Cross-CI Assessment of Risks and Cascading Effects in ATLANTIS Project

Abstract

Critical Infrastructures (CIs) are the backbone of modern societies, providing essential services whose disruption can have severe consequences. The interdependencies among the CIs, across sectors and national borders, add significant complexity to risk and resilience management. While various EU Directives and EU-funded projects have addressed CI risk management, most efforts have focused on individual infrastructures rather than systemic cross-sector and cross-border approaches. In the EU-funded project ATLANTIS, we address this gap by advancing CI risk and resilience assessment towards a fully integrated European protection framework. We emphasise a holistic, multi-level approach that transcends individual assets, enabling coordination across operators, sectors, and national borders. To this end, we introduce a comprehensive risk assessment methodology that explicitly accounts for interdependencies among CIs and evaluates potential impacts and probabilities of disruptive events. This methodology is underpinned by the tailored data management framework, structured across three integrated layers. To validate the approach, novel tools and methods were implemented and tested in three large-scale pilot exercises, conducted through a series of stakeholder workshops. Results indicated measurable improvements in CI preparedness and awareness, ranging from approximately 5% to 55%, depending on the threat scenario and stakeholder group. The findings demonstrate that our approach delivers added value by supporting enhanced decision-making and fostering consistent, cross-CI communication through a shared platform. This paper presents the key components, cross-CI and multi-threat risk assessment methodology, and testing outcomes of the ATLANTIS project, highlighting its contribution to advancing European CI resilience.

1. Introduction

Critical Infrastructures (CIs) represent the essential systems and services that underpin the functioning of societies and economies, including transportation, energy supply, telecommunications, water, and healthcare. As the backbone of modern civilisation, they are indispensable to societal stability, security, and development. The failure or incapacitation of such infrastructures would cause severe social and economic consequences, which is why their protection has long been recognised as a priority at national and international levels. In Europe, this importance is reflected in the EU’s Security Union Strategy [1] and, more recently, in the adoption of the Critical Entities Resilience Directive [2] (CER).

Resilience is a complex and multidimensional process that emerges from a comprehensive approach, which is essential for safeguarding critical entities. The NIS2 Directive [3] should be understood as an integral component of this approach, complementing the CER Directive by addressing the cybersecurity dimension. Together, they provide a unified framework in which risk assessment, the analysis of cascading effects, and the mapping of interdependencies play a decisive role.

This perspective should not be limited to a single threat vector, such as cyber incidents, but must instead encompass the entire spectrum of hybrid threats, where natural hazards, technological failures, malicious cyber activities, and disinformation campaigns can interact and compound one another. In this regard, there is an increasing need to move from static to dynamic risk assessment approaches in critical infrastructure protection. Such approaches rely on the continuous collection of parameters from diverse sensors and monitoring systems, which provide real-time data on the operational state of infrastructures. Integrating this information into risk models offers an opportunity to accelerate assessments and move closer to near-real-time risk evaluation, thereby enabling faster detection of anomalies, improved situational awareness, and more effective crisis response. This vision aligns with the European Union Agency for Cybersecurity (ENISA), which has repeatedly emphasised the importance of dynamic risk management and situational awareness as essential capabilities for resilience. ENISA’s reports, such as the ENISA Threat Landscape [4] and sector-specific guidance on cyber resilience of critical infrastructure, highlight that the combination of sensor-based monitoring, automated analytics, and cross-sector information sharing forms the cornerstone of modern resilience strategies across the EU. Establishing a common understanding of methodologies and approaches to risk assessment is, therefore, critical. It represents the fundamental basis and common ground for the further development of procedural activities aimed at achieving an appropriate and sustainable level of resilience across critical entities. Given the need for a broader approach, beyond cyber security only, that would encompass various threats, we aim to provide a new systemic approach to multi-threat and cross-CI risk assessment.

Despite this recognition, effective risk and resilience management for CIs remains a major challenge. Infrastructures are increasingly interconnected and interdependent, often spanning multiple sectors and borders. They face a broad spectrum of hazards and threats, from natural disasters (including NaTech events) to accidents, cyberattacks, and hybrid threats. Managing these risks is further complicated by rapid digitalisation, evolving business models, and societal change. The central challenge is therefore to establish multi-risk and resilience management approaches that address not only individual assets or CI operators, but also systemic and cascading risks across organisations, sectors, countries, and the EU as a whole. In other words, we need a new approach to multi-threat and cross-CI risk assessment.

