Two compounding layers—physical cascade topology and monitoring blind spots—create a detection gap that existing regulatory frameworks have identified but not yet closed.
The conventional framing of infrastructure security asks whether an adversary can breach the perimeter of a defended system. Paarker asks a different question: what if the topology of the infrastructure itself—the physical dependencies between systems, the gaps in how those systems are monitored, and the shared architectural patterns through which they were built—constitutes the vulnerability?
Cascade is not a metaphor. It is a measurable, expanding deformation across coupled systems. Research across 700 events in 30 countries found that five times more companies lose service from cascade propagation than from the originating physical event, with cascade failures accounting for 64–89% of all service disruptions (Mühlhofer et al., ETH Zurich, 2024). The two layers described on this page explain why.
All findings below are drawn from public European and international sources: ENISA threat landscapes, Five Eyes joint advisories, ENTSO-E incident reports, EU Commission assessments, and open-source incident records.
Europe built its water, energy, and industrial infrastructure across the twentieth century as an integrated physical system that crosses national boundaries. Alpine hydroelectric cascades feed the ENTSO-E synchronous grid serving 400 million people across 25 countries. The Po River basin connects agricultural water supply, industrial cooling, municipal treatment, and power generation in a single hydrological system. Nuclear plants across France and Central Europe depend on river water for cooling.
| System | Scale | Dependencies | Key Vulnerability |
|---|---|---|---|
| Alpine Hydroelectric | Multi-country cascade | ENTSO-E grid, Po Valley industry, nuclear cooling | Cross-border cascade, multi-regulator jurisdiction |
| ENTSO-E Grid | 25 countries, 400M people | All electrified infrastructure, data centers, transport | Frequency deviation propagates in seconds across borders |
| Northern Italy Industrial | Lombardy-Veneto-Emilia corridor | Manufacturing, water treatment, energy, transport | Dense NIS2 entity concentration, shared infrastructure |
| North Sea Energy | Multi-national | Offshore wind, subsea cables, gas interconnectors | Physical access difficulty, shared cable corridors |
The fundamental problem with cascade topology as a threat surface is temporal. Physical consequences propagate at the speed of hydraulics and electrical grid frequency deviation. Defensive responses propagate at the speed of cross-border coordination: CSIRT notification chains, national authority engagement, regulatory waiver processing, multi-lateral incident command establishment.
On January 8, 2021, a cascade of automatic disconnections split the ENTSO-E Continental Europe Synchronous Area. Within seconds, the grid separated into two isolated regions, triggering emergency load-shedding across multiple countries. No human could have intervened at the speed the physics required.
The 2022 Nord Stream pipeline incidents demonstrated that European energy infrastructure is also a target for physical disruption. The economic cascade from those events propagated through energy markets, industrial production, and national security calculations for months. An adversary does not need to destroy infrastructure. Creating sufficient uncertainty about integrity triggers its own cascade.
European infrastructure is governed by a patchwork of national regulators, each implementing EU directives on different timelines. NIS2 was adopted in January 2023, with member state transposition due by October 2024. Italy transposed via D.Lgs. 138/2024. Other member states are at different stages. This creates regulatory seams: the same physical infrastructure that cascades across national boundaries is monitored by regulators who operate within them.
A hydroelectric cascade that begins in Switzerland and propagates through Italy and Austria crosses at least three separate regulatory frameworks, none of which has visibility into the others' monitoring posture. Italy's mandatory natural catastrophe insurance regime (Decree 18/2025), backed by the SACE reinsurance facility, adds a financial dimension to these cascade paths that no existing model prices across domains.
Authoritative registries of European infrastructure exist—dam registries, ENTSO-E's grid model, national asset inventories. They catalog physical attributes: location, capacity, ownership, structural characteristics. They carry no information about the vulnerability status, patch levels, or incident history of the control systems operating these assets.
The NIS2 registration process captures entity-level information—contact details, sector classification, IP ranges. This is a significant step forward. But it captures a snapshot, not a continuous feed. An entity compliant at registration may drift into non-compliance within weeks. The registration portal cannot detect this drift.
The sectors with the lowest incident reporting rates in Europe include water infrastructure, dam management, and operational technology in energy and manufacturing. The conventional interpretation is reassuring: few reported incidents suggests the sector is secure. That interpretation is wrong.
Financial services and healthcare report thousands of incidents annually not because they are uniquely insecure, but because they can see what is happening to them. The water sector's near-zero reporting indicates an absence of monitoring capability, not an absence of adversary activity.
ENISA's Threat Landscape 2024 documented persistent state-sponsored operations targeting European critical infrastructure. The joint advisory published by Five Eyes agencies confirmed pre-positioning in water and energy operational technology networks—actors maintaining access for years before detection. An adversary operating in an environment with no monitoring, using techniques designed to evade monitoring, generates no incidents to report.
| Year | Incident | Significance |
|---|---|---|
| 2021 | ENTSO-E grid split | Continental synchronous area separated in seconds. Cross-border cascade, multi-country impact. |
| 2022 | Nord Stream pipeline | Physical destruction of cross-border energy infrastructure. Economic cascade lasted months. |
| 2023–2025 | Volt Typhoon pre-positioning | Five Eyes advisory confirmed state-sponsored presence across water and energy OT. Multi-year dwell times. |
| 2025 | Lake Risevatnet Dam, Norway | Russian-attributed actors opened a water valve to full capacity for four hours. Classified as hybrid warfare. |
| 2025 | Tczew Hydropower Plant, Poland | Russian hacktivists modified generator parameters, forced turbine stoppage. Second attack on same facility in three months. |
Each layer makes the other worse. The monitoring void makes the cascade topology more dangerous because an adversary can pre-position within a cascade-connected asset without detection. The cascade topology makes the monitoring void more consequential because compromise propagates through physical dependencies before anyone knows there is a problem.
The compound scenario: an adversary targets a cascade-connected asset that lacks monitoring (Layer Two), and achieves effects that propagate through the physical topology (Layer One). At no point does the adversary need unusual sophistication. The infrastructure provides the attack path.
No existing tool reads across both layers. Incumbent models stop at the facility level. Cascade pricing requires the geometry of cross-domain propagation—stages four and five of the cascade chain, where physical events become financial events become regulatory events.
Existing approaches are asset-specific and sector-bounded. They are optimized for hardening individual facilities, improving detection within individual systems, and assessing risk within individual organizations. Those are valuable objectives. They do not address the compound vulnerability.
NIS2 and DORA mandate cross-infrastructure risk assessment and supply-chain security. Italy's mandatory natural catastrophe insurance regime (Decree 18/2025) creates a financial obligation that intersects with cascade physics. These regulations exist because European institutions recognized the gap. The tools to close it do not yet exist at the structural level.
The detection capability that is missing must read across regulatory boundaries, treat the absence of expected telemetry as a detection signal, identify when cascade-connected assets share correlated vulnerabilities, and price cascade propagation across physical, financial, operational, and regulatory dimensions.
Paarker was built to operate in this gap.
The European licensee of INFORMN geometric intelligence. Startup Innovativa, Milan.
About the Company