Criteria for Distinguishing Nominal from Operative H-4b in Public Sector Digital Infrastructure
D1–D4 arkkitehtuuriauditoinnin mittarit: nimellisen ja operationaalisen H-4b:n erottaminen julkisen sektorin digitaalisessa infrastruktuurissa
This note specifies the minimum audit criteria that distinguish nominal H-4b (process compliance) from operative H-4b (architectural compliance) for public sector digital infrastructure. It does not recommend specific technologies, procurement approaches, or implementation programmes. It identifies what structural properties must be demonstrably present — and how their presence can be verified — given the WP-011 analytical finding that process-level regulation does not constitute operative institutional liability.
The criteria are applicable to any jurisdiction evaluating its H-4b status under the WP-011 framework. The Finnish context is used as the primary reference case throughout.
WP-011 §06 identifies an Architectural Specificity Gap in current EU regulatory instruments. NIS2 and the Critical Entities Resilience Directive specify security process requirements more completely than they specify endurance architecture requirements. A jurisdiction can satisfy NIS2 in full while retaining the single-platform dependencies that WP-006 identifies as the primary continuity vulnerability in the public sector decision layer.
WP-011 §08.3 establishes a revised adoption rule in which H-4b operationalisation is the trigger condition for institutional adoption of viability architecture. But the model does not specify what H-4b operationalisation requires in concrete terms. This Technical Note provides that specification.
The diagnostic question this note answers: does the current regulatory and procurement framework make non-adoption of D1–D4 endurance architecture present-costly — or does it make non-adoption administratively acknowledged but consequence-free?
WP-011 §04 establishes that nominal institutional liability behaves functionally as absent liability, even when formally acknowledged. The distinction between nominal and operative H-4b is therefore the decisive variable — not the existence of regulatory frameworks but whether they change the adoption cost calculus.
| Dimension | Nominal H-4b — Process compliance | Operative H-4b — Architectural compliance |
|---|---|---|
| Primary question | Who is responsible? | Does it work under stress? |
| Audit object | Documentation, policies, best-practice adherence | D1–D4 structural properties — demonstrably present and measurable |
| Compliance vehicle | Cloud-provider SLAs, security certifications, management declarations | Sovereign hardware, independent logic, out-of-band capability |
| Enforcement trigger | Incident occurrence or documentation failure | Architectural specification absence — independent of incident history |
| Cost structure effect | Compliance costs are incurred; adoption cost calculus unchanged | Non-adoption produces present, attributable, proportionate institutional cost |
| Result | Compliance | Viability |
The structural gap between these two columns is the Architectural Specificity Gap. Closing it requires that audit frameworks specify D1–D4 properties as mandatory architectural requirements — not as process management obligations.
WP-006 §07 defines four duration components. This section specifies the minimum audit criteria for each. Each criterion is expressed as a verifiable property: either present and demonstrable, or absent. Where a property is absent, H-4b is nominal for that dimension regardless of process compliance status.
Decision-critical systems must sustain function across the reference compound stress duration without dependency on external grid availability or external fuel supply chains.
Decision-critical data — registers, operative information, situational awareness data — must remain accessible under conditions of network separation, provider unavailability, or jurisdictional stress.
Authentication and authorisation for decision-critical functions must remain operative when external identity infrastructure is unavailable. This is directly linked to the WP-003 Institutional Termination Time concept: identity failure terminates institutional decision capacity irrespective of data and power availability.
The decision audit trail for actions taken under compound stress must be preserved, tamper-evident, and accessible to post-event accountability processes — even if the primary systems that generated the decisions are no longer available.
WP-011 §08 establishes that H-4b becomes operative when non-adoption produces costs that are concrete, attributable, and proportionate to the adoption cost being avoided — independent of whether a failure event has occurred. The D1–D4 metrics in §03 specify what must be present. This section specifies the procurement standard that makes absence of these properties institutionally costly.
An operative H-4b procurement standard for public sector digital infrastructure has three structural properties:
D1–D4 endurance properties are specified as mandatory requirements in public procurement frameworks for decision-critical digital systems — not as optional "best practice" or "security recommendation" elements. A system that does not satisfy D1–D4 criteria cannot be procured for decision-critical functions, regardless of other compliance status.
Compliance with D1–D4 requirements is demonstrated through auditable evidence of the properties described in §03, not through provider declarations, SLA documentation, or security certifications alone. The audit must be performable by the procuring jurisdiction without provider intermediation.
Non-compliance with D1–D4 requirements produces consequences proportionate to the adoption cost avoided: contract termination rights, procurement exclusion, or regulatory sanction sufficient to make the cost of non-compliance exceed the cost of compliance. Without this property, the standard is nominal regardless of its technical specificity.
A jurisdiction whose procurement framework satisfies all three properties has operative H-4b for the D1–D4 scope. A jurisdiction whose framework satisfies Properties 1 and 2 but not 3 has a well-specified but nominal standard — the Architectural Specificity Gap is closed but the cost structure is unchanged.
