Enhancing Cybersecurity for Small and Medium Enterprises in the Republic of Cyprus 2025

The "Enhancing Cybersecurity for Small and Medium Enterprises in the Republic of Cyprus 2025" program is a funding opportunity initiated by the Research and Innovation Foundation (RIF) in collaboration with the Digital Security Authority (DSA) as the National Cybersecurity Coordination Centre (NCC-CY). This initiative specifically targets small and medium enterprises (SMEs) operating in Cyprus, aiming to improve their cybersecurity infrastructure and attain a basic level of cybersecurity maturity.

Eligible applicants must be SMEs legally established and active in Cyprus, with each organization permitted to submit one project proposal as a Host Organisation. The program employs a grant funding mechanism, allowing SMEs to acquire cybersecurity solutions and services necessary for improving their security posture. Notably, the total funding allocated for this program is €1.5 million, with amounts for individual projects expected to range based on specific solutions proposed, likely falling between €50,000 to €200,000.

The funding supports various aspects of cybersecurity enhancement, including gap analyses, implementation of technical solutions (like firewalls and malware protection), and professional services (such as security assessments and training). Projects should aim at obtaining certification under the NCC-CY Cyber-Hygiene Framework within a required timeline of nine months after project approval.

The application process is characterized as an open call with a submission deadline of November 18, 2025. Proposals submitted electronically through the Research and Innovation Foundation’s IRIS Portal will undergo a single-stage evaluation process conducted by an Independent Evaluation Committee. Evaluations will assess proposals based on relevance, added value, and implementation feasibility.

While successful proposals will receive funding, the document does not specify success rates, indicating that this could vary based on the competitiveness of the submissions and the available budget. Although co-funding by the Republic of Cyprus is mentioned, it remains unclear whether SMEs are required to provide any additional funding.

Overall, this initiative not only seeks to enhance individual SMEs' cybersecurity resilience but also aims to elevate the overall cybersecurity standard across the SME sector in Cyprus, thus contributing to a more secure digital economy. The program emphasizes that participating SMEs must engage in publicity activities post-certification to promote the benefits derived from the funding and their improved cybersecurity status.

Key details to note include: the schedule for project completion, the structured gap analysis requirements, and the focus on a holistic approach to cybersecurity that incorporates compliance with European and internationally recognized standards.

The Research and Innovation Foundation (RIF) in collaboration with the Digital Security Authority (DSA) as the National Cybersecurity Coordination Centre (NCC-CY), has announced a Call for Proposals for the Programme «Enhancing Cybersecurity for Small and Medium Enterprises in the Republic of Cyprus 2025». This program invites beneficiaries to submit project proposals aimed at resolving cybersecurity issues faced by SMEs.

The program emphasizes a streamlined submission process, rapid evaluation, and timely project implementation within a predefined timeframe.

A gap analysis is required for participation, assessing an SME's cybersecurity posture at technical, operational, and strategic levels. This analysis is based on the NCC-CY Cyber-Hygiene for SMEs framework, which includes the following control measures:

1. Security Policy:
Control Measure 1.1: Senior management must create, approve, and communicate a cybersecurity policy internally and externally. This policy should be reviewed and updated at least annually.

2. Awareness and Training:
Control Measure 2.1: Staff and users with access to information must be aware of information security and their role in maintaining it. Regular cybersecurity awareness activities are required, at least annually.
Control Measure 2.2: Staff and users must receive education, training, and information on policies, procedures, security measures, and relevant technological or organizational issues. Training should be tailored to different roles within the organization.

ENISA AR-in-a-Box: SMEs may optionally use ENISA’s Awareness Raising in a Box (AR-in-a-Box) toolkit to support cybersecurity awareness and training. This toolkit provides guidance, templates, communication strategy recommendations, and KPIs for effective awareness programs. It also includes interactive materials and support for cyber crisis communication plans.

3. Software Update:
Control Measure 3.1: IT and communication systems must have the latest, stable security updates from trusted sources.
Control Measure 3.2: Automated vulnerability scanning and penetration tests must be implemented annually.
Control Measure 3.3: Information and communication systems no longer supported with security updates should not be used.

4. Protection from Malicious Software:
Control Measure 4.1: Malicious software protection programs and functions must be installed on all IT and communication systems and updated regularly.

5. Network Security:
Control Measure 5.1: Firewalls must be installed and configured at appropriate points in the network.
Control Measure 5.2: Wireless access to the network should be secured with appropriate routing and firewall protection.

6. Backups:
Control Measure 6.1: Critical information must be identified and backed up regularly according to a backup policy.

7. Access Control:
Control Measure 7.1: Important information must be located and access rights granted to authorized and authenticated users based on the need-to-know principle.
Control Measure 7.2: An appropriate password policy must be created and implemented in all systems.
Control Measure 7.3: Administrative or privileged rights should be granted to the minimum necessary number of authorized staff.

