Open Call 1: Penetration Testing Scenarios Development

CIRCAT Open Call 1 is a cascade funding opportunity under the Digital Europe Programme to support development of realistic, validated penetration testing scenarios for critical infrastructure and essential services across prioritised sectors. The total call budget is €720,000 with individual lump-sum awards of up to €40,000 per project and a 50% co-funding requirement. Selected beneficiaries join a structured 6-month support programme within the CIRCAT initiative, receiving dedicated expert mentoring, technical guidance and validation support. The call is single-stage, opened 08 May 2026 and closes on 09 July 2026 at 15:00 Brussels time.

What it funds

Scope and support

Grants to design realistic penetration testing scenarios for Networks, Applications, Virtualisation, Cloud, Industrial Control Systems (ICS) and IoT within CIRCAT prioritised verticals: Energy, Health, Public Administration, Digital infrastructure, ICT service management (B2B) and Financial market infrastructure. Selected projects join a 6-month tailored support programme with mentoring, validation and access to tool repositories.

Funding amounts and conditions:Maximum lump-sum grant per project: €40,000. Funding rate: 50% co-financing (applicant covers remaining 50%). Total call budget: €720,000. Expected participation duration: 6 months.

1. 1Who can apply: National Cybersecurity Authorities, National Coordination Centres, Operators of Essential Services, large industrial installations, governmental entities and other stakeholders able to aggregate demand (also SMEs, mid-caps, large companies, research centres and public bodies).
2. 2Geographical eligibility: entities registered in and controlled by an EU Member State or EEA country. Entities subject to EU restrictive measures or controlled by non-EU/non-EEA third countries are not eligible.
3. 3Project requirement: deliver a penetration testing scenario following the provided template and address large industrial operators.

Evaluation criteria:Excellence, Impact and Implementation. Submission via FundingBox. Support contact: circat.help@fundingbox.com. Project website: CIRCAT.

Opportunity Summary

This is a cascade funding open call launched under the CIRCAT project Cybersecurity Infrastructure Resilience, Collaboration, and Advanced Training with grant agreement number 101249750. The call targets development of realistic penetration testing scenarios for large industrial operators and Operators of Essential Services within prioritised verticals. Selected beneficiaries receive financial and non financial support and participate in a 6 month tailored support programme including mentoring, scenario design, integration, and validation.

Opening and Deadline:Opening date 08 May 2026. Single stage deadline 09 July 2026 at 15:00 Brussels time.

Total Funding and Individual Award:Total budget for this open call is €720,000.00. Maximum grant per selected project is up to €40,000.00, provided as a lump sum and disbursed across participation in the 6 month support programme.

Who Can Apply and Geographic Eligibility

Eligible applicants are entities with the capacity to aggregate demand and address large industrial operators and Operators of Essential Services. The call explicitly seeks applications from National Cybersecurity Authorities, National Coordination Centres, large industrial installations, Operators of Essential Services, governmental entities, and other relevant stakeholders. Eligible legal entity types include SMEs, mid caps, large companies, research centres including universities, and public bodies. Applicants must be registered in and controlled by entities within an EU Member State or an EEA country. Entities subject to EU restrictive measures or controlled by non EU non EEA third countries are not eligible.

Eligible Applicant Types:SMEs, mid caps, large enterprises, research centres and universities, public bodies, National Cybersecurity Authorities, National Coordination Centres, large industrial installations, Operators of Essential Services, governmental entities, and other stakeholders with capacity to aggregate demand.

Beneficiary Scope Geographic Eligibility:Applicants must be registered in and controlled by entities within EU Member States or EEA countries. Entities controlled by non EU or non EEA third countries or subject to EU restrictive measures are excluded.

