Cyber security and resilience in the energy sector in the Nordic region

The CRESCENDO initiative, funded by the EU through the Digital Europe Programme, is launching a call for proposals aimed at enhancing cybersecurity resilience in the Nordic energy sector. This initiative addresses the unique cybersecurity challenges encountered by energy organizations regarding the convergence of Information Technology (IT) and Operational Technology (OT) systems. The objective is to foster cross-border collaboration, innovation, and capacity building, while encouraging high-impact projects that can deliver tailored cybersecurity services, address critical skills gaps, and align industry practices with EU frameworks like the NIS Directive and the Critical Entities Resilience (CER) Directive.

Eligible applicants must form consortia consisting of at least two entities, including one cybersecurity organization and one energy sector organization. The participating organizations can be private companies (which include start-ups, SMEs, and large enterprises), universities, research centers, public authorities, and organizations that represent energy-related operators in the Nordic region. All applicants must be established in the EU/EEA and cannot have controlling ownership from outside these areas, with a specific emphasis on the Nordic countries.

The total available funding for this call is 1,000,000 EUR, with individual project funding capped at up to 200,000 EUR. The Research Council will cover up to 50% of total project costs. Applicants must provide matching funds for the remaining 50%. Approximately ten projects are expected to receive funding. The projects should have a maximum duration of six months.

The application process requires proposals to be submitted electronically through My RCN web, and applicants must include mandatory attachments such as a project description and a CV of the project manager. The timeline for submission opens on October 1, 2025, and closes on November 26, 2025, at 17:00 Brussels time.

Each application will be assessed based on three main criteria: Excellence (30% weight), Impact (40% weight), and Implementation (30% weight). Applications must score an average of at least 4.0 out of 7 to be considered for funding, and priority will be given to projects that include women participants. The thematic areas for funded projects include risk assessment, security testing, and threat modeling, specifically addressing cybersecurity vulnerabilities within the energy sector.

Overall, this initiative seeks to bolster cybersecurity defenses within the Nordic energy sector through practical, scalable solutions and collaborative projects, thereby contributing to a secure and resilient energy future in Europe.

The CRESCENDO initiative, funded by the EU through the Digital Europe Programme, is offering a call for proposals to strengthen cybersecurity resilience across the Nordic energy sector. The Research Council of Norway welcomes applications for projects focusing on cross-border collaboration, innovation, and capacity building, specifically targeting the cybersecurity challenges of IT and OT systems in energy organizations. The call aims to fund high-impact projects that deliver tailored cybersecurity services, address critical skills gaps, and align industry practices with EU frameworks like the NIS Directive and the Critical Entities Resilience (CER) Directive. Projects should demonstrate practical value and potential for adoption across the energy sector.

The opening date for submissions is October 1, 2025, and the deadline is November 26, 2025, at 17:00 Brussels time. The expected project duration is a maximum of 6 months. The total funding available is 1,000,000 EUR, and the project acronym is CRESCENDO. The full name of the EU-funded project is Cyber preparedness and RESilienCe of the Energy sector in the NorDic regiOn. The grant agreement number is 101158535, and the topic is DIGITAL-ECCC-2023-DEPLOY-CYBER-04-SUPPORT-ASSIST Preparedness support and mutual assistance.

Eligible applicants must form consortia of at least two entities, comprising one cybersecurity organization and one energy sector organization. Eligible organizations include private companies (start-ups, SMEs, and large companies), universities and research centers, other organizations representing energy-related operators in the Nordics, and public authorities. Applicants must be established in the EU/EEA and cannot have controlling ownership from outside the EU/EEA.

The call encourages projects including SMEs in the energy sector as partners. The European Commission’s guidelines for the definition of SMEs should be consulted.

The application process involves an electronic application in My RCN web, along with at least two attachments: a detailed project description using the standard template and a CV for the project manager using the standard template. Optional attachments include CVs for key participants. All attachments must be in PDF format and written in English. The project owner, listed in the application form, must approve the submission on behalf of all partners. The project manager must be employed by the project owner or one of the partner organizations. A separate project administrator is also required, and this person cannot be the same as the project manager.

