SCADA CER · M1 · The Designation 0
YOUR DECISIONS AFFECT
Resilience
50
Notification
50
Personnel
50
Documentation
50
Trust w/ Reg
50

EU Critical Entities Resilience Directive

Module 1 of 5

The Designation

Day 0. The designation letter arrives. Twelve months of incident logs are about to surface a Tier 4 entry that does not quite read right.

Runtime 22-26 min Decisions 3 + 1 Activities 2 Score range -21 to +36

What you will do

  • Scope a Year 1 risk assessment under CER Article 12, calibrated to inherited risk rather than a generic checklist.
  • Read an inherited Tier 4 incident classification with the audit-trail register a regulator will use.
  • Choose how to handle a sensor-fault entry filed by a colleague six months before you started.
  • Carry your decisions forward into the eight-month audit room with Magistrat Eckhardt.
Scene for bookend open

BBK Audit Room — Day +245

Eight months after the designation letter

A long table. A single file folder. Two chairs. Magistrat Joachim Eckhardt is already seated. Sara sits opposite, her leather portfolio in front of her.

Joachim Eckhardt

Frau Lindgren. You have brought the full file. Good. We will start with the designation letter and we will go forward in order. I will interrupt where I do not understand. You should know that I read your initial report on Tuesday last week. I have questions.

Joachim Eckhardt

Take me back to the designation letter.

Otterhaugh, North Yorkshire , Tuesday 09:14

Aqua Vitalis Water Ltd.

You are Sara Lindgren, Compliance Officer at Aqua Vitalis Water Ltd. Three weeks in.

It is 09:14 on Tuesday. The designation letter from the Bundesamt fur Bevolkerungsschutz und Katastrophenhilfe arrives in your inbox. You have been waiting for this email for six weeks.

Scene for email designation

Tuesday 09:14

FROM: Bundesamt fur Bevolkerungsschutz und Katastrophenhilfe <designation@bbk.bund.de>
TO: Sara Lindgren <s.lindgren@aquavitalis.de>; Tobias Reinhardt (Parent Co. CEO)
SUBJECT:
Designation as a Critical Entity , Aqua Vitalis Water Ltd. , CER Directive Article 6

Dear Frau Lindgren, dear Herr Reinhardt,

Following the member-state risk assessment under CER Article 5 and the cross-border dependency review for the United Kingdom-Germany corridor, the Bundesamt has designated Aqua Vitalis Water Ltd. as a Critical Entity under Article 6 of Directive (EU) 2022/2557.

Sector classification: drinking water supply (CER Annex, point 6 (drinking water)).

Year 1 obligations now active. The first comprehensive risk assessment under Article 12 is due within nine months of this letter. Resilience measures under Article 13 must be in place at the same point. Personnel background checks under Article 14 apply to all new sensitive-role appointments from today. Article 15 incident notification obligations are active immediately.

I will conduct your first formal supervisory audit at month eight. We will meet in person. The Magistrat assigned to your jurisdiction is myself.

I attach the designation file. Please confirm receipt within 72 hours.

Mit freundlichen Grußen,
Magistrat Joachim Eckhardt, BBK

Scene for log pull decision light

Tuesday 09:42

The first decision is small.

The letter arrived 28 minutes ago. You have read it three times.

Tobias has already replied, to you only, with a single line: You know what to do. Tell me what you need.

The first decision is small. Where do you start the Year 1 work?

Scene for decision 1

Tuesday 09:42

Scope the Year 1 risk assessment.

How will you scope the first risk assessment? Article 12 requires it to be comprehensive, but the directive lets the entity calibrate scope to its actual threat surface. Tobias is waiting for a week-one progress signal. The site staff are watching how you move. Your choice now sets the depth of every following step.

Scene for consequence d1 a

Article-aligned scope chosen

What happens next

You build a calendar from the article's table of contents. Tobias gets a clean week-one report. Site staff have clear lanes. The first ten days run on rails.