The modelling of interdependent CI systems has been the subject of extensive scientific research. Ouyang [5] provided a comprehensive review of existing modelling and simulation approaches, identifying key challenges such as the precise collection of CI data to derive interdependencies, the comprehensive modelling of multiple infrastructures and their long-term evolution, the integration of different modelling approaches, and the validation of results using metrics relevant for decision-making. Ji et al. [6] reviewed CI resilience modelling, combining bibliometric analysis with an examination of five popular computational methodologies and their related challenges. Advocating for the concept of “smart CI”, they highlighted the main open issues of model transparency and explainability, portability, robustness, security and safety, as well as enabling multi-scale human–computer interaction.

Cross-CI disturbances can also be viewed through the lens of supply network disruptions. In this respect, Kim et al. [7] proposed developing a network-based perspective of disruptions and resilience. By applying graph theory, they showed how such an approach can capture emergent behaviours both at the level of individual CI assets and across the wider interconnected network.

Lampropoulos et al. [8] reviewed the use of Digital Twins (DTs) in critical infrastructure. Their findings suggest that DTs can enhance traceability, provide interactive visualisation and analysis, and enable real-time monitoring in CI systems. In doing so, they helped bridge the gap between physical infrastructures and their virtual counterparts, where risk and resilience modelling data are represented.

Gordan et al. [9] presented the PRECINCT project’s approach to common cyber-physical security management of both citizens and infrastructures in specific geographical areas. Their work made use of Serious Games (SG) and Digital Twins (DTs) as tools for vulnerability assessment and for analysing complex cascading effects. The risk/resilience modelling considered discrete operational states of CIs and their transitions (a CI-to-CI probabilistic approach). The authors highlighted data availability and comprehensiveness (such as mapping interdependencies, defining relevant states, and deriving probabilities) as the most pressing challenges. However, the approach does not fully address impact evaluation at the CI level and remains tailored mainly to specific target areas.

Šarūnienė et al. [10] proposed a cross-sector methodology for CI risk assessment that explicitly accounts for interdependencies among CIs and adopts a multi-hazard perspective. The methodology consists of system description, hazard identification, probability and consequence calculation, and risk evaluation. CI criticality is used solely as a measure for risk, with evaluation performed using a standard risk matrix approach. The probabilistic component is implemented through Bayesian Belief Networks, which implicitly assumes that circular interdependencies can be disregarded. Other impact or damage categories are outside the scope of this methodology.

Most past research and many EU-funded projects have focused on protecting single sectors or specific installations [11,12,13,14]. Dependencies among CIs and the potential cascading effects of disruptions have often been addressed only superficially, generally at the organisational, sectoral, or national level rather than at a comprehensive cross-organisational, cross-sectoral, and cross-border (the so-called cross-CI) level. An important step forward was made in the PRECINCT project [15], which advanced the analysis of interdependencies and cascading effects across CI sectors. However, existing approaches still lack a structured and validated methodology that integrates multi-hazard and multi-threat scenarios that extend beyond sectoral silos and national boundaries, while also supporting near-real-time situational awareness and decision-making. This gap hampers the ability of CI operators and authorities to assess systemic risks consistently and to coordinate risk management actions across domains.

To address this research gap, the key question addressed in this paper is as follows: How can cross-CI multi-threat risk assessment be operationalised in a way that is both methodologically rigorous and practically usable by diverse CI stakeholders?

Our aim within the ATLANTIS project [16] responds to this challenge by enhancing and extending existing concepts of CI resilience and Cyber-Physical-Human (CPH) security. Our ambition is to move beyond isolated protection of single assets or operators toward a systemic, European-level approach. To this end, we developed and validated a Decision Support System (DSS) that builds on a novel cross-CI and multi-threat risk assessment methodology presented in this paper, while supporting decision-making at cross-operator, cross-sector, and cross-national scales.

The remainder of this article is structured as follows. Section 2 presents the risk assessment approach, including its architecture, methods, and metadata model. Section 3 discusses the results from the implementation and testing of the approach. Finally, Section 4 summarises our findings.

2. Approach and Methods Used

The approach to cross-CI and multi-threat risk assessment builds on the relationships among the specific potential threats and specific CI assets, considered as the nodes in the modelled network that represent the modelled domain. While other approaches are available, we opted for a rather traditional concept where the risks for nodes are considered as a product of the specific categorised consequences and their respective probabilities. In Section 2.1, we will present the main steps of the risk assessment method applied to the individual nodes of the modelled domain. In Section 2.2, we will present the ATLANTIS architecture in terms of data flow that drives the risk assessment.

