and you know it. You write him a short message: "I'm scoping around the inherited surface. Substantive update Friday week three." He doesn't reply for two days, then sends back a single line: "Trust your judgement on the scope. Tell me what you find."
This is the read of Article 12 Paragraph 1 that an auditor will respect: the assessment is "comprehensive" but its depth is calibrated to the entity's actual signal, not to a generic checklist. The cost is that you bought week three's truth with week one's visibility.
Resilience +3. Documentation +2. Trust-with-Regulator +2.
The directive does not say "audit everything to the same depth." It says "reflect the entity's specific risk profile." Calibrated scoping is the work; the line-item scoping is the avoidance.
Decision 1 outcome
You treat every system in scope by default. The parent company gets a 47-page list of items by Friday. Tobias replies with "comprehensive" and means it as a compliment. The site team's group chat goes quiet for an afternoon, then the operations manager asks you for a coffee.
Three weeks in you realise you are working on items that do not need this depth. You will have to triage. The parent company you impressed in week one is going to see a triaged, narrower scope come back in week four, and you will have to explain the change. You bought week one's visibility with week four's credibility.
Resilience +2. Personnel +2 (the broad sweep surfaces the contractor list under Article 14 Paragraph 1; it will matter in M3). But Trust-with-Regulator +0: comprehensiveness without calibration reads to an auditor as the absence of judgement, not the presence of thoroughness.
Over-scoping is a defensible answer to "did you do enough." It is a poor answer to "did you make the right calls." Article 12 Paragraph 1 rewards judgement, not volume.
Article 14 Paragraph 1 requires background checks for personnel in sensitive roles, including third-party contractors. The broad sweep surfaces that population; the calibrated scope (Choice B) would also surface it, but more selectively.
Activity 1 of 2: SCADA log triage
You have pulled the past 12 months of incident logs from the SCADA management system. Forty-six entries total. Eight stand out for one reason or another.
Tag each one for follow-up. Be honest about which entries deserve the attention of an auditor in eight months.
4-bucket triage: Flag for follow-up (important) / File as routine / Escalate to parent company (urgent) / Archive (ignore).
Audit room, interruption
Eckhardt looks up from the file. He places a finger on the page. He waits.
You answer in character. The choice is not scored. It shapes Eckhardt's tone for the rest of the audit.
Frau Lindgren, you said the Beckdale HVAC contractor entry felt important. Important, that is a careful word. Why important and not routine.
Penelope Garrick's prior-incident folder
You open the folder Penelope Garrick, your predecessor, kept on prior incidents. It is a manila ring-binder, kept in a filing cabinet she did not migrate to the cloud.
On the inside cover there is a single yellow sticky note, in blue biro, in handwriting you do not recognise:
Penelope left six months ago. The incident the sticky note appears to refer to has not happened yet; the designation letter arrived this week.
You photograph the note with your phone. You do not raise it with anyone. You do not yet know what to do with it.
Activity 2 of 2: log inspection
You go back to the entry that wouldn't quite settle.
Click any phrase that feels inconsistent with a routine "sensor fault, no exposure" classification. False-positive penalty for flagging genuinely routine descriptors. Submit when done.
Decision 2 of 3
You want to ask Mateo Quintana about Log-2. He is the Resilience Officer who was on duty that night and the operator who classified the entry. He is in his office now. There are different ways to walk in. The choice is about register, not content. You will ask the same question. How you ask it shapes what you are told back.
Decision 2 outcome
You walk into Mateo's office, sit down, and ask. He is calm. He doesn't blink.
"Sara, hi. The 14 March entry. Yes. The dosing sensor on Pump 1 had been giving us low-confidence readings for about two weeks before that. The 14 March event was the sensor going hard-fault. The in-line caught the spike. Twenty-three seconds. Nothing reached the network. I logged it Tier 4 because that is what it was. The sensor was replaced on the 18th at the scheduled window."
He stops. He waits. He does not volunteer further detail. You notice he is wearing his wedding ring on his right hand. You did not know he was divorced.
Documentation +2. Trust-with-Regulator +1. The conversation is on record.
