EU Critical Entities Resilience Directive
Module 4 of 5
Tuesday 9 May, 06:32. Two months after the audit. Seven seconds before the AMBER alarm fires on Pump 1. The cascade has already started. Davesh has six minutes.
Audit Room, Day +245, momentary cut
Frau Lindgren. Tuesday the ninth of May. Six thirty-two. Mr Iyer was on shift. Mr Whitlock was, depending on what Frau Bhalla wrote in section 4, either on-site or not.
Yes.
Take me to the alarm panel.
Tuesday 9 May. Aqua Vitalis. 06:00.
It is Tuesday 9 May, 06:00.
You started your shift at 06:00, early because routine maintenance was scheduled on the alkali-dosing pump from 06:00 to 09:00. Phil Akande is on the second console. The kettle is on.
From this point until the end of the morning, you are Davesh Iyer.
Routine.
Routine. Phil sends a tea over at 06:14. The maintenance window proceeds, pump 2 alkali-dosing offline, pump 1 picking up the load, exactly as planned.
Whitlock comes on shift at 06:30. He nods at you. Goes to the maintenance bay.
06:32. The alarm panel lights up across two zones.
Right. Here we go again. What's it this time.
06:32.
Two-zone alarm. Alkali-side. Pump 1 (the one carrying the load during the maintenance window) is reading abnormal. Pump 2 (the one being maintained) is reading abnormal too, but Pump 2 should be inert. There is nothing in Pump 2 to be abnormal about.
This is not a maintenance fault. Maintenance faults don't flag both pumps. Phil, Phil is going to need to take a manual sample.
Decision 1 of 3
The 24-hour Article 15 notification clock starts the moment you become aware of an incident that may significantly disrupt the service. The two-zone alarm is that moment. You have ninety seconds before the first call. The decision is who you call first.
Decision 1 outcome
You phone the BBK duty line at 06:33. The duty officer logs the initial notification at 06:34. Article 15 24h clock starts on the dot.
Notification +4. Trust-with-Regulator +3. Documentation +1.
Tradeoff: the call to Sara comes second, at 06:38. She rings you back at 06:42. By then the BBK already knows. Sara is fine with this. She will be in the audit room with you in eight months.
Article 15 Paragraph 1 requires initial notification within 24 hours of awareness. There is no rule that says you must route through the Compliance Officer. Direct-to-regulator is the fastest disclosure path; it is also the path that reads to a regulator as "this entity takes the obligation seriously."
Decision 1 outcome
You phone Sara at 06:33. Sara is on the line within 90 seconds. You walk her through what you have. She phones the BBK at 06:36; initial notification logged at 06:37.
Notification +2. Trust-with-Regulator +6. Documentation +2.
This is the canonical path. Compliance Officer first; regulator second through the formal channel.
Phone-the-Compliance-Officer-first is the orthodox route. Article 15 doesn't require it; the audit-trail rewards it because it preserves the role of the Compliance Officer as the single point of regulator contact.
Decision 1 outcome
Phil goes to settling tank 3. He takes the sample at 06:38. He runs it. Result at 06:51. You phone Sara at 06:52, BBK at 06:54. Initial notification logged at 06:55.
23 minutes have passed between the alarm and the notification. The 24-hour clock has burned through 1.6% of itself for nothing: the manual sample didn't tell you anything the SCADA hadn't already told you.
Notification -2. Trust-with-Regulator -4.
Carry-forward: the audit-trail records "operations manager prioritised local sample over regulatory notification." That sentence is what Eckhardt will quote at M5 hot-seat.
Wanting more information before phoning the regulator is a defensible operational instinct. The directive is explicit that the obligation triggers on awareness of POSSIBLE significant disruption, not awareness of confirmed disruption. Article 15 does not require certainty. The audit-trail does not reward operators who waited for it.
What's on the network.
Activity #192: Cascade Map. NEW to the catalogue. First implementation here.
The cascade is propagating along the alkali-dosing line. Pick the breaking-point node, then pick a mitigation route. Choose mitigations that break the cascade before it reaches the city's main supply node.
