Guide
Everything about how Atlas works, where its data comes from, how it forms its judgments, and how to get the most out of it.
What Atlas is
Atlas maps Siemens Energy's publicly disclosed portfolio against cyber-regulation regimes per country. It answers three questions for Irina and the wider SCADA / Comms / Cyber org:
- Where does regulation bite us today (and where is it about to)?
- Which products does each obligation actually apply to - with citations?
- What's the gap between regulatory expectation and Siemens Energy's posture? (computed offline in the Preparedness Workbook - see below)
Where the data comes from
| Data | Source | How it's refreshed |
|---|---|---|
| Countries & tiers | Curated list (SE legal entities + HVDC/Gamesa footprint + extraterritorial regimes) | Manual seed; admins can re-run or promote tier in UI |
| Jurisdictions | Known regulators + frameworks (NCSC, BSI, FERC/NERC, NCA, ANSSI, etc.) | Curated; extensible via admin |
| Portfolio items | siemens-energy.com public product hub - LLM-navigated (no blind crawl) | Admin action "Discover portfolio" |
| Regulation text | Local authoritative baselines (CRA, CAF v3.1/v3.2/v4) + curated summaries (NIS2, NERC CIP, PSTI, NCA OTCC) | Admin action "Ingest local baselines" (~10-15 min) |
| Horizon instruments | Public trackers + government announcements (CRSB, CRA phased deadlines, NERC CIP-015, EU AI Act Annex III, CAF v4 adoption, OTCC v2 draft) | Admin action "Seed regulations" or daily horizon-scan |
| Applicability assertions | Computed: embedding retrieval → rerank → analyst LLM judgment, grounded in regulation chunks | Admin action "Run applicability engine" |
The globe
Colour of each country polygon:
- Bright purple - Mapped. Active regulatory regime + significant SE footprint. Fully detailed in Atlas.
- Mid purple - Indexed. Meaningful footprint or emerging regulation; less depth.
- Grey - Watchlist. Horizon regulation or minor footprint.
- Amber glow - country has at least one upcoming instrument on the horizon within 24 months.
Click any country to drill into it. Drag to rotate (auto-rotation pauses for 20s). Scroll / pinch to zoom. A bottom-left legend mirrors the colour meaning.
Country panel (left sidebar)
For a mapped country, Atlas shows:
- Tier pill (mapped / indexed / watchlist) - human-editable by admins
- Rationale - why this tier
- Regulatory exposure gauge - see below
- SE footprint - why SE cares about this country
- Jurisdictions - the regulators and frameworks in play (e.g. UK-NCSC, EU-NIS2, UK-PSTI)
- Portfolio applicability - which SE offerings have Atlas-judged applicability. Click "evidence pack" to download a SE-branded PDF for a specific (product × country) pair.
- Star / pin products - click the ☆ next to a portfolio item to pin it to the top of the list. Pinned items appear in a "★ Pinned" block above the rest. Pinning is per-user and global: star HVDC once and it's pinned at the top in every country where HVDC has applicability, so you can jump country-to-country without re-pinning.
Regulatory exposure score
The computation:
- For each obligation Atlas has an active applicability assertion for in a country:
- • Verdict
applies→ row score = confidence × 1.0 - • Verdict
partially_applies→ row score = confidence × 0.5 - • Verdict
does_not_apply/uncertain→ excluded - Average the row scores for each portfolio item, then average across portfolio items → country exposure
For actual preparedness (met / partial / not met per obligation) use the Preparedness Workbook export and fill in the Compliance Status column locally. The workbook's charts and formulas recompute real preparedness as you type.
Horizon radar
Instruments that have been announced, drafted, or assigned an effective date within the next 24 months. Examples currently tracked:
- UK Cyber Security & Resilience Bill (CRSB)
- EU CRA Article 14 (vuln-reporting) - 11 Sep 2026; CRA full - 11 Dec 2027
- EU AI Act Annex III - 2 Aug 2026
- UK CAF v4 adoption by OFGEM for 2026/27 audit cycle
- US NERC CIP-015 (INSM) - 2028; CIP-003-9 - 2026
- Saudi NCA OTCC v2 - draft watchdog
Open from the right-hand dock (🌐 icon). Badge number = countries with at least one upcoming instrument. Click an item to jump to that country.
Ask Atlas (chat)
A retrieval-augmented chat scoped to the regulation corpus. Ask things like:
- "What does the CRA say about vulnerability handling?"
- "Does NERC CIP-007 apply to transformers?"
- "What's in CAF B4 about secure configuration?"