Funding Modality, Co funding and Support

This opportunity provides grants as a lump sum payment up to €40,000 per project. The funding rate requires 50 percent co funding from the applicant or other resources, meaning the applicant must cover the remaining 50 percent of the project costs. In addition to monetary support, CIRCAT provides substantial non monetary support: assignment of a dedicated CIRCAT expert mentor, access to the CIRCAT Mentoring Programme, technical guidance, tool repositories, and networking with the European cybersecurity ecosystem.

Funding Type:Grant, lump sum. Non financial support includes mentoring, technical guidance, tool repositories, and networking.

Call Objectives, Target Sectors and Activities

The call requires beneficiaries to design penetration testing scenarios that safely replicate realistic threats in controlled environments and that reflect emerging attack patterns and exploit techniques. Scenarios must focus on Networks, Applications, Virtualisation, Cloud, Industrial Control Systems, and Internet of Things. Scenarios must be targeted to one of the CIRCAT prioritised verticals and address large industrial operators.

1. 1Prioritised verticals: Energy, Health, Public Administration, Digital infrastructure, ICT Service management B2B, Financial market infrastructure.
2. 2Technical domains for scenarios: Networks, Applications, Virtualisation, Cloud, Industrial Control Systems ICS, IoT.
3. 3Eligible activities: Vulnerability testing support scenario development and documentation, customised threat and risk scenario analyses, scenario integration and validation.

Target Sector:Cybersecurity applied to critical infrastructure and large industrial operations across Energy, Health, Public Administration, Digital infrastructure, ICT Service management B2B, and Financial market infrastructure. Technical scope includes networks, applications, virtualisation, cloud, ICS, and IoT.

Project Stage, Duration and Expected Maturity

Projects should be at a development and validation stage where teams can deliver concrete, executable penetration testing scenarios and validate them in collaboration with mentors. The expected duration of participation in the CIRCAT support programme is 6 months, structured into short staged activities for mentoring, scenario definition, integration and validation. The initiative targets demonstration and validation of threat scenarios rather than basic research or late stage commercial scale up.

Project Stage:Development, validation and demonstration of penetration testing scenarios.

Submission, Evaluation and Selection Process

Proposals must be submitted online via the FundingBox platform at the specified application link. The selection process is single stage and comprises an admissibility and eligibility check, prescoring, expert evaluation by at least two independent external experts and one internal expert, a consensus meeting by the CIRCAT Selection Committee, and optionally an interview to clarify proposal details before final decisions. Selected finalists will enter a sub grant agreement and the CIRCAT support programme.

Application Type and How to Apply:Open call, single stage. Proposals must be submitted online through the FundingBox opportunities portal at opportunities.getonepass.eu ¹. For support contact circat.help@fundingbox.com.

Application Stages:Single stage submission. Evaluation includes multiple internal stages described above: admissibility and eligibility check, prescoring, expert evaluation, consensus meeting and optional interview. Counting distinct selection steps applicants pass, there are effectively 4 to 5 stages.

Success Rates and Competition

The call does not publish an explicit success rate. With a total budget of €720,000 and maximum award €40,000 per project, the call can fund up to approximately 18 projects if all awards are at the maximum. Actual number of awards may differ due to variable award sizes and quality based selection.

Co funding Requirement

Applicants must provide 50 percent co funding. The grant covers 50 percent of the project costs up to the €40,000 lump sum. Co funding must come from the applicant or other sources and must be demonstrated as required by the sub grant agreement.

Consortium Requirement

The call does not mandate a consortium. Single applicants are eligible. However applicants are encouraged to demonstrate capacity to aggregate demand or collaborate with relevant stakeholders such as national authorities, large operators, or research centres. Where consortium proposals are used, all partners must meet the geographical eligibility rules.

Templates and Application Content Structure

Applicants must follow the application form on the FundingBox platform and the Penetration Testing Scenario template provided in Annex 1 of the call documentation. The application should include a structured Individual Mentoring Plan IMP with KPIs and deliverables, a detailed scenario definition including threat vectors, technical steps, tools and methodologies, and a plan for scenario integration and validation. The expected application sections are outlined below to help applicants prepare their submission.