8. Security Incidents:
Control Measure 8.1: Structures and processes for responding to security incidents must be established, and staff must be appropriately trained.

9. Physical Security Measures:
Control Measure 9.1: Physical security measures must be adopted to protect systems and facilities from natural and environmental threats.

10. Data Protection:
Control Measure 10.1: A Personal Data Protection Policy based on GDPR must be designed, implemented, approved, and published.

11. Operational Impact Analysis:
Control Measure 11.1: An appropriate methodology for operational impact analysis must be designed and implemented. Results should be recorded, maintained, and utilized to design relevant measures.

Based on the gap analysis, enterprises will prepare proposals including solutions and services to achieve the “Cyber-Hygiene Framework for SME of NCC-CY” certification.

Proposals must be submitted through the Research and Innovation Foundation’s IRIS Portal (https://iris.research.org.cy/#!/). Project Coordinators and participating organizations must register on the IRIS Portal. Applicants are advised to consult the «Guide for Applicants» and «IRIS Portal User Manual» available on the portal.

The evaluation process involves a Preliminary Check and Evaluation by an Independent Evaluation Committee (IEC) composed of experts in business and cybersecurity. Proposals meeting all criteria will be evaluated by the IEC, which will rank them and document their rationale in an Evaluation Report. The Evaluation Report will be communicated to the Project Coordinator. The final funding decision rests with the Committee, and its decision is final and not subject to appeal.

Evaluation Criteria:
1. Relevance – Weight 30%:
Alignment of the Proposal and the expected project results with the objectives and activities described in this Call.
Degree of cybersecurity upgrading/development in the company in relation to the current state/operation of the company (holistic approach based on gap analysis and obtaining the Cybersecurity certification).

2. Added Value and Benefit – Weight 40%:
Degree to which the proposed project can ensure the expected results and deliverables stated in this Call.
Effectiveness of the proposed actions in terms of visibility to demonstrate the benefits of the funding.
Degree of enhancement of the competitiveness of the enterprise and effectiveness of the funding in terms of increasing the level of cyber security of the enterprise itself and thereby providing increased security to its customers and recipients of its services.
Degree of positive impact on the overall operations of the business as a result of the increased level of cybersecurity (resilience, increased efficiency, reduced costs, exploitation of new capabilities/opportunities).

3. Implementation – Weight 30%:
Maturity of the proposed project and adequacy of the needs analysis based on the existing infrastructure in the Host Organization.
Completeness and appropriateness of the action plan, timeline and budget for securing the products and services based on the gap analysis and certification.
Completeness, quality and capacity of the Host Organization to carry out the project and implement the proposed objectives and action plan.
Plan to ensure that the increased level of cybersecurity resulting from the funding is preserved over time.

Selection: Proposals deemed eligible will be selected for funding based on their ranking, within the total Call budget.

Specific Restrictions and Conditions for Participation:
Each organization can submit only one project proposal as a Host Organization.
Participating entities engaged in economic activity must be legally established and active in territories under the control of the Republic of Cyprus, with documented facilities and staff.
Upon project completion, each SME must undertake at least one publicity activity highlighting the achievement of the Certification, referencing the funding's benefit and including logos of NCC-CY, RIF, the Commissioner of Communications, and the Digital Security Authority, as well as reference to co-funding by the Republic of Cyprus, adhering to the publicity obligations for projects funded by the Digital Europe Programme.

The program aims to ensure that SMEs reach a basic level of cybersecurity to protect their infrastructures, systems, and information. This will be achieved through the purchase of solutions and services to maintain and strengthen the level of security and resilience of small and medium enterprises (SMEs), as well as through the evaluation and identification of challenges and weaknesses. The program also aims to achieve compliance with European and internationally accepted measures and standards through the Cyber-Hygiene Framework for Small and Medium Enterprises (SME) of the NCC-CY certification scheme.

Through the Programme, SMEs will have the opportunity to obtain a Cybersecurity Certification issued by Certification Bodies accredited according to ISO 17021 and ISO 27006, competent to carry out inspections and certifications for information security management systems according to ISO/IEC 27001:2013 and/or ISO/IEC 27001:2022.

Following certification, enterprises can assess their maturity, identify vulnerabilities, mitigate risk, and strengthen cybersecurity practices, investing in information and data protection based on the NCC-CY Cyber-Hygiene Framework for SMEs.