Every factual claim in Atlas's answer is followed by a numeric citation [1], which
maps to a regulation chunk Atlas used as evidence. Click a citation to open the full source text
in a modal.
Atlas will not hallucinate regulation content - if the corpus doesn't cover your question, it will say so and suggest where to look. Questions outside the corpus (weather, personal chat, roleplay, opinions) and classic prompt-injection patterns ("ignore previous instructions…") are politely refused.
Chat responses are rendered with minimal markdown - **bold**, *italic*, `code`, and bullet lists - with inline [N] citations and tappable source cards below each answer.
Exports
Three flavours, each with "INDICATIVE · pending review" and the public-data disclaimer on every page:
- Bulk workbook (XLSX) + Word narrative (DOCX) - everything Atlas knows, filterable by items / instruments / confidence / verdicts. Good for bulk review.
- Preparedness Workbook (XLSX) - see next section. The flagship Excel deliverable.
- Evidence Pack (PDF) - one SE-branded PDF for a specific (portfolio item × country) pair. Contains executive summary, applicable obligations, verbatim source extracts, and provenance. Suitable to hand to a customer procurement team.
Preparedness Workbook
This is the tool that bridges Atlas (public data) and SE's internal compliance position (confidential data).
What Atlas ships you:
- Sheet Instructions - usage notes and formula explanation
- Sheet Compliance Matrix - one row per (portfolio × obligation × country) Atlas-judged applicable, with Atlas verdict + confidence + empty Compliance Status dropdown, Evidence Ref, and Reviewer columns
- Sheet Country Dashboard - auto-computed per-country preparedness % + known-review-coverage % + bar charts
- Sheet Portfolio Heatmap - item × country grid, colour-scaled preparedness
- Sheet Gaps - auto-filtered Not-Met + Partially-Met rows with copy of all row context
- Sheet Provenance - Atlas version + regulation version dates + content hashes
Usage: fill in the Compliance Status column (dropdown: Met / Partially Met / Not Met / N/A / Unknown). All charts, scores, and the dashboard update live. Nothing is uploaded back to Atlas.
Evidence packs
Per-product per-country PDF with cover, executive summary, applicable obligations (with Atlas's verdict, confidence, and rationale), verbatim source extracts from the regulation text, a table of obligations that don't apply (with reasons), and a provenance page listing regulation version dates and source URLs. Irina can hand this unchanged to a customer procurement or legal team.
Applicability assertions
The core Atlas judgment. For each (portfolio item × obligation × country) triple:
- Embed the obligation text (BGE-large, 1024-dim)
- Retrieve top candidate chunks from the regulation corpus via vector kNN (sqlite-vec)
- Rerank with
bge-reranker-v2-m3 - Ask the
analystrole (Gemma 4 26B) for a grounded verdict: applies / partially_applies / does_not_apply / uncertain - Require numeric citations into the evidence chunks; store confidence + rationale
- Freeze the evidence chunk hashes so that if the regulation later changes, Atlas can identify every assertion whose evidence moved
At scale we use an embedding-based relevance pre-filter (top-20 most-similar obligations per item, cosine ≥ 0.25) to avoid asking the LLM to judge obviously-irrelevant pairs (e.g. PSTI default-passwords for a subsea transformer).
Change cascade (horizon scan)
Runs daily at 03:17 UK time (APScheduler). For each registered horizon source URL:
- HEAD → compare ETag / Last-Modified. Unchanged → bail.
- Fetch body → SHA256 hash. Unchanged → bail.
- Re-chunk + per-chunk embed diff (cosine < 0.98). Pinpoint what moved.
- LLM summary of the diff → change_events row.
- Any assertion whose frozen
evidence_chunk_hashesintersects the removed set is marked stale. - Telegram digest is sent to Bill.
How the LLMs are used
| Role | Model | Used for |
|---|---|---|
analyst | Gemma 4 26B-A4B-heretic Q8_0 (round-robin across 4 DGX Spark nodes) | Applicability judgment, obligation extraction, Ask-Atlas answers, regulation diff summaries |
coder | Qwen3.6-35B-A3B-heretic (spark-53:8002) | Tool-calling portfolio discovery, structured JSON extraction from siemens-energy.com pages |
embed-large | BGE-large-en-v1.5 (spark-52:8000, 1024-dim) | Chunk embedding for vector retrieval; relevance pre-filter for assertions |
rerank | bge-reranker-v2-m3 (spark-51:8000) | Top-K reranking of retrieved chunks before handing to analyst |
All LLM inference is on-premise (Bill's homelab DGX Spark cluster). No request leaves the
internal network. Thinking mode is explicitly disabled (chat_template_kwargs.enable_thinking = false)
for latency; model temperatures and sampler settings match the fleet's published no-think recipes.
