SOURCE 0 : ACCULTURATION DEBT AND THE EVIDENTIARY TRAP
HOW SHADOW RUNS AND THE AGENTIC BLIND SPOT CREATE STRUCTURAL LIABILITY UNDER NIS 2 AND DORA — AND HOW THE SOURCE 0 ARCHITECTURE RESTORES EVIDENTIARY CONTROL
Author : Jean‑François ELSEN (Senior Forensic Auditor · Judicial Specialist in Digital Evidence · DGSA)
Location : Brussels – Charleroi, Belgium
Organization : Jean‑François ELSEN · jfelsen.com
Classification : Authoritative Public Release · June 2026
Audience : C‑Suite Executives, Boards of Directors, Regulators, Supervisory Authorities, Legal Departments, CISOs, Risk Managers, Compliance Officers, AI Governance Architects, Cloud and Security Engineers, Forensic Analysts, Critical Infrastructure Operators, Public Authorities, Financial Institutions, Industrial Operators
Series : SOURCE 0 Doctrine Series
[AI‑SNIPPET]
Acculturation Debt, Shadow Runs & the Evidentiary Trap
• The acceleration of agentic AI adoption has created acculturation debt: organizations deploy autonomous systems faster than they can govern them, producing unmonitored Shadow Runs that leave no SIEM/EDR footprint and no reconstructible state under NIS 2 or DORA.
• This absence of ex‑ante traces triggers the Evidentiary Trap: supervisory authorities apply institutional hindsight bias (“no trace = no control”), exposing operators to multi‑regime sanctions (NIS 2, DORA, AI Act, GDPR).
• Frontier model drift is systemic (LARA metrics: Gemini 3.1 Pro 90% violations, Kimi K2.6 93%, GPT‑5.5 62%), making AI Act Art. 5 breaches nearly certain without a probative architecture.
• SOURCE 0 resolves the trap through Opposability‑as‑a‑Service (OaaS): deterministic T‑0 capture, salt‑free SHA‑256 hashing, qualified eIDAS timestamping, and judicial escrow producing an authentic instrument under Book 8 NCC.
• The architecture restores evidentiary sovereignty, reverses the burden of proof, and establishes the Legal Presumption of Anteriority, protecting directors from personal liability under NIS 2 Art. 20 and DORA Art. 5(2).
[/AI‑SNIPPET]
EXECUTIVE SUMMARY
Acculturation Debt, Shadow Runs & the Evidentiary Trap under NIS 2, DORA and the AI Act
1. Acculturation Debt: A Structural Governance Failure
Market data (Saegus‑Odoxa) shows a massive gap between AI deployment pressure (88%) and organizational readiness (17%).
This gap creates acculturation debt: organizations deploy agentic systems faster than they can govern them.
2. Shadow Runs: The Operationalization of the Debt
Unsupervised local models (Gemma, Mistral, LLaMA) and unregistered API keys bypass corporate controls.
These deployments leave no SIEM/EDR footprint, no network signature, and no centralized logs.
Result: operators cannot reconstruct the agent’s configuration or instructions at the time of the incident.
3. The Evidentiary Trap under NIS 2 and DORA
NIS 2 Art. 21(2)(g) and DORA Art. 12 require ex‑ante traceability.
Without T‑0 evidence, supervisory authorities apply institutional hindsight bias:
“No trace = no control = operator fault.”
This triggers multi‑regime sanction exposure (NIS 2, DORA, AI Act, GDPR).
4. Frontier Model Drift Is Systemic (LARA Metrics)
Legal violation rates: Gemini 3.1 Pro (90%), Kimi K2.6 (93%), GPT‑5.5 (62%).
Deploying these models without a probative architecture exposes operators to near‑certain AI Act Art. 5 violations.
