Call for applications for grant to support the enhancement of the cyber resilience of products

TestCert-SK is a cascade funding call under the EU Digital Europe Programme offering €318,720 in non‑repayable grants to increase the cyber resilience of products and support preparedness for the Cyber Resilience Act. Eligible applicants are certified educational institutions (for development of support tools and training activities) and Slovak-registered small and medium-sized enterprises that are manufacturers of products with digital elements (for analysis, testing and deployment activities). The call opens 30 April 2026, closes 1 July 2026 at 18:00 Brussels time, requires electronic submission via the Central Public Administration Portal with a qualified electronic signature, and projects must be completed by 31 October 2026. Grants are paid as a single final instalment after approval of the final report and supporting accounting documents.

Who can apply

Eligibility highlights

This cascade funding call (project TestCert-SK, Digital Europe) accepts single applications from: certified educational institutions for activities 1 to 3; and SMEs registered in Slovakia that are manufacturers of products with digital elements for activities 4 to 10. Natural persons and micro-enterprises are excluded.

Funding and deadline:Total allocation €318,720. Grants paid as a single instalment at project end after final report. Deadline for applications 1 July 2026, 18:00 Brussels time ¹.

1. 1What is funded: short projects to improve CRA compliance via support tools, training, analyses, testing, and deployment of security hardware/software tied to eligible activities.
2. 2Eligible applicants: certified educational institutions (activities 1-3) and Slovak SMEs that are product manufacturers with digital elements (activities 4-10).
3. 3Project outputs: methodological tools, training curricula, gap and risk analyses, action plans, vulnerability and penetration test reports, lab test reports, and deployment documentation for monitoring/protection tools.

Applications must be signed with a qualified electronic signature and submitted via the Central Public Administration Portal (www.slovensko.sk) as specified in the call conditions; ranking is by published selection criteria and funding is allocated in ranking order ¹.

Footnotes

1. 1Full call text and application instructions: ncca.nbu.gov.sk

Key administrative facts

Call title:Call for applications for grant to support the enhancement of the cyber resilience of products. Project acronym: TestCert-SK. Full name of EU funded project: Testing and Certification Capabilities in Slovakia. Grant agreement number: 101127837. Programme: Digital Europe Programme (project DIGITAL-ECCC). Opening date: 30 April 2026. Deadline (single-stage): 1 July 2026, 18:00 Brussels time. Expected duration of participation: until 31 October 2026. Total funding available under this cascade call: €318,720. The grant will be provided as financial support to third parties under the TestCert-SK grant agreement between the European Commission and the NSA.

Purpose and scope

Purpose:Provide one-off grants to eligible beneficiaries in Slovakia to increase the cyber resilience of products with digital elements and to support preparedness for compliance with the Cyber Resilience Act (Regulation (EU) 2024/2847). Only projects explicitly aimed at enhancing cyber resilience through the defined eligible activities in Areas 1–5 are considered eligible.

Primary link for the official call documentation:Full call text and annexes are published by the authority running the cascade and a copy is available on the authority site and on the EU Funding & Tenders Portal Official call page ¹.

Eligible applicants (types and legal restrictions)

Two beneficiary categories are defined by activity area:educational institutions and SMEs (manufacturers). Precise legal eligibility and conditions are mandatory and strictly checked at submission.

1. 1Educational institutions: certified educational institutions as defined by Section 10 of Act No. 292/2024 Coll. on Adult Education and entered in the register of certified educational institutions. These entities are eligible for Area 1 (support tools) and Area 2 (education activities 1–3).
2. 2Small and medium-sized enterprises (SMEs): legal entities (not natural person entrepreneurs) defined under Section 2(2)(a) of the Commercial Code that meet the SME definition (Annex I to Commission Regulation (EU) No 651/2014) and are registered in the Slovak Republic on the date of submission. SMEs are eligible for Areas 3–5 (activities 4–10). Micro-enterprises are explicitly excluded. Applicants established by mergers or reorganisations use the period of operation of the longest-standing dissolving company to satisfy minimum operating period requirements.
3. 3Additional SME accounting requirement: As of the application date the SME must have approved financial statements for two consecutive completed financial periods each of at least 12 months immediately preceding the application year (detailed examples provided in call guidance).
4. 4Manufacturing requirement: For activities 4–10 the applicant must demonstrate, on the date of submission, that it is a manufacturer of a product with digital elements as defined in Regulation (EU) 2024/2847 (Cyber Resilience Act).