2.1. Risk Assessment

The methodology introduces a structured, scenario-driven framework that integrates conventional risk assessment techniques with cross-operator interdependency modelling, and context-aware hazard/threat sensing [17,18,19,20]. Developed for complex, multi-stakeholder environments, the approach supports real-time and anticipatory risk assessment across interdependent CIs, with particular emphasis on cascading and compounding risks within and across CIs. The methodology includes seven sequential steps, as illustrated in Figure 1 and further elaborated below.

While the explanations below discuss the CI and its assets under the analysis, the steps are to be systematically applied at all CIs within the modelled domain, e.g., geographically, the critical infrastructure sector, national borders, or their combination.

Step 1: Define a Threat or a Hazard.

Purpose: The assessment begins with the identification of a credible and context-specific threat(s) (e.g., cyberattack, sabotage) or hazard(s) (e.g., natural disaster, equipment failure). This initial step anchors the risk scenario in a real or plausible situation, ensuring relevance and alignment with operational conditions.

Inputs: Threat identification is based on several dimensions, including geographical setting (e.g., a tunnel prone to seismic activity, a logistics hub prone to wildfires), domain-specific vulnerabilities (e.g., cyber incidents in digital, finance, or health), or recommendations from recent intelligence and regulatory priorities (e.g., terrorist attacks, economic instability, the use of AI). This context-aware approach ensures that threats are neither abstract nor overly general but reflect the operational and strategic realities faced by CI operators. Data sources are usually CI-specific safety and security risk assessment reports, risk registries, past incident reports, etc.

Method: Crucially, the identified threat or hazard must carry the potential to trigger cross-organisational effects, either through direct impact on a specific CI or through ripple effects across interconnected systems. Here, close cooperation with CIs’ risk managers is crucial. At this stage, the focus is on understanding the nature of the initiating events, their plausible causes, and the general conditions under which they might arise, without yet specifying all affected actors.

Outputs: Result is a consolidated list of diverse relevant hazards and threats to the specific CI.

Step 2: Identify Involved CIs.

Purpose: Building on the threat(s) or hazard(s) defined in the previous step, this phase focuses on determining the CI operators that would either be directly affected or indirectly exposed to its effects.

Inputs: List of CIs that are subject to relevant threats (from the previous step).

Method: Directly affected CIs are those whose assets fall within the immediate scope of the threat (e.g., port whose terminal is flooded, telecommunications provider whose systems are under a cyberattack), whereas indirectly affected CIs are those with technical, logistical, or operational interdependencies with the primary CI (e.g., oil distributer who cannot receive new reserves due to a closed port terminal).

This step is conducted in close collaboration with the CI stakeholders, using asset inventories and service maps to identify all relevant actors across their primary or most critical supply chains. Particular attention is given to cross-border and cross-sector dimensions, ensuring that the broader systemic risk is captured from the outset.

The identification of CIs is validated through joint workshops and interviews, ensuring that the domain expertise informs the mapping of relevant infrastructures and organisations.

Outputs: Consolidated list of directly and indirectly potentially affected CIs.

Step 3: Identify Affected Assets.

Purpose: For each involved CI operator, the next step is to identify its key assets that may be affected by the scenario.

Inputs: CI’s operational procedures, mapping of work processes, assets and utility systems.

Method: These assets may include physical components (e.g., transport terminals, pipelines), cyber systems (e.g., communication servers, SCADA systems), or organisational processes (e.g., customs clearance). The identification is based on the nature and the scope of the threat, the functional role of the asset, and its exposure to direct or indirect consequences.

Each asset is analysed in terms of its operational role, input dependencies for its functioning (e.g., power, connectivity), and service outputs relevant for other systems. This granular analysis provides the foundation for tracing how disruptions at the asset level may propagate through the broader infrastructure ecosystem.

Outputs: Consolidated list of assets per CI that are in any way related to other assets that are directly or indirectly affected.

Step 4: Identify Relevant Interdependencies.

Purpose: To identify types of dependencies among pairs of potentially affected assets (CIs).

Inputs: A list of assets per CI that are in any way related to other assets/CIs that are directly or indirectly affected.

Method: With the affected assets identified, the analysis shifts to understanding the interdependencies that connect them. These interdependencies are classified at two levels. Macro-level interdependencies that capture CI-to-CI relationships (e.g., port’s reliance on telecommunications) and micro-level interdependencies that detail asset-to-asset dependencies within each involved CI (e.g., railway shunting station depends on the rail tracks that lead to it). The asset hierarchy used is based on the ISO 14224:2016 standard [21].