Asymmetric scoring: each mitigation has a time-cost. Wrong mitigations let the cascade propagate further. Right mitigations break it. Multiple correct answers exist; the activity rewards minimum-disruption mitigation, not maximum-action.
Break the cascade.
Two clicks. First: click the breaking-point node (the node where intervention will stop the propagation). Second: click the mitigation that you would route through.
Pattern-match.
Mini-game interlude. ~60 seconds. Match this morning's alarm signature to a threat type. The mini-game is teaching the recognition reflex CER expects ops staff to have. No score penalty for a wrong match. Completion bonus only.
Audit room, interruption
Eckhardt looks up.
You answer in character. The choice is not scored. It shapes Eckhardt's tone in the M5 hot-seat.
Frau Lindgren. Mr Iyer recognised the pattern as cyber-physical at six forty-three. He had eleven minutes of evidence at that point. Was the recognition fast or slow.
Decision 2 of 3: mitigation
The cascade is on the map. The pattern is recognised. You have to choose how to mitigate. Three options; each has a different signal to the regulator and the network.
Decision 2 outcome
Pump 1 isolated at 06:47. Threshmoor backup engaged at 06:48. Network output at 80% by 06:50. The cascade is broken. The 14-minute timer to city-main contamination resets to safe.
Resilience +6. Trust-with-Regulator +4. Documentation +2.
Carry-forward to D3: the disruption is on the operational record but not on the consumer-facing record. The detailed report has clean engineering decisions to point to.
Article 13 Paragraph 1 requires resilience measures "appropriate and proportionate." Immediate isolation when the cascade is recognised and the backup is available is the proportionate response. The directive does not punish operational disruption that prevents service disruption.
Decision 2 outcome
Output capped to 60% at 06:48. Hazard continues to propagate at the alkali-dosing nodes, slowly. Settling tank 3 turns AMBER at 06:54. You isolate Pump 1 at 06:55.
The cascade is broken at 06:55. Eight extra minutes of exposure. The network experienced a transient AMBER state at settling tank 3, within tolerance, but visible on the historical record.
Resilience +3. Trust-with-Regulator +1. Documentation +1.
Phased response is a reasonable engineering instinct. The directive doesn't prefer one style over another. The audit-trail records the AMBER state at settling tank 3, which a regulator reads as "service was at risk for eight minutes longer than necessary."
Decision 2 outcome
You hold position. Phil collects data. At 06:54 settling tank 3 turns AMBER. You isolate Pump 1 at 06:55. By 06:57 the AMBER state has propagated to the network feed. City supply at 06:58 is showing AMBER for sixty seconds before the manual flush diversion engages.
No consumer harm. Sixty seconds of AMBER on the city main. The detailed report has to explain the wait-and-see decision.
Resilience -4. Trust-with-Regulator -3. Documentation -1.
Wait-and-see is the choice you defend in writing in the detailed report. It is rarely the choice that survives that defence. Article 13 expects proportionate response. Wait-and-see is under-response when the cascade is known and the backup is available.
The intervention.
Activity #174: Reaction-window timing. Adapted from Martyn's Law M5.
Whitlock is at his workbench. The cascade has been broken. The next move is the personnel-side mitigation: revoke his site access, escort him from the maintenance bay, and inform the police.
Three verdict zones for the click: too-early (false-alarm-undermining-staff-trust if revoked before the cyber-physical pattern is unambiguous); in-window (multi-source convergence: cascade-map identifies pump 2 anomaly + alarm-pattern recognition + Whitlock's M3 file); too-late (situation upgraded to a different procedure: Whitlock leaves the bay with a USB drive in his pocket).
When to act.
A 6-minute window scaled to 30 seconds. The cursor sweeps left-to-right. Click STOP when you would intervene. Click too early, you act before the pattern is unambiguous and undermine staff trust. Click in-window, you act on multi-source convergence. Click too late, Whitlock has had time to remove evidence and the situation is upgraded.
No on-site personnel mitigation needed.
