Official call identifier: CYSSDE Open Call 3 (OC3)
Objective of the call
The objective of this call is to strengthen the operational capacity of cybersecurity providers to deliver high-quality penetration testing and vulnerability assessment services. The call supports organisations in enhancing cybersecurity resilience across the EU, particularly for essential and important entities covered by the NIS2 Directive, operators of essential services, digital service providers, public bodies, and SMEs supporting NIS2-relevant sectors, as outlined in the Open Call Terms & Conditions.
Scope of activities
This Open Call focuses on strengthening the capabilities of cybersecurity providers to perform structured, high-quality penetration testing and vulnerability assessments for end users.
Selected beneficiaries must conduct a minimum of 10 penetration tests and/or vulnerability assessments for external end users during the project implementation. These end users should include essential or important entities under the NIS2 Directive, operators of essential services, digital service providers, public-sector organisations, or SMEs active in NIS2-relevant sectors.
Projects are expected to:
- Design and implement structured penetration testing and vulnerability assessment scenarios
- Prepare testing methodologies aligned with recognised cybersecurity standards
- Establish or upgrade testing environments, tools and infrastructures
- Address vulnerabilities related to supply chain security, IoT, cloud systems, applications, OT devices, and appliances where relevant
- Engage with manufacturers, operators, developers, system integrators, testing centres or end users to ensure access and cooperation
- Deliver documented assessment results, including potential CVEs or responsible disclosures where applicable
- Contribute to NIS2 compliance and improved cybersecurity maturity at Member State and EU level
Eligible applicants
- Applicants must be registered in, and controlled by an entity or person established in, an EU Member State or EEA country
- Entities under EU restrictive measures are not eligible
- Entities in bankruptcy, liquidation or financial difficulty are not eligible
- CYSSDE partners, affiliates and employees are not eligible
- Beneficiaries of CYSSDE Open Call 2 are not eligible
- Applicants must demonstrate proven cybersecurity expertise
- Applicants must commit to delivering at least 10 penetration tests/assessments
Consortium conditions:
- Applications may be submitted by a single entity or a consortium of up to two entities
- One entity must act as coordinator
- At least one entity must specialise in cybersecurity
- The consortium must demonstrate sufficient technical capacity, tools and methodologies
- Existing or planned engagement with essential or important entities should be clearly described
Eligible costs
- Personnel costs for cybersecurity experts
- Costs for acquiring or developing testing tools and environments
- Costs related to applied research
- Costs for accessing intelligence services
- Costs for delivering advisory and assessment services
Funding conditions
- Type of action: Cascade funding
- Funding rate: 50%
- EU contribution per project: Up to €200,000
- Number of funded projects: 12
- Project duration: 18 months
Deadline for submission
28 April 2026