Applicants can seek funding to cover actual costs necessary to carry out the project, broken down into Staff Costs, Travel Costs, Equipment/Tech Consumables Costs (depreciation), and Subcontracting Costs. The application must include milestone activities for the entire project period. Funding of up to 200,000 EUR per project is available, with the Research Council covering up to 50 percent of the total project costs. Applicants must provide the remaining amount as own financing. Approximately 10 projects will be funded.

The application in My RCN web requires specific attention. Non-Norwegian organizations can manually enter their organization’s details. Project partners should not be added in My RCN web; only the project owner and mandatory fields should be completed. Under "Classification of scientific disciplines," applicants should select "Annen informasjonsteknologi." The fields "Other relevant programmes" and "If applying for additional funding, specify project number" should not be filled in. Applicants must present a credible plan for dissemination and communication activities, including methods and targeted audiences, in the “Dissemination of project results” section.

In the "Cost plan" section of My RCN web, all costs should be placed under "Other operating expenses" and broken down into Staff Costs, Travel Costs, Equipment/Tech Consumables Costs (depreciation), and Subcontracting Costs in the specification field. All costs should be placed under "Abroad" in the "Cost code" section, and all funding should be placed under "The Research Council" in the "Funding plan" section. The "Fellowship" field can be ignored. All numbers in the budget section should be in thousands of NOK, using the 2026 year, and should only reflect the amount of funding being applied for. The exchange rate to use for converting EUR to NOK is 11.6702, based on the European Central Bank's website.

Applications will be assessed by external referees based on Excellence, Impact, and Implementation. The administration will assess the application based on its relevance to the call's purpose.

Excellence criteria include originality/novelty (soundness, credibility, and novelty of the concept), solidity (clarity and relevance of project objectives, quality of deliverables), and potential (specification of expected effects and impacts).

Impact criteria include potential (specification of expected effects and impacts on system and societal levels) and knowledge sharing and exploitation (quality of communication and dissemination activities, credibility that outputs will contribute to specified effects and impact).

Implementation criteria include the project manager and project group (qualifications, expertise, and positioning to implement the project, appropriateness of management structures and procedures) and plans and management (clarity, understandability, and realism of the work plan and timetable, coherence of objectives and measures, support from leadership, clarity of role allocation, realism and appropriateness of the budget, discussion of potential risks).

Relevance to the call for proposals will be assessed based on how well the project satisfies the guidelines and stipulations of the call.

The assessment process involves a panel of three referees assigning marks from 1 to 7 for Excellence, Impact, and Implementation. The final mark for each criterion is the average of the individual referees' marks, with a threshold of 4. Applications with an average mark above 4 will be considered for funding. The main score is calculated with weights of 30% for Excellence, 40% for Impact, and 30% for Implementation. The administration will then give a relevance mark based on how well the application supports CRESCENDO’s overall goals. In case of equal average marks, priority will be given to projects with women project participants. The aim is to achieve a balanced portfolio of projects across the thematic areas.

Thematic areas for this call include risk assessment (development of tailored methodologies, frameworks for assessing impact, new tools for evaluating cyber maturity, sector-specific risk scenarios), security testing (safe testing methodologies, new tools for simulating cyberattacks, validation environments, guidelines for integrating penetration testing), and threat modelling (approaches reflecting the hybrid nature of cyber-physical systems, updated threat intelligence models, dynamic threat modelling tools, methods for incorporating insider threats).

Projects are expected to enhance cyber resilience, especially among SMEs, support the adoption of practical cybersecurity tools, develop critical IT/OT competencies, improve preparedness and response capabilities, promote alignment with NIS and CER directives, and facilitate cross-border collaboration. Projects should have a strong connection to practical application, including hands-on exercises, tests, or the use of Cyber Range infrastructures.

