FAQ

• Company eligibility Criteria: Only individual legal entities that qualify as mSMEs and are legally established in eligible countries (EU + EEA), meeting all legal/ethical requirements and not subject to double funding. Only Consortia and business networks are not eligible.

• CRA-related Requirements: This Open Call is addressed to business activities related to the development, manufacturing, import, or distribution of digital products or services, specifically those falling under the scope of the CRA. Applicants must operate in a sector or have business activity that reasonably falls, may fall or will fall within the CRA scope and regulatory framework or clearly demonstrate willingness to do so. Furthermore, only Projects aimed at achieving compliance with the CRA will be accepted.

Per Commission Recommendation 2003/361/EC and Commission Delegated Directive (EU) 2023/2775: fewer than 250 employees (AWU), ≤ €50M turnover and/or ≤ €43M balance sheet total. Apply affiliation rules (autonomous/partner/linked) to compute the figures. Find here a complete guideline: https://op.europa.eu/en/publication-detail/-/publication/79c0ce87-f4dc-11e6-8a35-01aa75ed71a1.

• SECURE Call 1 total budget = €5,000,000,
• Maximum funding = €30,000 per project,
• Cofinancing rate = 50% (cost cap = € 60.000),
• Maximum eligible Project Cost = No limit. If total eligible costs > €60,000, contribution will still be capped at €30,000.
• Cost Reporting Method = Lump‑sum grant modality (for more information see how-to-manage-your-lump-sum-grants_en.pdf).

This is the first call; at least another call will follow.

Only 1 Project proposal is admissible for each single organization.

Yes, but remember: for each Open Call only 1 Project proposal is admissible for each single organization.

Yes, in case your proposal has not been funded, your proposal can be re-submitted in a latter call. You should review the evaluation report with care and revise the proposal in line with the comments received.

On the SECURE platform/website and via email notifications from the platform.

The Evaluation Committee determines a completion percentage based on achieved KPIs/Deliverables; the balance payment is reduced proportionally (e.g., 60% completion → 60% of grant).

No balance payment is made. If pre‑financing was paid, the beneficiary may be required to reimburse it.

No—the grant is funded with EU funds and does not fall under de minimis nor GBER.

Yes. Although no detailed financial reporting is required for the lump sum, the European Commission and other audit authorities (e.g., European Cybersecurity Competence Centre – ECCC, European Court of Auditors – ECA, European Anti‑Fraud Office – OLAF, European Public Prosecutor’s Office – EPPO, and national audit authorities) may conduct checks or audits. Therefore, the beneficiary must keep full and accurate records of all declared costs (e.g., contracts, invoices, timesheets, payroll records, accounting extracts, and all types of documentation that audit authorities may request) as well as of project implementation. All documentation must be retained for up to 5 years from the project end date.

SECURE funding is capped at EUR 30,000 per project, covering 50% of eligible costs. Projects with higher total costs may still apply, but any amount exceeding EUR 60,000 must be fully covered by the applicant. The Call does not allow increasing the funding cap or combining multiple SECURE grants for the same project.

If pre-financing was requested during application by the applicant company, the prefinancing amount (40% of the grant amount) will be transferred shortly after the Sub-Grant Agreement is signed and countersigned, which is expected around August–September 2026; If no pre-financing was requested, payment is made only after project completion and approval of the Technical Report, after the implementation period.

NCCs support applicants and verify company eligibility. If the NCC of a country is not involved or does not complete validation, the proposal may be ineligible. Applicants are recommended to check involvement of their NCC. Here’s the EU NCCs list: https://cybersecurity-centre.europa.eu/nccs_en.

As NCCs are responsible for carrying out the eligibility check of applicant companies, organisations based in a country whose NCC does not participate in the SECURE project may submit a project proposal, yet their application cannot be assured to pass the company eligibility checks.

Be an individual legal entity, qualify as an mSME, be established in an eligible country (EU + EEA), meet legal/ethical requirements, and ensure no double funding.

