Enhancing Cybersecurity for Small and Medium Enterprises in the Republic of Cyprus 2025 - Τourism

The "Enhancing Cybersecurity for Small and Medium Enterprises in the Republic of Cyprus 2025 - Tourism" program invites proposals to improve cybersecurity within SMEs in the tourism sector in Cyprus. It is funded by the Research and Innovation Foundation (RIF) in collaboration with the Digital Security Authority (DSA), operating as the National Cybersecurity Coordination Centre (NCC-CY). The total budget for the program is €1,000,000, aimed at supporting SMEs by providing grants for purchasing cybersecurity solutions and services.

Eligible applicants are SMEs legally established and active in the Republic of Cyprus. Each SME may submit only one proposal as a Host Organization, focusing on improving cybersecurity to achieve certification in compliance with the NCC-CY Cyber-Hygiene Framework for SMEs, which includes eleven key control areas such as security policy, staff training, malware protection, and data privacy.

Applicants must conduct a thorough gap analysis of their current cybersecurity measures and propose solutions to meet the identified needs. The proposals must align with established evaluation criteria, including relevance to program goals, potential benefits, and implementation feasibility. Successful applicants will have 9 months to complete their projects, with submission deadlines established for November 18, 2025.

Beyond financial support, the program offers technical guidance and resources, including access to ENISA’s Awareness Raising in a Box toolkit to enhance cybersecurity training. The submission process requires proposals to be submitted electronically through the IRIS Portal, and an Independent Evaluation Committee will evaluate submissions based on predetermined criteria. Successful projects must also undertake publicity activities to communicate their achievements after receiving funding.

Overall, this initiative aims to bolster the cybersecurity resilience of tourism SMEs in Cyprus, ensuring they can safeguard their operations, data, and customer interactions while complying with European standards.

The Research and Innovation Foundation (RIF) in collaboration with the Digital Security Authority (DSA) as the National Cybersecurity Coordination Centre (NCC-CY), has announced a Call for Proposals for the Programme «Enhancing Cybersecurity for Small and Medium Enterprises in the Republic of Cyprus 2025 - Tourism». This program invites beneficiaries to submit project proposals aimed at improving cybersecurity within SMEs in the tourism sector in Cyprus.

The program aims to provide a streamlined process for proposal submission, rapid evaluation, and timely project implementation, addressing cybersecurity challenges faced by these enterprises within a predefined timeframe.

A key requirement for participation is a gap analysis, which will assess an SME's current cybersecurity posture at the technical, operational, and strategic levels. This analysis will be based on the rules, control measures, and procedures outlined in the NCC-CY Cyber-Hygiene for SMEs framework. The framework includes the following key areas:

1. Security Policy:
Control Measure 1.1: The organization's senior management must establish, approve, and communicate a cybersecurity policy both internally and externally. This policy should be reviewed and updated at least annually.

2. Awareness and Training:
Control Measure 2.1: All staff and users with access to the organization's information, regardless of employment status, must be aware of information security and their role in maintaining it. Regular cybersecurity awareness activities, at least annually, are required.
Control Measure 2.2: Staff and users must receive education, training, and information on the organization's policies, procedures, and security measures, as well as relevant technological and organizational issues. Training should be tailored to the security requirements of different roles.

ENISA AR-in-a-Box: SMEs may optionally use ENISA’s Awareness Raising in a Box (AR-in-a-Box) to support and enhance cybersecurity awareness and training activities. Developed by the European Union Agency for Cybersecurity (ENISA), AR-in-a-Box is a comprehensive toolkit designed to assist organizations in building effective cybersecurity awareness programmes tailored to their specific needs. The toolkit provides structured guidance for the design and implementation of internal and external awareness campaigns. It includes templates, communication strategy recommendations, and guidance on selecting appropriate communication channels. It also supports the development of key performance indicators (KPIs) to assess the effectiveness of awareness initiatives. Additionally, AR-in-a-Box contains interactive materials such as quizzes and games, which can be used to engage staff in understanding cybersecurity principles. It also offers support for the creation of cyber crisis communication plans. The use of AR-in-a-Box is not mandatory but can significantly enhance the organisation’s efforts in raising cybersecurity awareness. More information is available at official ENISA and EU website.

3. Software Update:
Control Measure 3.1: IT and communications systems must have the latest, stable security updates installed from trusted sources (e.g., the manufacturer).
Control Measure 3.2: Automated vulnerability scanning and penetration tests must be implemented annually.
Control Measure 3.3: Information and communication systems no longer supported with security updates by their manufacturers should not be used.

4. Protection from Malicious Software:
Control Measure 4.1: Malicious software protection programs and functions must be installed on all IT and communication systems and updated regularly.