This CRESCENDO call for proposals aims to bolster cybersecurity within the Nordic energy sector by funding projects that address critical vulnerabilities in digitalized electricity systems. It seeks to bridge the gap between IT and OT cybersecurity, focusing on practical, scalable solutions for hybrid scenarios and cyberattacks. The initiative encourages collaboration between cybersecurity and energy sector organizations to enhance resilience, promote the adoption of cybersecurity tools, develop necessary skills, and align with EU directives. By supporting projects that include risk assessments, security testing, and threat modeling, CRESCENDO aims to strengthen the overall cybersecurity posture of the Nordic energy sector and contribute to a more secure and resilient energy future for Europe.

Eligible Applicant Types: The eligible applicant types are consortia of at least two entities, consisting of one cybersecurity organization and one energy sector organization. Eligible organizations include private companies (including start-ups, SMEs, and large companies), universities and research centers, other organizations that represent energy-related operators in the Nordics, and public authorities. Applicants must be established in the EU/EEA and may not have controlling ownership from outside the EU/EEA.

Funding Type: The primary financial mechanism is a grant.

Consortium Requirement: A consortium of multiple applicants is required. Specifically, the consortium must include at least two entities: one cybersecurity organization and one energy sector organization.

Beneficiary Scope (Geographic Eligibility): Applicants must be established in the EU/EEA.

Target Sector: The program targets the energy sector, specifically focusing on cybersecurity and resilience of IT and OT systems within the energy sector. Relevant thematic areas include cyber security, risk assessment, security testing, and threat modelling.

Mentioned Countries: Norway, Finland, Denmark, Nordic region, EU, EEA.

Project Stage: The expected maturity of the project is applied research and innovation, with a focus on practical application and potential for adoption across the energy sector. Projects should demonstrate practical value and may include hands-on exercises, tests, or other applied components. The use of Cyber Range infrastructures is also welcome.

Funding Amount: Funding up to 200,000 EUR per project is available. The Research Council will cover up to 50 percent of the total project costs, and applicants must provide the remaining as own financing. The total funding available for this call is 1,000,000 EUR, which is expected to be divided between approximately 10 projects.

Application Type: The application is submitted electronically through My RCN web and includes mandatory attachments. This is a single-stage application process.

Nature of Support: Beneficiaries will receive money to cover the actual costs necessary to carry out the project.

Application Stages: The application process is single-stage.

Success Rates: The success rate can be inferred from the total funding available (1,000,000 EUR) and the expected number of projects to be funded (approximately 10), suggesting a competitive process. The success rates are other.

Co-funding Requirement: Yes, co-funding is required. The Research Council will cover up to 50 percent of the total project costs, and applicants must provide the remaining 50 percent as own financing.

The CRESCENDO initiative, funded by the EU through the Digital Europe Programme, is offering a grant opportunity focused on strengthening cybersecurity resilience within the Nordic energy sector. The call specifically targets the unique cybersecurity challenges faced by energy organizations, particularly concerning IT and OT systems. The initiative aims to foster cross-border collaboration, innovation, and capacity building in the Nordic region, which serves as a testbed for securing complex and decentralized energy infrastructures. Eligible applicants must form a consortium of at least two entities: one cybersecurity organization and one energy sector organization, both established in the EU/EEA. The call encourages the inclusion of SMEs in the energy sector. Projects can receive up to 200,000 EUR, covering a maximum of 50% of the total project costs, with the remaining 50% to be covered by the applicants. The total funding available is 1,000,000 EUR, intended to support approximately 10 projects. Projects should last no more than 6 months. The application process involves submitting an electronic application via My RCN web, along with mandatory attachments like a project description and CV of the project manager. The call emphasizes practical application and encourages hands-on exercises, security testing, risk assessment, and threat modelling. The projects are expected to enhance cyber resilience, support the adoption of cybersecurity tools, develop IT/OT competencies, improve preparedness and response capabilities, promote alignment with NIS and CER directives, and facilitate cross-border collaboration. The application will be assessed based on excellence, impact, implementation, and relevance to the call's objectives. The opening date for submissions is October 1, 2025, and the deadline is November 26, 2025, at 17:00 Brussels time.