Funding Support for MSMEs under the Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) introduces new compliance requirements for businesses operating in the digital ecosystem. To help micro, small and medium-sized enterprises (MSMEs) adapt and thrive, SECURE is launching targeted funding opportunities designed to support your journey toward cybersecurity compliance.
Who Can Apply?
This opportunity is open to European MSMEs falling within the scope of the CRA and committed to strengthening their digital resilience through concrete, actionable initiatives.
What’s in It for Your MSMEs?
Through our Open Calls for Proposals, eligible MSMEs will gain access to:
| 1st Call Total Budget | € 5 million |
|---|---|
| Funding per grant | Up to € 30,000 |
| Target applicant | Micro, small and medium-sized enterprises (MSMEs) |
| Co-financing | 50% |
| First call | 28 January 2026 - 29 March 2026 |
Cyber Resilience Act (CRA) will impact micro, small and medium-sized enterprises (MSMEs) that operate within sectors mandated to comply with the CRA such as:
Given the pivotal role of SMEs in the EU’s economy and their vulnerabilities, targeted support is crucial for their CRA compliance and overall resilience.
The sectors under the CRA are critical to the digital ecosystem, where breaches can have widespread impacts.
Challenges for MSMEs include limited cybersecurity expertise and resources, making them prime targets for cyber threats, particularly as part of essential service and product providers’ supply chains or when serving a broad audience.
The SECURE project provides tailored support and funding to built SMEs capabilities for cyber resilience.
At least two Open Calls will be launched during the project timeline. Each call will be open for a fixed period, during which MSMEs can submit proposals online.
Applications will be managed through our user-friendly platform, featuring:
Stay tuned dates and full details will be published soon on this page.
All submitted proposals will undergo a preliminary Formal Eligibility check to assess the achievement of CRA-related Requirements. Eligible submissions will be evaluated by the SECURE Evaluation Committee, an independent pool of expert under strict conflict-of-interest rules.
Projects will be ranked and selected based on:
Excellence and Relevance: assessing the quality and credibility of the proposed action in relation to the objectives of the Cyber Resilience Act (CRA)
Impact and Clarity: evaluating the expected benefits of the Project and the clarity of the whole Proposal
Implementation: considering the feasibility and practicality of the Project plan
Full transparency is guaranteed: scoring criteria, funding terms, and evaluation procedures will be publicly available on the Official Call Documentation.
To cofinance concrete projects submitted by EU mSMEs with the scope of strengthening cyber resilience and helping enterprises to comply with the CYBER RESILIENCE ACT (CRA) through activities covering products, infrastructures, processes, and governance. Funding focuses on CRA-aligned outcomes.
Company eligibility Criteria: Only individual legal entities that qualify as mSMEs and are legally established in eligible countries (EU + EEA), meeting all legal/ethical requirements and not subject to double funding. Only Consortia and business networks are not eligible.
CRA-related Requirements: This Open Call is addressed to business activities related to the development, manufacturing, import, or distribution of digital products or services, specifically those falling under the scope of the CRA. Applicants must operate in a sector or have business activity that reasonably falls, may fall or will fall within the CRA scope and regulatory framework or clearly demonstrate willingness to do so. Furthermore, only Projects aimed at achieving compliance with the CRA will be accepted.
Per Commission Recommendation 2003/361/EC and Commission Delegated Directive (EU) 2023/2775: fewer than 250 employees (AWU), ≤ €50M turnover and/or ≤ €43M balance sheet total. Apply affiliation rules (autonomous/partner/linked) to compute the figures. Find here a complete guideline: https://op.europa.eu/en/publication-detail/-/publication/79c0ce87-f4dc-11e6-8a35-01aa75ed71a1.
This is the first call; at least another call will follow.
Only 1 Project proposal is admissible for each single organization.
Yes, but remember: for each Open Call only 1 Project proposal is admissible for each single organization.
Yes, in case your proposal has not been funded, your proposal can be re-submitted in a latter call. You should review the evaluation report with care and revise the proposal in line with the comments received.
On the SECURE platform/website and via email notifications from the platform.
Stay updated on the SECURE project, cyber resilience news, and upcoming opportunities by subscribing our newsletter.