Three weeks in, the line-item approach is missing the inherited risks, the work your predecessor never documented. You'll have to re-scope. The parent company you impressed in week one will ask why week four looks different.

Article 12 Paragraph 1 requires an "all-hazards" assessment that "reflects the entity's specific risk profile." A line-item read is technically defensible. It is not what your auditor will respect, and not what the parent company will pay you to do twice.

Scene for consequence d1 b

Calibrated by inherited risk, chosen

What happens next

You pull the past 12 months of incident logs first. Tobias's week-one progress note is going to be light, and you know it. You write him a short message: "I'm scoping around the inherited surface. Substantive update Friday week three." He doesn't reply for two days, then sends back a single line: "Trust your judgement on the scope. Tell me what you find."

This is the read of Article 12 Paragraph 1 that an auditor will respect, the assessment is "comprehensive" but its depth is calibrated to the entity's actual signal, not to a generic checklist. The cost is that you bought week three's truth with week one's visibility.

Resilience +3. Documentation +2. Trust-with-Regulator +2.

Scene for consequence d1 c

Broad sweep, chosen

What happens next

You treat every system in scope by default. The parent company gets a 47-page list by Friday. Tobias replies "comprehensive" and means it as a compliment. The site team's group chat goes quiet, then the operations manager asks you for a coffee.

Three weeks in, you're working on items that don't need this depth. You'll have to triage. The narrower scope comes back in week four, and you'll have to explain the change. You bought week one's visibility with week four's credibility.

Resilience +2. Personnel +2 (the sweep surfaces the contractor list under Article 14 Paragraph 1, which matters in M3). But Trust-with-Regulator +0: comprehensiveness without calibration reads to an auditor as absence of judgement, not thoroughness.

Scene for log review activity

Wednesday 11:18

Twelve months of incident logs.

You have pulled the past 12 months of incident logs from the SCADA management system. Forty-six entries total. Eight stand out for one reason or another.

Tag each one for follow-up. Be honest about which entries deserve the attention of an auditor in eight months.

4-bucket triage: Flag for follow-up (important) / File as routine / Escalate to parent company (urgent) / Archive (ignore).

0 of 8 triaged.

Scene for eckhardt interruption 1

Day +245 , momentary cut

Eckhardt looks up.

Eckhardt looks up from the file. He places a finger on the page. He waits.

You answer in character. The choice is not scored. It shapes Eckhardt's tone for the rest of the audit.

Joachim Eckhardt

Frau Lindgren, you said the Beckdale HVAC contractor entry felt important. Important, that is a careful word. Why important and not routine.

Scene for predecessor folder

Wednesday 14:36

A handwriting you do not recognise.

You open the folder Penelope Garrick, your predecessor, kept on prior incidents. It is a manila ring-binder, kept in a filing cabinet she did not migrate to the cloud.

On the inside cover there is a single yellow sticky note, in blue biro, in handwriting you do not recognise:

Magistrat Eckhardt direct line
+49 30 18 681-0

Penelope left six months ago. The incident the sticky note appears to refer to has not happened yet, the designation letter arrived this week.

You photograph the note with your phone. You do not raise it with anyone. You do not yet know what to do with it.

Scene for log entry zoom

Thursday 10:02

Log-2 in detail.

You go back to the entry that wouldn't quite settle.

Click any phrase that feels inconsistent with a routine "sensor fault, no exposure" classification. False-positive penalty for flagging genuinely routine descriptors. Submit when done.

Tier 4 / Beckdale Plant / Chlorination Pump 1 / Event time 22:42 14/03 / Filed 04:47 15/03 / Operator on duty: M. Quintana
"Transient sensor fault on chlorination dosing line. In-line sensor corrected within 23 seconds. No exposure to treated network. Operator confirmed manual override not engaged. Sensor flagged for replacement at next maintenance window. No notification required under Article 15. Tier 4."

0 phrases flagged.

