EU Critical Entities Resilience Directive
Module 2 of 5Tuesday 14 March, 22:30. Six months before Sara joined the firm. The phone is going to ring in twelve minutes. The dosage bar is going to climb. The choice is yours.
Audit Room , Day +245 , momentary cut
Six months before the designation letter
It is six months before Sara joined the firm.
The Beckdale plant is calm. Threshmoor , the second plant , is on quiet automation tonight. The HVAC crew from Northgate Facilities is in for routine maintenance until 23:30. They have site access to the plant but not to the control room.
From this point until the morning, you are Mateo Quintana.
Tuesday evening
Lena was admitted at 21:08. The consultant said he would phone with the assessment. The call could come at any time.
The custody hearing is in nine weeks. The lawyer your ex-wife retained has just filed an emergency motion alleging unsuitable supervision. You found out at lunchtime. You have not told Hannah you know.
Beckdale tonight is calm. The dosing-sensor on Chlorination Pump 1 has been giving low-confidence readings for two weeks. Maintenance window is on the 18th. You will replace the sensor then. Tonight the sensor is still readable; you are watching the trend.
The plant is fine. Lena will be fine. I am fine.
The trend
Sensor is wobbling more than yesterday. The in-line is still reading clean. The spike isn't real, it is the sensor. Replace it Friday. Document it tomorrow.
If I had a second operator I would ask them. I do not have a second operator. The night shift staffing was reduced last year.
What happens between 22:34 and 22:46
Twelve minutes from now the dosage spike will happen. The in-line sensor will catch it. Mateo will not be at the console.
Activity: reconstruct the 12-minute window from the telemetry, the door-camera footage, and Mateo's verbal account given six months later. Some pieces are reliable, some are not. Place each beat in chronological order.
Reconstruct the window
Place the six beats in chronological order. Use the ↑ / ↓ buttons to move each card up or down. Each beat in the correct position scores +1. Each in the wrong position scores -1. The cap is ±5.
22:38
The Nokia vibrates.
It is the hospital ward number. You have been waiting for this call for ninety-eight minutes.
This is the call. The ward will be brief. Two minutes. I will be back at the console at 22:40.
Decision 1 of 3
Lena is on the phone. The dosage bar is in amber. The HVAC crew is somewhere in the building.
In the corridor
(through the Nokia) Daddy. The doctor said I have to stay tonight. I want to come home.
I know. I will come tomorrow morning. Mum is just outside, yes? She will be back in. Will you be brave for me until then.
Yes.
Sleep now.
Three minutes pass. You are back at the console at 22:46.
The dosage spike happened at 22:42. The in-line caught it within 23 seconds. The flush diversion engaged automatically. No exposure to the treated network.
You did not see Geraint walk past the door. You will not see his face for nine months.
A 23-second dosing spike. An automatic system performing exactly as designed. A child held until her father returned to her.
The directive does not punish a moment of human absence. Article 13 Paragraph 1 requires the resilience measures be "appropriate and proportionate." An in-line sensor with automatic flush diversion was operating. The system protected itself.
What the directive WILL ask, eight months from now: was the absence logged. Was the supervisor informed. Was the dosage spike, even though no one was harmed, notified under Article 15.
If those answers are yes, this is a story that ends here. If those answers are no, this is the moment the cover-up begins.
At the console
You don't pick up the Nokia. You text the ward nurse: "Tell Lena I love her. I'll call in 10 minutes. I'm at work and a thing is happening."
You watch the dosage bar climb. At second 6, the in-line sensor at the output detects the spike. Automatic flush diversion engages. The bar peaks and corrects. Twenty-three seconds.
You log the spike at 22:43, six minutes after the start of the event. You log your manual override engagement (which was redundant, the in-line did its job, but you engaged it anyway). You note that you remained at the console throughout.
At 22:48 you ring Lena back. You speak for four minutes. You tell her you love her in Spanish.
The HVAC crew is on-site. You see one of them, a sandy-haired man in coveralls, pass the open control-room door at 22:43. You raise your hand. He nods. He keeps walking. You do not yet know his name.
Resilience +6. Notification +4. Documentation +2. Trust-with-Regulator +5. The cover-up does not begin. M5's Cover-up Held ending is now unreachable on this path.
Lena spent four minutes longer in fear than she would have on the other path. You will live with that.
Article 13 Paragraph 1 resilience measures held. The directive's design, in-line sensor, automatic flush diversion, supervised access, performed exactly as intended. The supervised access is the part that mattered most: by being present, you saw the HVAC contractor pass. The fact that you did not yet know his name does not undo that you saw him.