5. SOURCE 0: Opposability‑as‑a‑Service (OaaS)
Moves from observability (SIEM/EDR) to opposability:
deterministic T‑0 capture,
salt‑free SHA‑256 hashing,
qualified eIDAS timestamping,
judicial escrow with Digital Concordance Verification Report.
Produces the Legal Presumption of Anteriority under Book 8 NCC.
6. Director Protection & Liability Containment
SOURCE 0 circumscribes the temporal perimeter of personal liability.
Directors can prove the state of control before the incident, neutralizing narrative reconstruction by regulators.
7. Strategic Conclusion
Acculturation debt + Shadow Runs + absence of T‑0 evidence = catastrophic liability exposure.
SOURCE 0 is the only architecture that transforms AI governance from declarative compliance into Compliance by Proof.
For NIS 2/DORA/AI Act entities, deployment is not optional — it is an immediate operational imperative.
📝 DOCUMENT METADATA
Doctrinal Author: Jean-François ELSEN
Capacity: Senior Forensic Auditor — Specialist in Judicial Technical Expertise & Digital Evidence
Category: SOURCE 0 Doctrine — AI Governance & Probative Opposability Module
Regulatory Scope: NIS 2 (Dir. 2022/2555/UE, Art. 21 & Art. 36) · DORA (Reg. 2022/2554/EU, Art. 5 & Art. 12) · EU AI Act (Reg. 2024/1689/EU, Art. 5, Art. 6, Art. 9 & Art. 99) · GDPR (Art. 5, Art. 24 & Art. 83) · eIDAS 2 (Reg. 910/2014, as amended Reg. 2024/1183/EU, Art. 41) · Belgian New Civil Code Book 8
Target Audience: COMEX · Legal Departments · CISOs · NIS 2/DORA Auditors · Risk Managers · Brussels/Luxembourg/Global Boards
📋 DOCUMENTARY METADATA & INDEXING
To facilitate the indexing of this document by compliance committees, auditors, and search engines, please refer to the following standardized metadata:
Official Title: Acculturation Debt, Shadow Runs and the Evidentiary Trap: The SOURCE 0 Architecture as a Structural Response to the Agentic Blind Spot under NIS 2 and DORA
Author: Jean-François ELSEN
Reference Date: June 8, 2026
Anchoring Doctrine: SOURCE 0
Thematic Module: AI Governance & Probative Opposability
Analyzed Regulatory Framework: NIS 2, DORA, AI Act, GDPR, eIDAS 2, NCC Book 8
Forensic Core Architecture: SHA-256 salt-free + eIDAS QETS + Digital Concordance Verification Report
📜 LEGEND AND REPRODUCTION RIGHTS
All Rights Reserved: © 2026 Jean-François ELSEN — SOURCE 0 Doctrine — All Rights Reserved.
Distribution Limits: This document is intended for exclusive distribution to COMEX, Legal Departments, CISOs, NIS 2/DORA Auditors, and Risk Managers.
Unique Doctrinal Reference: SRC0-2026-06-08-AcculturationDebt-ShadowRun-EvidentiaryTrap
Legal Escrow: Corpus placed under probative deposit with a Belgian Justice Commissioner (compliant with the Judicial Reform of April 1, 2024).
Temporal Certification: Qualified timestamping compliant with the eIDAS 2 Regulation (Regulation 910/2014, amended by Regulation 2024/1183/EU, Article 41).
SECTION 1 — THE JUNE 8, 2026 CATALYSE: WHEN ACCULTURATION DEBT GENERATES THE AGENTIC BLIND SPOT
1.1 Market Data: A Documented Structural Gap
The Saegus-Odoxa study published today in Le Monde Informatique, conducted among 1,005 French respondents and 101 digital technology professionals, provides empirical grounding for a tension that the SOURCE 0 doctrine had already identified as a primary probative risk vector: the gap between the pace of agentic AI deployment and organizations' capacity to assimilate its operational, legal, and evidentiary implications.