We consider interdependencies as one-to-one and unidirectional dependencies among pairs of assets, considering the different operational dimensions adopted by Rinaldi et al. [22], including, among others, infrastructure characteristics (e.g., organisational, operational, spatial), state of operation (e.g., normal, repair, stressed), and type of interdependency. The adopted list of interdependency types according to Rinaldi et al. [22] is presented in

Table 1. Types of interdependencies considered in ATLANTIS (adopted from Rinaldi et al. [22]).

Type	Description
Physical	The state of an asset depends on the physical output of another asset.
Cyber	The state of an asset depends on the information/data that is transmitted through cyber systems by another asset.
Geographical	The state of an asset might be affected by another asset due to their geographical proximity, making them vulnerable to the same environmental or physical threat.
Logical	Interdependencies via a mechanism that is not of a physical, cyber, or logical nature (e.g., a disruption of the public transport system might lead to congestion in other modes of transportation).
Functional	Operational linkages where the functioning of one asset is necessary for the functioning of another (e.g., emergency response operations depend functionally on both communication and transport systems).
Policy	Arises when legal, regulatory, or policy decisions in one sector impact others (e.g., a change in energy policy can trigger a change in oil prices).
Shared	Assets share common resources or components.
Economic	Arises when financial or market-based influences in one sector impact another (e.g., a spike in fuel costs affects transportation costs).

.

The definitions of the interdependencies overlap to some extent (Rinaldi et al. [22]), and in the analysis, the most important type should be considered. The type of interdependency strongly affects how the dependent asset will experience the potential failure of the origin asset (e.g., considering the time to develop impacts).

To represent these dependencies, the methodology employs a (mainly qualitative) data model that records the identifiers of origin and dependent asset, their basic information, dependency type, estimated propagation time, and descriptive information about the failure impact/final state. The data model is presented in Figure 2.

This modelling approach enables analysts to simulate how an initial asset failure may evolve into broader systemic risks through branching, multi-level propagation.

Outputs: Data on all one-to-one asset dependencies of the CIs within the model domain.

Step 5: Analyse Threat Dynamics.

Purpose: To model probabilistic relationships of the CI’s sensors to the specific hazards, threats, asset states and threat categories.

Inputs: CIs sensors relations data to the specific hazards and threats, data on all one-to-one asset dependencies within the model domain (from the previous step).

Method: This step focuses on the analysis of the threat dynamics as they relate to asset states and their deterioration. This links CI’s sensors for asset condition monitoring (e.g., working/not working), typically conducted through sensor data or performance indicators, with underlying causes (e.g., the “not working” state is linked to the “no power” cause) and corresponding threat/hazard categories (e.g., natural hazard, cyber threats). The failure probabilities of the dependent assets from the origin assets due to the interdependencies are also considered.

Here, the work is based on the available specific historical data, statistical trends, or other intelligence data. It is important to use realistic probability data related to the context of each CI, as well as the technical, social, and political context at a given time. The concept thus assumes that the probability of a specific cause can depend on the hazard/threat category.

To be precise, p_A, the statistical probability of an event with attribute A in n_A out of N observations (with N large enough), is calculated as:

$$p_A={\displaystyle \frac{n_A}{N}}$$

(1)

Two assumptions guide the analysis in this step. First, in the absence of a disruption, an asset is assumed to be operating normally, and the probability of such a normal operational state is assumed to be 100%. Second, in the case of a disruption (event threat), we consider all possible failed states and their underlying causes that are to be monitored by the sensors, and the respective probabilities of failed states must sum to 100%. Next, for each failed state, we consider all possible respective threat/hazard categories and respective probabilities of the categories for each failed state, ensuring that the probabilities of the categories for each failed state sum to 100%. This structure enables a nuanced, context-sensitive threat analysis that accounts for multiple pathways and their respective likelihoods. This approach is applied to the CI’s external and internal threats, as well as to the dependencies among the CIs and/or their assets.