1. 1Administrative and contact details of the applicant and legal status confirmation.
2. 2Background and capacity statement explaining ability to aggregate demand and work with large industrial operators.
3. 3Individual Mentoring Plan IMP that defines project KPIs, timeline and deliverables for the 6 month programme.
4. 4Penetration Testing Scenario description following Annex 1 template: targeted vertical, technical domain, threat vectors, step by step technical scenario execution plan, safety and containment measures, required tools and data, success criteria and measurable KPIs.
5. 5Integration and validation plan describing how mentors and stakeholders will validate and replicate the scenario and measure outcomes.
6. 6Budget justification demonstrating total costs, requested €40,000 or other amount, and clear proof of 50 percent co funding.
7. 7Risk management and compliance, especially regarding responsible disclosure, legal and safety considerations for penetration testing activities.

Key Facts Table

Mentioned Countries

EU Member States and EEA countries are explicitly mentioned as eligible jurisdictions. No individual countries are listed by name in the call text.

Nature of Support

Beneficiaries receive money in the form of a grant lump sum and non monetary services including mentoring, technical guidance, access to tool repositories, and networking opportunities.

Final Summary

This open call finances development and validation of realistic penetration testing scenarios targeted at large industrial operators and Operators of Essential Services across critical sectors including Energy, Health, Public Administration, Digital infrastructure, ICT service management B2B, and Financial market infrastructure. It offers a maximum of €40,000 per project as a lump sum with 50 percent co funding required and pairs each beneficiary with a CIRCAT mentor through a structured 6 month support programme. The call is single stage, requires online submission via FundingBox, and evaluates proposals through admissibility checks, prescoring, multi expert evaluation, and selection committee review. Applicants should prepare a detailed Individual Mentoring Plan IMP, a scenario definition following Annex 1, and a robust validation and integration plan addressing technical, legal and safety considerations for penetration testing. Interested entities from EU and EEA jurisdictions that can demonstrate the capacity to work with large industrial operators and aggregate demand should apply before the 09 July 2026 deadline and contact circat.help@fundingbox.com for support ¹.

Footnotes

1. 1Application portal and details available at opportunities.getonepass.eu. Project website circat.eu.

Funding Opportunity Overview

CIRCAT Open Call 1 is a cascade funding opportunity under the Digital Europe Programme, specifically targeting the development of penetration testing scenarios for critical infrastructure and essential services. The call is part of the Cybersecurity Infrastructure Resilience, Collaboration, and Advanced Training (CIRCAT) project, funded under the DIGITAL-ECCC topic addressing preparedness support and mutual assistance for larger industrial operations and installations. The opportunity aims to strengthen cybersecurity resilience across European critical sectors by supporting the creation of realistic, validated penetration testing scenarios that reflect emerging threat landscapes and attack methodologies.

Call Status and Timeline:The call opened on 08 May 2026 and operates on a single-stage submission model with a deadline of 09 July 2026 at 15:00 Brussels time. The expected duration of participation is 6 months, with beneficiaries receiving support through an 18-month overall support programme structure.

Funding Details

Total Budget and Individual Awards:The total funding available for this open call is €720,000. Individual beneficiaries can receive up to €40,000 per project as a lump sum grant ¹.

Co-Funding Requirements:The funding operates on a 50% co-funding basis, meaning applicants must provide matching funds covering the remaining 50% of project costs through their own resources or other sources.

Disbursement Structure:Funding is disbursed across a 6-month tailored support programme following selection and signature of the Sub-Grant Agreement.

Eligible Applicants

The call welcomes applications from a diverse range of organizations with capacity to aggregate demand and develop cybersecurity solutions for large industrial operators. Primary target applicants include National Cybersecurity Authorities (NCAs), National Coordination Centres, large industrial installations, Operators of Essential Services (OES), and governmental entities.