Key Dates and Information:
Opening date: 12 September 2025
Deadline: 18 November 2025, 13:00 (Brussels time)
Project duration: Approved projects must be completed within 9 months.
Total funding available: 1,500,000.00 €
Project acronym: N4CY2
Full project name: Advancing the NCC-CY: The Next Chapter of the National Cybersecurity Coordination Centre of Cyprus
Grant agreement number: 101195086
Topic: DIGITAL-ECCC-2024-DEPLOY-NCC-06-MS-COORDINATION - Deploying The Network of National Coordination Centres with Member States

In summary, this opportunity is a call for proposals targeting Small and Medium Enterprises (SMEs) in the Republic of Cyprus, aiming to enhance their cybersecurity posture. The program, funded by the EU and the Republic of Cyprus, provides financial support for SMEs to implement cybersecurity solutions and services, ultimately leading to a recognized cybersecurity certification. The process involves a gap analysis to identify weaknesses, followed by the implementation of solutions aligned with the NCC-CY Cyber-Hygiene Framework. The goal is to raise the cybersecurity baseline for SMEs, making them more resilient against cyber threats and compliant with international standards, thereby protecting their data, systems, and infrastructure. The funding aims to improve the competitiveness of SMEs by enhancing their cybersecurity, which in turn increases the security for their customers and service recipients.

Eligible Applicant Types: The eligible applicant type for this opportunity is Small and Medium Enterprises (SMEs).

Funding Type: The primary financial mechanism is a grant, as the program involves the purchase of solutions and services to enhance cybersecurity for SMEs. This suggests direct financial support for implementing cybersecurity measures. It is also cascade funding.

Consortium Requirement: The opportunity appears to primarily target single applicants, specifically SMEs. While the text mentions a "Cypriot Consortium," it seems to refer to participating organizations within Cyprus rather than requiring applicants to form a consortium. Each organization can submit only one project proposal as a Host Organisation.

Beneficiary Scope (Geographic Eligibility): The geographic eligibility is limited to the Republic of Cyprus. Participation of entities engaged in an economic activity in a proposal shall be deemed valid, if they are legally established and are active in territories under the control of the Republic of Cyprus.

Target Sector: The target sector is cybersecurity. The program focuses on enhancing cybersecurity for SMEs, aiming to improve their infrastructures, systems, and information protection.

Mentioned Countries: Cyprus, European Union.

Project Stage: The expected maturity of the project is at the implementation and validation stage. SMEs are expected to conduct a gap analysis, identify vulnerabilities, and implement solutions to achieve the "Cyber-Hygiene Framework for SME of NCC-CY" certification. This suggests that the projects should be ready for deployment and certification.

Funding Amount: The total funding available is €1,500,000.00. The funding range per project is variable, depending on the solutions and services SMEs intend to use to gain the Cyber-Hygiene Framework certification.

Application Type: The application type is an open call, as indicated by the announcement of the "Call for Proposals." Proposals are submitted through the Research and Innovation Foundation’s IRIS Portal.

Nature of Support: Beneficiaries will receive money to purchase solutions and services to maintain and strengthen their level of security and resilience.

Application Stages: The application process involves a preliminary check and evaluation by an Independent Evaluation Committee (IEC). Proposals that meet all the criteria will be forwarded for evaluation by the members of the IEC. The IEC members rank the Proposals in order of priority and document the rationale for their decision in a relevant Evaluation Report. So, the application process appears to have at least two stages: eligibility check and evaluation by the IEC.

Success Rates: The success rate is not explicitly mentioned. Proposals deemed as eligible following proposal evaluation will be selected for funding according to their ranking. It is clarified that the total requested funding of selected projects will not exceed the total Call budget.

Co-funding Requirement: Co-funding is implied, as the program is co-funded by the Republic of Cyprus. However, it is not explicitly stated whether the SMEs themselves need to provide co-funding.

Summary:

The "Enhancing Cybersecurity for Small and Medium Enterprises in the Republic of Cyprus 2025" program is a funding opportunity offered by the Research and Innovation Foundation (RIF) in collaboration with the Digital Security Authority (DSA) as the National Cybersecurity Coordination Centre (NCC-CY). This program aims to bolster the cybersecurity posture of SMEs in Cyprus by providing grants for the purchase of cybersecurity solutions and services. The goal is to help SMEs achieve a basic level of cybersecurity, protect their infrastructures, systems, and information, and comply with European and internationally accepted measures and standards through the "Cyber-Hygiene Framework for SME of NCC-CY" certification.

To participate, SMEs must conduct a gap analysis to determine their current cybersecurity situation and identify areas for improvement. They then prepare a proposal outlining the solutions and services they intend to use to achieve certification. The proposals are evaluated based on relevance, added value and benefit, and implementation criteria. The evaluation process involves a preliminary check and evaluation by an Independent Evaluation Committee (IEC).

The program has a total funding of €1,500,000.00, and approved projects must be completed within 9 months. Upon completion, SMEs are required to undertake publicity activities to highlight their achievement of the certification and the benefits derived from the funding. This initiative is part of a broader effort to advance the National Cybersecurity Coordination Centre of Cyprus and deploy a network of national coordination centers within Member States, under the DIGITAL-ECCC-2024-DEPLOY-NCC-06-MS-COORDINATION topic. The program encourages SMEs to consider using ENISA’s Awareness Raising in a Box (AR-in-a-Box) as a resource to enhance cybersecurity awareness and training activities, although it is not mandatory.