Considering the asset is disrupted (event threat), probabilities $p_{{FS}_i}$ of i = 1, 2, …, j possible failed states (FS) sum to unity, as follows:

$$\sum _{i=1}^{i=j}{p}_{{FS}_i}=1$$

(2)

And, considering a given asset’s failed state i, probabilities $p_{{FS}_{i_n}}$ of its n = 1, 2, …, k possible specific threats sum to unity, as follows:

$$\sum _{n=1}^{n=k}{p}_{{{FS}_i}_n}=1$$

(3)

For example, a specific asset’s failed state with index i = 1 has failure probability $p_{{FS}_1}$. If, for example, the failed state has contributions from three types of threats, then, in Equation (3), we have i = 1, k = 3, and then $p_{{FS}_{1_1}}$, $p_{{FS}_{1_2}}$ and $p_{{FS}_{1_3}}$ sum to unity.

The considered hazard/threat categories are summarised in

Table 2. Overview of the considered hazard/threat categories, definitions and references.

Threat/Hazard Category	Brief Description and References
Technology-Human-Organisational (THO)	Unintentional industrial site failures due to human error, technological faults, or hazardous substance releases. May include nuclear and radiological events [23].
NaTech and climate-related	Natural hazards (e.g., floods) that trigger failures in CI due to weakness in THO measures. Also includes extreme weather phenomena linked to climate change [24,25].
Physical attack	Intentional human-caused disruption, such as unauthorised access or direct attacks on CI sites (e.g., terrorist attack, sabotage) [26].
Cyber-attack	Malicious cyber intrusions or conditions that lead to asset loss or operational failures, including hacking, malware, data breaches, and system disruptions [27].
Technology trends related	Emerging disruptive technologies that could create vulnerabilities or security concerns within CI systems [28].
Foreign Direct Investments (FDI)	Security risks associated with foreign ownership or investment in CI, including potential denial of access, espionage, and technology leakage [29].
Critical supplies (non-EU)	Risks related to supply chain dependencies on non-EU countries, potentially causing disruptions in essential materials, technology, or expertise [30].

.

Outputs: Evaluated probabilities for all CI sensors data in relation to the asset failure states, pertaining hazard/threat categories and assets interdependencies.

Step 6: Analyse Event Impacts.

Purpose: Analyse the specific event impacts and evaluate the overall impact score.

Inputs: Data on expected final state from all one-to-one asset dependencies of the CIs within the model domain (from step 4).

Method: Following the identification of causes and threat pathways, the methodology evaluates the potential impacts of each disruption scenario. Impact assessment is structured across several impact categories as proposed by Bennet in [31], including operational continuity, safety, financial losses, environmental consequences, reputational damage, and regulatory compliance. This approach ensures that all relevant categories are semi-quantified, aggregated, and weighted to reflect the scenario’s real-world implications appropriately.

For each failure scenario (i.e., for each set of asset-sensor-state-cause-hazard/threat data), we evaluate expected impacts using a scoring scale from 0 to 4 across the categories and the scoring criteria, reflecting its severity in the context of the CI operator. The impact categories, scores and criteria are presented in

Table 3. Adopted impact categories, scores, and criteria (adopted from Bennett [31]).

Impact Category	Score and Criteria
1. People Exposed: The number of individuals affected.	0: None exposed. 1: 1–50 people exposed. 2: 51–250 people exposed. 3: 251–1000 people exposed. 4: 1001+ people exposed.
2. Economic Impact (Repair or replacement costs): The financial burden of restoring services.	0: No significant economic effect. 1: Restoring cost is less than 250,000 €. 2: Restoring cost is between 250,000 and 1,000,000 € 3: Restoring cost is between 1,000,000 and 10,000,000 €. 4: Restoring cost is greater than 10,000,000 €.
3. Economic Impact (Contribution to the economy): Wider economic consequences.	0: No significant economic effect. 1: Impact on the individual critical asset’s profitability is <10%. 2: Impact on the organisation’s profitability is >10%. 3: Impact on the regional economy. 4: Impact on the national economy.
4. Business or Service Interruption: Duration and severity of operational downtime.	0: Critical assets could operate with minimal operational changes or repair. 1: Critical assets could partially operate. 2: Critical asset is shut down or unable to operate for <6 months. 3: Critical asset is shut down or unable to operate for >6 months. 4: Critical asset is not expected to be restored.
5. Interdependencies: Effects on interconnected infrastructure.	0: No effect on the critical asset’s normal operations. 1: Critical asset is a stand-alone facility and is not interdependent on other assets; adverse effects would not extend beyond this single asset. 2: Critical asset is part of a larger system; however, adverse effects would not extend beyond this single asset 3: Critical asset is part of a larger system, and at least one other asset depends on its outputs. 4: Critical asset is part of a larger system, and many other assets depend on its outputs.
6. Criticality: The importance of the asset in maintaining essential services.	0: No adverse effect. 1: Minor adverse effects would occur, limited to a local environment. 2: Significant adverse effects would occur, limited to the local environment 3: Significant adverse effects would occur in the broader environment. 4: Significant adverse effects would occur nationally or worldwide.
7. Environmental Impact: Potential damage to water, air, soil, and biodiversity.	0: None. 1: Limited damage. 2: Short-term damage to a limited extension of the surrounding environment. 3: Long-term damage to a limited extension of the surrounding environment or short-term damage to a significant extension of the surrounding environment. 4: Permanent or long-term damage to a significant extension of the surrounding environment.