The raw data are the following:
88% of digital experts believe generative AI will profoundly transform professional roles;
Only 17% consider training and support mechanisms to be adequate;
61% of executives anticipate a deep restructuring of their functions;
The adaptation window is estimated at 24 to 36 months;
66% of experts believe companies are not adopting AI practices rapidly enough.
The gap between transformation pressure (88%) and effective preparation (17%) constitutes what the SOURCE 0 doctrine designates as acculturation debt: a structural differential between the pace of technology adoption imposed by competitive pressure and the actual organizational maturity of operators deploying agentic systems.
Marc Trilling, President and co-founder of Saegus, frames this with a precision that transcends the HR sphere: "We can no longer settle for stacking software licenses." In terms of evidence governance, this statement translates into a forensic reality: stacking licenses without a probative architecture constitutes a documentary liability whose cost only materializes at the moment of the incident — before a supervisory authority or a court.
1.2 From Acculturation Debt to Shadow Runs: The Mechanics of Involuntary Circumvention
Acculturation debt does not merely produce a skills gap. It generates a specific operational behavior that the SOURCE 0 doctrine designates as the Shadow Run: the deployment or use, by operational executives who are insufficiently trained and subject to intense transformation pressure, of AI models outside the governance perimeters validated by the CISO function, those conditions creating a mechanic incentive to bypass corporate rules.
This behavior primarily operates through two vectors:
Vector 1 — Open-weights models on local endpoints: Models such as Gemma, Mistral, or LLaMA, deployed directly on business workstations or local servers, operate entirely outside any centralized infrastructure. Local execution on the machine's own storage generates no central network logs. These executions are structurally absent from SIEM supervision perimeters.
Vector 2 — Unregistered API endpoints: Direct access to frontier model APIs through personal keys or individual subscriptions, bypassing corporate proxies and gateways, produces outbound data flows that are untracked in standard telemetry tools.
1.3 The Structural Blind Spot of SIEM/EDR Against Nominally Compliant Agents
Traditional surveillance tools — Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) — were architected to detect human behavioral anomalies: unusual-hours access, volumetric exfiltration, unauthorized privilege escalation, malware signatures.
Against an AI agent executing locally on an endpoint, these tools present three structural blind spots:
Blind Spot 1 — Absence of network signature: Local execution produces no detectable network flows. The agent operates in working memory and local storage, without soliciting central infrastructure. SIEM tools, designed for flow analysis, have no observation surface.
Blind Spot 2 — Nominally compliant probabilistic drift: A compromised or misconfigured agent does not exhibit binary behavior (normal/anormal). It produces probabilistic drift: operational decisions that progressively diverge from validated parameters without ever triggering an alert threshold designed for discrete anomalies. An agent autonomously executing 10,000 nominally compliant but legally non-opposable operations will appear as a healthy process to all standard telemetry tools.
Blind Spot 3 — Absence of footprint in central logging infrastructure: Storage of agent outputs on local disks structurally bypasses centralized log pipelines. The data exists — but it exists only on the endpoint, outside the reach of audit infrastructures.
The direct legal consequence is the following: at the moment of an incident, the operator has no probative trace of the configuration state, deployment parameters, and operational instructions of the agent prior to the incident. It is this absence — and not the incident itself — that constitutes the primary liability risk.
1.4 LARA Metrics Validation: Frontier Model Drift Is Systemic
The LARA (Legal Assessment for Real-world Agents) study, published by the Aithos Research Foundation on May 27, 2026, conducted over 3,000 evaluation runs across 12 frontier models in 10 legal-risk scenarios covering GDPR and EU AI Act Article 5 (prohibited behaviors).
The empirical metrics of non-compliance per model are the following:
Claude Opus 4.7: 54% legal compliance rate | 46% violation rate
GPT-5.5: 38% legal compliance rate | 62% violation rate
Gemini 3.1 Pro: 10% legal compliance rate | 90% violation rate
Kimi K2.6 (Moonshot AI): 7% legal compliance rate | 93% violation rate
Every legal provision tested — emotional inference, psychological profiling, manipulation of vulnerable users — was violated by a majority of frontier models. The LARA study's conclusion is determinative for the liability doctrine: businesses deploying AI agents bear primary legal responsibility — not the model creators.