Whitlock is not on-site this morning. The M3 vetting decision (referred or declined) means there is no contractor in the maintenance bay to intervene with. The cascade has been broken on engineering terms only. The reaction-window activity is skipped.
Carry-forward in action: the M3 referral decision pre-empts a load-bearing M4 moment.
The 24-hour clock.
Activity #180: notification timeline composer (adapted from RRA M2). Four event cards. Four notification windows. Map each card into the correct window.
Asymmetric: under-mapping (placing a 24h-deadline event in the 1-month window) is penalised more heavily than over-mapping (placing a 1-month-deadline event in the 24h window).
Map the events to the windows.
Click an event card, then click the notification window it belongs in. Submit when all four are mapped.
Decision 3 of 3: the report
You have most of the day. The detailed report is yours to draft. The directive's ceiling is one month; Aqua Vitalis policy is to file within five working days while the incident is fresh. Sara will sign. Eckhardt will read. The choice is the framing.
Decision 3 outcome
Sara reads the draft at 16:42 on Tuesday. She makes three changes, small ones, register-only, and signs at 17:08. Filed at 17:09.
Notification +6. Trust-with-Regulator +8. Documentation +5.
Carry-forward to M5: the audit room reads this report as the moment Aqua Vitalis chose transparency over containment. The Clean Break ending becomes reachable. Eckhardt's hot-seat questions at M5 will be sharper but Sara's answers will be supported by what Davesh wrote.
Article 15 Paragraph 2 requires the detailed report to address "cause, impact, mitigation, and remediation." The directive does not require systemic framing; that's a choice. Full disclosure is the choice that an auditor reads as institutional courage.
Decision 3 outcome
The report is tight, defensible, and silent on the systemic dimension. Sara signs it at 17:14.
Notification 0. Trust-with-Regulator 0. Documentation 0.
Carry-forward: the audit room reads this report as "engineering-complete, systemically-incurious." Eckhardt's hot-seat questions will surface the M3 connection because the report did not.
Operational-only is the most common choice at this evidence threshold. It is defensible. It also forecloses the institutional credit that full-disclosure earns. See Article 15 Paragraph 2.
Decision 3 outcome
The report names Whitlock. The directive's Article 14 process is described as "in train." Aqua Vitalis is described as the victim of a contractor breach.
Notification -2. Trust-with-Regulator -10. Documentation -3.
Carry-forward: this is the worst single decision an Aqua Vitalis officer makes in the course. Externalising blame to a contractor at the 24-hour mark, when the M3 vetting decisions sit on Aqua Vitalis's books, reads to a regulator as institutional avoidance. The M5 audit room reads this report as the moment Aqua Vitalis lost the audit.
Article 15 Paragraph 2 requires the report to address cause and remediation. Naming the contractor is technically accurate. Framing the contractor as the cause when the entity's own vetting decisions enabled the access is what an auditor reads as institutional dishonesty.
Decision 3 outcome
The holding report is filed at 17:24 on Tuesday. It is one page. It says little. The directive permits a holding-detail sequence in exceptional circumstances. This was not exceptional.
Notification -6. Trust-with-Regulator -2. Documentation -5.
Holding reports are for genuinely fast-moving incidents where information is not yet available. By 14:48 on Tuesday, you had the information. Filing a holding report when the detailed report is available is procedural avoidance. See Article 15 Paragraph 2.
Tuesday evening.
Tuesday is over. The report is filed. The cascade was broken. The team did the work it was trained to do. Whitlock is in custody. Or he isn't. It depends on the choices.
Davesh, quietly, looking at the alarm panel through the glass:
Right. Here we go again. What's it this time.
Phil doesn't repeat it back. Nobody does.
Decisions recap
What's next
Eight months from now, you will sit in a BBK audit room with Sara. Eckhardt will read this report aloud. The questions he asks will be shaped by what you wrote in section 4 today.
Audit Room, momentary cut
Eckhardt closes the M4 sub-folder.
Frau Lindgren. Mr Iyer wrote the detailed report.
Yes.
I have read it. We will continue tomorrow morning. I have one more set of questions and then I will rule.
END OF MODULE 4