.

In addition, to accommodate sectoral differences, and/or among the CIs and their environmental specifics, each impact category is assigned a weight representing its relative importance to the specific CI. For example, a telecommunications operator may assign higher weight to service continuity, while a chemical processing plant may prioritise environmental risk.

Prioritisation is conducted with the following priority weights:

• 1 (low priority): The category has minimal influence on risk mitigation decisions.
• 2 (moderate priority): The category is important but balanced with other high-priority factors.
• 3 (high priority): This category is a critical factor in risk mitigation; failure would have severe implications on the business process.

Finally, the Total Impact TI is calculated as a weighted sum of all category scores:

$$TI= \sum _{\begin{array}{c}Sum Across all \\ Impact Categories\end{array}}(Category Weight \times Impact Score)$$

(4)

For failure scenario comparability, the Total Impact TI is normalised to TI_N to a [0, 1] range, enabling consistent interpretation across different operators and domains:

$${TI}_N= {\displaystyle \frac{TI}{\sum _{\begin{array}{c}For all \\ Impact \\ Categories\end{array}}Category Weight \times 4}}$$

(5)

This impact evaluation step transforms failure scenario-specific disruptions into quantifiable metrics that can inform risk prioritisation and mitigation planning.

Outputs: Evaluated normalised total impacts for all failure scenarios.

Step 7: Calculate Risk Scores.

Purpose: Calculate the Risk Score for each failure scenario.

Inputs: Outputs from steps 5 and 6.

Method: In this final step, the Risk Score for each failure scenario is calculated by combining the threat analysis probabilities of asset’s failed state i and its specific threat k with the normalised impact score TI_N:

$$Risk Score=p_{{FS}_i}\times p_{{FS}_{i_n}} \times {TI}_N \times 100$$

(6)

The result is a value between 0 and 100, reflecting the compounded likelihood and severity of a specific failure scenario, expressed as a percentage. To support interpretation and decision making, risk levels may be classified as follows:

• <25%: Low Risk
• 25–50%: Medium Risk
• 50–75%: High Risk
• >75%: Critical Risk

Outputs: The Risk Score and interpreted risk levels serve as a foundation for comparative risk assessment across failure scenarios, infrastructures, sectors, and regions. It supports CI operators in identifying priority vulnerabilities, evaluating mitigation strategies, and strengthening inter-organisational preparedness through evidence-based collaboration.

As a summary, the entire risk assessment methodology can be effectively and visually presented in Figure 3.

2.2. ATLANTIS Architecture

The architecture focuses on the system’s functional structure rather than its physical organisation. It aims to capture the system’s functionality, data flow, and control flow in a way that is easy to understand and communicate. The key elements of a logical architecture include:

• Components: Building blocks of the system, including software modules, hardware devices, and network components.
• Relationships: Connections and interactions between components, such as data flow, control flow, and communication protocols.
• Dependencies: Relationships between components that define their order of execution or operation.
• Processes: Activities or operations performed by the system, including data processing, communication, and control.

The architecture in ATLANTIS builds upon the architecture proposed in the InfraStress project [12], extending its capabilities through three layers (Figure 4):

• Layer 1 is the CI-specific Incident Detection System (IDS) or civilian Command, Control, Communications, Computers, and Intelligence (C4I) systems. It is responsible for CI-specific information gathering and CI observation, including physical (i.e., hazard/threat-specific sensors, video surveillance, drones), cyber (e.g., complex data from PLC, SCADA, IDC, and network connectivity systems), and Humans in Vicinity (HiVIC) as human sensors.
• Layer 2 is responsible for local incidents processing, systemic risks pattern extraction, situational awareness, threats prediction/early-detection, and automatic countermeasures enforcement.
• Layer 3 is a federated cross-CI collaborative Knowledge sharing platform, Risk Assessment, State Awareness and Incidents Mitigation (CCI-SAAM) among collaborative cross-border and cross-domain CIs.