5. Network Security:
Control Measure 5.1: Firewalls must be installed and configured at appropriate points in the network to protect systems and information from relevant threats.
Control Measure 5.2: Wireless access to the organization's network should be implemented with appropriate routing and protection through firewalls.

6. Backups:
Control Measure 6.1: Critical information must be identified and backed up regularly in alignment with a backup policy.

7. Access Control:
Control Measure 7.1: Important information locations must be identified. A structure must be created in an appropriate storage area to grant access rights to authorized and authenticated users based on the need-to-know principle.
Control Measure 7.2: An appropriate password policy must be created and implemented in all systems.
Control Measure 7.3: Administrative or privileged rights should be granted to a minimum necessary number of authorized staff.

8. Security Incidents:
Control Measure 8.1: Structures and processes for responding to security incidents must be established. Staff involved in these procedures should be appropriately trained.

9. Physical Security Measures:
Control Measure 9.1: Physical security measures must be adopted to protect systems and facilities from natural and environmental threats.

10. Data Protection:
Control Measure 10.1: A Personal Data Protection Policy based on the GDPR regulation must be designed, implemented, approved, and published.

11. Operational Impact Analysis:
Control Measure 11.1: An appropriate methodology for operational impact analysis must be designed and implemented. The results and key figures should be recorded, maintained, and utilized to design relevant measures and implementations.

Based on the gap analysis, enterprises will prepare proposals that include a list of solutions and services they intend to use to achieve the “Cyber-Hygiene Framework for SME of NCC-CY” certification.

Proposals must be submitted through the Research and Innovation Foundation’s IRIS Portal (https://iris.research.org.cy/#!/). Project Coordinators and participating organizations must register on the IRIS Portal in advance. Applicants are advised to consult the «Guide for Applicants» and «IRIS Portal User Manual» available on the IRIS Portal (https://iris.research.org.cy/#/documentlibrary). The RIF encourages the participation of women as Project Coordinators and gender-balanced participation in projects.

The evaluation process includes a Preliminary Check and Evaluation by an Independent Evaluation Committee (IEC) composed of experts in business and cybersecurity. Proposals meeting all criteria will be evaluated by the IEC, which will rank the proposals and document their rationale in an Evaluation Report. The Evaluation Report will be communicated to the Project Coordinator. The final funding decision rests with the Committee and is not subject to appeal.

The evaluation criteria are:
1. Relevance (30%): Alignment with the call's objectives and activities, and the degree of cybersecurity upgrading in relation to the company's current state.
2. Added Value and Benefit (40%): The degree to which the project ensures expected results and deliverables, the effectiveness of actions in demonstrating the benefits of funding, the enhancement of competitiveness, and the positive impact on business operations due to increased cybersecurity.
3. Implementation (30%): Maturity of the project, adequacy of needs analysis, completeness of the action plan, timeline, budget, and the capacity of the Host Organization to carry out the project. Also, the plan to ensure that the increased level of cybersecurity resulting from the funding is preserved over time.

Proposals selected for funding will be based on their ranking, and the total funding will not exceed the call budget.

Specific restrictions and conditions include that each organization can submit only one project proposal as a Host Organization. Participating entities engaged in economic activity must be legally established and active in territories under the control of the Republic of Cyprus, documented by facilities, staff, audited financial statements, and tax returns. Upon project completion, SMEs must undertake at least one publicity activity highlighting the achievement of the Certification, referencing the funding's benefits and including logos of relevant organizations and co-funding by the Republic of Cyprus.

The program aims to ensure SMEs achieve a basic level of cybersecurity to protect their infrastructures, systems, and information. This will be achieved through the purchase of solutions and services to maintain and strengthen the level of security and resilience of SMEs operating in the Tourism industry, as well as through the evaluation and identification of challenges and weaknesses. Additionally, the Programme seeks to achieve their compliance of SMES with European and internationally accepted measures and standards through a certification scheme, the Cyber-Hygiene Framework for Small and Medium Enterprises (SME) of the NCC-CY.

Through the Programme, SMEs operating in the Tourism industry will have the opportunity to obtain a Cybersecurity Certification issued by Certification Bodies accredited according to ISO 17021 and ISO 27006, competent to carry out inspections and certifications for information security management systems according to ISO/IEC 27001:2013 and/or ISO/IEC 27001:2022.

Following certification, enterprises can assess their maturity level, identify vulnerabilities, mitigate risks, and strengthen cybersecurity practices, allowing them to invest in information and data protection based on the NCC-CY Cyber-Hygiene Framework for SMEs.

