If your question is not addressed in the FAQs, please do not hesitate to contact our Helpdesk at helpdesk@cyssde.eu.
If a company was founded and is officially registered in an EU Member State, but is 100% owned and controlled by a company established in a non-EU/EEA country (such as Switzerland), is it eligible to apply?
No, the company is not eligible. While the company itself is founded and registered in an EU Member State, the programme does not accept entities that are directly or indirectly controlled by a person or entity established in a country outside the EU or EEA. Because the company is fully owned by a non-EU/EEA entity, it fails to meet this criterion. You can find this rule detailed in Section 1.3 "Ground rules and formal requirements" (under "Ownership control and governance") of the Open Call Terms & Conditions.
Are Turkish organisations or organisations from non-EU countries (including Digital Europe associated countries) eligible?
No, only applicants established in EU Member States and EEA countries are eligible. The CYSSDE project is funded under the Digital Europe Programme (Specific Objective 3: Cybersecurity and Trust), which imposes security restrictions under Article 12(5) of the Digital Europe Regulation. As a result, entities from Turkey or any other non-EU country are not eligible to participate. This rule applies to all types of entities.
Must applicants operate exclusively in penetration testing and vulnerability assessment?
No, applicants do not need to operate exclusively in these fields. The programme is open to a variety of organisations, including penetration testing companies, technology providers, cybersecurity service companies, research institutions, and other related entities. However, expertise in cybersecurity is required to conduct the necessary penetration tests and vulnerability assessments.
What are the eligibility rules for public bodies and research centres (e.g., must they be established in Member States)?
Public bodies and research centres must also be established in EU Member States or EEA countries to be eligible for this call. The same eligibility rule applies to all entities, meaning they must not be directly or indirectly controlled by a country outside the EU or by an entity from an ineligible country. Public universities are eligible for both individual and consortium applications.
Can a non-profit private association or public university apply?
Yes, public entities, universities, and non-profit private associations are eligible to apply individually or as part of a consortium, provided they are established in an EU Member State or EEA country.
Can a Critical Infrastructure Operator apply individually, even if their IT team conducts their own penetration testing?
A Critical Infrastructure Operator can apply individually if they meet all eligibility criteria. However, to strengthen your application, you should consider multiple penetration tests, broader vulnerability assessments, or capacity-building efforts. Collaboration with external partners may also enhance your proposal's competitiveness.
Are associated SMEs in a consortium eligible if one company has a controlling stake in the other?
The eligibility of these entities will be assessed at the end of the selection process if they are selected to sign the SGA.
Can we apply as a consortium? What are the rules?
Yes, you can apply individually or as a consortium. A consortium is limited to a maximum of two entities. At least one entity in the consortium must be a penetration testing organisation responsible for the technical assessments.
Can a non-EU/EEA firm participate as a consortium member to deliver technical work?
No. Entities from any non-EU/EEA country are not eligible to participate. All entities must be registered in, and controlled by a person or entity established in, a Member State of the European Union or an EEA country.
Can a consortium consist of a cybersecurity company and an end-user entity?
Yes. A consortium is limited to a maximum of two entities. At least one entity must specialise in cybersecurity and be responsible for the technical assessments.
Does the current status of a country's NIS2 Directive transposition affect an applicant's eligibility?
The current status of the NIS2 Directive transposition into national law does not affect an applicant's eligibility. Entities are eligible if they comply with the general ground rules and formal requirements established in Section 1.3.
What is the main objective of the projects funded under this call?
The primary goal is to conduct at least 10 penetration tests and vulnerability assessments per selected beneficiary. These tests must focus on key sectors defined in NIS2, such as essential service operators, digital service providers, government entities, and SMEs.
Does CYSSDE assign the end-users (clients) to the selected companies?
No. Applicants are entirely responsible for independently identifying, securing, and engaging the end-users for their penetration testing services.
Do we need to focus the tests on a single organisation or multiple end users?