On the left side (Figure 4), the architecture offers interconnections with external systems (e.g., other IDS and CI security systems, meteorological services, Earth observation systems) along with external Information Sharing and Analysis Centre systems.

The logical view provides a high-level representation that is intentionally generic and adaptable to various CI use cases, without delving into the specifics of technical implementations. The logical view of the architecture is generic, focusing on fundamental, domain-independent concepts such as risk detection, situational awareness, and risk mitigation. Abstracting these core functions creates a logical framework that can be applied across a wide range of CI sectors, regardless of the specific technologies or systems in use. This abstraction allows for broad applicability without being tied to specific toolchains or platforms. At the same time, it holds a modular design that separates different concerns—like cyber-physical security, situational awareness, and risk mitigation—while providing clear interactions between them. This separation of concerns ensures that each sub-framework and its components can be tailored or swapped based on the specific needs of the CI sector, making it adaptable without disrupting the overall architecture. Each layer represents a logical function that can be customised according to the unique operational or regulatory requirements of different CIs. Further, since the view is logical, it is not tied to any specific technological solutions or vendor products.

3. Results

3.1. Application in ATLANTIS

Deployment of the ATLANTIS approach and tools follows a Continuous Integration/Continuous Deployment/Continuous Piloting (CI/CD/CP) strategy based on the SCRUM methodology [32]. The piloting part involved deploying, testing, and validating the overall approach, organised through three Large Scale Pilots (LSPs) across diverse CI sectors and EU countries.

LSP#1 focused on increasing the resilience of CIs that support the smooth, secure, and safe operation of essential services within and across the transport (sea, rail, road), energy (oil), and telecommunication domains, spanning the national borders of neighbouring EU countries Slovenia, Croatia, Italy, and France. LSP#1 involved CI operators and relevant authorities along the Mediterranean trade route, namely the Mediterranean Corridor. This corridor is one of the priority axes of the Trans-European Transport Network (TEN-T), connecting the Mediterranean Basin with Central Europe and Ukraine. Stakeholders included seaport operators, rail operators, highway operators, oil products distributors, communications providers, and national authorities related to infrastructure, cybersecurity, internal affairs, and law enforcement.

LSP#2 focused on validating cyber-physical activity responses to system risks, to establish business continuity and resilience procedures in cross-domain CIs. In particular, the assessment centred on hybrid physical or cyber-attacks targeting health and logistics/supply chain operations, which can significantly impact business continuity. The pilot emphasised information exchange across various operational levels and covered three critical domains, namely health (e.g., hospital health records), logistics (supply chain), and border control (border control information systems). Participants included health institutions, ICT solution providers, and national authorities responsible for cybersecurity, internal affairs, and law enforcement in two EU countries, namely Greece and Cyprus.

LSP#3 focused on validating cyber-human security measures against systemic risks and ensuring business continuity and resilience procedures in the financial sectors across two EU countries, namely Germany and Spain. It aimed to enhance the cybersecurity posture of the financial industry, particularly against hybrid threats. Cyber-attacks targeting financial CI operators could severely impact business continuity across Europe.

3.2. Validation Approach

It should be noted that the risk assessments for the sole purpose of performing the tests of the proposed approach did not use real operational data due to security limitations. That applies to the methodological steps 5, 6, and 7 (please refer to Figure 1). Instead, representative but synthetic data were used to ensure confidentiality while still allowing systematic testing of the approach.

Within each LSP, CI partners first conducted specific hazard/threat identification activities using the developed methodology, leading to a set of representative risk scenarios tailored to their operational domains. These scenarios were then assessed through the ATLANTIS software tools, which were linked to available sensors and simulation environments. A subset of scenarios was selected for detailed scripted exercises to test the implementation of the methodology.

Validation was carried out on three complementary levels. First, technical validation focused on verifying the consistency of the methodology and its implementation in the ATLANTIS tools. For this, we used scenario descriptions, dependency data provided by CI operators, and synthetic data designed to simulate incidents and asset failures. These were run through the modelling framework and tools to test whether interdependency graphs, propagation paths, and risk scores were generated as expected. Second, usability validation examined how CI operators and stakeholders interacted with the methodology and supporting tools during the workshops. For these, we used training materials in the form of presentations and short videos introducing the methodology and tools, and simulation scripts. During the hands-on workshops, participants explored whether the outputs, such as interdependency graphs and the Digital Twin (DT) platform, facilitated a clear understanding and supported cross-CI communication. Third, impact validation assessed the perceived added value of the approach in improving preparedness and awareness. To this end, we relied on pre- and post-exercise questionnaires distributed to workshop participants, covering 20 preparedness-related and 10 awareness-related questions, each rated on a 5-point Likert scale (from Very ineffective to Very effective, coded 1–5). For instance, one question asked: “How would you rate the effectiveness of the tools and technologies in place for risk management?” The outputs were quantitative measures of change between baseline and post-exercise scores, providing evidence of improvements in stakeholders’ perception of their ability to manage complex scenarios, as well as their evaluation of the relevance and effectiveness of the ATLANTIS tools for operational risk management.

