Open Call: Financial Support for Penetration Test and Vulnerability Assessment

This open call, part of the broader CYSSDE project launched on June 1, 2024, provides financial support to third parties for penetration testing, vulnerability assessments, and improved risk monitoring under the DIGITAL-ECCC-2023-DEPLOY-CYBER-04-SUPPORT-ASSIST topic.

Scope and Objectives

• The CYSSDE project seeks to strengthen the cybersecurity maturity and resilience of Essential Service Operators and SMEs across Member States through organised open calls for Penetration Testing and vulnerability assessments. By supporting Member States, CYSSDE aims to complement national efforts by developing methods, scenarios, and use cases aligned with NIS2 requirements.
• Supported by NCCs in different Member States, the aim is to work with up to 20 selected and supported Pen Testing organisations with capabilities to execute at least 200 Pen Tests and Vulnerability assessments for Essential Services Operators, SMEs and other entities. CYSSDE will not only target these highly demanding critical infrastructures when it comes to vulnerability assessments but aims to focus on some specific increments together with Critical Infrastructure operators in order to use those to learn from and adopt them towards Essential Operators and the wider group of SMEs.
• CYSSDE specifically aims to reduce the potential impact of these vulnerabilities, by at least identifying them through Penetration Testing activities. But CYSSDE also aims to focus on identifying and researching not-so obvious vulnerabilities or threats which are still unknown and reporting those. CYSSDE will be able to finance and to help identify and document assessments, and provide additional capabilities throughout the 27 Member States, offering NCCs and Member States better access to skilled Penetration Testing services to mitigate these challenges.

Funding Information

• This first open call will select up to ten (10) applications. Successful applicants will be receiving up to 200,000.00€ in 50% co-funding and up to 18 months of tailored support, structured across four key stages. The beneficiaries will receive support and counselling from CYSSDE mentors during this support programme.
• At least 50% co-funding is required, selected beneficiaries have to co-finance the activity by a minimum of 50% of the total costs of the activity. Applicants seeking to receive 200,000.00 € therefore have to indicate that the total cost of the Pen Testing and Vulnerability Assessment activities will be 400,000.00 € or more.

Eligible Activities

• The activities eligible for financial support are those that address the deployment needs of a Penetration Testing and Vulnerability Assessment organisation. These activities may include:
  • Hiring additional personnel, skills and expertise,
  • Developing specialised skills through training and education,
  • Developing additional technologies and tools, as well as performing applied research, for the required Penetration Testing and Vulnerability Assessments. These efforts can include, for instance, the development of automation tools, and the integration of testing mechanisms into a common platform,
  • Setting up, operating and maintaining or hiring testing and sandboxing environments, this can include specific architecture for Critical Infrastructure, Essential or Important Services, Class I and II critical or AI products and services or related,
  • Services and components needed for vulnerability reporting (eg CVEs),
  • Facilities and Range mechanisms to provide capture the flag actions, or hackathon resulting in Penetration Testing and Vulnerability Assessments
  • Setting up, operating and maintaining Infrastructures or hiring facilities to gain deeper insights into device vulnerabilities (eg R/F scanners, testing equipment, …),
  • Accessing and contributing intelligence services, risk monitoring platforms and services, and related efforts,
  • Acquiring, Leasing, Hiring appliances and/or applications for device testing such as IoT, INFRA, and OT devices, (which can also be shared in consortium-based projects),
  • Licensing, purchasing, renting, and hiring tooling for Penetration Testing or Vulnerability Assessments (according to the list of tools available on the cyssde.eu website, or others), for manual and automated assessments,
  • Using external assessment services, provided that they use the same level of detailed description as above,
  • Defining and providing external assessment services such as counselling, advisory, assistance, … to target entities (OES, essential and important entities, critical infrastructure, others …)
• Applicants can decide upon one or more of these activities, as long as they can provide a minimum of 10 Penetration Tests and/or Vulnerability Assessments.

Eligibility Criteria

• Types of entities
  • They are looking for individual entities or consortia of a maximum of 2 entities being SMEs (including micro-enterprises and start-ups), mid-caps or large companies, research centers and public bodies that are registered in the Member States of the European Union.
  • Please note that a minimum of 25% of the overall budget allocation will be designated for SMEs. Applications can be submitted by Penetration Testing and Vulnerability Assessment organizations individually or in a consortium (of a maximum of two entities), with a designated coordinator organisation.
  • CYSSDE partners and their affiliate entities, employees or associates are NOT eligible to act as applicants.
  • NCCs that participate in OC1 are eligible to participate in OC2 and/or OC3. The total maximum amount of funding per participating organisation however is 200,000.00€.

For more information, visit European Commission.