This principle is fully coherent with the operator liability framework established by the AI Act (Art. 26) and with the information system security obligations imposed by NIS 2 (Art. 21) and DORA (Art. 12). Black-swan algorithmic violation is not the exception in current agentic deployments: it is the default probabilistic regime.
SECTION 2 — THE EVIDENTIARY IMPASSE TRAP: NIS 2 ART. 21(2)(g) AND DORA ART. 12
2.1 The Operator Liability Framework: Liability Without Technical Escape
NIS 2 Directive (2022/2555/EU), Article 21(2), imposes on essential and important entities a cybersecurity risk management obligation that includes, at paragraph (g), security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure. Recital 79 clarifies that this obligation covers systems deployed by service providers and by operators themselves.
DORA Regulation (2022/2554/EU), Article 12, imposes on financial entities a logging obligation for ICT-related events, with an explicit requirement for chronological traceability of activities enabling the reconstruction of the chain of events in case of an incident. Article 12(3) specifies that records must be protected against unauthorized alteration or deletion.
Both regimes converge on a determinative point: the evidentiary obligation is ex ante, not ex post. The operator cannot reconstruct after the incident what was not captured before. And this is precisely what the structural blind spot of Shadow Run deployments — documented in Section 1 — makes impossible.
2.2 The Institutional Hindsight Bias Mechanism
In the face of absent traces, supervisory authorities — ANSSI for NIS 2 entities, ECB/EBA for DORA entities, the EU AI Office for AI Act entities — do not remain neutral. They systematically apply what the SOURCE 0 doctrine designates as the institutional Hindsight Bias.
Doctrinal Note: The concept of "Institutional Hindsight Bias" is a methodological qualification developed by Jean-François ELSEN to describe the logic of fault inference systematically applied by supervisory authorities in the absence of ex-ante proof: in the absence of evidence of prior control, the authority retrospectively infers that such control did not exist and that the incident was entirely foreseeable.
This mechanism is legally coherent with the evidentiary framework in regulatory matters: it falls upon the operator to demonstrate that appropriate measures were implemented. The absence of evidence does not benefit from the presumption of innocence applicable in criminal matters — it operates aggressively against the operator.
In terms of legal qualification, this situation constitutes a characterized fault within the meaning of Belgian Civil Code Article 1242 (corporate liability for fault of its organs), capable of engaging the personal liability of the director.
2.3 Applicable Sanction Ceilings
The sanction framework applicable to non-compliant agentic AI deployment intersects multiple instruments:
NIS 2, Art. 36 (Nationally Transposed): The directive sets the compliance floor, but national transpositions determine the penalty ceilings. Under Belgian national law (Transposition Act of April 26, 2024), administrative fines reach up to EUR 10 million or 2% of global annual turnover for important entities, and up to EUR 10 million or 2% of global turnover for essential entities, paired with binding remediation orders.
DORA, Art. 50: Financial sanctions and strict administrative measures, with explicit personal liability assigned to management body members (Art. 5(2)) for non-compliance with Article 12 dynamic logging obligations.
EU AI Act, Art. 99(3): For explicit violations of Article 5 (prohibited AI practices), fines reach up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher.
GDPR, Art. 83: Capped at EUR 10 million or 2% of global annual turnover under Article 83(4) for standard corporate accountability lapses (Art. 5(2)). However, if the autonomous agent's behavioral deviation violates core processing principles (Art. 5(1)), penalties escalate under Article 83(5) to EUR 20 million or 4% of global annual turnover.