The cost of staying is paid in a single conversation with a frightened seven-year-old. The cost of leaving was paid by a different person, eight months later.
Stay alert
A short interlude. Three small anomalies will appear on the SCADA monitor over the next minute. None are real failures. They are the noise that fills a quiet shift. Click each one as it appears. Missed clicks are not penalised. A completion bonus rewards catching all three.
Audit room , interruption
Eckhardt looks up. He places a finger on the page.
You answer in character. The choice is not scored. It shapes Eckhardt's tone for the rest of the audit.
Frau Lindgren. The HVAC crew sign-out at twenty-three thirty-four. Four minutes later than the logged window. Did you flag this in your week-three triage.
04:30 , the morning of
Three things are on the desk. The 22:42 dosage spike. The 23:34 HVAC sign-out (four minutes after the contracted window). And a supply-chain alert from a partner utility in Cumbria, a similar plant configuration, similar SCADA architecture, was the subject of an unsuccessful remote-access attempt at 21:50 the same evening.
Three signals. Possibly one event. Possibly three coincidences.
Threat-vector triangulation
Three signals. Decide if they are one event or three coincidences. Toggle each connection on or off. You can draw zero, one, two, or three connections. Submit when ready.
Asymmetric scoring: false-negative (treat as separate when they are connected) is penalised heavier than false-positive (treat as connected when uncertain). The CER thesis lives here, physical, cyber, and supply-chain are one risk surface, not three.
Possible connections
Decision 2 of 3
You write the incident classification at 04:47. The Tier you choose determines whether Article 15 24-hour notification triggers, whether the parent company is informed, whether your line manager is informed, and what is on the record.
Decision 2 outcome
You file Tier 2 at 04:47. The Article 15 24-hour notification clock starts.
You phone Aqua Vitalis duty Ops Manager at 05:14, Davesh Iyer is on-call, he answers within two rings, he is awake. You walk him through it. He asks the questions you would have asked him. You do not lie about the absence. You do not lie about the HVAC sign-out variance.
Tobias Reinhardt, parent company CEO, is informed by 09:00. By 11:30 the parent company has appointed an independent reviewer.
Eight months from now Eckhardt will read this filing and recognise the courage it took to write at 04:47 on a Tuesday after the longest night of your life.
Resilience +5. Notification +6. Documentation +6. Trust-with-Regulator +8. The cover-up does not begin. The course's M5 Clean Break ending is now reachable from this M2 path.
Carry-forward to M3: The HVAC contractor sign-out variance is in the file. Priya's Article 14 background-check work in M3 will be informed by this. The misidentification reveal in M3, when she recognises Geraint's photo, will land harder, because the player remembers writing the variance into the file at 04:47.
Article 15 Paragraph 1 triggers on "incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services." A 23-second dosing spike that the in-line sensor caught is borderline. Tier 2 reads it generously toward notification. A regulator reads that generosity as the correct calibration.
Logging your own absence is not a directive obligation. It is a choice. The choice is what an auditor cares about.
Decision 2 outcome
You file Tier 3. Internal review only, no Article 15 notification. The parent company is told via the weekly resilience digest, four days from now.
You log your three-minute absence in operator notes, partially. You phrase it as "transient operator step-out (1 phone call to family)." You do not name the call.
You log the HVAC sign-out variance as "within tolerance." You do not flag it for follow-up.
Documentation +2. Notification 0. Trust-with-Regulator -2. The cover-up has not yet fully begun, but you have started writing in a register that an auditor reads as evasive. Six months from now Sara will read this entry and feel the language is slightly off.
Carry-forward to M3: The HVAC contractor sign-out variance is logged but not flagged. Priya's M3 work will need to surface it from the routine entries. The misidentification reveal in M3 will be earned, not given.
Tier 3 is a defensible classification for a 23-second sensor spike that the in-line caught. The directive does not require Tier 2 here. It does not prohibit it.
The choice that an auditor reads is not the Tier number. It is the operator-notes language. "Transient operator step-out" is a sentence that mentions an event without naming it. Article 15 does not require the naming. The audit-trail does.
Decision 2 outcome
You file Tier 4 at 04:47. "Transient sensor fault on chlorination dosing line. In-line sensor corrected within 23 seconds. No exposure to treated network. Operator confirmed manual override not engaged. Sensor flagged for replacement at next maintenance window. No notification required under Article 15. Tier 4."
You do not log your absence. You do not log the HVAC sign-out variance. The classification is the sentence the historical timeline contains. Six months later Sara will read it.