Eligible activities, beneficiaries and expected deliverables (full list)

The call defines five Areas and ten eligible activities. Applicants may only propose activities matching their beneficiary category: educational institutions may propose Activities 1–3; manufacturers (SMEs) may propose Activities 4–10. Applicants may combine activities within the allowed range for their beneficiary type. The call provides specific expected outputs/deliverables for each activity and allows procurement of technologies necessary to meet CRA compliance objectives if directly linked to an eligible activity.

Financial rules, payment and administrative requirements

Funding type:non-repayable grant (financial support to third parties) paid in a single instalment at the end of the project after approval of the final report. Payment is conditional on submission of supporting accounting documents, fulfilment of project indicators, the final report and documentation produced under the project. Beneficiaries must keep analytical accounting records of project-related expenditure. The grant is provided under the TestCert-SK project grant agreement and funded from the Digital Europe Programme.

Total funding available and individual award size:Total funding available for this cascade call is €318,720. The call text does not present a per-beneficiary maximum in the scraped content; applicants should consult the official annexes for maximum grant per third party and eligible cost categories ¹.

Submission, signature and delivery

Application submission model:single-stage. The completed application form must be signed by the statutory body with a qualified electronic signature or a qualified electronic signature bearing a mandate certificate or a qualified electronic seal. The signed application must be sent as an annex to the electronic submission via the Authority’s electronic mailbox on the Central Public Administration Portal www.slovensko.sk using the ‘General Agenda’ service. Applications not received in the specified form will be disqualified. The method of delivery is further detailed in Annex 2 of the call Conditions for granting a grant.

Evaluation and selection process

Each application is assessed using the Criteria for the selection of projects (Annex 3 to the call). Applications that meet eligibility and selection criteria are scored and ranked descending by score. Draft grant agreements are sent in ranking order to applicants for whom full funding is available. Applicants for whom funding is not available due to exhausted funds will not receive a draft grant agreement.

1. 1Scoring and ranking based on Annex 3 selection criteria (applicants must refer to Annex 3).
2. 2Draft grant agreement issued to highest-ranked applicants while funds remain available.
3. 3No funding offer for applicants beyond the call allocation.

Co-funding and eligible costs

The scraped content does not explicitly state a mandatory co-funding percentage. The grant is conditional on accounting records and fulfilment of project indicators. Applicants must consult Annex 2 (Conditions) and the full call documentation to confirm co-financing rules, eligible direct and indirect costs, procurement rules and allowed subcontracting. The call allows procurement of necessary technologies when directly linked to eligible activities.

Consortium requirement and geographic scope

Consortium requirement:single applicant. The call is a cascade funding measure offering grants to single beneficiaries (either a certified educational institution or a Slovak SME manufacturer). Geographic eligibility: applicants must be registered in the Slovak Republic. The call is implemented under an EU project but is limited to entities in Slovakia for this cascade.

Target sectors and project stage

Target sector:ICT, cybersecurity for products with digital elements, software and hardware security, product certification and conformity assessment. Expected project stage: applied/compliance readiness, validation and demonstration activities—targets include gap analysis, testing, training and implementation of remediation actions to achieve CRA compliance rather than early research or large-scale commercialisation.

Application type, stages and success rate

Application type:open competitive single-stage call (applicants submit one application; multiple submissions allowed but only the last submitted is considered). Application stages: effectively one stage for submission followed by evaluation and ranking; successful applicants sign a grant agreement and implement the project then submit a final report for payment (so operational stages: submission, evaluation, grant award, implementation, final report/payment). Success rate: not specified in the call text. Given the limited total allocation (€318,720) and typical cascade call practice, success rates depend on the number of eligible applications and requested amounts; applicants should assume strong competition and plan proposals to be cost-effective and clearly aligned with selection criteria.

Nature of support and payment modality

Nature of support:monetary (non-repayable grant) and conditional on deliverables. Non-monetary support is not described in the scraped content, but the call expects deliverables such as training materials, reports and testing evidence. Payment modality: single final instalment after approval of final report and submission of accounting documents.