Eligible Entity Types:

• Small and Medium-sized Enterprises (SMEs)
• Mid-cap companies
• Large companies
• Research centres and universities
• Public bodies
• National Cybersecurity Authorities and Coordination Centres
• Operators of Essential Services (OES)
• Large industrial installations

Geographical Eligibility:Applicants must be registered in and controlled by entities within an EU Member State or an EEA country. Entities subject to EU restrictive measures or controlled by non-EU or non-EEA third countries are not eligible.

Scope and Eligible Activities

CIRCAT Open Call 1 focuses on the development of penetration testing scenarios targeting large industrial operators and essential services. Beneficiaries must design scenarios following provided templates within one or more of the prioritised vertical sectors.

Prioritised Vertical Sectors:

• Energy
• Health
• Public Administration
• Digital infrastructure
• ICT Service management (B2B)
• Financial market infrastructure

Technical Scope Areas:

Scenarios must address testing for Networks, Applications, Virtualisation, Cloud, Industrial Control Systems (ICS), and Internet of Things (IoT) environments.

Eligible Activities:

• Vulnerability Testing Support: Developing and documenting realistic penetration testing scenarios that reflect current and emerging attack patterns
• Threat and Risk Assessment Support: Conducting customised risk scenario analyses tailored to specific industrial operations and essential services
• Scenario design following CIRCAT-provided templates
• Integration of threat vectors and technical methodologies for controlled environment replication

Support Programme Structure

Selected beneficiaries participate in a structured 6-month support programme within the broader 18-month CIRCAT initiative. Each beneficiary receives dedicated mentoring and guidance through four operational stages.

Stage 1: Individual Mentoring Plan (Up to 1 month):Beneficiaries work with CIRCAT expert mentors to define a structured work plan tailored to their project. This stage produces an Individual Mentoring Plan (IMP) document that establishes project-specific key performance indicators (KPIs) and deliverables.

Stage 2: Scenario Definition (Up to 3 months):Participants identify relevant threat vectors and detail the technical steps, tools, and methodologies required to safely replicate these threats in a controlled environment. This stage forms the core of scenario development work.

Stage 3: Scenario Integration and Validation (Up to 2 months):CIRCAT mentors collaborate with participants to validate the developed scenarios, ensuring they accurately reflect emerging attack patterns and exploit techniques relevant to the target sector and technology domain.

Stage 4: Outputs and Sustainability (Implied):Beneficiaries finalize deliverables and ensure scenarios are documented and ready for deployment or integration into broader cybersecurity frameworks.

Non-Financial Support and Benefits

Beyond financial grants, selected beneficiaries gain access to comprehensive support mechanisms designed to enhance project quality and sustainability.

• Dedicated CIRCAT expert mentor paired with each beneficiary
• Access to the CIRCAT Mentoring Programme providing technical guidance and expertise
• Tool repositories and technical resources for scenario development
• Networking opportunities with the broader European cybersecurity ecosystem
• Guidance on scenario template compliance and best practices
• Support in validating scenarios against emerging threat intelligence

Evaluation and Selection Process

Proposals undergo a multi-stage evaluation process designed to ensure transparency, fairness, and thorough assessment of technical quality and strategic alignment.

Evaluation Stages:

1. 1Admissibility and Eligibility Check: Initial verification that proposals meet fundamental requirements including applicant eligibility, proposal completeness, and adherence to submission guidelines
2. 2Prescoring: Preliminary assessment of proposal quality and alignment with call objectives
3. 3Expert Evaluation: Assessment by at least 2 independent external experts and 1 internal expert using predefined award criteria
4. 4Consensus Meeting: CIRCAT Selection Committee reviews expert evaluations and selects finalists
5. 5Optional Interview: The Selection Committee may request interviews to clarify specific proposal aspects before final decision

Award Criteria:

• Excellence: Technical quality, relevance, and innovation of proposed penetration testing scenarios
• Impact: Potential contribution to cybersecurity resilience of critical infrastructure and essential services across Europe
• Implementation: Feasibility of execution, quality of methodology, and capacity of applicant team

Application Process

Submission Platform:Proposals must be submitted online via the FundingBox platform at [[opportunities.getonepass.eu.

