Criteria for Determining Which Public Sector Systems Require D1–D4 Audit Control
Decision-criticality classification tool: grounds for placing public sector systems within the scope of D1–D4 auditing
This note specifies the classification criteria for determining which public sector digital systems fall within the D1–D4 audit control requirement established in TN-003. It does not assess any specific system or recommend specific procurement exclusions. It provides a replicable scoping methodology applicable to any jurisdiction evaluating its D1–D4 audit scope.
The scoping tool is designed to be applied before procurement decisions, not after. Its purpose is to establish, at the architecture design stage, whether a system's failure under compound stress conditions would constitute an Institutional Termination Time event in the sense of WP-003.
TN-003 Q-4 identifies the boundary problem: not all public sector systems require D1–D4 compliance. Applying the full TN-003 audit framework universally produces two failure modes with opposite costs. Over-scoping makes the framework administratively unworkable — every system becomes "critical" and the framework loses discriminative power. Under-scoping leaves genuinely decision-critical systems under standard ICT governance, producing NIS2-compliant but structurally vulnerable infrastructure.
The scoping question is not: is this system important? The scoping question is: does loss of this system under compound stress conditions terminate, paralyse, or permanently compromise the institution's decision-making capacity or the accountability trail for decisions already made?
Importance and decision-criticality are not the same property. A payroll system may be important; its loss does not terminate institutional decision capacity. An authentication layer for classified executive communications may serve few users; its loss terminates decision capacity immediately and irreversibly for those functions.
The two scoping errors have asymmetric consequences. Understanding their structure is necessary before applying the classification criteria.
Over-scoping. Too many systems are classified as decision-critical. D1–D4 audit requirements are imposed on systems whose loss would be disruptive but not institutionally terminal. Consequences: high procurement cost, slow procurement cycles, administrative resistance, and eventual framework abandonment as the compliance burden exceeds political tolerance. The framework retains formal existence but loses operative effect — a nominal standard in the sense of WP-011 §04.
Under-scoping. Genuinely decision-critical systems remain under standard ICT governance. The system satisfies NIS2 process requirements, holds security certifications, and is managed by a reputable provider. Under compound stress, the D1–D4 endurance properties are absent. The institution is fully compliant and structurally exposed at the same time — the Architectural Specificity Gap in operational form.
The scoping tool is the mechanism that holds these two errors apart. Its discriminative power depends entirely on the precision of the decision-criticality criteria — which is why the criteria must be expressed in structural terms, not in terms of operational importance, strategic value, or political sensitivity.
Three tiers are defined. Tier assignment determines audit requirement, not organisational priority. A Tier C system may be operationally important; it is not subject to D1–D4 audit control because its loss does not satisfy the termination criteria.
A system is Tier A if its loss under compound stress satisfies at least one of the following terminal conditions:
TC-1 Decision termination: loss prevents a legally or operationally authorised decision-maker from issuing, recording, or transmitting a binding decision for the duration of the stress event.
TC-2 Execution termination: loss prevents the implementation of decisions already made — blocking the command, authentication, or authorisation pathway through which decisions are acted upon.
TC-3 Accountability termination: loss permanently destroys or renders inaccessible the audit trail required to verify, after the fact, who decided what, with what authority, and under what conditions.
A system is Tier B if its loss causes significant operational disruption but does not satisfy TC-1, TC-2, or TC-3. The institution retains the ability to make, execute, and audit decisions, but service delivery to populations or internal administrative functions is degraded. Recovery is necessary, but institutional function does not depend on it being immediate.
Tier B systems require NIS2/CER compliance plus partial D1/D2 endurance assessment. They do not require the full TN-003 audit framework and are not subject to automatic procurement veto for D3/D4 non-compliance.
A system is Tier C if its loss produces administrative inconvenience or delays routine processes but has no effect on institutional decision capacity, service execution for critical populations, or audit trail integrity. Recovery can be deferred without institutional consequence during a compound stress event.
The following five questions operationalise the Tier A terminal conditions. A system is assigned Tier A if it answers Yes to Q-1 alone, or Yes to any three of five questions, or Yes to Q-1 plus Yes to Q-4 or Q-5. Any other combination indicates Tier B or C.
Tier A: Q-1 alone; or any three of five; or Q-1 + (Q-4 or Q-5).
Tier B: Q-2 or Q-3 alone without Q-1; or exactly two Yes answers without Q-1. Q-4 alone — without Q-1 or a three-question convergence — indicates elevated review but does not trigger Tier A. Audit trail loss is terminal only when decision-critical functions (Q-1) are at stake; standalone audit dependency without decision dependency is a serious governance risk but not an ITT condition.
Tier C: Zero or one Yes answer with no Q-1, other than a standalone Q-2 or Q-3 (which is Tier B as above). Standard governance applies.
The following examples apply the scoping test to system categories typical of Finnish public sector digital architecture. These are structural observations, not assessments of specific systems. Actual classification requires the scoping test to be applied to the specific technical and operational configuration of each system.
| System category | Q-1 | Q-2 | Q-3 | Q-4 | Q-5 | Probable tier |
|---|---|---|---|---|---|---|
| Government executive authentication layer (suomi.fi identity, strong authentication for ministerial systems) | Yes | Yes | Yes | Yes | Yes | Tier A — TC-1, TC-3 via D3 cascade |
| Cabinet decision documentation and registry (secure communications for government decisions) | Yes | Yes | Yes | Yes | No | Tier A — TC-1, TC-3 direct |
| Critical infrastructure command authorisation (system through which emergency powers are issued and authenticated) | Yes | Yes | Yes | Yes | Yes | Tier A — TC-1, TC-2 |
| Wellbeing area critical operational situational picture (system guiding immediate resource allocation decisions) | Yes | Yes | No | No | Yes | Tier A — three Yes including Q-1 |
| State payment execution system (core layer — loss blocks implementation of authorised decisions) | Yes | Yes | No | Yes | No | Tier A — TC-2, TC-3 partial |
| Public service case management systems (permit processing, benefits administration) | No | Yes | No | No | No | Tier B — operationally significant, not terminal |
| HR and personnel administration systems | No | No | No | No | No | Tier C — administrative, no decision dependency |
| Internal intranets, communication portals, non-critical reporting tools | No | No | No | No | No | Tier C |
The authentication layer (row 1) illustrates the cascade dependency mechanism: it is not itself a decision system, but its loss terminates Q-1 systems downstream. This is the Q-5 amplification pathway — the system is Tier A by structural position, not by direct function.
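The scoring rule and the reference table above can be checked against each other mechanically. The following is an added example, not code from the note or the ACI series; it encodes the Tier A/B/C rule and replays the table's answer patterns. The rule precedence (Tier A tested first, then the standalone Q-2/Q-3 Tier B rule, then the generic Tier C rule) is this example's assumption, chosen because it is the reading the reference table implies.

```python
from dataclasses import dataclass

TIER_A, TIER_B, TIER_C = "Tier A", "Tier B", "Tier C"

@dataclass(frozen=True)
class ScopingResult:
    tier: str
    basis: str              # the rule from the note that fired
    elevated_review: bool   # a Q-4 Yes that did not itself reach Tier A

def classify(q1: bool, q2: bool, q3: bool, q4: bool, q5: bool) -> ScopingResult:
    """Assign a tier from the five scoping answers (True = Yes).
    Rules are tested in the note's order (Tier A, then B, then C), so the
    specific Tier B rule for a standalone Q-2/Q-3 wins over the generic
    'zero or one Yes' Tier C rule. That precedence is this example's
    assumption; it is what the note's reference table implies.
    """
    yes_count = sum((q1, q2, q3, q4, q5))
    if q1:  # Q-1 alone suffices; 'Q-1 + (Q-4 or Q-5)' is a special case of it
        return ScopingResult(TIER_A, "Q-1 alone", False)
    if yes_count >= 3:
        return ScopingResult(TIER_A, "three or more of five without Q-1", False)
    if yes_count == 2:
        return ScopingResult(TIER_B, "exactly two Yes without Q-1", q4)
    if q2 or q3:
        return ScopingResult(TIER_B, "Q-2 or Q-3 alone without Q-1", False)
    # Q-4 alone, Q-5 alone, or no Yes at all: standard governance
    return ScopingResult(TIER_C, "zero or one Yes without Q-1", q4)

# Answers (Q-1 .. Q-5) and probable tier, copied from the note's reference table
REFERENCE_CASES = {
    "executive authentication layer":       ((True, True, True, True, True), TIER_A),
    "cabinet decision registry":            ((True, True, True, True, False), TIER_A),
    "infrastructure command authorisation": ((True, True, True, True, True), TIER_A),
    "wellbeing area situational picture":   ((True, True, False, False, True), TIER_A),
    "state payment execution":              ((True, True, False, True, False), TIER_A),
    "public service case management":       ((False, True, False, False, False), TIER_B),
    "HR and personnel administration":      ((False, False, False, False, False), TIER_C),
}

def check_reference_table() -> dict:
    """Classify every reference case; return {case: tier}, raising on mismatch."""
    assigned = {}
    for name, (answers, expected) in REFERENCE_CASES.items():
        result = classify(*answers)
        if result.tier != expected:
            raise AssertionError(f"{name}: got {result.tier}, table says {expected}")
        assigned[name] = result.tier
    return assigned
```

A Q-4 Yes that does not reach Tier A is returned with `elevated_review` set, matching the note's "elevated review" outcome for standalone audit-trail dependency.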
The scoping tool is the entry point for the institutional governance mechanism that WP-011 requires for operative H-4b. Without a defined scope, an H-4b enforcement mechanism either lacks a target (nominal) or expands without boundary (operationally unworkable). The Tier A/B/C classification provides the scope boundary.
System identified for procurement or renewal
        │
        ▼
Scoping test applied (Q-1 through Q-5)
        │
        ├─ Tier C → Standard ICT governance proceeds
        │
        ├─ Tier B → NIS2/CER + partial D1/D2 assessment required
        │
        └─ Tier A → TN-003 D1–D4 full audit required
                │
                ├─ Audit PASS → procurement proceeds
                │
                └─ Audit FAIL → procurement blocked
                        │
                        └─ Override requires:
                             explicit government-level decision
                             named accountable authority
                             documented risk acceptance
                             time-bounded remediation plan
The override pathway is structurally necessary. There will be cases where a Tier A system cannot satisfy D1–D4 requirements within procurement timelines — because H-3(t) is below threshold (TN-003 §05 Q-4), because no compliant supplier exists, or because transition costs are prohibitive in the short term. The override mechanism allows government-level political decision to accept documented architectural risk explicitly, rather than allowing nominal compliance to obscure the gap.
The named accountable authority requirement is the H-4a/H-4b interface. When operative H-4b cannot be established through procurement enforcement (Property 3 of TN-003 §04), the override mechanism converts the architectural gap into a political liability: a named individual or body has explicitly accepted documented risk on behalf of the institution. This does not resolve the technical exposure — it ensures that the exposure is not invisible. The named authority bears personal or institutional accountability if the documented risk materialises. This is the mechanism through which H-4a (political attributability) can function as a partial substitute for H-4b under conditions where operative H-4b is temporarily unachievable.
An RKOM or equivalent resilience oversight function applying this scoping tool should expect that Tier A systems will constitute a small fraction of total public sector digital systems — likely under 5% by count, but representing the systems whose failure under compound stress would produce the WP-003 Institutional Termination Time condition. The scoping tool's value is precisely that it concentrates enforcement resources on this small fraction rather than distributing them across the full ICT estate.
Dynamic reclassification. System architecture changes over time. A system initially classified as Tier C may become Tier A if other systems are deprecated and their decision-critical functions migrate to it. The scoping tool specifies criteria for classification at a point in time; a governance mechanism for periodic reclassification is outside the scope of this note and has not been specified in the ACI series.
Provider dependency inheritance. Q-3 asks whether identity dependency extends through the external provider chain. The full chain may be several layers deep — a locally hosted system may authenticate through a cloud identity provider, which authenticates through a third-party certificate authority, which relies on a root certificate managed by a foreign entity. The scoping test treats the answer as Yes if any link in the chain is not jurisdiction-controlled. Tracing the full chain in practice may require technical analysis not available at procurement design stage.
Municipal and regional boundary. The reference cases in §05 focus on central government. The scoping criteria are structurally identical at municipal and wellbeing area level — a municipal authentication layer serving emergency services satisfies TC-1 for municipal decision capacity. Whether the same D1–D4 audit mandate applies to municipal Tier A systems, or whether a proportionality adjustment is warranted for smaller institutions, is a governance design question not resolved in this note.
Interaction with DA-006 Labour Continuity Reserve. DA-006 identifies that decision-critical public sector functions face a structural workforce risk from the atrophy of experienced personnel — the L-4 segmentation finding. A Tier A system with adequate D1–D4 architectural compliance may still fail if the human operators required to run it under stress conditions are unavailable. The intersection of the TN-004 technical scoping tool and the DA-006 workforce reserve diagnostic has not been addressed in the ACI series.