SECURE-CALL #1 - SECURE First Open Call For Proposals

The SECURE First Open Call for Proposals is a European Union-funded initiative aimed at strengthening the cybersecurity capabilities of micro, small, and medium-sized enterprises (mSMEs) in alignment with the Cyber Resilience Act (CRA). The call offers a total funding budget of EUR 5,000,000, with individual grants up to EUR 30,000 provided as lump sums, covering 50 percent of eligible project costs.

Eligible applicants must be single legal entities classified as mSMEs under the EU Commission Recommendation 2003/361/EC and must be legally established in EU Member States or EEA countries. Consortia, large enterprises, and individuals are explicitly excluded from application. Each project must directly relate to CRA compliance, addressing cybersecurity requirements for digital products and services.

The application process is a single-stage model, requiring submissions through the SECURE online platform by the deadline of March 29, 2026. The process involves a multi-phase evaluation system, including mandatory documentation uploads, proposal and budget submissions, and a three-tier assessment that evaluates criteria such as project relevance, technical quality, clarity, and implementation feasibility. Successful applicants will enter an implementation phase lasting up to 180 days following the signing of a Sub-Grant Agreement.

The financial support primarily targets practical compliance activities like cybersecurity assessments, security control implementations, and organizational process developments to help mSMEs meet the CRA obligations. Applicants are required to provide co-funding of an equal amount as the EU grant, ensuring they contribute 50 percent of eligible project costs.

The overarching goal of this call is to facilitate EU SMEs in adapting to the regulatory landscape imposed by the Cyber Resilience Act, thereby enhancing the overall cybersecurity posture of smaller enterprises across the digital economy.

The SECURE First Open Call for Proposals aims to strengthen the cybersecurity capacities of European SMEs in line with the Cyber Resilience Act (CRA) requirements and obligations. The call, identified by topic DIGITAL-ECCC-2024-DEPLOY-CYBER-06-STRENGTHENCRA, is part of the SECURE project, officially named "SECURE Strengthening EU SMEs Cyber Resilience," with grant agreement number 101190325. The total funding available is 5,000,000.00 EUR.

The opening date for submissions was January 28, 2026, and the deadline is March 29, 2026, at 23:59 Brussels time. The call follows a single-stage submission model.

Eligibility is restricted to single legal entities that qualify as micro, small, or medium-sized enterprises (mSMEs) according to Commission Recommendation 2003/361/EC. These entities must be legally established in an EU Member State (including Overseas Countries and Territories - OCTs) or in European Economic Area (EEA) countries. Consortia, EU bodies, international organizations, and natural persons are not eligible. Applicants must comply with all applicable EU and national legal, ethical, and financial obligations, must not fall under EU exclusion grounds, must not qualify as enterprises in difficulty, and must ensure the absence of double funding. Projects must demonstrate direct and substantive relevance to the Cyber Resilience Act (CRA). Applicants must operate, or credibly plan to operate, within the CRA scope, and proposed activities must clearly support compliance with CRA requirements for identified digital products or services. Company eligibility is formally validated by the relevant National Cybersecurity Coordination Centre (NCC). Detailed eligibility rules are provided in Appendix A of the SECURE Open Calls Application Guidelines (Annex 1), while the CRA scope and eligible activities are specified in ANNEX 2 – CRA Scope & Eligible Activities, Services and Goods.

The application process is structured in two stages and several phases, conducted exclusively via the SECURE online platform.

Stage 1 involves the Application & Evaluation Process:

Phase 1: Registration and Company Documentation. Applicants register on the platform, complete an eligibility checklist, and upload mandatory company documentation. This includes digitally signed declarations (PAdES format), official registration evidence, an ownership and control declaration (ANNEX 3 – Ownership Control Declaration), the most recent financial statement, and any additional documentation requested by the national NCC. Modifications are only possible upon explicit NCC request after final submission.

Phase 2: Proposal and Budget Submission. Applicants prepare and upload the Proposal Template (ANNEX 1.1) and the Budget Template (ANNEX 1.3), following the Proposal Budget Guidelines (ANNEX 1.2). Proposals must define objectives, work packages, deliverables, milestones, and KPIs, with a maximum project duration of 180 calendar days. Funding is granted as a lump sum, covering 50% of eligible costs up to EUR 30,000. Applicants may optionally request 40% pre-financing at this stage. No changes are allowed after the final submission is confirmed.

Phase 3: Evaluation. Submitted proposals undergo a three-layer evaluation process: Formal Evaluation verifies completeness, CRA relevance, and consistency with eligible activities. Technical Evaluation is carried out by an independent Evaluation Committee of cybersecurity and CRA experts, assessing proposals against the criteria of Excellence & Relevance, Impact & Clarity, and Implementation, using the scoring system and thresholds defined in Appendix B – Proposal Technical Evaluation. Company Eligibility Verification is conducted by the applicant’s national NCC, which may request integrations and formally confirms company-level eligibility. Failure to obtain NCC validation may result in exclusion, irrespective of technical score.