There is no strict requirement to focus on multiple end-users. You can choose to conduct your assessments on a single entity or across several. However, engaging a diverse range of end users is highly recommended. Testing multiple entities demonstrates broader market impact, which can lead to a higher evaluation score and provide a crucial advantage in the event of a tie during the selection process.
Can automated vulnerability scanning solutions be used?
Yes, innovative approaches and automated tools are welcome. However, technology alone is not sufficient; you must deploy it to successfully execute the minimum 10 assessments and deliver the intended results for the end-user.
What certifications should be included to demonstrate team expertise?
You should detail relevant certifications held by your employees and freelancers, such as OSCP, CEH, CISSP, and CREST. There is no restrictive list, so you may include all relevant credentials to demonstrate your team's technical competence.
Can we test a single end-user organisation across multiple systems, or must we test multiple end-users?
There is no strict requirement to focus on multiple end-users; you can conduct assessments on a single entity. However, engaging a diverse range of end-users is highly recommended to demonstrate broader market impact and increase your evaluation score.
Are we required to deliver only the minimum 10 penetration tests, or must we contribute proportionally to a broader programme target?
The mandatory requirement is a minimum of 10 penetration tests per beneficiary. Proposing a higher number demonstrates broader market impact, can increase your evaluation score, and acts as the highest priority tie-breaker criterion.
Can we include the development of a self-hosted AI tool in our application?
Yes, innovative approaches and automated tools are welcome. Eligible project activities explicitly include acquiring or developing tools and testing environments, as well as conducting applied research.
Can non-EU team members process client assessment data?
No. The guidelines strictly dictate that access by ineligible non-EU entities or nationals to sensitive information relating to the action must be prevented.
How many evaluators will review my proposal?
Each eligible proposal will be evaluated by 2 independent external experts. A third evaluator will only be engaged if there is a significant discrepancy (3 points or greater) between the scores of the first two experts.
Will there be an interview during the selection process?
Yes. An Optional Interview Stage has been introduced for OC3. Following the initial scoring and Consensus Meeting, the Selection Committee may request an interview with shortlisted applicants to clarify specific technical approaches or team capacities before making the final decision.
What kind of evidence is expected for prior experiences in the application?
Providing numbers is fine, but providing concrete proof—such as references to past work, case studies, or methodologies—will significantly strengthen your proposal and make it more credible. References can be anonymised if necessary.
What is the deadline to apply for Open Call 3?
The deadline for submission is April 28, 2026, at 15:00 (Brussels time). Applications must be submitted via the FundingBox platform.
Should the budget be detailed per partner if we apply as a consortium?
No, general project costs for the consortium as a whole are sufficient at the application stage. A detailed breakdown will be required later if you are selected.
Do the character limits in the application form include spaces, and is there a way to track the character count?
The limit does indeed include spaces. Additionally, each specific section's field in the application form has a countdown in the bottom right.
Where should Partner Entity information be added, and who signs the Sub-Grant Agreement?
You must indicate if you are applying individually or in a consortium within the application form, and include the data there. Both entities must sign the SGA.
How can we arrange the optional interview?
Applicants cannot schedule this themselves. Following the initial scoring and Consensus Meeting, the Selection Committee may request an interview with shortlisted applicants to clarify specific technical approaches or team capacities.
Is there a mandatory template for Letters of Intent from end-users?
No, there is no mandatory template for Letters of Intent. However, having a high number of credible Letters of Intent or signed contracts acts as an explicit tie-breaker criterion during the evaluation process.
How are the different budget categories calculated, and how must they be calculated?
The application form includes the main categories, and some calculations (like overheads and total budget) are automated.
When estimating costs, use these guidelines:
Personnel: Internal hourly rate multiplied by hours worked, estimated for the project.
Purchase Costs: Covers essential project expenses (Travel, Equipment depreciation, and other Goods/Services). You must ensure the best value for money and avoid conflicts of interest.