Applicants must demonstrate direct relevance to CRA scope (e.g., as manufacturer/developer/importer/distributor of products with digital elements), identify covered products/services, and show how the project bridges compliance gaps.

Associations may participate as sole beneficiaries (not jointly with members). Individual members may apply independently if they meet eligibility requirements.

Grounds for exclusion include fraud, corruption, participation in criminal organization, money laundering, terrorism, human trafficking, grave professional misconduct, bankruptcy, administrative penalties, enterprise in difficulty, and EU restrictive measures.

No. The funding is not intended to develop a new commercial product; it can be used only for activities that support the applicant SME’s own compliance with the Cyber Resilience Act, even if these involve adapting or integrating existing solutions within the company’s operations or products

The SECURE funding is intended to support SMEs in achieving compliance with the Cyber Resilience Act for their own products, processes, and operations. The funded project must be directly linked to the applicant SME’s CRA compliance needs and to products or services that fall, or are expected to fall, within the scope of the CRA. Projects focused primarily on developing tools, platforms, or services aimed at facilitating CRA compliance for other SMEs are not eligible, unless such developments are an integral and necessary part of the applicant’s own CRA compliance process. In all cases, the primary beneficiary of the funded activities must be the applicant mSME itself.

No. SECURE funding is linked exclusively to the Cyber Resilience Act, and companies do not need to be classified as essential or important entities under NIS2 to be eligible.

The criteria for qualifying as an SME are defined according to the EU Commission Recommendation 2003/361/EC and Commission Delegated Directive (EU) 2023/2775. A detailed explanation of the SME definition, including examples and guidance on partner and linked enterprises, is available on the European Commission website: https://single-market-economy.ec.europa.eu/smes/sme-fundamentals/sme-definition_en

There are no regional restrictions beyond eligibility rules: any enterprise established in an eligible country, namely EU Member States and EEA countries, may apply, provided it qualifies as an SME and meets the CRA-related eligibility requirements.

Associations with a legal personality that are not public entities can participate as sole-beneficiaries. Associations cannot request funding for their associated partners since consortia are not admitted to the present Open Call.

Eligibility will follow the definitions of the Cyber Resilience Act, which applies to manufacturers, importers, distributors, and open source stewards of products with digital elements—that is, hardware or software with direct or indirect data connectivity. This means that there will not be a specific sector list, but any company already in scope of the CRA, as well as those likely to fall under it in the future, are broadly considered potentially eligible. However, final eligibility will be determined during the Formal Evaluation, based on the company description and the activities proposed. In general, sectors such as industrial machinery manufacturers, IoT Companies or electronic board producers should fall within potential scope, but each proposal will be assessed case by case.

The primary purpose of these grants is not to support R&D activities aimed at developing entirely new cybersecurity products. R&D may be eligible only when it is specifically intended to help the applicant company achieve cyber resilience and compliance with the Cyber Resilience Act (CRA). The grants are mainly intended to finance activities, services, and goods that contribute directly to achieving CRA compliance. They may also support the adoption and integration of existing cybersecurity solutions, provided that these activities directly serve the applicant company’s compliance efforts and fall within the scope of eligible activities defined in the Call (ANNEX 2).

Yes. You may apply to fund the introduction and training of your teams on specific tools for your own equipments and processes, provided these activities directly support your company’s Cyber Resilience Act compliance and are linked to products, activities or processes within CRA scope.

Yes. Eligibility is based on the Cyber Resilience Act (CRA) definitions, which apply to any manufacturer, importer, distributor, or open source steward of products with digital elements — meaning hardware or software with direct or indirect data connectivity. Therefore, companies whose core business lies in other sectors may still be eligible if they develop, operate, or maintain products with digital elements that fall under the CRA (for example: proprietary IoT modules, monitoring systems, embedded controllers, or software tools used in their operations). Typical examples include water distribution utilities, energy providers, logistics companies, transport operators, or industrial plants that build or manage custom connected systems. As always, final eligibility will be determined during the Formal Evaluation, based on the company description and the CRA relevant activities outlined in the proposal.