Resilience -2. Notification -8. Documentation -6. Trust-with-Regulator -10. The cover-up has begun. The course's M5 Cover-up Held ending is now the most likely outcome on this path.
Carry-forward to M3: The HVAC contractor sign-out variance is in the routine logs only. Priya's M3 work will not surface it without help. The misidentification reveal in M3 is now contingent on Sara's M1 D1 broad-sweep choice, if Sara surfaced the contractor list, the reveal still lands; if she did not, it doesn't.
Tier 4 is the classification Mateo filed in the historical timeline. The course is not telling you Mateo was a villain for filing it, the course is showing you what it took to file it, and what it cost.
Article 15 is technically not breached by a Tier 4 classification of an in-line-corrected spike. The directive does not require notification. The audit-trail still records that you saw the supporting evidence and chose not to surface it.
Decision 2 outcome
You file Tier 4 (the technical classification is honest, the in-line caught it; the system performed). You add a single line in operator notes: "Operator briefly absent from console 22:39-22:46 to take family hospital call. Manual override not engaged."
You do not log the HVAC sign-out variance, that didn't yet register to you as connected.
Six months from now Sara will read this entry and the operator-notes line will be the reason she comes to your office.
Resilience +2. Notification 0. Documentation +4. Trust-with-Regulator +4. The cover-up does not begin. The Tier 4 classification is technically defensible AND the absence is on record. This is the compromise position, and a regulator reads it well, because it shows judgement.
Carry-forward to M3: The operator-notes line is what triggers Sara's M1 unease. Priya's M3 work surfaces the contractor list anyway because Sara's broader scoping (if D1 was 'calibrated' or 'broad-sweep') brought it forward.
The technical classification (Tier 4) and the operator transparency (absence logged) are independent choices. The directive only requires the first; the audit-trail rewards both.
Article 15 does not require Tier 2 for an in-line-corrected spike. Article 13 does not require absence-logging. But an auditor reads operator notes that name what happened as evidence of resilience-mindset, and reads operator notes that don't as evidence of something else.
Decision 3 of 3
Davesh comes on shift at 07:00. By 07:00 he will have read the duty-Ops handover. The handover automatically includes the classification you filed. You can also send him a personal email, different content possible, that goes to him and not to the wider duty list.
Decision 3 outcome
You send the email at 06:18. Davesh reads it at 06:42 on the bus. He calls you back at 06:45. You speak for eleven minutes. He asks the questions a senior operator asks; you answer them. By 07:00 he is at his desk and the handover reads to him as continuous with what you have already told him.
Documentation +4. Trust-with-Regulator +6.
Carry-forward to M3 and M4: Davesh enters M4's Tuesday-morning incident with prior knowledge of the 14 March event in his head. Whether he uses that knowledge depends on M3 and M4 player choices.
The personal email creates a parallel record to the formal classification. An auditor reads parallel records as transparency. The formal classification can be technically minimal and the personal email can carry the texture, that is a defensible disclosure architecture.
Article 15 doesn't reach this level of decision. The audit-trail does.
Decision 3 outcome
Davesh reads the email at 06:42. He replies at 06:43 with one word: "Noted." He doesn't follow up. He knows there is something. He hasn't been told what.
Documentation +1. Trust-with-Regulator +1.
Carry-forward: Davesh enters M4 with a vague memory of a 14 March event and no detail. The vague memory does not help him in M4 because he doesn't trust it.
Heads-up emails create the appearance of transparency without the substance. An auditor reads them as "something the operator wanted on the record but did not quite want to say." That reading is sometimes correct.
Decision 3 outcome
You don't email. The handover at 07:00 contains the classification you filed. Davesh reads it at 06:58 on his phone walking from the bus. He nods. He moves on.
Documentation -1. Trust-with-Regulator -3.
Carry-forward: Davesh enters M4 with no prior knowledge of the 14 March event other than the formal classification. M4's cascade-map activity is harder for him because he is reading the situation cold.
Letting the formal record speak is sometimes the right call, when the formal record is complete. When the formal record is partial, this choice is what the audit-trail records as "silence around the texture." That phrase is what eight-month-later auditors quote in the verdict.
Wednesday morning
You are in the car park. The shift is over. The next thing on your calendar is the consultant's call about Lena's discharge. The thing after that is the custody hearing in nine weeks.
Decisions recap
What's next
Six months from now a Compliance Officer named Sara Lindgren will read the entry you just filed.
What she reads will depend on the choices you made in the past five minutes, and on the choices she made in M1, three weeks before she opened your file.
Framing device, close
Eckhardt closes the M2 sub-folder. Sara watches him.
END OF MODULE 2