CYSSDE Open Call 3: Penetration Testing and Vulnerability Assessment

CYSSDE Open Call 3 funds penetration testing and vulnerability assessment providers to strengthen cyber resilience across EU/EEA critical infrastructures, essential services and SMEs under grant agreement 101158471. Total budget is €2,353,000 with up to €200,000 per project (lump sum) on a 50% co-funding basis and an 18-month Support Programme including mentoring and non-financial support. Applications are single-stage via FundingBox OnePass by 28 April 2026 at 15:00 Brussels time and eligible applicants must be registered and controlled in EU Member States or EEA countries, applying as a single entity or a consortium of up to two entities led by a cybersecurity specialist. Selected beneficiaries must deliver a minimum of 10 external penetration tests and vulnerability assessments during the programme.

What it funds

Overview

Grants for providers of penetration testing and vulnerability assessment services to perform external assessments for critical sectors, supporting NIS2 and the Cyber Resilience Act. Selected projects join an 18-month tailored support programme including mentoring, technical guidance and dissemination activities.

Funding and key dates:Up to €200,000 per project (lump sum); funding rate 50% co‑funding. Total cascade budget €2,353,000. Expected to select up to 12 beneficiaries. Programme duration 18 months. Opening 27 Feb 2026; deadline 28 Apr 2026, 15:00 Brussels time. Apply online CYSSDE call page ¹.

1. 1Eligibility: SMEs, mid-caps, large companies, research centres (including universities), public bodies; single entity or consortia up to 2 entities (must be cybersecurity-led).
2. 2Geography: Applicants must be registered in and controlled by an EU Member State or an EEA country; entities subject to EU restrictive measures or controlled by non-EU/EEA third countries are ineligible.
3. 3Minimum requirement for beneficiaries: deliver at least 10 penetration tests/vulnerability assessments for external end-users during the programme.

Evaluation will follow admissibility and eligibility checks, external expert review (minimum two experts), consensus selection committee and possible interviews. Support and questions via helpdesk: helpdesk@cyssde.eu.

Footnotes

1. 1Submit proposals via the FundingBox / OnePass portal: opportunities.getonepass.eu. Project website: cyssde.eu.

CYSSDE Open Call 3 invites entities with cybersecurity expertise to deliver penetration testing and vulnerability assessment services under an 18-month Support Programme. The call is part of the EU-funded project CyberSecurity Deplopyment Preparedness Support, Capacity & Capabilities (acronym: CYSSDE), operating under DIGITAL-ECCC - Preparedness support and mutual assistance. The initiative aims to strengthen Member States’ cyber resilience and support practical implementation of the NIS2 Directive and the Cyber Resilience Act (CRA) by selecting up to 12 projects to conduct high-quality testing for critical sectors.

Key dates and budget:Opening date: 27 February 2026. Deadline model: single-stage. Deadline: 28 April 2026 at 15:00 Brussels time. Expected duration of participation: 18-month Support Programme. Total funding available: €2,353,000. Maximum grant per project: up to €200,000 as a lump sum. Funding rate: 50% co-funding required from the beneficiary.

Where to apply and support contacts:Applications must be submitted online via FundingBox OnePass at Apply on OnePass (FundingBox). Project website and updates: CYSSDE project website. Helpdesk: helpdesk@cyssde.eu.

Eligibility and Participation

Eligible Applicant Types

Eligible applicants are entities with cybersecurity expertise, including SMEs, mid-caps, large companies, research centres (including universities), and public bodies.

Consortium Composition

Applications are accepted from individual entities or from small consortia of up to 2 entities. Consortia must be led by a cybersecurity specialist.

Geographic Eligibility

Applicants must be registered in, and controlled by, entities within an EU Member State or an EEA country. Entities subject to EU restrictive measures or controlled by non-EU/non-EEA third countries are not eligible.

Scope, Objectives, and Mandatory Activities

The call targets the deployment of penetration testing and vulnerability assessment services aligned with NIS2 and CRA objectives across critical sectors. Beneficiaries will deliver professional-grade external assessments to end-users, which can include critical infrastructures, essential services, or SMEs. Each beneficiary must execute a minimum of 10 penetration tests and vulnerability assessments for external end-users during the core operational period.

Programme structure (18 months):Stage 1: Execution Plan (Month 1). Define a detailed roadmap based on the successful proposal, including goals, KPIs, deliverables, and resource allocation. Stage 2: Developing Testing Scenarios (Months 2–6). Technical preparation for external assessments, including strategic planning, tailored scenario design, and set-up or installation of systems, tools, and environments. Stage 3: External Assessments with End-Users (Months 7–15). Core operational deployment to the market; execute at least 10 penetration tests and vulnerability assessments with selected end-users in critical infrastructures, essential services, or SMEs. Stage 4: Outputs and Sustainability Services (Months 16–18). Maximise impact and mitigation via publications (anonymised where required), responsible vulnerability disclosure to operating organisations or manufacturers, and provision of ongoing risk monitoring services.

