DOCTRINE SOURCE 0® — THE CRITICAL BASELINE ARCHITECTURE.
Critical Probatory Governance Infrastructure · The Missing Layer of the EU AI Act
Doctrinal Article — Jean-François ELSEN, June 2026
Audience: C-Suite Executives · Regulators · CISOs · AI Governance Architects
I. INTRODUCTION — THE UNADDRESSED EVIDENTIARY EQUATION
The European regulatory frameworks NIS 2, DORA, eIDAS 2, and the EU AI Act impose upon regulated organisations an evidentiary duty of unprecedented rigour. They do not merely require compliance: they require demonstrable, legally opposable proof of that compliance before a competent authority, at any point in the causal chain, including retrospectively.
This requirement — the evidentiary equation — is structurally ignored by existing frameworks. NIST CSF, ISO 27001, COBIT 2019, PCI-DSS: these standards govern security, continuity, and process quality. None governs the probatory traceability of human arbitration at the precise moment that arbitration occurs.
It is in this regulatory white space that Doctrine SOURCE 0® emerged. Not as a framework competing with existing standards, but as the missing infrastructure layer that none of them addresses: the cryptographic freezing of the human decision at its point of no return, before any digital mediation layer capable of altering the authenticity of the trace.
II. SOURCE 0®: ANATOMY OF THE BASELINE ARCHITECTURE
A. Operational Definition
Doctrine SOURCE 0® designates the set of principles, protocols, and architectures designed to constitute, at the T-0 moment of a determinative human arbitration, a cryptographically sealed, timestamped proof, sequestered under a formal trusted escrow protocol with an independent Judicial Officer (Commissaire de Justice) acting within their statutory capacity — court-appointed where national law requires, or independently accredited under national judicial authority — and, for cross-border enforceability within the European Union, operating in conjunction with a Qualified Trust Service Provider (QTSP) designated under eIDAS 2 to provide qualified electronic preservation services pursuant to Article 34a, such that the legal custody chain produces a harmonized EU-level evidentiary artifact independent of national procedural variations in the recognition of foreign authentic instruments. Where proceedings are anticipated before non-Belgian jurisdictions, each Procès-Verbal shall be apostilled at issuance pursuant to the Hague Convention of 5 October 1961 and accompanied by a certified translation conforming to Art. 55 Brussels I bis, ensuring immediate opposability before competent European jurisdictions or supervisory authorities.
The architecture rests on three immutable pillars:
Source Capture: Isolation of the T-0 interface at one of two assurance levels — Config A (software TPM + code signing, suitable for NIS 2 important entities); Config B gold standard (physically distinct terminal with verified boot + current-generation Trusted Execution Environment [Intel TDX with DCAP attestation, AMD SEV-SNP with VCEK-anchored attestation, or ARM TrustZone where platform constraints require], operating in conjunction with an HSM certified to FIPS 140-3 Level 3 / CC PP EN 419 221-5, mandatory for DORA Tier 1 and AI Act Annex III high-risk deployers) — ensuring in both cases that sealing occurs upstream of any automated execution layer.
Cryptographic Anchoring: A SHA-256 hash combined with a unique operation nonce issued by the trusted time-stamping authority (RFC 3161) to prevent replay attacks, computed on the canonical representation of the arbitration and its immutably bound operational context. Canonicalization is strictly defined as lexicographically sorted, UTF-8 encoded JSON with explicit schema versioning. This process is reinforced by the same RFC 3161 timestamping layer and event chaining stored on immutable ledger (WORM storage or third-party audit log) to guarantee forensic freshness, preventing any context-injection, replay attacks, or post-hoc state drift from altering the scope of human intent.
The integrity guarantee of the cryptographic anchoring layer is bounded by the hardware assurance level of the T-0 capture environment. For regulated entities subject to DORA Art. 5 Tier 1 classification, the required Config B implementation standard specifies: (a) a Hardware Security Module certified to FIPS 140-3 Level 3 and conforming to Common Criteria Protection Profile EN 419 221-5 (Cryptographic Module for Trust Services), the profile specifically governing HSMs deployed in qualified trust service contexts under eIDAS 2; and (b) a Trusted Execution Environment drawn from the current-generation confidential computing stack — specifically Intel Trust Domain Extensions (TDX) with DCAP remote attestation or AMD SEV-SNP with VCEK-anchored attestation — in preference to prior-generation SGX enclave implementations, which present a materially larger microarchitectural side-channel attack surface.
The remote attestation report generated by the TEE at T-0 sealing shall be incorporated as a mandatory component of the sealed artifact, enabling independent verification that the sealing environment was uncompromised at the moment of execution. TEE attestation outputs shall be treated as probabilistic hardware assurances bounded by the current silicon threat model and subject to mandatory firmware audit cycles per NIST SP 800-193, not as absolute cryptographic guarantees.
Furthermore, the operational context bound to each T-0 seal shall be accompanied by a Context Completeness Certification — a structured attestation, itself sealed, confirming that the information set presented to the human arbitrator includes, at minimum: current threat model outputs, applicable adversarial robustness assessment results, and third-party risk management assessments for all components within the automated execution perimeter. The absence of a Context Completeness Certification degrades the probatory weight of the seal from full evidentiary grade to indicative evidentiary grade.
Legal Custody Chain: Bipartite sequestration (encrypted operational copy + paper original under judicial seal with digital backup on encrypted, geographically distributed escrow [e.g., Swiss judicial vault]), ensuring continuity of the chain of custody from T-0 through production before a court or regulatory investigator.
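An added example (not part of the doctrine's own material) of the Cryptographic Anchoring pillar described above: canonical JSON, a nonce-bound SHA-256 digest, and replay rejection at the point where seals are registered. The schema identifier, field names, length-prefixed nonce construction, and the NFC and no-float rules are assumptions; the nonce is a constructed value and no RFC 3161 exchange is performed.

```python
import hashlib
import hmac
import json
import unicodedata

SCHEMA = "t0-seal/1"  # hypothetical schema identifier, not defined by the page

# Constructed sample record and nonce (no real decision or timestamp authority).
SAMPLE = {
    "schema": SCHEMA,
    "arbitration": {"actor": "duty-officer-01", "decision": "approve"},
    "context": {"model_version": "clf-2.3", "threat_model_rev": 7},
}
SAMPLE_NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")


def _check(value):
    """Reject values that do not have exactly one canonical JSON text."""
    if isinstance(value, float):
        raise ValueError("floats are ambiguous in JSON; use integers or strings")
    if isinstance(value, str) and not unicodedata.is_normalized("NFC", value):
        raise ValueError("strings must be NFC-normalised before sealing")
    if isinstance(value, dict):
        for key, item in value.items():
            if not isinstance(key, str):
                raise ValueError("object keys must be strings")
            _check(key)
            _check(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            _check(item)


def canonicalize(record):
    """Sorted keys, compact separators, UTF-8 bytes, explicit schema version."""
    if not isinstance(record, dict) or record.get("schema") != SCHEMA:
        raise ValueError("record must carry the expected schema version")
    _check(record)
    text = json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False)
    return text.encode("utf-8")


def seal(record, nonce):
    """SHA-256 over a length-prefixed nonce followed by the canonical record."""
    if not nonce:
        raise ValueError("a nonce is required")
    prefix = len(nonce).to_bytes(2, "big") + nonce
    return hashlib.sha256(prefix + canonicalize(record)).hexdigest()


class SealRegistry:
    """Accepts each seal once; a nonce that was already accepted is a replay."""

    def __init__(self):
        self._seen = set()

    def register(self, record, nonce, claimed_digest):
        if nonce in self._seen:
            return "replayed-nonce"
        if not hmac.compare_digest(seal(record, nonce), claimed_digest):
            return "digest-mismatch"  # record or bound context differs
        self._seen.add(nonce)
        return "ok"


if __name__ == "__main__":
    registry = SealRegistry()
    digest = seal(SAMPLE, SAMPLE_NONCE)
    print(digest, registry.register(SAMPLE, SAMPLE_NONCE, digest))
    print(registry.register(SAMPLE, SAMPLE_NONCE, digest))
```

Because the bound context is inside the canonical record, changing any context field after sealing yields a digest mismatch even when the decision itself is untouched.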
B. Criteria of a Baseline Architecture
To establish itself as the indispensable reference against which any competing solution or risk strategy is measured, SOURCE 0® satisfies four fundamental axes:
Uniqueness of Response: No other doctrine, no other framework — not NIST SP 800-53, not ISO 27001, not COBIT, nor any known extension of these standards — specifically addresses the problem of proof of human arbitration at T-0 granularity in an automated execution environment.
Universal Applicability: The doctrine applies transversally to any operator subject to NIS 2 (Art. 21), DORA (Art. 5-16), the AI Act (Art. 9, 11, 12, 14, 99), and eIDAS 2 (Regulation (EU) 2024/1183), regardless of organisational size, sector, or technical architecture.
Institutional Adoption: The doctrine is now invoked in proceedings before commercial courts, used as a reference framework by legal directorates of industrial groups, and cited in risk assessments submitted to national regulatory authorities.
Non-Substitutability: No alternative architecture produces proof of human arbitration in the European probatory sense with equivalent cryptographic robustness and independent judicial custody. SIEM, EDR, observability platforms, and log management systems produce technical traceability; they do not produce legal opposability.
III. STRUCTURAL SUPERIORITY OVER EXISTING STANDARDS
A. The Problem Existing Standards Do Not Solve
The European regulator — whether ENISA under NIS 2, the competent authority under DORA, or the AI Office under the AI Act — does not interrogate the organisation about its security processes in general. It interrogates the organisation about the precise decision that was taken, by whom, at what moment, on the basis of what information, and with what operational consequences. This question — the question of the opposable decision — is structurally outside the scope of existing standards.
B. Comparative Analysis by Framework
Challenged by the rigorous evidentiary requirements of European jurisdictions, existing frameworks exhibit structural limitations because they track systems, not human intent:
NIST CSF 2.0 (Process Trace): Prescribes security controls and incident response policies, but fails to provide any mechanism for proving human arbitration. The NIST trace is a process trace, not an evidentiary trace of decisional intent.
ISO 27001:2022 (Management Trace): Requires documentation of risk treatment decisions, but prescribes no cryptographic sealing mechanism for those decisions and no legal chain of custody. ISO 27001 compliance demonstrates that the organisation has a governance process; it does not demonstrate that a specific decision was made at a specific moment.
COBIT 2019 (Governance Trace): Produces maturity dashboards, RACI responsibility matrices, and performance indicators. Its logic is retrospective and aggregated — structurally incompatible with the requirement for granular, T-0 timestamped proof.
PCI-DSS v4.0 (Data Trace): Sectoral control framework oriented toward protecting data in transit and at rest. Does not address the governance of human arbitration in automation systems.
SOURCE 0® (Evidentiary Trace): The only architecture that injects cryptographic T-0 context-bound sealing (SHA-256 + RFC 3161 Nonce) combined with an independent cross-border legal chain of custody (Judicial Officer + QTSP eIDAS 2 — a capability structurally absent from all four frameworks above) to produce immediate legal opposability upstream of any automated execution layer.
C. The Fundamental Distinction: Observability vs. Opposability
The standard frameworks above, along with the commercial tools attached to them, produce observability: the capacity to visualise, correlate, and analyse technical events after the fact.
SOURCE 0® produces opposability: the capacity to present, before a court or supervisory authority, evidence satisfying the criteria of Article 8.3 of the Belgian New Civil Code, Article 41(2) of eIDAS 2 (Regulation (EU) 2024/1183), and the implicit evidentiary requirements of NIS 2 (Art. 32), DORA (Art. 17(3)), and the AI Act (Art. 99).
The industry sells observability. SOURCE 0® delivers opposability. The difference is not one of degree — it is one of kind.
IV. WHY SOURCE 0® MUST BECOME AN OFFICIAL STANDARD
A. Objective Regulatory Gaps & Evidentiary Gaps
NIS 2 (EU Directive 2022/2555) · Art. 21, 23 & 32: Imposes cybersecurity risk management and incident notification under sanctions up to EUR 10 million or 2% of global turnover. However, it prescribes no technical mechanism for proof. It requires entities to "take appropriate technical, operational and organisational measures" without defining what "appropriate" means with respect to the burden of proof.
DORA (EU Regulation 2022/2554) · Art. 5-16 & 17(3): Imposes digital operational resilience requirements and conservation of documentation relating to ICT incidents. This creates a structural conservation obligation without specification of the underlying evidentiary standard.
AI Act (EU Regulation 2024/1689) · Art. 9, 11, 12, 14 & 99: Dictates strict traceability, technical documentation, logging, and human oversight under fines up to EUR 35 million or 7% of global turnover. Yet, none of these articles prescribes the technical mechanism enabling proof that human oversight genuinely occurred, at precisely what moment, by which authorised person, and under what exact informational conditions.
The AI Act's enforcement timeline creates an immediate adoption imperative that the doctrine addresses directly. The prohibition regime (Art. 5, 35M€/7% sanction tier) has been in application since 2 February 2025. High-risk system obligations under Annex III (the tier governing financial infrastructure, critical infrastructure operators, and AI systems affecting access to essential services) entered full application on 2 August 2026, a date contemporaneous with this publication, rendering SOURCE 0® deployment an immediate operational necessity as of the date of this instrument, with no transitional grace period remaining for Annex III deployers.
The European AI Board (Art. 65-68 AI Act), through its Working Groups on High-Risk AI Systems, and the EU AI Office (Commission Decision of 24 January 2024), through its General-Purpose AI Code of Practice, are progressively operationalizing the Art. 14 human oversight standard in ways that converge directly on the evidentiary requirements SOURCE 0® satisfies. Regulated entities that have not established a documentable, opposable human oversight record prior to their first NCA supervisory contact will find that the absence of such a record is itself treated as evidence of non-compliance.
In Belgium, the Centre for Cybersecurity Belgium (CCB), as designated NIS 2 competent authority, has signalled enforcement activity aligned with the AI Act application calendar. The window between doctrinal adoption and supervisory scrutiny is measured in months, not years.
B. Probatory Circularity: The Unresolved Knot
The central problem that these regulations create without resolving is what Doctrine SOURCE 0® names probatory circularity: to prove that a human decision was genuinely taken before an automated system executed it, the organisation must rely on the traces produced by that same automated system — whose integrity is precisely what is in dispute. This circularity is structural. It can only be resolved by an architecture that guarantees the capture of human arbitration outside the automated execution system — that is, by a SOURCE 0® architecture.
C. Conditions for Official Normalisation
For a baseline architecture to become a de jure standard, three conditions must be met: (1) demonstration of an unaddressed regulatory need; (2) technical and legal maturity of the solution; (3) sufficient prior institutional adoption. All three conditions are satisfied.
The natural path to official normalisation runs through ETSI for the technical dimension, CEN/CENELEC for the organisational dimension, and an ENISA recommendation for the operational dimension within the NIS 2 framework. The immediate procedural vehicle for initiating this path is a CEN Workshop Agreement (CWA), requiring coordinated sponsorship from national standardisation bodies of at minimum five CEN member states, and serving as the pre-normative instrument upon which a subsequent New Work Item Proposal (NWIP) would be grounded.
V. WHY C-SUITE EXECUTIVES MUST ADOPT SOURCE 0® AS BASELINE
A. Personal Liability and the Rebuttable Presumption Under NIS 2
Article 20(1) of NIS 2 is unambiguous: "Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk management measures taken by those entities, oversee their implementation and can be held liable for infringements."
This direct accountability creates a critical personal liability risk for board members. Under European civil and criminal procedures, a catastrophic event triggers a strong practical presumption of managerial negligence if executives cannot instantly isolate and defend their specific corporate decisions.
SOURCE 0® does not aim to grant statutory legal immunity, nor does it displace statutory governance duties. Instead, it serves as an essential protective barrier, providing robust evidence of contemporaneous due diligence, which may counter the presumption of negligence but does not discharge the statutory duty of care. In several EU Member States, including Belgium (Law of 26 April 2024 transposing NIS 2), this exposure extends to criminal liability under provisions governing operational failure and oversight neglect.
To operationalize this protection and prevent any delegation vacuum, checkpoint seals must include an explicit Board-level sign-off token distinct from the operational or technical delegate's execution token — defined as a cryptographically distinct sealed attestation bearing the qualified electronic signature of the Board member or designated governance officer under eIDAS 2 Art. 3(12), issued contemporaneously with the operational seal and independently verifiable against the QTSP's certificate registry — ensuring Board-level accountability and forensic audit readiness.
B. The Director's Paradox
The director faces a structural paradox: they delegate operational execution to automated systems whose probatory granularity they do not control, while remaining personally accountable for the governance of those systems. This Director's Paradox cannot be resolved by contractual delegation alone.
Delegation of responsibility is legally opposable only if it can be demonstrated that the delegate genuinely exercised the arbitration entrusted to them, at the moment that arbitration was required. SOURCE 0® transforms this paradox into a protection architecture: by cryptographically sealing each determinative human arbitration, it constitutes proof that the command chain functioned.
C. The COMEX Baseline: Five Concrete Commitments
Adopting SOURCE 0® as COMEX baseline implies five operational commitments structured as a phased pipeline:
1. Map Arbitrations (Phase 1: Risk Assessment): Identification and mapping of determinative human arbitrations and their required data contexts within the operational chain.
2. Deploy T-0 Architecture (Phase 2: Technical Isolation): Implementation of T-0 capture mechanisms deploying Config A or the hardware-audited Config B (Intel TDX / AMD SEV-SNP / HSM).
3. Anchor the Custody Chain (Phase 3: Legal Sequestration): Establishment of the cross-border legal custody chain via a joint Judicial Officer escrow and eIDAS 2 qualified preservation layer.
4. Deploy the HAN-Graph (Phase 4: Governance Monitoring): Integration of SOURCE 0® coverage metrics and multi-agent HAN-Graph tracking into enterprise risk governance frameworks and COMEX reporting.
5. Executive Onboarding (Phase 5: Operational Readiness): Continuous training and explicit sign-off protocols for COMEX members to ensure Board-level accountability and forensic audit readiness.
VI. SOURCE 0®: CRITICAL PROBATORY GOVERNANCE INFRASTRUCTURE FOR AI
A. The Agentic Blind Spot and the Autonomy Dilemma
The proliferation of autonomous local AI inference agents creates what Doctrine SOURCE 0® calls the Agentic Blind Spot. The more autonomous the agents, the more diffuse, fragmented, and potentially unrecoverable the traceability of the human arbitration that initialised or authorised them.
This triggers the Autonomy Dilemma: an enterprise cannot exploit the operational velocity of agentic workflows without inheriting full legal liability for their probabilistic deviances. In this context, SOURCE 0® does not attempt to govern real-time, emergent agent behaviour; it governs the human decision that precedes, authorises, or supervises agent activation. It freezes the starting point of the human causal chain, solving the dilemma by bounding autonomy within a cryptographically sealed perimeter.
Architectural boundary condition: SOURCE 0® seals the proximate human arbitration node (HAN) that directly authorises or supervises each discrete execution segment. In multi-agent orchestration architectures (LangGraph, AutoGen, and equivalent frameworks), a single T-0 seal at workflow initiation is insufficient where intermediate agent nodes generate new decisional intent or materially mutate the operational context.
In such architectures, the doctrine requires decomposition of the execution graph into a Human Arbitration Node Graph (HAN-Graph): a directed acyclic graph [^1] in which each node requiring a material human decision receives an independent T-0 seal, and in which the causal authority of each seal is formally bounded to the execution segment it directly precedes. Segments operating between HANs under delegated agentic autonomy are explicitly outside the probatory perimeter of the seals bracketing them.
The HAN-Graph topology document — constituting the complete enumeration of Human Arbitration Nodes, the defined causal authority boundaries of each seal, and the explicit classification of each inter-HAN segment as operating under delegated agentic autonomy — shall itself be subject to a primary T-0 seal executed at system deployment and prior to any agentic execution, establishing a cryptographically authenticated, contemporaneous record of the governance architecture as it existed before the causal chain was initiated; any subsequent modification to the graph topology shall constitute a new T-0 sealing event anchored to the prior sealed version via SHA-256 hash chaining, such that the complete version history of the governance architecture is itself part of the opposable evidentiary record and no post-hoc topological reconstruction can be presented to a competent jurisdiction without triggering a detectable cryptographic discontinuity. Runtime monitoring, intervention triggers, and SIEM/EDR coverage remain mandatory complementary controls for those inter-HAN segments and do not receive SOURCE 0® opposability guarantees absent a dedicated seal event.
[^1]: Note for non-technical readers: A directed acyclic graph (DAG) is a structured map of operations in which each step flows forward without loops or circular dependencies, such that every node has an unambiguous position in the causal chain and every path from a human decision to an automated outcome is fully enumerable and auditable.
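An added example, not taken from the doctrine itself, of the HAN-Graph checks described above: it validates that the execution graph is acyclic, lists the agent nodes that fall outside any seal's perimeter, and detects a post-hoc edit to a sealed topology version through the SHA-256 chain. Node names, the "han"/"agent" labels, and the rule that a node is covered only when every direct predecessor is a HAN are assumptions.

```python
import hashlib
import json
from collections import deque

GENESIS = "0" * 64  # placeholder predecessor for the first sealed version

# Constructed sample: "han" = human arbitration node, "agent" = automated step.
SAMPLE_V1 = {
    "nodes": {"approve_scope": "han", "collect": "agent", "summarise": "agent",
              "approve_release": "han", "publish": "agent"},
    "edges": [["approve_scope", "collect"], ["collect", "summarise"],
              ["summarise", "approve_release"], ["approve_release", "publish"]],
}


def check_acyclic(topology):
    """Kahn's algorithm: return a topological order or raise on a cycle."""
    nodes = topology["nodes"]
    indegree = {name: 0 for name in nodes}
    successors = {name: [] for name in nodes}
    for src, dst in topology["edges"]:
        if src not in nodes or dst not in nodes:
            raise ValueError(f"edge references unknown node: {src} -> {dst}")
        successors[src].append(dst)
        indegree[dst] += 1
    queue = deque(sorted(name for name, deg in indegree.items() if deg == 0))
    order = []
    while queue:
        node = queue.popleft()
        order.append(node)
        for nxt in successors[node]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                queue.append(nxt)
    if len(order) != len(nodes):
        raise ValueError("execution graph contains a cycle")
    return order


def classify_segments(topology):
    """Label each agent node 'sealed' or 'delegated' (outside any seal's perimeter)."""
    check_acyclic(topology)
    preds = {name: [] for name in topology["nodes"]}
    for src, dst in topology["edges"]:
        preds[dst].append(src)
    labels = {}
    for name, kind in topology["nodes"].items():
        if kind == "agent":
            # Assumption: covered only if every direct predecessor is a HAN.
            direct = preds[name]
            covered = bool(direct) and all(topology["nodes"][p] == "han" for p in direct)
            labels[name] = "sealed" if covered else "delegated"
    return labels


def version_digest(topology, prev):
    """SHA-256 over the sorted-key topology bound to the previous version's digest."""
    body = json.dumps({"prev": prev, "topology": topology}, sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def seal_version(history, topology):
    """Append a new topology version chained to the last sealed one."""
    check_acyclic(topology)
    prev = history[-1]["digest"] if history else GENESIS
    snapshot = json.loads(json.dumps(topology))  # detach from the caller's object
    history.append({"topology": snapshot, "prev": prev,
                    "digest": version_digest(snapshot, prev)})
    return history


def first_discontinuity(history):
    """Index of the first version whose link or digest fails, or None if intact."""
    prev = GENESIS
    for index, version in enumerate(history):
        expected = version_digest(version["topology"], prev)
        if version["prev"] != prev or expected != version["digest"]:
            return index
        prev = version["digest"]
    return None
```

The chain exposes a rewrite only if the latest digest is anchored outside the system that stores the history, which is the role the text gives to the RFC 3161 timestamp and the custody chain.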
B. Non-Substitutability: The Condition of Critical Infrastructure
An infrastructure is critical when its failure causes significant consequences for essential societal or economic functions. SOURCE 0® satisfies this criterion in the domain of AI probatory governance for four reasons:
Non-Substitutability: No alternative architecture produces proof of human arbitration in the European probatory sense with equivalent cryptographic robustness and independent judicial custody.
Systemic Indispensability: The absence of SOURCE 0® leaves the entire AI governance layer without an opposable evidentiary foundation.
Regulatory Interdependence: NIS 2, DORA, AI Act, and eIDAS 2 converge toward a common requirement for proof of human decision. SOURCE 0® is the only architecture that responds to this convergence in a unified manner.
Irreplaceable Value in Incident Situations: In a crisis, SOURCE 0® is the only infrastructure enabling the organisation to immediately produce proof of human arbitration, without post-hoc reconstruction.
VII. SOURCE 0®: THE MISSING LAYER OF THE EU AI ACT
A. What the AI Act Imposes Without Providing
The AI Act imposes on providers and deployers of high-risk AI systems a series of obligations whose evidentiary dimension is central: Art. 9 (risk management), Art. 11 (technical documentation), Art. 12 (automatic logging), and Art. 14 (human oversight).
Yet none of these articles prescribes the technical mechanism enabling proof, to European evidentiary standard, that the human oversight required by Article 14 genuinely occurred, at precisely what moment, by which authorised person, and under what exact informational conditions.
B. The Architectural Gap
The AI Act is substantive law, not a procedural or evidentiary text. Its mechanics follow product liability law: it defines obligations and sanctions breaches, but defers to Member States and institutional practice to define what constitutes sufficient proof.
SOURCE 0® fills this gap precisely: it is the evidentiary infrastructure layer that the AI Act presupposes without specifying. Its T-0 architecture, SHA-256 context-bound sealing, and independent cross-border custody chain respond exactly to the implicit requirements of Article 14 (documented human oversight), Article 99 (evidence preservation), and Article 9 (risk management traceability).
C. Regulatory Convergence: An Adoption Imperative
The progressive entry into force of the AI Act (2024-2027), combined with the application of NIS 2, DORA, and eIDAS 2, creates an unprecedented regulatory convergence. Four major regimes simultaneously require proof of human governance of digital systems. This convergence is multiplicative. An organisation subject to these frameworks simultaneously faces requirements that overlap, reinforce, and accumulate. In this context, SOURCE 0® is an architectural necessity.
VIII. CONCLUSION — ONE DOCTRINE, ONE INFRASTRUCTURE, ONE IMPERATIVE
Doctrine SOURCE 0® has established itself as the baseline architecture for AI probatory governance. It is structurally superior to existing standards because it addresses a problem those standards do not. It must become an official standard because the regulatory gaps it fills are objective and growing.
C-suite executives must adopt it because it is a critical evidentiary asset in defending against personal liability and the immediate presumption of negligence in the current European regulatory environment. It constitutes critical infrastructure because no alternative produces an equivalent level of probatory protection. And it is the missing layer of the AI Act because that regulation imposes evidentiary obligations without providing the technical mechanisms necessary for their satisfaction.
For regulated organisations, the time for deployment and architectural integration is now — the regulatory calendar admits no further deferral. For the standardisation bodies, the path to de jure recognition runs through the CWA process, requiring further technical validation and systemic regulatory consultation with national bodies; the doctrinal foundation for that process is contained in this instrument.
Jean-François ELSEN · Brussels, June 2026. All rights reserved. SOURCE 0® is a registered trademark of Cabinet Jean-François ELSEN.