Scene for decision 2

Thursday 14:18

How to bring it up with Mateo.

You want to ask Mateo Quintana, Resilience Officer, on duty that night, the operator who classified the entry, about Log-2. He is in his office now. There are different ways to walk in. The choice is about register, not content. You will ask the same question. How you ask it shapes what you are told back.

Scene for consequence d2 a

Direct, chosen

What happens next

You walk into Mateo's office, sit down, and ask. He is calm. He doesn't blink.

Mateo Quintana

"Sara, hi. The 14 March entry. Yes. The dosing sensor on Pump 1 had been giving us low-confidence readings for about two weeks before that. The 14 March event was the sensor going hard-fault. The in-line caught the spike. Twenty-three seconds. Nothing reached the network. I logged it Tier 4 because that is what it was. The sensor was replaced on the 18th at the scheduled window."

He stops. He waits. He does not volunteer further detail. You notice he is wearing his wedding ring on his right hand. You did not know he was divorced.

Documentation +2. Trust-with-Regulator +1. The conversation is on record.

Scene for consequence d2 b

Gentle probe, chosen

What happens next

You frame it as risk-register work. Mateo relaxes slightly, not enough to be obvious, just a release of a held breath.

Mateo Quintana

"Of course. Yes. The 14 March one. The dosing sensor had been giving us low-confidence readings for about two weeks before. On the 14th it went hard-fault. The in-line caught the spike. Twenty-three seconds. I logged it Tier 4."

He pauses. "It was a long shift."

That sentence, it was a long shift, is not a denial. It is not a confession. It is a sentence you make a note of. You don't know what it means yet.

Documentation +1. Trust-with-Regulator +2 (because the conversation included the texture, even if the texture was uninterpreted).

Scene for consequence d2 c

Defer until you have more, chosen

What happens next

You don't ask Mateo. You pull the supporting telemetry. HVAC sign-out: the Northgate crew on 14 March left at 23:34, well after the sensor fault. Card-reader logs next.

Two things stand out. The HVAC crew's badge swipes show the corridor between the control room and the maintenance bay was used at 22:43, one minute after the fault. Mateo's own card shows him outside the control room from 22:39 to 22:46.

You have a picture you didn't have before. You also have a Year 1 risk register two days behind, because you skipped the conversation. Mateo may explain differently once he learns you've already pulled the evidence.

Documentation +3 (record secured). Trust-with-Regulator -1 (deferring is procedurally fine but reads to an auditor as case-building behind the operator's back).

Scene for post conversation uneasy

Friday 16:48

A slight unease that does not yet have a name.

It is 16:48 on Friday. The Year 1 calendar is on the wall.

You have a folder with eight log entries flagged for follow-up. You have a sticky note with the Magistrat's direct line in handwriting that is not yours and not Penelope's typing. You have a conversation with Mateo on file. You have a slight unease that does not yet have a name.

Three weeks from now Mateo's name will sit on top of an Article 15 retrospective notification, or it will not. Six months from now you will be in a room with the man whose direct line is on the sticky note. He will read this folder.

What do you do now.

Scene for decision 3

Friday 17:02

What to do with Log-2.

You have to make a call. The sensor-fault entry was filed Tier 4, no notification required. Six months later, with the directive in force, your options are: file a retrospective Article 15 notification, escalate to the parent company without filing publicly, pursue it internally first, or accept Mateo's classification and move on. Each costs something. Each protects something else.

Scene for consequence d3 a

Article 15 retrospective notification, filed

What happens next

You file the retrospective notification Monday morning. Tobias rings at 09:08: "this had better be the right call." You tell him it is. You don't know yet that it is.

Mateo learns at 11:30. He sits in your office a long moment. He says: "I understand. Thank you for telling me first." Nothing else. The conversation ends.

Eight months from now Eckhardt will read this filing. He won't thank you. He'll recognise it.

Notification +8. Documentation +4. Trust-with-Regulator +8. Resilience +4. Personnel +0 in M1, but the 14 March contractor list is now in the notification's attached evidence, which triggers the M3 background-check work.