This multi-level validation framework allowed us to assess not only whether the methodology and tools functioned correctly in simulated settings, but also whether they provided tangible added value for CIs in terms of situational awareness, cross-CI communication, and decision support during complex crisis scenarios.

3.3. Example

The piloting phase involved thirteen specific threat scenarios: seven under LSP#1, two under LSP#2, and four under LSP#3. For each scenario, interdependencies among the relevant CIs were modelled, analysed, and visualised as part of the deployment and demonstration activities. These exercises primarily served to illustrate how the methodology could be applied in practice and to support structured discussions with CI stakeholders.

It is important to emphasise that the focus of this section is on demonstrating the application of the cross-CI risk assessment methodology rather than reporting the results of the underlying risk assessments. For security reasons, full details of the CI assets, vulnerabilities, and threats involved cannot be disclosed. Instead, we provide selected illustrative outputs such as the interdependency graph shown in Figure 5 for one LSP#1 scenario. This example shows how the methodology was applied in practice, how it supported stakeholder engagement, and what lessons were learned about its usability and scalability.

In practice, the interdependency graphs proved to be highly effective communication aids for facilitating cross-CI risk discussions. They helped stakeholders better grasp operational linkages, one-to-one dependencies, and the potential cascading effects that could follow from the disruption of origin assets. While the illustrative example in Figure 5 does not display external hazards or explicit threat sources, or example cascading effects among the assets, the modelling framework (as described in Section 2.1 Risk assessment, Step 4) is designed to accommodate both direct and propagated risks across interconnected CI networks.

All thirteen scenarios were considered to validate the ATLANTIS methodology and tools following the three-level validation approach described in Section 3.2.

Regarding the final evaluation, in LSP#1 alone, 40 respondents participated in the final evaluation covering seven scenarios. The project goal of achieving a 40% improvement in preparedness and awareness was met or exceeded in several cases, with improvements ranging from roughly 5% to 55% depending on the scenario and respondent group. In other cases, high baseline scores naturally limited the potential for further gains. It should be underlined that building preparedness and awareness in CIs is inherently a long-term process, often requiring systemic and cultural shifts that go beyond the life timeline of a single project.

Nevertheless, these exercises clearly demonstrate the added value of our methodology and supporting tools in real-world settings. In particular, the combination of structured risk assessment, tool-supported simulations, and the shared Digital Twin platform significantly enhanced stakeholders’ ability to communicate risks consistently and coordinate across CI boundaries, one of the most positively rated aspects of the demonstrated solution.

4. Conclusions

The paper presented the cross-CI, cross-sector, and cross-border risk assessment methodology and supporting data management architecture developed within the EU-funded ATLANTIS project. The methodology enables a transparent, structured, seven-step process for risk assessment, covering scenario definition, identification of critical CI resources, and multi-dimensional evaluation of risks based on likelihood and impact.

The methodology is operationalised through the three-level ATLANTIS data framework, comprising (i) CI-specific incident detection systems, (ii) local incident processing, prediction, and response, and (iii) federated cross-CI knowledge sharing, risk assessment, situational awareness, and coordinated mitigation across sectors and borders.

The methodology and tools were validated in three large-scale pilots, applying an agile SCRUM-based process to diverse threat scenarios. Validation activities included interactive workshops with stakeholders, where results showed improvements in preparedness and awareness ranging from approximately 5% to 55%, depending on the scenario and stakeholder group—thus meeting and, in some cases, exceeding the project’s goal of a 40% increase.

Overall, these findings confirm the added value of the ATLANTIS solutions. The methodology, together with the supporting tools, such as the Digital Twin and shared communication platform, has been shown to strengthen coordination, improve risk understanding, and enhance communication consistency across CIs, sectors, and national borders. These results underline the potential of the ATLANTIS approach not only to improve operational resilience today but also to inform future European efforts in systemic risk management and CI protection.