Yes. SMEs from all eligible European countries may apply; however, if the National Cybersecurity Coordination Centre in your country decide not to support the SECURE Call during the company eligibility evaluation phase, there is no guarantee that the eligibility checks can be completed successfully. An updated list of supporting NCCs will be published on the SECURE website.

No. Only individual SMEs can apply as single beneficiaries; consortia or partnerships, including those involving universities, are not eligible under this Call. Associations can participate as sole-beneficiaries if they have a legal personality.

Yes. SMEs may subcontract highly specialised technical services, including to universities or research institutions, provided the subcontracting is justified, follows best value for money principles, the supplier is based in one of the eligible countries and complies with other eligibility and subcontracting rules of the Call.

You may still apply, but there is no guarantee of funding if your national NCC does not perform the eligibility validation. Validation on the EU Funding and Tenders Portal does not replace the eligibility check carried out by the NCC for this Call, as NCC validation is a specific requirement of the SECURE procedure, since the grants are managed directly by the SECURE Consortium.

No. EUCC conformity assessment, including laboratory assessments, is not eligible under the first SECURE Call, as certification and third-party conformity mechanisms are not yet operational under the CRA and therefore excluded from funding at this stage. However, generic assessment activities aimed at improving cybersecurity levels and supporting future CRA compliance are eligible. This means that, although formal EUCC certification and lab assessments for certification are excluded, the SECURE Open Call can support activities aimed at achieving cyber resilience and CRA compliance also by using certification frameworks for an internal assessment. Eligible activities in that sense could be:

· Internal cybersecurity assessments,

· Vulnerability Assessment,

· Security by design activities,

· Preliminary gap analyses,

· Readiness evaluations,

· Process and technical improvements aligned with CRA obligations.

The 1st SECURE open Call will be focused on Default Products due to the lack of the identification of specific certification schemes under the CRA. Given that, if the proposed activity is not aimed at obtaining a specific certification, a reseller of firewall and cyber threat intelligence technologies may be eligible, provided it qualifies as an SME and the proposed project supports its own Cyber Resilience Act compliance in relation to products with digital elements it places on the market, such as through branding, integration, or substantial modification, rather than resale alone.

Yes. This Call is strictly for private-sector micro, small, and medium-sized enterprises; public bodies and organisations such as public administrations or universities cannot apply as beneficiaries. Associations with a legal personality can participate as sole-beneficiaries.

In such cases, the NCC responsible for evaluating the company’s eligibility criteria will be the NCC of the Member State where the enterprise’s headquarters (legal registered office) are located.

Documents must be submitted in English, with the exception of official documents issued by national public authorities, which may be provided in their original language.

You should write the proposal following Annex 1.1 and respecting page limits. You have to include company profile, CRA relevance & objectives, methodology, impact, Implementation with WP/Tasks/Milestones/Deliverables/KPIs, Gantt, risks & mitigations, and ethics/security tables. KPI definitions should be clear and measurable. KPIs are crucial for the evaluation of the proposal and for the verification of project implementation if funded, as they are essential for the disbursement of the financial contribution.

You have to complete Annex 1.3, then export the entire file (all worksheets) to PDF and apply a PAdES signature. More information about how to complete Annex 1.3 Proposal Budget Template can be found in Chapter E – Budget and Cost Rules of the FAQ

There should be a minimum of 1 and a maximum of 3 WPs.

You have to fill the risk table indicating risk description, category (Technical/Operational/Financial), impact, likelihood, and mitigation measures; include concrete examples and alternatives.

All required documents must be signed using PAdES (PDF Advanced Electronic Signature or Qualified Electronic Signature for PDFs). This includes documents such as the Budget PDF, Applicant/Ownership declarations, CRA Maturity Assessment, Sub-Grant Agreement, and other relevant forms. Using PAdES ensures that the signatures are secure, legally recognized, and compliant with EU regulations.

Applicants must submit their most recent closed financial statement, covering the latest completed financial year at the time of application.