Carry-forward to M2: Mateo will know his life changed because of a 23-second event he did not log honestly. He'll tell you the truth in M2, before you ask.

Scene for consequence d3 b

Direct conversation with Mateo, chosen

What happens next

You walk into Mateo's office at 17:18 Friday. He's alone. You sit down. You tell him what you found: the badge swipes, his card outside the control room from 22:39 to 22:46, the HVAC crew in the corridor at 22:43.

Mateo looks at his hands. "Can I have the weekend." You say: "Yes."

Monday at 08:14 he's in your office before you arrive, with a one-page account. Not the whole truth yet. More truth than the log.

Documentation +3. Trust-with-Regulator +5. The Year 1 calendar slips three days. The audit-trail picks up texture you didn't know was there.

Carry-forward to M2: Mateo's flashback opens with him in your office Monday morning, having written his account. The player IS Mateo on Tuesday 14 March, knowing that nine months later a colleague will give him a weekend to write the truth.

Scene for consequence d3 c

Escalate to parent company without telling Mateo, chosen

What happens next

You write Tobias a confidential note Sunday evening. Monday 11:14 he replies: legal counsel has been spoken to, they want a full investigation, an external investigator has been appointed. Mateo will be told by the parent company Tuesday.

Mateo finds out from an HR director he doesn't know, by video call. He looks at you across the open-plan Wednesday morning and says nothing.

You have the documentation. You have lost the record. The audit-trail logs this as "compliance officer escalated upward without operator interview," which an auditor reads as adversarial.

Documentation +2. Trust-with-Regulator -3 (escalation without operator interview is procedurally weak). Resilience +2.

Carry-forward to M2: Mateo's flashback is now framed by his finding out from a stranger that his career has changed. The misidentification reveal in M3 lands harder.

Scene for consequence d3 d

Accept the Tier 4 classification, chosen

What happens next

You file the conversation in the record. You move on to the next item on the Year 1 list. Three weeks pass.

Five months from now the same plant will have a real incident. Mateo will be on duty again. The cover-up he chose on 14 March will compound. The audit room you walk into in eight months will be a different audit room than the one in this file.

Documentation -3 (you destroyed the audit trail you were starting to build). Notification -4. Trust-with-Regulator -6.

Carry-forward to M2: The M2 silence scene plays out with the player understanding that no one is ever going to ask. The course's M5 ending router is now heavily weighted toward The Cover-up Held.

Module complete. Continue when you're ready. Continue to Module 2 →

Day +25

A Year 1 calendar that is more honest than it was on Day 0.

Three weeks in, you have a Year 1 calendar that is more honest than it was on Day 0. The work that comes next is not the work the directive says you must do. It is the work the file says you have started.

0
PROCESSING

Eckhardt will read this folder in eight months.

What he will not see in the folder is the unease you have not yet named, the sticky note in handwriting that is not yours, the conversation with Mateo that left a sentence on the air you cannot interpret, the badge swipes from 14 March.

The next module returns to Tuesday 14 March, 22:39, when Mateo Quintana stepped into the corridor to take a phone call. The player will be Mateo for the whole module, and the directive being tested in M2 is Article 13 Paragraph 1, the resilience-measures article. The in-line sensor that caught the spike at 22:42 is the resilience measure. The 23 seconds is the resilience measure working. The cover-up is the failure of the article, not the spike.

Scene for bookend close

BBK Audit Room , Day +245

"We will hear next from Mr Quintana."

Eckhardt closes a sub-folder. He opens the next.

Joachim Eckhardt

Frau Lindgren. The 14 March entry. The operator was Mr Quintana.

Sara Lindgren

Yes.

Joachim Eckhardt

We will hear next from Mr Quintana. Take me back to Tuesday the 14th of March. Twenty-two thirty-nine.

END OF MODULE 1

Continue to Module 2 → Course index