Support and Contact:For inquiries and technical support, applicants should contact the helpdesk at circat.help@fundingbox.com. Additional information is available on the project website at [[https://circat.eu]]..

Key Submission Requirements:

• Online submission via FundingBox platform
• Compliance with CIRCAT scenario template provided in Annex 1
• Clear identification of target vertical sector (Energy, Health, Public Administration, Digital infrastructure, ICT Service management, or Financial market infrastructure)
• Specification of technology domains (Networks, Applications, Virtualisation, Cloud, ICS, or IoT)
• Demonstration of focus on large industrial operators and essential services
• Evidence of applicant capacity and relevant expertise
• Identification of co-funding sources covering 50% of project costs

Key Considerations for Applicants

Applicants should carefully consider several factors when preparing proposals to maximize competitiveness and ensure successful implementation.

Strategic Alignment:Proposals should clearly demonstrate alignment with EU cybersecurity priorities, particularly the Digital Operational Resilience Act (DORA) and NIS2 Directive requirements. Scenarios should address realistic, emerging threats relevant to the target sector and reflect current threat intelligence.

Sector-Specific Expertise:Applicants with deep domain knowledge in their chosen vertical sector (Energy, Health, Public Administration, Digital infrastructure, ICT Service management, or Financial market infrastructure) will be better positioned to develop scenarios that accurately reflect sector-specific risks and operational constraints.

Co-Funding Preparation:Since the call requires 50% co-funding, applicants must secure or commit matching resources before submission. This demonstrates financial commitment and project viability.

Mentoring Programme Value:The dedicated expert mentoring and access to CIRCAT's tool repositories and European cybersecurity network represent significant non-financial benefits. Applicants should view this support as integral to project success and scenario quality.

Scenario Realism and Validation:Proposals should emphasize the realism and practical applicability of proposed scenarios. Evaluators will assess whether scenarios accurately reflect emerging attack patterns and can be effectively validated against real-world threat landscapes.

Contextual Information on Related EU Cybersecurity Initiatives

CIRCAT Open Call 1 operates within a broader EU cybersecurity support ecosystem. Understanding related initiatives provides context for this opportunity ².

The CYSSDE project, also funded under the Digital Europe Programme, operates parallel open calls for penetration testing and vulnerability assessment services. CYSSDE's third and final open call (CYSSDE OC3) selected up to 12 penetration testing organizations to deliver minimum 100 penetration tests and vulnerability assessments for Essential Services Operators and SMEs. This complementary initiative demonstrates the EU's multi-faceted approach to building cybersecurity capacity, with CIRCAT focusing on scenario development and CYSSDE focusing on testing execution.

Additionally, the EU has introduced Delegated Regulation (EU) 2025/1190 establishing harmonized standards for threat-led penetration testing (TLPT) in the financial sector. This regulation prescribes a four-phase TLPT process including preparation, threat intelligence and analysis, red team testing, and closure and remediation. CIRCAT scenarios should align with these emerging regulatory frameworks to ensure long-term relevance and compliance applicability.

Summary of Key Opportunity Features

Footnotes

1. 1The €40,000 maximum award is provided as a lump sum, with disbursement occurring across the 6-month support programme following Sub-Grant Agreement signature. This structure differs from traditional reimbursement-based grants and requires applicants to manage cash flow accordingly.
2. 2The CYSSDE project (Cybersecurity Support for Essential Services and Digital Entities) operates under the same Digital Europe Programme funding stream. CYSSDE's Open Call 3 selected up to 12 penetration testing organizations to deliver minimum 100 penetration tests and vulnerability assessments. CYSSDE received 121 applications for its second open call, demonstrating strong market demand for EU-supported cybersecurity capacity building. More information is available at [[https://cyssde.eu]]..