The opening date for submissions is September 12, 2025, and the deadline is November 18, 2025, at 13:00 (Brussels time). The expected duration of participation is that all approved projects must be completed within 9 months. The total funding available is 1,000,000.00 €. The project acronym is N4CY2, and the full name of the EU funded project is Advancing the NCC-CY: The Next Chapter of the National Cybersecurity Coordination Centre of Cyprus. The grant agreement number is 101195086. The topic is DIGITAL-ECCC-2024-DEPLOY-NCC-06-MS-COORDINATION - Deploying The Network of National Coordination Centres with Member States.

In summary, this opportunity is a call for proposals targeting SMEs in the tourism sector within the Republic of Cyprus. The goal is to enhance their cybersecurity posture through a structured program that includes gap analysis, implementation of cybersecurity solutions and services, and ultimately, achieving a Cybersecurity Certification based on the NCC-CY Cyber-Hygiene Framework for SMEs. The program is funded by the Research and Innovation Foundation (RIF) in collaboration with the Digital Security Authority (DSA) as the National Cybersecurity Coordination Centre (NCC-CY) and aims to improve the security and resilience of these businesses, ensuring compliance with European and international standards. The funding will enable SMEs to invest in necessary cybersecurity measures, protect their infrastructure and data, and increase their competitiveness by demonstrating a commitment to cybersecurity best practices.

Eligible Applicant Types: The eligible applicant types are Small and Medium Enterprises (SMEs). Specifically, the call targets SMEs operating in the Tourism industry within the Republic of Cyprus.

Funding Type: The primary financial mechanism is a grant, aimed at enabling SMEs to purchase solutions and services to enhance their cybersecurity.

Consortium Requirement: The opportunity appears to be primarily targeted towards single applicants, specifically SMEs. While the mention of "Cypriot Consortium" exists, the emphasis is on individual SMEs taking the role of a "Host Organisation." Each organization can submit only one project proposal as a Host Organisation.

Beneficiary Scope (Geographic Eligibility): The geographic eligibility is limited to the Republic of Cyprus. Participating entities must be legally established and active in territories under the control of the Republic of Cyprus, with facilities and staff located within these territories.

Target Sector: The program targets the cybersecurity sector, with a specific focus on SMEs operating within the Tourism industry.

Mentioned Countries: Cyprus, European Union.

Project Stage: The expected maturity of the project is at the stage where SMEs need to implement and strengthen their cybersecurity measures. This includes conducting a gap analysis, purchasing solutions and services, and ultimately achieving cybersecurity certification. The projects are expected to be implemented within a predefined maximum period.

Funding Amount: The total funding available for this call is €1,000,000. The specific funding range for individual projects is not explicitly stated, but it will be determined based on the proposals and the total call budget.

Application Type: The application type is an open call for proposals.

Nature of Support: Beneficiaries will receive money to purchase solutions and services to improve their cybersecurity and achieve certification.

Application Stages: The application process involves a single stage submission, followed by a preliminary check and evaluation by an Independent Evaluation Committee (IEC).

Success Rates: The success rates are not explicitly mentioned. Proposals will be selected for funding based on their ranking after the evaluation process, and the total funding will not exceed the call budget.

Co-funding Requirement: The document does not explicitly state a co-funding requirement.

Summary:

The "Enhancing Cybersecurity for Small and Medium Enterprises in the Republic of Cyprus 2025 Tourism" program is a call for proposals aimed at bolstering the cybersecurity of SMEs operating in the tourism sector within Cyprus. Funded by the Research and Innovation Foundation (RIF) in collaboration with the Digital Security Authority (DSA) as the National Cybersecurity Coordination Centre (NCC-CY), the program offers grants to SMEs to purchase cybersecurity solutions and services. The goal is to help these businesses achieve a basic level of cybersecurity and obtain the "Cyber-Hygiene Framework for SME of NCC-CY" certification.

To participate, SMEs must conduct a gap analysis to assess their current cybersecurity posture against the NCC-CY Cyber-Hygiene framework. This framework covers key areas such as security policy, awareness and training, software updates, protection from malicious software, network security, backups, access control, security incidents, physical security measures, data protection, and operational impact analysis. SMEs can also leverage ENISA's Awareness Raising in a Box (AR-in-a-Box) toolkit to enhance their cybersecurity awareness and training efforts.

The application process involves submitting proposals through the RIF's IRIS Portal. An Independent Evaluation Committee (IEC) will evaluate proposals based on relevance, added value and benefit, and implementation. Successful projects must be completed within 9 months and will be required to undertake publicity activities to highlight their achievements. The total funding available for this call is €1,000,000. This initiative aims to strengthen the cybersecurity resilience of SMEs in the Cypriot tourism industry, ensuring they can protect their infrastructure, systems, and information in line with European and international standards.