Direct is the register an auditor will most respect after the fact. The conversation gets put in the file as "compliance-officer-led review of operator's classification decision." That phrasing protects the audit trail and protects Mateo.
What you do not get: the texture of why the conversation felt slightly more contained than you expected.
Decision 2 outcome
You frame it as risk-register work. Mateo relaxes slightly, not enough to be obvious, just a release of a held breath.
"Of course. Yes. The 14 March one. The dosing sensor had been giving us low-confidence readings for about two weeks before. On the 14th it went hard-fault. The in-line caught the spike. Twenty-three seconds. I logged it Tier 4."
He pauses. "It was a long shift."
That sentence, "it was a long shift," is not a denial. It is not a confession. It is a sentence you make a note of. You don't know what it means yet.
Documentation +1. Trust-with-Regulator +2 (because the conversation included the texture, even if the texture was uninterpreted).
Soft-land registers create more disclosure than direct registers in conversations like this. The texture comes in around the edges of the answer to a softer question. You do not yet know what to do with the texture. That is fine; you have it on record.
Decision 2 outcome
You don't ask Mateo. You pull the supporting telemetry. You pull the HVAC contractor sign-out times: the Northgate crew on 14 March left at 23:34, well after the sensor fault. You pull the card-reader logs.
Two things stand out. First, the HVAC crew's badge swipes show the corridor between the control room and the maintenance bay was used at 22:43, one minute after the sensor-fault event. Second, Mateo's own card swipe shows him outside the control room from 22:39 to 22:46.
You now have a picture you did not have before. You also have a Year 1 risk register that is two days behind because you did not have the conversation. Mateo has not been asked to explain. He may explain differently when he learns you have already pulled the supporting evidence.
Documentation +3 (you have the supporting record). Trust-with-Regulator -1 (deferring the conversation is procedurally good but reads to an auditor as building a case behind the operator's back).
Deferring the conversation is sometimes the right call. It is rarely the right call when the operator is competent and not yet under suspicion. The audit room reads pre-built cases as adversarial; it reads conversations on the record as compliance work.
Friday afternoon
It is 16:48 on Friday. The Year 1 calendar is on the wall.
You have a folder with eight log entries flagged for follow-up. You have a sticky note with the Magistrat's direct line in handwriting that is not yours and not Penelope's typing. You have a conversation with Mateo on file. You have a slight unease that does not yet have a name.
Three weeks from now Mateo's name will sit on top of an Article 15 retrospective notification, or it will not. Six months from now you will be in a room with the man whose direct line is on the sticky note. He will read this folder.
What do you do now.
Decision 3 of 3
You have to make a call. The sensor-fault entry was filed Tier 4, no notification required. Six months later, with the directive in force, you have the option to file a retrospective Article 15 notification, the option to escalate the matter to the parent company without filing publicly, the option to pursue it further internally before deciding, or the option to accept Mateo's classification and move on. Each costs something. Each protects something else.
Decision 3 outcome
You file the retrospective notification on Monday morning. Tobias rings you at 09:08: "This had better be the right call." You tell him it is. You don't know yet that it is.
Mateo learns at 11:30. He sits in your office for a long pause. He says: "I understand. Thank you for telling me first." He does not say anything else. The conversation ends.
Eight months from now Eckhardt will read this filing. He will not thank you. He will recognise it.
Notification +8. Documentation +4. Trust-with-Regulator +8. Resilience +4 (the historical record now covers the inherited risk). Personnel +0 in M1, but the contractor list from 14 March is now in the notification's attached evidence, which is the trigger for the M3 background-check work.
Carry-forward to M2: The course's M2 flashback is now framed by your M1 disclosure. Mateo will know, in M2, that the course of his life has changed because of a 23-second event he did not log honestly. He will tell you the truth, in M2, before you ask the next question.
Article 15 Paragraph 1 requires notification of significant incidents within 24 hours of awareness, with detailed report at 72. Retrospective notification of pre-designation events is not in the literal article. It is a regulator-friendly read.
Eckhardt will respect this. Tobias will pay you to do it again. Mateo will lose the role and keep his daughter.