Subcontracting: For non-core tasks. You must ensure the best value for money and avoid conflicts of interest. (Note: Subcontractors execute tasks, whereas suppliers only provide resources.)
Overheads: Automatically calculated as a 7% flat rate of eligible direct costs (Personnel + Purchase + Travel), excluding Subcontracting.
General Eligibility: Governed by FINANCIAL REGULATION 2018/1046. Costs are eligible if they match the budget lump sum and the tasks have been properly implemented.
What level of budget detail is required at the application stage, and how are the different budget categories calculated?
A detailed budget breakdown is not required at the application stage; the general budget categories provided in the application form are sufficient. As outlined in Section 2.3 "Expert Evaluation" of the Open Call Terms & Conditions, you must provide a credible estimation of your total project budget, explicitly detailing the 50% co-funding contribution. A detailed breakdown will only be requested if your proposal is selected, and it will be fully defined in your Execution Plan.
What is the total budget and maximum grant amount for OC3?
The total available budget for OC3 is €2,353,000, which will fund up to 12 projects. The maximum grant amount per project is €200,000, paid as a lump sum in tranches.
How does the 50% co-funding rule work?
CYSSDE will fund a maximum of 50% of your total project costs. This means a €200k grant requires a total project cost of at least €400k. You must cover the remaining 50% through your own funds or client payments.
Can other grants be used to cover the remaining 50% co-funding?
Applicants are responsible for obtaining the remaining 50% from other sources. Should additional funding be sourced from another grant, compatibility with this co-funding arrangement must be ensured. Applicants are required to consult their national regulations to verify compatibility. Double funding is strictly prohibited.
If the project costs less than the maximum grant amount, is it still eligible?
Yes, proposals requesting less than the 200,000 EUR cap are eligible, provided the 50% co-funding requirement is met.
How are payments structured, and when are they released?
Payments are released based on the positive completion of each stage, approximately one month after the end of each stage:
Up to €10,000 - M2
Up to €60,000 - M6
Up to €80,000 - M16
Up to €50,000 - M19
20% of each payment tranche will be withheld and paid after the completion of the CYSSDE project, approximately 9 months after the project's conclusion. The CYSSDE project ends in May 2028.
If we apply in a consortium, should all costs be detailed in the application, or are general categories sufficient?
At this stage, the budget template's general categories are sufficient. However, you should describe key budget elements in the Implementation section (e.g., resources and capabilities, personnel). A detailed breakdown will be required if selected.
Does the maximum grant amount of €200,000 cover the total project cost?
No. The maximum grant amount per project is €200,000, and the co-funding rate is 50%. This means your total project cost must be at least €400,000, and you must cover the remaining 50% through your own funds or client payments.
Can we use our commercial daily rate to calculate personnel costs?
No. Personnel costs must be calculated using your internal hourly rate multiplied by the estimated hours worked for the project.
If we work with freelancers on a sole proprietorship basis, are they considered Personnel Costs or Subcontracting?
Costs for natural persons working under a direct contract can be eligible as personnel costs if they work under conditions similar to those of an employee and the results of the work belong to the beneficiary.
Are automated tools developed outside the EU eligible as Purchase Costs?
Yes. The strict territorial restrictions apply only to subcontracting. You may acquire tools and testing environments as essential project expenses under Purchase Costs, provided you ensure the best value for money. Subcontractors, however, execute project tasks and cannot be entities from outside the EU.
Are there restrictions on the percentage of subcontracting allowed?
Subcontracting is strictly intended for non-core tasks. Your proposed budget and resources will be thoroughly assessed by evaluators. Relying on a high percentage of subcontracting could lead evaluators to conclude that your internal capacity to deliver the project tasks is insufficient.
Do we have to share sensitive client data or full test reports with CYSSDE?
No. You do not need to disclose restricted or sensitive client information. Reporting and publication of results can be fully anonymised or presented as generalised use cases. You will coordinate the required level of detail for project verification with your assigned CYSSDE mentor.