Financial Support and Non-Financial Benefits

Funding Type and modality:Cascade funding sub-grants provided as lump sums. Maximum €200,000 per project. Funding rate is 50%; beneficiaries must contribute the remaining 50% from own or third-party resources.

Non-financial support:Access to the CYSSDE Mentoring Programme, including a dedicated expert mentor per beneficiary, technical guidance, access to tool repositories, and facilitated networking with the European cybersecurity ecosystem.

Submission and Evaluation Process

Application method:Open call with single-stage submission via FundingBox OnePass.

Evaluation criteria and steps:Proposals are evaluated against Excellence, Impact, and Implementation. Process steps: 1) Admissibility and Eligibility Check. 2) Expert Evaluation by at least two independent external experts. 3) Consensus Meeting of the CYSSDE Selection Committee to select finalists. 4) Optional Interview to clarify aspects before the final decision.

Detailed Categorisation and Structured Information

Eligible Applicant Types:SMEs, mid-caps, large enterprises, universities, research centres, and public bodies. All must demonstrate cybersecurity expertise relevant to penetration testing and vulnerability assessment.

Funding Type:Grant provided as cascade funding in the form of a lump-sum sub-grant.

Consortium Requirement:Single applicant or consortium of up to 2 entities. In consortium cases, the team must be led by a cybersecurity specialist.

Beneficiary Scope (Geographic Eligibility):Entities registered in and controlled by organisations in EU Member States or EEA countries. Entities under EU restrictive measures or controlled by non-EU/EEA third countries are ineligible.

Target Sector:Security and cybersecurity services with deployment into critical infrastructure and essential services sectors, and SMEs. The call explicitly aligns with NIS2 Directive and Cyber Resilience Act implementation. Relevant domains include ICT security, audits and testing, vulnerability management, and responsible disclosure practices across regulated and essential service environments.

Mentioned Countries:No specific countries are named. Geographic scope is EU Member States and EEA countries.

Project Stage:Implementation and deployment. The programme supports operational delivery of services to market end-users, including development of testing scenarios, execution of external assessments, and impact maximisation through disclosure and monitoring services.

Funding Amount:Up to €200,000 per selected beneficiary as a lump sum, with total call budget of €2,353,000 and up to 12 projects expected to be selected.

Application Type:Open call, single-stage submission via the dedicated FundingBox OnePass portal.

Nature of Support:Money: lump-sum grant funding with 50% co-funding requirement. Non-monetary services: tailored mentoring, technical guidance, tool repository access, and ecosystem networking.

Application Stages:Submission is single-stage. Evaluation comprises up to four sequential steps: admissibility and eligibility check, expert evaluations, consensus meeting, and an optional interview prior to final decision.

Success Rates:No success rate is disclosed. The call plans to select up to 12 projects; the number of expected proposals is not indicated.

Co-funding Requirement:Yes. 50% co-funding is required. Beneficiaries must cover the remaining 50% of eligible work with their own or third-party resources.

Deliverables, Compliance, and Expected Outputs

• Execution Plan detailing goals, KPIs, deliverables, and resource allocation (Month 1)
• Technical design and setup of bespoke testing scenarios, tools, and environments for external assessments (Months 2–6)
• Delivery of at least 10 penetration tests and vulnerability assessments for external end-users in critical infrastructures, essential services, or SMEs (Months 7–15)
• Outputs to maximise impact, including publications where appropriate (anonymised as needed), responsible vulnerability disclosures to operators or manufacturers, and ongoing risk monitoring services (Months 16–18)

Projects must adhere to responsible vulnerability disclosure practices and align with the objectives of the NIS2 Directive and the Cyber Resilience Act, ensuring that testing activities and outputs support systemic cyber resilience improvements.

Application Preparation Aids

While no official application template is provided here, applicants should align their proposal structure to the evaluation criteria of Excellence, Impact, and Implementation and to the 18-month programme stages. A practical outline to guide preparation is provided below to ensure full coverage of expected elements.

