CyberNEMO SAAM is a pan-European Knowledge Sharing, risk Assessment, threat Analysis and incidents Mitigation collaborative platform designed to protect Critical Infrastructures (CIs) across Europe. Operating as the federated CTI exchange backbone of the broader CyberNEMO platform, SAAM serves as a pan-European CTI hub that collects, analysis, enriches, and distributes cybersecurity intelligence among interconnected infrastructure operators, national and cross-border cybersecurity authorities and communities. By centralising cyber threat data from diverse CI sectors including energy, transport, healthcare, and finance and structuring it around the widely adopted STIX 2.1 standard, SAAM creates a common operational picture that no single organisation could achieve on its own.

Modern cyber threats do not respect sector or national boundaries. A sophisticated attack on an energy grid can swiftly ripple into transport management systems or hospital networks, creating cascading failures that isolated, manually-processed intelligence cannot prevent. SAAM addresses this gap by positioning itself as the central nervous system of European CI cybersecurity, automatically correlating cross-sector incident patterns, attributing threats to known actors, and generating timely advisories for eligible partners. Governed by the most appropriate authority within the CyberNEMO ecosystem, and fully aligned with NIS2 compliance obligations, SAAM represents a significant step forward in building the collective resilience that Europe’s critical infrastructure communities urgently need.

SAAM delivers four tightly integrated capabilities. Cross-CI Knowledge Sharing enables the seamless exchange of CTI data across sector boundaries and national borders through secure Trusted Circles at Sectoral, National, Cross-Border, and Pan-European level utilizing interoperable standards such as STIX v2.1, TAXII 2.1 and Traffic Light Protocol (TLP) for controlled dissemination. SAAM’s Systemic Risk Analysis Engine applies automated analysis over incoming cyberthreat reports to score, correlate, and contextualise vulnerabilities and attacks. In addiiton, SRAE analysis contributes to the identification of coordinated attacks taking into account potential cascading effects. This contributes to SAAM’s enhanced State Awareness which gives operators and authorities a real-time, holistic view of the threat landscape across interconnected CI domains. Finally, SAAM’s Incident Mitigation translates enriched intelligence into actionable guidance, enabling CSIRTs and CI owners to coordinate responses swiftly and effectively before threats cascade across sectors.