All templates and required documents are available on the SECURE website, while some auto-generated documents will be available directly on the platform (e.g: Applicant Self Declaration and Sub-Grant Agreement). The online platform will be accessible via the SECURE website from 28 January 2026.

Each criterion is scored 0–5 per evaluator; Proposals are evaluated by groups of 3 evaluators. The score assigned from each evaluator to each criterion will be summed, with a maximum final score per criterion = 15. A weighted average will be calculated between the sum result for each criterion with a maximum final average score of 15 (rounding rules apply). Exclusion: if score is <10 in two or more criteria or weighted average is <10. Large discrepancies may trigger an additional evaluator.

By submission timestamp—earlier submissions rank higher in case of a tie (amendment periods not counted).

Evaluators are cybersecurity/CRA experts appointed from SECURE Consortium partners’ staff; the Ev.Co. can include up to 21 members (one per partner).

Yes. During the technical evaluation, the Committee may request clarifications via email within the stated timeframe.

After Technical Report submission, Ev.Co. verifies Deliverables, Milestones, KPIs and may request amendments (within 14 calendar days from notification). The outcomes of this evaluation are classified as: Fully Achieved, Partially Achieved (with percentage), or Not Achieved.

A mandatory questionnaire to complete/sign (PAdES) after Sub‑GA. Without uploading it, Technical Report upload is blocked and the project is considered not implemented.

Detailed implementation narrative linked to KPIs/Deliverables, including supporting evidence such as technical documents, VA/PT outputs, code/executables, network maps, multimedia, etc.

Submissions after the 180‑day deadline are not accepted unless explicitly requested by Ev.Co. If empty/illegible or the evidence not provided— even after being requested and within the 14-day amendment period—the project may be deemed not implemented and therefore ineligible for payment.

Precisely those stated in the Proposal (Annex 1.1) and reiterated in the Technical Report: e.g., PDF technical reports, VA/PT outputs, source code review results, network mappings, certificates, training records, multimedia evidence, etc.

Yes, early submission is allowed; however, it does not result in early payment, as evaluation and payment of balance follow the standard timeline.

Yes, after the project has been implemented and the grant payment completed, funded companies will receive a formal attestation of project completion.

Yes, beneficiaries are strongly encouraged to publish project results.

All publications and social media posts must include:

• EU and European Commission logos
• SECURE Project logo
• ECCC logo
• Funding bodies (EU Commission, ECCC, and SECURE Consortium)
• Any other relevant project details

Further guidance is provided in the Call Guidelines. The formal attestation issued by the platform also contains useful information for result dissemination.
 

Projects may start only after the Sub-Grant Agreement is signed both by the Company and the SECURE Consortium representative, which is expected around 5–6 months after the call deadline, following completion of the evaluation and eligibility checks.

No. Only activities carried out after the Sub-Grant Agreement is signed are eligible; KPIs and results achieved before signature cannot be validated or recognised for funding, even if the project is later selected. During the drafting of your project Proposal you will be asked to provide a timeline (Gantt chart) of the project activities. The activities kick-off and deadlines shall fall within the 6-month implementation period which starts from the day of the uploading of the signed Sub-Grant agreement.

Projects must be implemented within a maximum of 180 calendar days (6 months) from the signing of the Sub-Grant Agreement; this deadline is mandatory and extensions are not foreseen.

Under the SECURE Open Call, the primary purpose of using or developing a CRA self assessment tool is to support the mSME’s own internal CRA readiness and compliance efforts. Therefore, the expectation is that the SME develops, adapts, or uses such a tool for internal purposes, not for commercialisation or distribution to third parties. However, an important exception applies: if the SME develops a compliance tool that itself qualifies as a “product with digital elements” under the CRA, and therefore must be brought into CRA compliance, then activities related to ensuring that this tool meets CRA requirements may be eligible.

Through the platform dashboard and email notifications to the address provided during registration.

Official support is provided via the platform and email (submission‑support@secure4sme.eu). Any additional help channels will be announced on the SECURE website/platform.