Suggested proposal outline aligned to criteria:1) Excellence: Describe cybersecurity expertise, methodologies for penetration testing and vulnerability assessments, standards and compliance approaches, toolchains, scenario design methods, and quality assurance. 2) Impact: Define targeted end-user segments in critical infrastructures, essential services, and SMEs; expected resilience benefits; alignment with NIS2 and CRA; dissemination and anonymised publication strategy; responsible disclosure processes; sustainability and market uptake beyond the programme. 3) Implementation: Provide the 18-month work plan mapped to the four stages, milestones and KPIs, team composition and roles (including the cybersecurity specialist lead), resource allocation, risk management and ethics, data protection and legal clearances as applicable, and budget reflecting the 50% co-funding requirement and lump-sum structure.

Administrative and Call Reference Details

Comprehensive Summary

CYSSDE Open Call 3 provides cascade funding and expert support to deploy penetration testing and vulnerability assessment services that strengthen cyber resilience across the EU and EEA. With up to €200,000 per beneficiary on a 50% co-funding basis and an 18-month tailored Support Programme, selected entities will design testing scenarios, execute at least 10 external assessments for end-users in critical infrastructures, essential services, or SMEs, and maximise outcomes through responsible disclosure, anonymised publications, and risk monitoring services. The call operates under DIGITAL-ECCC, aligns with NIS2 and CRA objectives, and evaluates proposals on Excellence, Impact, and Implementation through a structured multi-step review with an optional interview. Applications are open to SMEs, mid-caps, large companies, research centres including universities, and public bodies domiciled and controlled in EU or EEA countries, either as single applicants or 2-member consortia led by a cybersecurity specialist. Submissions are single-stage via FundingBox OnePass by 28 April 2026 at 15:00 Brussels time. The opportunity is designed for operational delivery and market-facing testing deployments, coupling financial support with mentoring, tools, and ecosystem networking to accelerate high-quality security testing capacity and impact across Europe.

This open call under the CYSSDE project (CyberSecurity Deployment Preparedness Support, Capacity & Capabilities, Grant Agreement 101158471) provides cascade funding to support entities conducting penetration testing and vulnerability assessments for critical infrastructures, essential services, and SMEs. It aims to strengthen cyber resilience in line with the NIS2 Directive and Cyber Resilience Act by selecting up to 12 projects to execute a minimum of 10 penetration tests each, contributing to at least 100 tests overall.

Key Dates

Opening date:27 February 2026. Deadline: 28 April 2026 at 15:00 Brussels time. Expected duration: 18-month Support Programme.

Funding Details

Total funding available:€2,353,000.

Maximum grant per project:Up to €200,000 (lump sum).¹

Funding rate:50% co-funding; applicants must cover the remaining 50% with own resources.²

Eligibility Criteria

Eligible applicants must have cybersecurity expertise, particularly in penetration testing and vulnerability assessments. Entities must be registered and controlled in EU Member States or EEA countries. Entities subject to EU restrictive measures or controlled by non-EU/non-EEA third countries are excluded.

• SMEs, mid-caps, large companies
• Research centres (including universities)
• Public bodies
• Individual entities or consortia of up to 2 entities, led by a cybersecurity specialist

Programme Structure

Selected beneficiaries sign a Sub-Grant Agreement and receive funding disbursed over an 18-month tailored Support Programme with a dedicated CYSSDE expert mentor. The programme consists of four stages.

1. 1Stage 1: Execution Plan (Month 1) - Define roadmap with goals, KPIs, deliverables, and resource allocation.
2. 2Stage 2: Developing Testing Scenarios (Months 2-6) - Strategic planning, design tailored scenarios, setup systems and tools.
3. 3Stage 3: External Assessments with End-Users (Months 7-15) - Execute minimum 10 penetration tests and vulnerability assessments for end-users (critical infrastructures, essential services, or SMEs).
4. 4Stage 4: Outputs and Sustainability Services (Months 16-18) - Generate anonymised publications, manage responsible vulnerability disclosures, provide ongoing risk monitoring.

Evaluation Process

1. 1Admissibility and Eligibility Check
2. 2Expert Evaluation by at least 2 independent external experts (based on Excellence, Impact, Implementation)
3. 3Consensus Meeting by CYSSDE Selection Committee to select finalists
4. 4Optional Interview for clarification

Application and Support

Submit proposals online via the FundingBox platform (OnePass):Application Link. Project website: CYSSDE Website. Helpdesk: helpdesk@cyssde.eu. EU Portal: EU Funding Portal.

Additional Benefits

Non-financial support includes CYSSDE Mentoring Programme with technical guidance, tool repositories, and networking in the European cybersecurity ecosystem. Access to pentesting tools catalogue available on project site.

Footnotes

1. 1Maximum grant amount confirmed across official sources including EU Funding Portal and CYSSDE documentation.
2. 2Co-funding requirement specified in call documents and FSTP guidelines.