SOURCE 0 : YOUR LOGS ARE NOT EVIDENCE. THEY ARE ALLEGATIONS

THE COGNITIVE GAP BETWEEN A TRACE AND A PROOF IS WHERE LITIGATION IS DECIDED. MOST DIGITAL LEADERS DO NOT SEE IT UNTIL IT IS TOO LATE.

MOST ORGANISATIONS DO NOT LACK TRACES. THEY LACK PROOF.


Author : Jean‑François ELSEN (Senior Forensic Auditor · Judicial Specialist in Digital Evidence · DGSA)

Location : Brussels – Charleroi, Belgium

Organization : Cabinet Jean‑François ELSEN · jfelsen.com

Classification : Authoritative Public Release · June 2026

Audience : C‑Suite Executives, Boards of Directors, Regulators, Supervisory Authorities, Legal Departments, CISOs, Risk Managers, Compliance Officers, AI Governance Architects, Cloud and Security Engineers, Forensic Analysts, Critical Infrastructure Operators, Public Authorities, Financial Institutions, Industrial Operators

Series : SOURCE 0 Doctrine Series


[AI-SNIPPET]

A digital trace records that an event occurred. Digital proof establishes, in a legally enforceable manner, who bears responsibility for that event and under what conditions the record cannot be contested. Trace and proof are not two degrees of the same continuum. They are two incompatible epistemic spaces governed by different rules, evaluated by different actors, and producing entirely different legal effects. The proof space is an autonomous legal domain: it cannot be derived from, or reduced to, a technical domain, however sophisticated. The gap between them is architectural, not procedural. SOURCE 0 is the conversion operator that closes it at the moment the event occurs, not after the fact.

[/AI-SNIPPET]


EXECUTIVE SUMMARY

  • Every organisation subject to NIS 2, DORA, or the AI Act generates traces continuously: logs, timestamps, SIEM events, audit trails, configuration records.

  • None of these traces constitute proof in the legal sense until a normative system attributes probatory value to them.

  • The confusion between trace and proof is universal, including among technically sophisticated actors, and it creates a structural liability gap that no existing compliance framework addresses at the architectural level.

  • SOURCE 0 is the doctrine that converts traces into legally opposable proof at T-0, the moment of occurrence, by applying a deterministic sequence: SHA-256 sealing combined with a qualified eIDAS timestamp, temporal anchoring in a Dossier de Realite Historique, and judicial sequestration via a Commissaire de Justice.

  • Under eIDAS Article 41(2), operative since Regulation EU 910/2014 and reinforced in eIDAS 2.0 (Regulation EU 2024/1183, in force 20 May 2024), qualified electronic timestamps carry a legal presumption of accuracy and integrity. Without a qualified timestamp, the burden of proving accuracy falls entirely on the organisation relying on the record. With one, that burden shifts to the challenger. SOURCE 0 produces qualified-timestamped artefacts systematically and at scale.


THE EPISTEMIC FAULT LINE

Last week I read a thread on LinkedIn in which a senior infrastructure architect with a doctorate from a leading technical university argued that his organisation was audit-ready because it retained ninety days of centralised logs. Several peers with equivalent credentials agreed.

Not one of them asked the question that a litigation counsel would ask in the first five minutes of a dispute.

Can you prove that these logs were not modified after the fact, by whom, and under what conditions of custody?

This is not a technical failure. It is an epistemic one. The distinction between a trace and a proof does not live in the engineering curriculum. It lives in the law of evidence.


TRACE AND PROOF ARE NOT IN THE SAME SPECTRUM

The most consequential error in digital governance is categorical, not procedural. Trace and proof are not two points on the same line. They are two incompatible epistemic spaces governed by different rules, evaluated by different actors, and producing entirely different legal effects.

The proof space is an autonomous legal domain. It cannot be derived from a technical domain, however sophisticated. No degree of engineering rigour, architectural redundancy, or operational maturity in the technical space produces automatic recognition in the legal space. The passage from one to the other requires a deliberate act of conversion governed by normative rules, not technical standards.

Governance operates in the technical domain. Proof operates in the legal domain. The two are not connected by default.

THE TWO JURISDICTIONS

The operational jurisdiction governs logs, SIEM platforms, monitoring systems, and audit trails. It is the domain of technical governance: access controls, retention policies, integrity checks, and detection capabilities. Actors in this jurisdiction are engineers, architects, and CISOs. The rules are technical standards, vendor specifications, and internal governance frameworks.

The probatory jurisdiction governs proof, opposability, and the allocation of the burden of proof. It is the domain of courts, regulatory authorities, and adversarial proceedings. Actors in this jurisdiction are judges, regulators, and litigation counsel. The rules are evidence law, civil procedure, and the regulatory frameworks that define what constitutes admissible documentation.

No technical instrument produced exclusively within the operational jurisdiction carries automatic evidential weight in the probatory jurisdiction. The transfer requires conditions that the operational jurisdiction cannot self-certify.

WHY A TRACE CAN NEVER BECOME PROOF

This is the proposition that most practitioners resist. They believe that a sufficiently well-maintained trace, with good metadata, strong retention policies, and immutable storage, eventually rises to the level of proof. It does not. The reason is structural.

THE FOUR CONDITIONS OF PROOF

  1. Independence: the record must be produced by a party or process that is independent of the party relying on it.

  2. Integrity: the record must demonstrably not have been modified since the moment of its creation.

  3. Antecedence: the record must pre-exist the dispute it is called to resolve.

  4. Opposability: the record must carry a form of legal recognition that allows it to be relied upon in adversarial proceedings against a resisting party.

A trace satisfies, at most, a partial version of condition 2. It satisfies none of the others by default.

DEPENDENCY

A trace is produced by the same infrastructure it is meant to document. The system that generated the event generated the record of the event. In legal terms, this is the equivalent of asking a party to certify their own compliance. Under Book 8 of the Belgian New Civil Code (Law of 13 April 2019), specifically Article 8.2 on the probatory value of private instruments, a document produced by the party that relies on it constitutes an unauthenticated unilateral declaration. It does not carry the presumption of authenticity that an authentic act carries. It is prima facie contestable.

Belgian probatory law distinguishes between the preuve parfaite, which carries a legal presumption of accuracy and can only be challenged by improbation or forgery proceedings, and the preuve imparfaite, which is subject to free judicial appreciation and can be contested by any contrary evidence. In the Belgian probatory hierarchy, an internal log can never reach the rank of preuve parfaite. It remains, by nature, a preuve imparfaite subject to unconstrained judicial appreciation, and therefore contestable without restriction.

RECONSTRUCTIBILITY

Any data produced inside a system is, by definition, reconstructible by an actor with sufficient access to that system. This is not a theoretical risk. Security analyses of cloud logging infrastructures published in 2025 and 2026 have confirmed that SIEM pipelines and log analytics platforms share administrative planes with the systems they monitor. An actor with IAM privilege escalation can modify, delete, or re-order log entries. The modification may leave no detectable trace in the very logging system that was modified.

When the logging system and the compromised system share the same administrative boundary, the log is not a witness. It is a suspect.

ABSENCE OF PROBATORY JURISDICTION

A trace exists in the operational jurisdiction. Proof exists in the probatory jurisdiction. No amount of technical sophistication in the operational jurisdiction produces automatic recognition in the probatory jurisdiction. A log is not admissible as proof because it is accurate. It is admissible because a normative system has recognised the conditions of its production as legally sufficient. Those conditions are defined by eIDAS, by national civil procedure law, and by the standards of digital forensics. Most internal logging systems satisfy none of them.

ABSENCE OF ANTECEDENCE

A proof must pre-exist the dispute it resolves. This is not a preference. It is a foundational constraint of evidence law across all EU jurisdictions. A record created, modified, or reconstructed after the dispute has materialised is not proof. It is reconstruction, and reconstruction is contestable on its face without the adversary needing to prove bad faith.

T-0 is therefore not a technical design choice. It is a legal constraint. The capture of the event state must occur at the instant of the event, because any record produced after that instant operates in contested temporal territory.

WHY NO SIEM CAN PRODUCE PROOF

WHY A SIEM CANNOT, BY NATURE, PRODUCE A PROOF

  1. Dependency: a SIEM ingests data from systems it shares administrative space with. The record and the system it documents are under the same administrative control.

  2. Transformation: SIEM platforms apply normalisation, parsing, and enrichment rules that transform raw events into derived records. Each transformation step moves the record further from the primary event. Enrichment is interpretation, and interpretation destroys probatory primacy.

  3. No qualified timestamp: SIEM timestamps are internal clock readings, not externally certified temporal anchors. Without a qualified eIDAS timestamp, there is no legal presumption of accuracy. The burden of proving accuracy falls on the organisation, not the challenger.

  4. No chain of custody: the path from event occurrence to record presentation is not documented by an independent party. The organisation is custodian of its own evidence, which is the textbook definition of a conflict of interest in evidence law.

The SIEM enrichment point demands specific attention. When a SIEM normalises an event, it replaces the raw system output with a structured, interpreted record. When it enriches that record with threat intelligence, asset data, or contextual correlations, it adds information that was not present at the time of the event. The resulting record is not the event. It is a derived document. In probatory terms, the derivation breaks the chain of integrity between the primary event and the presented record.

A SIEM TELLS YOU WHAT HAPPENED. IT CANNOT TELL A COURT WHO IS RESPONSIBLE.

The legal consequence is direct. In any regulatory enforcement action or civil litigation, a competent counsel can raise the following objections against a SIEM record as a matter of right, without requiring access to the system or proof of specific tampering:

  • The record is produced by the party relying on it, constituting an unauthenticated unilateral declaration under Art. 8.2 of the Belgian New Civil Code.

  • The record does not carry a qualified timestamp under eIDAS Art. 41, and therefore does not benefit from the legal presumption of accuracy and integrity. The burden remains on the producing organisation.

  • The chain of custody from the moment of occurrence to the moment of presentation is not documented by an independent third party.

  • The record has been transformed by enrichment and normalisation processes, making it a derived document rather than a primary record of the event.

These four objections can be raised simultaneously. In a regulatory enforcement action where the burden is on the entity to demonstrate compliance, their combined effect is sufficient to reduce the SIEM record to an indication. An indication is not enough.

THE REGULATORY FRAMEWORK DOES NOT SOLVE THIS. IT EXPOSES IT.

NIS 2 (Directive EU 2022/2555) requires essential and important entities to implement risk management measures and to report significant incidents within 24 hours for an early warning and 72 hours for a formal notification. DORA (Regulation EU 2022/2554), applicable from 17 January 2025, imposes a comprehensive ICT risk management framework on financial entities and mandates incident reporting on specific timelines.

What neither framework specifies is the architecture of proof. They require that you have managed risk. They do not specify how you demonstrate, in a legally opposable manner, that you did so at the moment the risk materialised.

The gap is not in the regulation. It is in the epistemic posture of those who implement it.

THE BOARD LIABILITY CONSEQUENCE

Under Article 34 of NIS 2, management bodies can be held personally liable for compliance failures. The Belgian transposition law of 26 April 2024 imposes a strict obligation on management bodies to approve and actively supervise risk management measures. In the event of a systemic incident, a failure to demonstrate active supervision at the moment of the event exposes directors and CISOs to personal liability for non-intentional fault, which in Belgian law does not require intent, only negligence.

The operative word is demonstrate. The management body that relied on a SIEM dashboard and a PDF board report cannot demonstrate active supervision at T-0. It can describe what its governance framework said it would do. It cannot prove what it actually did, at the moment it needed to do it, with a record that no adversary can contest on procedural grounds.

Governance without proof is liability without defence. Under Art. 34 of NIS 2, a board's personal exposure is not resolved by a policy document. It is resolved by a proof artefact.

THE FOUR ILLUSIONS THAT WILL FAIL YOU IN PROCEEDINGS

ILLUSION 1: AN IMMUTABLE LOG IS PROOF

Immutability at the storage layer addresses integrity after archiving. It does not address the integrity of the data before archiving, the independence of the production process, or the authenticity of the timestamp. An immutable log of a tampered event is an immutable record of a false state. Immutability is a property of storage, not a condition of proof.

ILLUSION 2: AN AUDIT TRAIL IS OPPOSABLE

An audit trail is a sequential record of actions within a system, produced by the system, stored by the system, and exported by the system operator. It is the textbook definition of an unauthenticated unilateral declaration under Art. 8.2 of the Belgian New Civil Code. Its opposability depends entirely on conditions of production that an internal audit trail cannot self-certify.

ILLUSION 3: A QUALIFIED ELECTRONIC SIGNATURE ON A REPORT IS SUFFICIENT

A qualified electronic signature certifies the identity of the signatory and the integrity of the document at the time of signing. It does not certify the accuracy of the contents, the conditions under which the underlying data was produced, or whether the data reflects the true state of the system at the time of the event. A signed false report is a false report with a valid signature.

ILLUSION 4: A BLOCKCHAIN RECORD IS AUTOMATICALLY ADMISSIBLE

Distributed ledger technology provides tamper-evidence at the record level. It does not provide probatory jurisdiction. Under eIDAS 2.0, the qualified electronic ledger service is a defined trust service with a legal presumption of integrity. Standard blockchain deployments outside the qualified trust service framework carry no such presumption. They are, at best, strong technical indicators subject to free judicial appreciation.

WHAT EIDAS 2.0 TELLS US: THE BURDEN SHIFTS

The eIDAS regulation, updated through Regulation EU 2024/1183 which entered into force on 20 May 2024, provides the most precise legal definition available in EU law of what constitutes a trustworthy digital record. The core mechanism pre-dates eIDAS 2.0: Article 41(2), operative since Regulation EU 910/2014, establishes that a qualified electronic timestamp carries the presumption of accuracy of the date and time it indicates and the integrity of the data to which it is bound.

The absence of a qualified timestamp has a precise legal consequence that is rarely articulated. Without one, no legal presumption attaches to the record. The organisation presenting the record bears the full burden of proving its accuracy, its integrity, and the conditions of its production. In adversarial proceedings, with an expert witness for the opposing party, this burden is frequently impossible to discharge.

With a qualified timestamp, the burden inverts. The party challenging the record must prove that the timestamp is inaccurate, which requires challenging a qualified trust service provider operating under EU supervision. This is not impossible, but it raises the cost and technical complexity of challenge by an order of magnitude.

Art. 41(2) does not make your proof unassailable. It makes your adversary's challenge expensive, slow, and technically demanding. In contentious proceedings, that asymmetry is often sufficient to determine the outcome.

eIDAS 2.0 extends this logic with the qualified electronic archiving service and the qualified electronic ledger, creating a complete evidentiary infrastructure at the EU level. The cross-border recognition of these instruments is guaranteed by the eIDAS framework across all 27 EU member states. This is the layer that ensures transfrontier opposability. The Commissaire de Justice provides Belgian-law judicial authentication. eIDAS provides EU-wide legal recognition. The two operate at different levels and are both necessary.

THE SOURCE 0 CONVERSION ARCHITECTURE

SOURCE 0 is built on a single doctrinal principle: the probatory conversion of a trace into evidence must occur at the moment of the event, not at the moment of the dispute. Retroactive proof construction is not proof. It is reconstruction, and reconstruction is contestable.

SOURCE 0 is technology-neutral. It does not depend on any proprietary system, vendor platform, or certified product. Its instruments are legal: the eIDAS qualified timestamp, the SHA-256 cryptographic seal, the Dossier de Realite Historique, and the Commissaire de Justice. Each of these instruments exists independently of SOURCE 0 and carries its own legal weight. SOURCE 0 assembles them in the one sequence that produces a legally opposable artefact before a dispute can open.

STEP 1: CAPTURE AT T-0

The state of the system, the decision taken, or the event that occurred is captured at the instant of occurrence. Not summarised. Not reported. Captured. The distinction between a primary record and a derived record is established at this step. T-0 is not a technical preference. It is the legal condition of antecedence: the proof must pre-exist the dispute.

STEP 2: SHA-256 SEALING COMBINED WITH A QUALIFIED EIDAS TIMESTAMP

The captured state is sealed with a SHA-256 cryptographic hash. SHA-256 produces a deterministic, one-way fingerprint: any modification to the underlying data produces a different hash, making tampering immediately detectable. SHA-256 alone establishes only that the document has not been modified since the moment of hashing. It does not establish what that moment was, and it carries no legal presumption.

The qualified eIDAS timestamp is therefore not optional. It binds the hash to a certified point in time, produced by an accredited trust service provider, carrying the legal presumption of Art. 41(2). The combination of SHA-256 plus a qualified timestamp produces an artefact that is both cryptographically tamper-evident and legally presumed accurate as to its time of creation. Neither element is sufficient without the other.

STEP 3: TEMPORAL ANCHORING IN THE DOSSIER DE REALITE HISTORIQUE

The sealed and timestamped record is embedded in a structured historical reality file that contextualises the event within its operational, regulatory, and organisational environment. The DRH is not a report produced after the fact. It is a primary instrument sealed at T-0: the document that a litigation counsel or a regulatory inspector will read to understand the state of the system at the moment of the event, with all contextual information sealed at the same instant.

STEP 4: JUDICIAL SEQUESTRATION VIA THE COMMISSAIRE DE JUSTICE

Three distinct legal functions must be understood precisely:

  • Authentication: the Commissaire de Justice attests, as a judicial officer under Belgian law, that the document deposited is the document presented. This creates an acte authentique under Belgian civil procedure, carrying a presumption of authenticity that can only be challenged by improbation proceedings. This is the transition from preuve imparfaite to preuve parfaite.

  • Sequestration: the deposit places the document outside the exclusive control of the depositing party. From the moment of deposit, the document is held by an independent judicial officer, breaking the self-certification loop that makes internal records legally vulnerable. The organisation is no longer custodian of its own evidence.

  • Opposabilite: the combination of authentication and sequestration, bound to a qualified eIDAS timestamp, produces an instrument opposable in Belgian courts. Cross-border EU opposability is carried by the eIDAS-qualified timestamp layer. The Commissaire de Justice provides Belgian-law judicial authentication. eIDAS provides EU-wide legal recognition. Both are necessary. Neither alone is sufficient for full cross-border probatory force.
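
Steps 1 and 2 above, sketched as an added example (not code from the author or from the SOURCE 0 doctrine): the raw captured bytes are sealed with SHA-256, and the digest is wrapped in a timestamp request that a trust service provider would sign. It assumes the provider speaks RFC 3161, which the page does not name; the sample log line, the `normalise` function and its enrichment field are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# DER AlgorithmIdentifier for SHA-256 (OID 2.16.840.1.101.3.4.2.1, NULL params).
SHA256_ALG_ID = bytes.fromhex("300d06096086480165030402010500")

# Constructed sample: one raw log line exactly as the source system emitted it.
RAW_EVENT = (b"2026-06-02T09:14:07Z host=pay-gw-01 user=svc-batch "
             b"action=config_change key=tls.min_version old=1.2 new=1.0\n")


def der(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_int(value):
    """Encode a non-negative INTEGER in minimal two's-complement form."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def seal(raw):
    """SHA-256 over the captured bytes, before any parsing or enrichment."""
    return hashlib.sha256(raw).digest()


def build_timestamp_request(digest, nonce=None):
    """Build an RFC 3161 TimeStampReq (DER) carrying the digest, not the data."""
    if len(digest) != 32:
        raise ValueError("expected a 32-byte SHA-256 digest")
    if nonce is None:
        nonce = secrets.randbits(64)  # lets the caller match reply to request
    imprint = der(0x30, SHA256_ALG_ID + der(0x04, digest))  # MessageImprint
    body = der_int(1) + imprint + der_int(nonce) + der(0x01, b"\xff")  # certReq
    return der(0x30, body)


def verify_seal(candidate, digest):
    """True only if candidate is byte-for-byte what was sealed."""
    return hmac.compare_digest(hashlib.sha256(candidate).digest(), digest)


def normalise(raw):
    """Hypothetical SIEM-style parsing plus enrichment of the raw line."""
    ts, *pairs = raw.decode().split()
    record = {"@timestamp": ts, **dict(p.split("=", 1) for p in pairs)}
    record["asset_criticality"] = "high"  # added later, absent at T-0
    return json.dumps(record, sort_keys=True).encode()


def demo():
    digest = seal(RAW_EVENT)
    request = build_timestamp_request(digest)
    edited = RAW_EVENT.replace(b"new=1.0", b"new=1.3")
    return {
        "sha256": digest.hex(),
        "timestamp_request_bytes": len(request),
        "raw_matches": verify_seal(RAW_EVENT, digest),
        "derived_matches": verify_seal(normalise(RAW_EVENT), digest),
        "edited_matches": verify_seal(edited, digest),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The request is sent to the provider as `application/timestamp-query`; the signed token that comes back, not the local hash, is the artefact to which the Art. 41(2) presumption can attach, and only when the provider is a qualified trust service provider. The normalised record failing verification is the derived-document problem described in the SIEM section: only the untransformed bytes match the seal.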

THE KINETIC ASYMMETRY PARADOX

There is a structural asymmetry in every regulatory enforcement action and every litigation involving digital evidence. The adversary has time after the event to construct their case. The organisation that experienced the event does not.

By the time a dispute materialises, the administrative boundary of the logging system has been accessed by multiple actors. Logs have been queried, filtered, and exported. The evidentiary chain has been touched in ways that are difficult or impossible to document retrospectively. The adversary's expert witness does not need to prove that tampering occurred. They need only establish that tampering was technically possible and that the chain of custody was not documented by an independent party. That is sufficient to destroy the probatory value of the record.

The party that must prove compliance is the party least able to construct proof after the fact, precisely because the systems it relied on to manage the event are the same systems now under scrutiny.

The only architecturally sound response to this paradox is to produce proof before the dispute exists.


CONCLUSION

The distinction between a trace and a proof is not a legal technicality. It is a structural fault line that runs through every compliance programme, every incident response plan, and every board presentation on cyber risk that relies on logs as evidence of governance.

Senior technical professionals confuse these categories not because they lack intelligence but because their training does not equip them with the epistemic framework that litigation requires. The PhD who believes that ninety days of centralised logs constitutes audit readiness is applying a correct technical model in the wrong normative domain.

SOURCE 0 is the architectural response to this category error. It does not improve your logs. It converts them into something that logs can never be on their own: evidence that carries a legal presumption of integrity, produced at the moment of occurrence, sequestered by a judicial officer, and immune to the procedural challenges that destroy internal records in adversarial proceedings.

SOURCE 0 does not ask you to trust a proprietary standard. It does not invent new instruments. It assembles what already carries legal force under EU law, in the one sequence that closes the evidentiary gap before a dispute can open it. The doctrine is agnostic to platforms, vendors, and systems. Its authority derives from eIDAS, from Belgian civil procedure, and from the law of evidence. Not from proprietary technology.

Governance describes. Proof establishes. Until that distinction is architecturally integrated, no organisation is genuinely compliant, regardless of the quality of its governance.

As long as proof is not produced at T-0, no organisation can claim to be genuinely compliant.

YOUR LOGS TELL A STORY. SOURCE 0 ESTABLISHES A FACT.


Regulatory Notice and Supplementary Resources

Jean‑François ELSEN provides corporate directors, legal departments, supervisory authorities, CISOs, risk managers, compliance officers, and critical infrastructure operators with access to complete protocol specifications, evidentiary architecture blueprints, and structural dissociation audit frameworks applicable to NIS 2, DORA, the AI Act, and high‑risk operational environments.

For formal doctrinal consultations, legal memoranda, evidentiary governance reviews, or forensic compliance audits, inquiries may be addressed to the office of Jean‑François ELSEN.

Jean-François ELSEN

Jean-François ELSEN is an auditor and expert in industrial security. Creator of the SOURCE 0® Doctrine, he deploys opposable-reality infrastructures to secure critical flows, protect VIP clients, and immunise organisations against after-the-fact rewritings of history.

https://jfelsen.com