The evaluation of proposals is based on three core award criteria: Excellence & Relevance, Impact & Clarity, and Implementation. Excellence & Relevance measures the coherence, credibility, and CRA alignment of the proposed activities and their ability to address identified compliance gaps. Impact & Clarity assesses the expected benefits for the applicant mSME, the contribution to CRA compliance, the clarity of the proposal, and the robustness of the proposed KPIs. Implementation evaluates the feasibility and consistency of the work plan, including work packages, deliverables, milestones, evidence, and budget coherence. Each criterion is scored on a 0–5 scale by multiple evaluators, aggregated through a weighted scoring system with defined minimum thresholds. Each proposal is independently assessed by three evaluators, who assign scores from 0 to 5 for each of the three award criteria. For each criterion, individual scores are summed and averaged, with the result rounded to the nearest integer, producing a criterion score with a maximum of 15 points. These rounded scores are then combined into a final weighted average score, reflecting the relative importance of the criteria. To be eligible for funding, proposals must meet defined minimum thresholds, namely: an overall final score of at least 10 points and no score below 10 in two or more individual criteria; failure to meet either threshold results in exclusion. Where significant scoring discrepancies occur—specifically, differences of five points or more between evaluators on two or more criteria—an additional evaluator is appointed and the final score is recalculated using all assessments. In the case of tie scores in the final ranking, priority is given to the proposal submitted earlier on the platform, with submission date and time serving as the sole tie‑breaking rule.

Phase 4: Final Results and Sub-Grant Agreement. Applicants are notified of the final outcome (funded, eligible but not funded due to budget constraints, or rejected). Successful applicants are invited to sign the Sub-Grant Agreement (ANNEX 5). Following countersignature by the SECURE Consortium, the project is formally admitted to implementation, and pre-financing, if requested, may be disbursed.

Stage 2 involves Project Implementation and Assessment:

Following Sub-Grant Agreement signature, funded projects enter Stage 2, which covers implementation, reporting, and payment. Beneficiaries must complete an initial CRA Maturity Assessment, implement the approved activities within 180 days, and submit a Technical Report (ANNEX 6) together with supporting evidence demonstrating achievement of declared deliverables and KPIs. Implementation is assessed by the Evaluation Committee in accordance with Appendix C – Implementation Assessment, determining full, partial, or no balance payment based on the degree of objective achievement.

In summary, the SECURE First Open Call for Proposals provides funding for mSMEs to enhance their cybersecurity capabilities in accordance with the Cyber Resilience Act. Eligible companies can receive up to EUR 30,000 to cover 50% of their eligible costs for projects lasting up to 180 days. The application process involves a detailed submission and evaluation process, with a strong emphasis on the relevance and impact of the proposed activities in relation to CRA compliance. The call aims to strengthen the overall cybersecurity posture of European SMEs and ensure their alignment with the latest regulatory requirements.

Eligible Applicant Types: The eligible applicant type is single legal entities qualifying as micro, small or medium-sized enterprises (mSMEs) under Commission Recommendation 2003/361/EC.

Funding Type: The funding type is a grant, specifically cascade funding, provided as a lump sum.

Consortium Requirement: A single applicant is required. Consortia are explicitly excluded.

Beneficiary Scope (Geographic Eligibility): The geographic eligibility includes EU Member States (including OCTs) and EEA countries.

Target Sector: The target sector is cybersecurity, specifically related to the Cyber Resilience Act (CRA) and strengthening cybersecurity capacities of European SMEs.

Mentioned Countries: EU Member States and EEA countries are mentioned.

Project Stage: The project stage is related to demonstrating direct and substantive relevance to the Cyber Resilience Act (CRA), supporting compliance with CRA requirements for identified digital products or services. This suggests a stage of development, validation, or demonstration, focusing on practical application and compliance.

Funding Amount: The funding amount is up to EUR 30,000, covering 50% of eligible costs, granted as a lump sum. A total of EUR 5,000,000 is available for the call.

Application Type: The application type is an open call, submitted exclusively via the SECURE online platform.

Nature of Support: Beneficiaries will receive money in the form of a grant.

Application Stages: There are two main stages: Stage 1 (Application & Evaluation Process) and Stage 2 (Project Implementation and Assessment). Stage 1 has four phases: Registration and Company Documentation, Proposal and Budget Submission, Evaluation, and Final Results and Sub-Grant Agreement.

Success Rates: The success rate is not explicitly mentioned, but the text indicates that proposals can be "funded, eligible but not funded due to budget constraints, or rejected," suggesting the success rate is dependent on the number of applications and available budget.

Co-funding Requirement: Yes, the funding covers 50% of eligible costs, implying a co-funding requirement of the remaining 50% from the applicant or other sources.

Summary:

The SECURE First Open Call for Proposals aims to strengthen the cybersecurity capacities of European SMEs in line with the Cyber Resilience Act (CRA). The call provides cascade funding to single mSMEs legally established in EU Member States (including OCTs) or EEA countries. The funding is provided as a lump sum grant of up to EUR 30,000, covering 50% of eligible costs. Projects must demonstrate direct relevance to the CRA and support compliance with its requirements for digital products and services. The application process involves registration, submission of company documentation, a proposal and budget, and a multi-layered evaluation process. The evaluation considers completeness, CRA relevance, technical quality, and regulatory relevance. Successful applicants sign a Sub-Grant Agreement and implement their projects within 180 days, followed by reporting and assessment. The total funding available for this call is EUR 5,000,000. The opening date is 28 January 2026 and the deadline is 29 March 2026. The call aims to support SMEs in navigating and complying with the new cybersecurity regulations under the CRA.