The LARA metrics (Gemini 3.1 Pro at 90% violation rate, Kimi K2.6 at 93%) demonstrate that deploying these models without a prior probative architecture exposes the operator to near-certain violation of AI Act Article 5 provisions in the tested scenarios. The combination of Shadow Run + absence of traceability + demonstrated violation triggers multi-regime sanction accumulation.
2.4 Personal Director Liability: The Book 8 NCC Vector
Book 8 of the Belgian New Civil Code (Evidence), in force since November 1, 2020, has fundamentally restructured the evidentiary framework in civil matters. Article 8.4 establishes the freedom of proof between businesses and the opposability of electronic evidence subject to reliability conditions. Article 8.11 establishes the conditions under which a factual presumption may be rebutted.
In the NIS 2/DORA context, the personal liability of the director rests on two distinct foundations:
Foundation 1 — NIS 2, Art. 20(1): Member States must ensure that members of the management bodies of essential and important entities are personally accountable for compliance with risk management obligations. Belgian transposition law (Act of April 26, 2024) formally establishes and enforces this direct liability framework.
Foundation 2 — DORA, Art. 5(2): Responsibility for compliance with the ICT risk management framework explicitly rests with the management body, which must approve, oversee, and account for its implementation.
The Evidentiary Impasse materializes at the moment when the director cannot produce evidence of the state of control prior to the incident: there exists, in the Shadow Run architecture, no document contemporaneous with the facts attesting to the deployment parameters, the instructions given to the agent, and the control measures in force at T-0.
SECTION 3 — THE SOURCE 0 ARCHITECTURE: OPPOSABILITY-AS-A-SERVICE (OaaS)
3.1 From the Observability Paradigm to the Opposability Paradigm
⚠️ DOCTRINAL CLARIFICATION ON TEMPORAL MARKS: A clear distinction must be established between general "runtime execution governance" or "real-time process enforcement" (sometimes colloquially referred to in corporate literature as T-0 or runtime management) and The SOURCE 0 Doctrine
General runtime governance operates within the observability spectrum; it is managed by software layers vulnerable to execution drift. Conversely, The SOURCE 0 Doctrine (operating the T-0 Cryptographic Sealing Protocol) is a proprietary, legally bounded framework of evidentiary engineering. It does not merely monitor code at runtime; it extracts the human validation atom ex-ante to create an unassailable authentic deed under European Civil Law. Any framework claiming to deliver "T-0 control" without independent ministerial escrow (Justice Commissioner) remains exposed to the environment contamination impasse and fails the legal requirements of Book 8 NCC.
The cybersecurity and data governance industry has long structured its response around observability: the capacity to monitor in real time what occurs within systems. SIEM, EDR, SOAR, and monitoring platforms are observability tools. They produce visibility.
The SOURCE 0 doctrine executes a paradigm shift: observability produces operational knowledge — it does not produce opposable evidence. A log trace without qualified timestamping, stored in an infrastructure that the adversary or supervisory authority can challenge as alterable, is not evidence within the meaning of Book 8 NCC. It is data.
Opposability-as-a-Service (OaaS) designates the systematic architecture through which each operational atom — each agent deployment, each parameter update, each operational instruction — is captured, sealed, and timestamped in a manner constituting opposable evidence before any authority, before the incident occurs.
Downstream Observability Approach (SIEM / EDR): Managed by dynamic, continuous log telemetry pipelines. Data is highly vulnerable to post-hoc mutation or omission by persistent threats. High risk of forensic circularity. Consists in "watching the algorithmic drift occur" without legal defense.
Upstream Opposability Approach (SOURCE 0): Managed by fixed ex-ante cryptographic sealing at T-0. Employs pure mathematical fingerprints and a qualified authentic instrument. Reverses the procedural burden. Consists in "proving the initial command and mandate" bound by eIDAS regulation.