Decision 3 outcome
You walk into Mateo's office at 17:18 on Friday. He is alone. You sit down. You tell him what you have found in the supporting evidence: the badge swipes, his card outside the control room from 22:39 to 22:46, the HVAC crew in the corridor at 22:43.
Mateo looks at his hands. He says: "Can I have the weekend." You say: "Yes."
On Monday at 08:14 he is in your office before you arrive. He has written a one-page account. It is not yet the whole truth. It is more truth than the log.
Documentation +3. Trust-with-Regulator +5. The Year 1 calendar slips by three days. The audit-trail picks up texture you did not know was there.
Carry-forward to M2: Mateo's M2 flashback opens with him in your office on Monday morning, having written his one-page account. The course's M2 silence scene is reframed: the player IS Mateo on Tuesday 14 March, knowing that nine months later a colleague will give him a weekend to write the truth.
Going direct to the operator first, before escalating, costs calendar and gains record. The audit-trail records "compliance-officer-led conversation prior to escalation," which an auditor reads as judgement, not as adversarial case-building.
It also gives the operator the chance to surface what was missing from the log without being on the back foot. Mateo's one-page account is now part of the file.
Decision 3 outcome
You write a confidential note to Tobias on Sunday evening. Monday morning at 11:14 Tobias replies: he has spoken to the parent company's legal counsel. They want a full investigation. They have appointed an external investigator. Mateo will be informed by the parent company on Tuesday.
Mateo finds out from an HR director he does not know, by video call. He looks at you across the open-plan office on Wednesday morning and does not say anything.
You have the documentation. You have lost the record. The audit-trail will record this as "compliance officer escalated upward without operator interview," which an auditor reads as adversarial.
Documentation +2. Trust-with-Regulator -3 (escalation without operator interview is procedurally weak; even though you escalated, the route reduces credibility). Resilience +2.
Carry-forward to M2: Mateo's M2 flashback is now framed by his finding out from a stranger that his career has changed. The misidentification reveal in M3 will land harder, because the player feels the cost of having been efficient over kind in M1.
Article 12 expects the operator interview before the escalation, when the operator is competent and not yet under suspicion. The directive does not have a literal rule for this, but the audit-trail reads it that way.
Decision 3 outcome
You file the conversation in the record. You move on to the next item on the Year 1 list. Three weeks pass.
Five months from now the same plant will have a real incident. Mateo will be on duty again. The cover-up he chose on 14 March will compound. The audit room you walk into in eight months will be a different audit room than the one in this file.
Documentation -3 (you destroyed the audit trail you were starting to build). Notification -4. Trust-with-Regulator -6.
Carry-forward to M2: The M2 silence scene plays out with the player understanding that no one is ever going to ask. The course's M5 ending router is now heavily weighted toward The Cover-up Held.
Acceptance of an inherited classification is a defensible choice when the supporting evidence is clean. It is a poor choice when the supporting evidence is suggestive: the audit trail records "compliance officer reviewed supporting evidence and accepted classification," and that record is what the auditor reads in the room.
Article 15 does not literally require retrospective notification. The directive's spirit does.
End of week three
Three weeks in, you have a Year 1 calendar that is more honest than it was on Day 0. The work that comes next is not the work the directive says you must do. It is the work the file says you have started.
Decisions recap
What's next
Eckhardt will read this folder in eight months.
What he will not see in the folder is the unease you have not yet named, the sticky note in handwriting that is not yours, the conversation with Mateo that left a sentence on the air you cannot interpret, the badge swipes from 14 March.
The next module returns to Tuesday 14 March, 22:39, when Mateo Quintana stepped into the corridor to take a phone call. The player will be Mateo for the whole module, and the directive being tested in M2 is Article 13 Paragraph 1, the resilience-measures article. The in-line sensor that caught the spike at 22:42 is the resilience measure. The 23 seconds is the resilience measure working. The cover-up is the failure of the article, not the spike.
Framing device, close
Eckhardt closes a sub-folder. He opens the next.
Frau Lindgren. The 14 March entry. The operator was Mr Quintana.
Yes.
We will hear next from Mr Quintana. Take me back to Tuesday the 14th of March. Twenty-two thirty-nine.
END OF MODULE 1