Templates and application form structure (guidance extracted from call)

The full application form and annexes (Annex 2 Conditions for granting a grant; Annex 3 Criteria for selection of projects) are referenced in the call and must be used. The completed application must be signed with a qualified electronic signature. While the scraped content does not reproduce the application form fields, applicants should prepare documents covering at least the following common elements typically required in cascade calls: legal and administrative identification of the applicant, proof of registration in Slovakia, SME status evidence, certified educational institution registration (if applicable), description of proposed activities and deliverables mapped to the eligible activity numbers, implementation timetable (project end by 31 October 2026), budget breakdown with eligible cost justification, evidence of previous financial statements (two completed years), accounting arrangements, CVs and capacities of key staff, risk assessment and mitigation, and confirmation of manufacturer status for product-with-digital-elements (where applicable). Applicants must attach the qualified signed application form and any required annexes via the Central Public Administration Portal submission mailbox as an annex to their electronic submission.

1. 1Prepare legal and administrative documents (company registration, proof of SME status, financial statements for two completed years).
2. 2Prepare technical proposal: chosen Area and Activity numbers (1–10), detailed description of tasks and expected deliverables as listed in the call, timeline, and personnel.
3. 3Prepare budget and procurement justification for any hardware/software purchases directly linked to eligible activities (list items such as firewalls, IPS, encryption, EDR/XDR, SBOM tools, MFA/PAM).
4. 4Complete and digitally sign the official application form with a qualified electronic signature, attach to electronic submission via www.slovensko.sk General Agenda service.
5. 5Ensure training offers (where applicable) include provision of free training places for 5 participants nominated by 5 different SMEs and provide attendance/completion records.

Mentioned countries / geographic references

Explicit country references in the call text:Slovak Republic (applicants must be registered in the Slovak Republic). The call is funded by the EU Digital Europe Programme but the cascade is targeted at entities in Slovakia.

Success conditions, reporting and audit

Payment is conditional upon:submission of accounting documents, fulfilment of project indicators and deliverables, submission of the final report and documentation produced under the project. Beneficiaries must maintain analytical accounting records for the supported project. The final report and deliverables will be reviewed by the Authority before the final payment is authorised. Standard public aid and EU funding compliance rules referenced in the call and annexes will apply (including references to the Commercial Code and Commission Regulation (EU) No 651/2014).

Co-funding requirement

The scraped content does not explicitly state a co-funding ratio or mandatory beneficiary contribution. Applicants must consult Annex 2 Conditions for granting a grant and the official call documentation for co-financing rules, de minimis or regional aid rules, and eligible cost definitions. The call references compatibility with internal market aid rules and Commission Regulation (EU) No 651/2014, implying public aid rules may apply where relevant.

Project maturity and recommended fit

Recommended project stage:proposals should be implementation-oriented and focused on gap analysis, technical testing and remediation, training roll-out, deployment of monitoring/protection tools, and delivering verifiable evidence that CRA-related compliance steps have been taken. Suitable applicants will be operational SMEs with existing products with digital elements or certified educational institutions with capacity to deliver training and CRA support tools.

Important legal references cited in the call

1. 1Regulation (EU) 2024/2847 of 23 October 2024 (Cyber Resilience Act) — defines products with digital elements and CRA obligations.
2. 2Act No. 513/1991 Coll., the Commercial Code (Slovak legal reference for company definitions and legal forms).
3. 3Act No. 292/2024 Coll. on Adult Education (definition and register of certified educational institutions).
4. 4Commission Regulation (EU) No 651/2014 (state aid compatibility) as referenced for SME classification and aid rules.

For further procedural and technical clarifications applicants must consult the full call annexes (Annex 2 Conditions for granting a grant, Annex 3 Selection criteria) and the authority's web page linked in the call documentation before preparing and signing the application ¹.

Summary: what this opportunity is about and practical explanation

This is a targeted cascade funding call under the TestCert-SK project (Digital Europe Programme) offering one-off grants to eligible entities in Slovakia to accelerate preparedness and compliance with the Cyber Resilience Act for products with digital elements. Two beneficiary types can apply: certified educational institutions (for development of CRA support tools and training, Activities 1–3) and Slovak SMEs that manufacture products with digital elements (for gap analyses, risk assessments, action plans, testing, penetration testing and deployment of monitoring/protection tools, Activities 4–10). The call is competitive, limited to a total allocation of €318,720, follows a single-stage application and evaluation process, requires qualified electronic signature and electronic delivery through the national Central Public Administration Portal, and pays the grant as a single final instalment after verification of deliverables and accounting documentation. Applicants must carefully follow the annexed conditions and selection criteria, demonstrate legal and financial eligibility (including two years of approved financial statements for SMEs), and ensure proposals are directly linked to CRA compliance objectives. The timeline is short (deadline 1 July 2026) with project completion required by 31 October 2026; applicants should therefore prepare concise, delivery-focused proposals aligned with the specified activity deliverables and provide verifiable evidence of outputs and accounting to secure final payment.

