The EU supports SMEs in implementing the Cyber Resilience Act. Up to €30,000 is available for security testing, consulting and process measures.
What is it about?
The SECURE project (Strengthening EU SMEs Cyber Resilience) is an EU-funded programme under the Digital Europe Programme. Its goal is to financially support European SMEs in implementing the Cyber Resilience Act (CRA).
The reality is that many manufacturers — especially in mechanical and plant engineering — are affected by the CRA but lack the internal resources and budget to carry out compliance projects on their own. This is exactly where SECURE steps in.
Key facts at a glance
- Grant amount: Up to €30,000 per company
- Co-financing: 50% of eligible costs are covered
- Total budget for this round: €5 million
- Project duration: Maximum 180 days
- Payment model: Lump-sum (flat-rate settlement without detailed cost proof)
- Application period: 28 January to 29 March 2026
What is funded?
The funding covers a wide range of activities that prepare companies for the CRA:
- Compliance consulting: Gap analyses, support with conformity assessment, setting up policies and processes
- Technical security measures: Vulnerability assessments, penetration tests, source code analysis, product hardening
- Governance and risk management: Internal processes for incident detection, vulnerability disclosure, risk assessments, supply chain security
- Training: Awareness training and further education for staff on product security and CRA requirements
- Procurement: External services and tools necessary to achieve the security objectives
In short: nearly all measures that move a company closer to CRA compliance are eligible for funding.
Who can apply?
Eligible applicants are micro, small and medium-sized enterprises (SMEs) headquartered in the EU or EEA. The EU definition of an SME applies:
- Fewer than 250 employees
- Annual turnover ≤ €50 million and/or balance sheet total ≤ €43 million
The full definition, including rules on linked enterprises, can be found on the official EU SME definition page: https://single-market-economy.ec.europa.eu/smes/sme-fundamentals/sme-definition_en
Note: Only single companies can apply — no consortia or alliances. Subcontracts to external service providers are explicitly eligible costs.
How does the process work?
- Registration on the SECURE platform and upload of company documents
- Submit proposal: Project description with concrete goals, work packages and measurable KPIs
- Evaluation: Formal check by the consortium, technical assessment by experts, eligibility check by the national Cybersecurity Coordination Centre (NCC)
- Implementation: After approval, the company has 180 days to carry out the project
- Closure: Technical report proving the achieved goals — payment is made afterward
Optional pre-financing of 40% can be requested.
Use funding for external consulting
The 50% co-financing explicitly also applies to external service providers. That means if a company hires a specialised provider for a gap analysis, IEC 62443 consulting or penetration testing, those costs are reimbursed at 50%.
We at Secuvise support manufacturers exactly on these topics — from the initial assessment through development of a security roadmap to concrete technical tests. If you want to use the funding, we are happy to help you put together a suitable project package that meets the requirements of the call and genuinely advances your company.
Use funding for your CRA compliance
Up to €30,000 co-financing for gap analyses, security testing and consulting — we help you identify the right measures and prepare the application.
Next steps
The application period ends on 29 March 2026. If you want to use the funding, you should start preparing promptly — the project description and the definition of measurable goals in particular require some lead time.
All details on the open call, the proposal templates and the complete guidelines are available on the SECURE project page: https://www.secure4sme.eu/cascade-funding