Users & roles
- admin - full access, including Actions menu, ingest triggers, user management, assertion runs.
- user - read-only of the pitch surface: globe, country drill-down, chat, evidence packs, exports. Actions menu is hidden.
Admins manage users from Actions → Manage users: add, reset passwords, disable, promote/demote, delete.
Admin actions (what each button does)
| Action | What it does | Time |
|---|---|---|
| Seed countries | Idempotent curated seed of 45 countries + 71 jurisdictions | Instant |
| Seed regulations | Curated summaries of NIS2 / CRA / PSTI / NERC CIP / OTCC + horizon instruments | ~15s |
| Ingest local baselines | Full-text ingest of CRA + CAF v3.1 / v3.2 / v4 from the read-only baselines mount - replaces curated summaries with authoritative text, cascade-invalidates dependent assertions | ~10-15 min |
| Discover portfolio | LLM-driven navigation of siemens-energy.com to rediscover portfolio items | ~5-8 min |
| Run applicability engine | Full cross-product with embedding pre-filter → top 20 per item → analyst judgment, 10-way parallel | ~10-20 min |
| Run horizon scan | Fires the daily scheduler manually | ~1-5 min |
Applicability vs commercial presence
Two different concepts, easy to confuse. Atlas today answers one of them:
- Regulatory applicability (what "Portfolio applicability" in the country panel means today): given the cyber regulations in country X, which SE products do those regs bind? Driven entirely by the regulation text Atlas has ingested. If a country has registered jurisdictions but no regulation text loaded yet, Atlas cannot compute applicability for it and the country panel shows a "data gap" state, NOT a statement that SE has no products there.
- Commercial / delivery presence: where has SE actually delivered, sold, or operated this product? HVDC interconnectors in Ireland, Gamesa wind farms in Brazil, Siemens Energy syncons in the UK. This is a separate data layer Atlas does not have today — it's planned for v0.3 as the Delivery Footprint Layer. The sources will be public (press releases, 4C Offshore for wind, GCCIA / ENTSO-E for HVDC, investor-day maps).
When v0.3 lands, the globe will have a colour-mode toggle: Regulatory exposure vs SE delivery presence vs Both.
Regulation browser (/docs)
Three-pane reader for every regulation Atlas has ingested. Left: instrument
list. Middle: outline built from the document's heading path. Right: clause
text with a language toggle (EN / DE / FR / IT / ES) and in-document semantic
search. Every clause has a copy-link button that yields a permanent URL
like /docs#CAF-v3.1/clause-42 — drop those links into emails or
decks and they open straight to the clause.
Translations are generated on demand, cached on the chunk content hash, and survive future re-ingests. "Show original" toggle keeps the English source one click away.
Delivery Footprint Layer
Separate from regulatory applicability. Tracks where Siemens Energy has publicly-announced project deliveries — HVDC interconnectors, offshore grid connections, gas turbines, transformers, GIS, syncons, hydrogen, grid software. All sources are public (press releases, investor maps, regulator-published project lists). Closes the confusing "country shows nothing" state from v0.2 by answering the other natural question: "does SE actually sell/operate here?".
Scenario simulator
Actions → 🔮. Pick any horizon instrument and Atlas runs a dry-run cascade: if this instrument came into force today, how many live assertions would go stale, how many portfolio items affected, which in-force instruments overlap with it. Uses embedding similarity over the horizon instrument's summary. Nothing is persisted.
Obligation cross-walk
Actions → 🔗. Type a keyword or concept ("supply chain", "incident reporting in 24h", "MFA for remote access") and Atlas returns the semantically equivalent clauses across all ingested regulations. Useful for proving "a control that meets X also covers Y% of Z". Each result deep-links into the Regulation Browser at the exact clause.
Auto-narrated pitch demo
Actions → ▶ Play pitch demo. Atlas takes over the camera and flies through UK → Germany → USA → Saudi → India with 50 seconds of voice-over subtitles explaining the value at each stop. Esc to stop. Useful when you want Atlas to tell its own story.
Non-goals
- Legal advice. Atlas is an indicator; it is not a substitute for counsel.
- Real-time regulation ingest. Sources refresh on their cadence (weekly/monthly at most).
- Ingestion of internal SE data. Ever.
- Generative regulation interpretation without citations. Atlas refuses to answer outside the corpus.
Maintained by Bill for Irina · all information used is available to the general public, nothing internal to Siemens Energy.