Footnotes

1. 1Official call documentation and annexes available from the implementing authority: ncca.nbu.gov.sk

Funding Opportunity Overview

This cascade funding call supports the enhancement of cyber resilience of products in Slovakia through the TestCert-SK project, which is part of the European Union's Digital Europe Programme. The call is designed to help organizations comply with the Cyber Resilience Act (CRA) by providing financial support for concrete projects aimed at improving cybersecurity practices and CRA compliance. The call is administered by the National Coordination Centre (NCC) in Slovakia and is funded under grant agreement number 101127837 DIGITAL-ECCC.

Call Timeline:Opening date: 30 April 2026. Deadline date: 01 July 2026 at 18:00 Brussels time. Expected project duration: until 31 October 2026.

Total Funding Available:€318,720 in cascade funding distributed across eligible projects.

Eligible Applicants

The call has two distinct categories of eligible applicants based on the type of activities proposed.

Category 1: Educational Institutions (Activities 1-3):Certified educational institutions as defined in Section 10 of Act No. 292/2024 Coll. on Adult Education and entered in the register of certified educational institutions are eligible to propose support tools development and training activities.

Category 2: Small and Medium-Sized Enterprises (Activities 4-10):Legal entities meeting the SME definition are eligible to propose analysis, documentation and testing activities. Applicants must meet all of the following conditions: meet the definition of a small or medium-sized enterprise (micro-enterprises are not eligible); be registered in the Slovak Republic on the date of application submission; have approved financial statements for two completed financial periods of at least 12 months each, with the most recent period immediately preceding the application submission period; demonstrate that they are a manufacturer of a product with digital elements as defined in Regulation (EU) 2024/2847 (Cyber Resilience Act); be single legal entities (natural persons and entrepreneurs are not eligible); and submit only one application per organization.

Eligible Activities and Project Areas

The call supports ten specific eligible activities organized into five thematic areas. Applicants may combine activities from their respective category to create comprehensive projects.

Area 1: Support Tools (Educational Institutions):Activity 1 focuses on development of support tools and documentation to fulfil CRA obligations. Project outputs include market-wide methodologies and tools, CRA sample documentation for model products, CRA readiness assessment services or audit templates, and open knowledge bases or web platforms with CRA support.

Area 2: Education (Educational Institutions):Activity 2 provides training on CRA requirements for SME staff covering legislative obligations, basic cybersecurity requirements, secure design principles, conformity assessment pathways and vulnerability management. Beneficiaries must provide free training to at least 5 participants nominated by 5 different SMEs. Activity 3 offers technical training related to cybersecurity for developers and engineers covering secure coding, threat modelling and open-source component security. Beneficiaries must provide free training to at least 5 participants nominated by 5 different SMEs.

Area 3: Analysis and Documentation (SME Manufacturers):Activity 4 involves analysis of discrepancies in compliance with the CRA by reviewing current manufacturing and distribution processes against CRA requirements and identifying technical and organisational gaps. Deliverables include CRA Conformity Gap Analysis Report, Gap Analysis Register, Compliance Checklist and executive summary. Activity 5 provides compliance needs analysis and risk analysis assessing product security requirements in context of identified risks throughout the product lifecycle, including threat scenarios, impact analysis and third-party component reliance. Deliverables include CRA Risk Assessment Report, Threat Scenario Analysis, third-party component risk register and Regulatory Exposure Assessment. Activity 6 develops a CRA Action Plan providing structured roadmap for addressing compliance gaps with defined corrective actions, responsibility allocation and timelines. Deliverables include CRA Action Plan documentation, personnel and financial resource allocation plan, progress tracking tool and technical documentation of implemented corrective measures.