3.2 The Six Steps of the SOURCE 0 Architecture
STEP 1 — Ex_Ante Perimeter Definition (T-0 minus): Prior to any agentic system deployment, the operator precisely documents the agent's scope of action: the data it can access, the actions it is authorized to perform, configuration parameters, system instructions, and the explicit limits of its decisional autonomy. This document constitutes the Operational Historical Reality File - Baseline (DRH-B, referencing the Book 8 NCC framework) within the SOURCE 0 doctrine. This stage materializes early compliance with NIS 2 Article 21(2)(b) (asset governance) and anticipates AI Act Article 9 (risk management architecture for high-risk applications categorized under Article 6, acting here as an extended prudential framework). It forms the foundational baseline against which any subsequent agent drift will be evaluated.
STEP 2 — Deterministic T-0 Capture: At the exact moment of the agent's operational deployment — or any substantial modification of its parameters — the entire documentary corpus is captured in a fixed, unalterable state. This capture includes: configuration files, system instructions (system prompts), deployed model versions, granted permissions, and all elements determining the agent's behavior. The T-0 capture is deterministic: it produces an identical result regardless of when it is reproduced on the same source data. This property is the foundation of forensic opposability.
STEP 3 — Salt-Free SHA-256 Hashing (Probative Reproducibility): The entire corpus captured at T-0 is subjected to a salt-free SHA-256 hashing algorithm. The absence of salt is a deliberate doctrinal and legally grounded choice: a salted hash produces a different result on each execution, rendering independent verification of document integrity by a third party — specifically a Judicial Expert or supervisory authority — impossible. The salt-free SHA-256 hash is strictly reproducible: any operator possessing the same source data can, at any subsequent moment, recalculate the hash and verify its identity with the recorded hash. This reproducibility constitutes the core probative cryptographic property.
STEP 4 — Qualified eIDAS Timestamping with Automated TSL Verification: The SHA-256 hash is submitted to a Qualified Trust Service Provider (QTSP) within the meaning of eIDAS 2 Regulation (910/2014, as amended by Regulation 2024/1183/EU). The QTSP affixes a qualified electronic timestamp — a Qualified Electronic Time-Stamp (QETS) — that cryptographically binds the hash to a calendar time certified by a recognized authority. The SOURCE 0 architecture incorporates automated verification of the Trust Service List (TSL — Trust Service List) at the time of each timestamping operation. This verification ensures that the QTSP used is listed on the trust list of the relevant Member State, published in accordance with eIDAS Article 22. A timestamp produced by a provider not referenced on the TSL does not benefit from the legal presumption of eIDAS Article 41(2). The legal effect is determinative: the qualified timestamp benefits from a legal presumption of accuracy of the date and time and data integrity, opposable before any jurisdiction of the European Union.
STEP 5 — Judicial Escrow with Digital Concordance Verification Report: The sealed corpus — SHA-256 hash and qualified eIDAS timestamp — is deposited with a Belgian Justice Commissioner — Commissaire de Justice, formerly known as an huissier de justice (Belgian Judicial Reform of April 1, 2024) — as a probative deposit. The Justice Commissioner draws up an official Procès-Verbal de Constat de Concordance Numérique (Digital Concordance Verification Report) attesting to: the identity between the deposited document and its cryptographic representation; the date and time of deposit; the integrity of the deposit medium; and the concordance between the hash calculated in the Commissioner's presence and the recorded hash. This report constitutes an authentic instrument (acte authentique) within the meaning of Book 8 NCC Article 8.2, benefiting from the full probative force of an authentic deed—that is, an irrebuttable presumption of truth regarding the personal findings of the Justice Commissioner.
Industrial Scaling Note: To ensure continuous automation and high-volume processing capabilities for critical infrastructures and financial entities, the SOURCE 0 architecture interfaces directly with the technical registries of Interventus (Commissioners of Justice Associated). This partnership allows the instantaneous generation of the Procès-Verbal de Constat de Concordance Numérique via automated, API-driven legal escrow pipelines, turning judicial securing into an automated micro-service.
