Promoting cyber resilience among small and medium-sized enterprises

The SECURE – Strengthening EU SMEs Cyber Resilience Project is a three-year project that was launched in January 2025 and is funded by the European Union as part of the Digital Europe programme.

The aim of the project is to strengthen the cyber security resilience of European micro, small and medium-sized enterprises (MSMEs). This will be achieved through the publication of open calls for proposals to help companies meet the requirements of the Cyber Resilience Act (CRA). The calls for proposals offer direct financial support to co-finance specific projects aimed at improving CRA compliance and optimising cybersecurity practices.
 

Micro, small and medium-sized enterprises (mSMEs) that are registered as legally independent companies in a Member State of the European Union or in the European Economic Area (EEA) are eligible to apply.

According to Commission Recommendation 2003/361/EC, mSMEs employ fewer than 250 people, have an annual turnover not exceeding EUR 50 million and/or an annual balance sheet total not exceeding EUR 43 million. mSME status must be indicated in the application and will be verified during the evaluation process.

The basic requirement for funding is that companies develop, manufacture or operate products, services or business processes that fall within the scope of the Cyber Resilience Act (CRA). In addition, applicants must pursue a clearly defined project that aims either to improve CRA compliance or to specifically strengthen their own cyber resilience.

Corporations or corporate networks are not eligible for funding – applications may only be submitted by individual companies.
 

The budget available for the first call for proposals is approximately €5 million. Successful applicants will receive a grant covering 50 per cent of the total eligible costs of their project, up to a maximum of €30,000. If the total cost of the project exceeds €60,000, the SECURE contribution will be limited to €30,000.

Applicants must complete the project budget plan in accordance with Annex 1.3 in euros (EUR) and provide a breakdown of the estimated eligible costs by budget category.
 

Interested companies must register on the SECURE platform and create an account. The documents, guidelines and templates for the applications can be viewed there.

The application can then be submitted online via the SECURE platform's call portal. It is emphasised that ‘direct and material relevance to the scope of the Cyber Resilience Act (CRA)’ must be demonstrated.

When drafting the proposal, the CRA-related requirements must be clearly set out by defining the operational context of the company in which the project is being developed. The assessment will focus on whether the company's current or future activities are likely to fall within the scope of the CRA. To facilitate classification in accordance with the CRA provisions, ENISA guidelines and other materials provided by the SECURE project consortium, applicants must clearly indicate in their proposal which products/services fall or will fall within the scope of the CRA.
 

In addition to the above-mentioned mSME criteria and the content review with regard to cyber resilience objectives, the submitted proposals will also be reviewed based on the following criteria:

• Excellence and relevance: Quality and relevance to CRA objectives
• Impact and clarity: Expected benefits and comprehensibility of the project description
• Implementation: Realistic, clear planning and feasibility
   

Applications can be submitted in a so-called ‘first open call’ from 28 January 2026 to 29 March 2026.

If a proposal is not funded, it can be resubmitted in a later call. It is not yet known when exactly these later calls will take place.