WP-011 §05 identifies Finland as a live test case in which H-1, H-2, and H-3 are present but H-4b remains operationally incomplete. DA-005 establishes that Finland is simultaneously among the most attractive physical locations for AI infrastructure in Europe and among the most structurally exposed in terms of public decision-infrastructure continuity.
The falsification condition FC-4 from WP-011 §07 specifies the test: if Finland adopts continuity architecture for the public sector decision layer before NIS2/CER enforcement becomes operative, without an intervening forcing event, H-4a (political attributability) has demonstrated substitution capacity. If adoption occurs only after enforcement is operative, H-4b is confirmed as the necessary mechanism.
For this test to be evaluable, the following must be observable by 2028:
| Criterion | Observable indicator | H-4b status if present |
|---|---|---|
| Procurement standard | VM (Finnish Government ICT Centre) or equivalent central procurement authority has published D1–D4 minimum requirements for new decision-critical system contracts | Property 1 satisfied — specification present |
| Audit mechanism | At least one decision-critical system has undergone independent D1–D4 audit without provider intermediation; methodology documented and repeatable | Property 2 satisfied — verification mechanism present |
| Enforcement record | At least one procurement decision has been affected by D1–D4 non-compliance — either contract modified, delayed, or declined on architectural grounds | Property 3 satisfied — cost structure changed |
| H-3(t) status | Finnish procurement expertise for sovereign D1–D4 infrastructure is documentably available: at least one qualified supplier per dimension in the Finnish or directly accessible Nordic market | WP-011 §08.2 H-3(t) above threshold |
If all four indicators are present by 2028, Finland has operative H-4b for public sector digital infrastructure and the WP-011 prediction is on track. If the procurement standard exists but the enforcement record does not, Finland has nominal H-4b — Property 3 is the residual gap. If neither procurement standard nor audit mechanism exists, H-4b remains absent and NIS2/CER implementation has not closed the Architectural Specificity Gap.
The H-3(t) indicator is time-sensitive independently of H-4b. If Finnish procurement expertise for sovereign digital infrastructure is not documentably available by 2028, the H-3(t) atrophy risk identified in WP-011 §08.2 is materialising. This is a separate diagnostic from H-4b status — a jurisdiction can have operative H-4b but an H-3(t) below threshold, producing the trigger-without-execution failure mode.
NIS2 advances the H-4b structure in several respects: extended scope, strengthened incident reporting, and management personal liability provisions. These are moves toward operative H-4b. The residual gap is architectural specificity.
| Regulatory instrument | What it specifies | What it does not specify | H-4b assessment |
|---|---|---|---|
| NIS2 (Directive 2022/2555) | Risk management measures, incident reporting, supply chain security, management accountability | D1–D4 endurance architecture properties; does not prohibit hyperscale single-platform dependency for decision-critical functions | NOMINAL for D1–D4 scope |
| CER Directive (2022/2557) | Physical resilience of critical entities; business continuity, risk assessment, incident reporting | Digital decision-layer endurance architecture; D1–D4 specifications not referenced | NOMINAL for D1–D4 scope |
| DORA (Regulation 2022/2554) | ICT risk management for financial sector; resilience testing, third-party risk | Sector-specific; does not apply to general public sector decision infrastructure | SECTOR-LIMITED |
| Procurement standard (hypothetical operative H-4b) | D1–D4 mandatory for decision-critical systems; verifiable audit; proportionate enforcement | — | OPERATIVE if Properties 1–3 satisfied |
The instrument that would close the gap does not yet exist at the EU level or in Finnish national procurement frameworks at the specificity required. This is not a failure of the existing instruments — NIS2 and CER were designed to address different failure modes. The D1–D4 architectural requirement falls in the space between them.
Duration threshold calibration. What is the minimum duration for D1 (power endurance) that constitutes the compound stress reference event? WP-001 establishes the Black Period concept; its quantitative calibration to the Finnish public sector load profile has not been conducted in available public analysis. The 72-hour threshold used in §03 is a working minimum derived from DA-001 S2 — it requires domain-specific stress scenario analysis to confirm.
H-3(t) atrophy rate. At what rate is Finnish procurement expertise in sovereign digital infrastructure developing or degrading? This is the critical variable for the §05 H-3(t) indicator. If the talent pool is not documentably growing, the trigger-without-execution failure mode may already be approaching. Quantitative assessment requires labour market data on ICT procurement expertise in Finnish public administration, which is outside the scope of this note.
Successful Deferral boundary. WP-011 §08 FC-6 introduces the Successful Deferral falsification condition: if the threat dissolves before a forcing event, H-4b investment was not required. The technical forcing condition (§8.3) bounds when D1–D4 adoption is structurally necessary. Defining the probability threshold P(catastrophic loss | no adoption) in quantitative terms for the Finnish public sector decision layer requires a risk quantification exercise not attempted in the WP or TN series to date.
Minimum viable scope. Not all public sector systems require D1–D4 compliance. The criteria in §03 apply to decision-critical functions. Defining the boundary between decision-critical and non-decision-critical in Finnish government architecture — i.e. which systems, if unavailable under compound stress, constitute an Institutional Termination Time event in WP-003 terms — is a scoping exercise this note does not resolve.