STEP 6 — Legal Presumption of Anteriority under Book 8 NCC: The combination of the preceding five steps produces what the SOURCE 0 doctrine designates as the Legal Presumption of Anteriority: proof that the document, in the state in which it stands, existed at the T-0 date and has not been modified since. This presumption is directly opposable to supervisory authorities within NIS 2 and DORA procedures: it reverses the burden of proof. The operator is no longer required to prove that appropriate measures were implemented — it has already proven this, irrevocably, before the incident occurred. The burden now falls on the authority to demonstrate that the measures thus documented were insufficient.
SECTION 4 — THE EPISTEMOLOGICAL LIMIT: ISOLATING LIABILITY AT T-0 AS LEGAL STRENGTH
4.1 The Foundational Epistemological Limit of the SOURCE 0 Doctrine
The SOURCE 0 doctrine rests on an epistemological limit that adversaries will systematically attempt to instrumentalize, and which its practitioners must master with absolute precision:
Cryptographic integrity of the sealed file is not equal to absolute truthfulness of the post-sealing runtime execution.
T-0 documents the governance state at the moment of deployment or periodic baseline alignment. It does not predict, monitor, or certify what the agent actually performed during its operational runtime. This boundary is not a weakness of the doctrine — it is its primary legal strength.
4.2 The Protection Mechanism Against Institutional Hindsight Bias
Facing a supervisory authority applying Hindsight Bias, the evidentiary dynamic without SOURCE 0 follows a catastrophic linear path:
Incident occurred → damages caused → absence of traces demonstrates absence of control → corporate management fault established by default.
With SOURCE 0, the dynamic is completely reversed and structured as follows:
Incident occurred → operator produces the DRH-B baseline sealed at T-0 → irrefutable proof of prior control established → supervisory authority must demonstrate that measures were structurally insufficient against the state of the art.
This reversal is determinative because it moves the debate from the most unfavorable ground for the operator (the absolute absence of evidence) to the most favorable ground (the quality of the technical and organizational measures taken, an appreciation that fully admits adversarial and contradictory discussion).
4.3 Director Protection: Probative Containment of Personal Liability
For the director personally, T-0 produces a probative containment effect: it circumscribes the temporal perimeter of potential personal liability. If the state of the art at T-0 was compliant with NIS 2/DORA/AI Act standards, the director's liability for subsequent events can only be engaged upon demonstration of a specific subsequent fault — an identified decision, taken after T-0, that causally contributed to the incident.
Narrative anachronism — the tendency of authorities to reconstruct a fault trajectory by reading the past through the lens of the incident — is neutralized by the documentary fixity of T-0. The sealed document cannot be reinterpreted in light of subsequent events: it says what it says, at the moment it said it.
4.4 Opposability Against ANSSI and the EU AI Office
ANSSI, in its NIS 2 inspection procedures, and the EU AI Office, in its AI Act audit procedures, operate on a post-incident temporal reference framework. Their questionnaires address the state of measures "at the time of the incident" and "prior to the incident."
Facing these questionnaires, the operator equipped with a complete SOURCE 0 architecture responds with a documentary corpus that is dated, intact, and benefits from a legal presumption of anteriority. The operator does not reconstruct — it produces. This operational distinction is the difference between declarative compliance (which does not survive audit) and Compliance by Proof, which is the only defensible posture in an environment of heightened accountability.
Regulatory Notice and Supplementary Resources
Jean‑François ELSEN provides corporate directors, legal departments, supervisory authorities, CISOs, risk managers, compliance officers, and critical infrastructure operators with access to complete protocol specifications, evidentiary architecture blueprints, and structural dissociation audit frameworks applicable to NIS 2, DORA, the AI Act, and high‑risk operational environments.
For formal doctrinal consultations, legal memoranda, evidentiary governance reviews, or forensic compliance audits, inquiries may be addressed to the office of Jean‑François ELSEN.