Area 4: Testing (SME Manufacturers):Activity 7 conducts vulnerability testing through technical assessment identifying weaknesses in software, firmware and hardware components using static and dynamic analysis, configuration review and third-party dependency checks. Deliverables include detailed vulnerability assessment report, remediation plan, automated code scan logs and third-party library analysis reports. Activity 8 performs laboratory tests verifying product security functions such as encryption, authentication and access control in controlled environment. Deliverables include technical reports with remediation recommendations, updated process and technical artefacts, task coordination records and expert advisory meeting summaries. Activity 9 executes penetration testing through authorised cyber attack simulations assessing real-world exploitability of vulnerabilities across various interfaces. Deliverables include penetration testing report, proof-of-concept demonstrations, network and system risk review and vulnerability removal documentation.

Area 5: Hardware and Software (SME Manufacturers):Activity 10 deploys services and tools for monitoring, protection and prevention including continuous security monitoring, proactive threat prevention and incident detection systems such as IDS systems, malware scanning and encryption management. Deliverables include IDS tool and logging system deployment documentation, access and privilege control reports, encryption solution deployment logs and threat detection reports. Applicants may procure technologies necessary to achieve CRA compliance objectives including network security tools (firewalls, IPS), data protection technologies (encryption, DLP), endpoint security (EDR, XDR), vulnerability management and SBOM tools, and identity solutions (MFA, PAM).

Funding Details

Total Budget:€318,720 available for distribution across all approved projects.

Grant Payment:Grants are paid in a single instalment at the end of the project following approval of the final report. Payment is conditional upon submission of accounting documents, fulfilment of project indicators, submission of final report and project documentation. Beneficiaries must maintain analytical accounting records of expenditure relating to the supported project.

Application and Evaluation Process

Applications must be submitted electronically via the Authority's electronic mailbox established within the Central Public Administration Portal www.slovensko.sk through the General Agenda service. The completed application form must be signed by the statutory body with a qualified electronic signature, qualified electronic signature bearing a mandate certificate, or qualified electronic seal. Applications not received in this specified form will be disqualified from evaluation.

Evaluation and Ranking:Each grant application is assessed using project selection criteria forming Annex 3 to the call. The Authority creates a descending ranking of applicants whose applications met the conditions for granting a grant, starting from the application obtaining the most points. The Authority sends notifications of compliance and draft grant agreements to applicants in order determined by project selection criteria, but only for those whose grants are fully covered by available call funds. Applicants whose grants are not fully covered by available allocation will not receive a draft grant agreement due to insufficient funds.

Key Requirements and Restrictions

• Applicants may submit only one application for grant. If multiple applications are submitted, the Office will consider only the application submitted last.
• Educational institutions must provide free training to at least 5 participants nominated by 5 different SMEs for training activities.
• SME manufacturers must be registered in the Slovak Republic on the date of application submission.
• SME manufacturers must have approved financial statements for two completed financial periods of at least 12 months each.
• Projects must be aimed exclusively at enhancing cyber resilience of products through the ten specified eligible activities.
• Natural persons and entrepreneurs are not eligible beneficiaries.
• Micro-enterprises are not eligible beneficiaries.
• Applicants must comply with all relevant legal and ethical requirements.
• Projects must not be subject to double funding.

Regulatory Context

This call is directly linked to the implementation of the Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, which establishes harmonized cybersecurity requirements for products with digital elements placed on the EU market. The CRA came into force in December 2024 and will be fully applicable from 11 December 2027. The regulation requires manufacturers, importers and software managers to consider cybersecurity at every stage of a product's life cycle, from development to maintenance. This TestCert-SK call provides financial support to help Slovak organizations prepare for and comply with these mandatory requirements ¹.

Additional Information

For detailed information about the call, including submission procedures, evaluation criteria and grant conditions, applicants should visit the official call page at [[ncca.nbu.gov.sk. The call is part of the broader EU initiative to strengthen cyber resilience across the European Union through the Digital Europe Programme, which continues to finance uptake and deployment actions in cybersecurity through 2025-2027 ².

Footnotes

1. 1The Cyber Resilience Act establishes mandatory cybersecurity requirements for manufacturers, covering the planning, design, development and maintenance of products with digital elements. The CRA aims to enhance the security of hardware and software products by setting uniform standards across the EU and will start to apply on 11 December 2027.
2. 2The Digital Europe Programme continues to finance uptake and deployment actions in cybersecurity during 2025-2027, with priorities ranging from new technologies for cybersecurity including AI and post-quantum transition to actions for improving EU cyber resilience and supporting SMEs in achieving compliance with new regulatory requirements.