---
title: "MIMIT Cloud & Cybersecurity Voucher 2026 — Italian SMEs"
description: Italian SMEs can fund cloud and cybersecurity services through the 2026 MIMIT voucher. Beneficiary criteria, eligible expenses, application steps, and verified supplier list.
canonical: https://www.aegister.com/en/cms/insights/mimit-cloud-cybersecurity-voucher-2026-italian-smes/
url: /en/cms/insights/mimit-cloud-cybersecurity-voucher-2026-italian-smes/
lang: en
---

![](/static/images/header-contact.webp)

# MIMIT 2026 Cloud and Cybersecurity Voucher: Who Qualifies and How to Apply

---

![MIMIT 2026 Cloud and Cybersecurity Voucher: Who Qualifies and How to Apply](/static/images/cms/voucher-mimit-cloud-cybersecurity-2026-pmi.webp)

## MIMIT 2026 Cloud and Cybersecurity Voucher: Who Qualifies and How to Apply

April 28, 2026

[MIMIT voucher](/en/cms/keyword/mimit-voucher/)
[Italian SME cybersecurity funding](/en/cms/keyword/italian-sme-cybersecurity-funding/)
[cloud voucher 2026](/en/cms/keyword/cloud-voucher-2026/)
[cybersecurity voucher](/en/cms/keyword/cybersecurity-voucher/)
+6

## Key Takeaways

- The official measure is the **Voucher Cloud & Cybersecurity**, governed by the MIMIT decree of 18 July 2025.
- The financial envelope is **EUR 150 million**, funded by Fondo Sviluppo e Coesione resources for the 2014-2020 programming period.
- Eligible beneficiaries are Italian SMEs and self-employed workers operating nationally and holding a connectivity contract with at least **30 Mbps** download speed at application time.
- The grant is a non-repayable contribution under the de minimis regime, up to **50%** of eligible expenses and capped at **EUR 20,000**.
- Eligible cybersecurity items include firewall, NGFW, IPS, antivirus, antimalware, network monitoring software, encryption, SIEM and vulnerability management software.
- Professional configuration, monitoring and continuous support services are eligible up to **30%** of the total spending plan and must be linked to other eligible services.
- Supplier registration has been extended to **12:00 on 27 May 2026**; the SME application window will be defined by a later directorial decree.

## Scope of This Article

This guide explains what the MIMIT cloud and cybersecurity voucher funds, who it is designed for, which operational steps SMEs should prepare, and how to evaluate a cybersecurity supplier without assuming that any provider is already on the official list.

The article is based on the official MIMIT page last updated on 28 April 2026, the ministerial decree of 18 July 2025, the directorial decree of 21 November 2025, the extension decree of 22 April 2026, and the MIMIT FAQ. It does not replace the formal call documentation.

## What the MIMIT Cloud and Cybersecurity Voucher Is

The Voucher Cloud & Cybersecurity is an incentive designed to support demand for cloud computing and cybersecurity products and services by SMEs and self-employed workers. The policy goal is not to reimburse generic IT spending; it is to help organizations acquire new, additional, more advanced or more secure technological solutions compared with what they already use ([MIMIT ministerial decree of 18 July 2025](https://www.mimit.gov.it/it/normativa/decreti-ministeriali/decreto-ministeriale-18-luglio-2025-disciplina-degli-interventi-di-sostegno-alla-domanda-di-servizi-di-cloud-computing-e-cyber-security)).

The MIMIT page also states that eligible products and services must be provided by suppliers included in the specific supplier list managed by the Ministry. This is operationally important: the beneficiary should not treat a quote as voucher-ready until both the supplier and the proposed product or service are included in the relevant list.

## Who Can Request the Voucher

The official MIMIT page identifies the target beneficiaries as SMEs and self-employed workers operating throughout Italy. At the time they submit the application, they must have a connectivity service contract with minimum download speed of **30 Mbps**.

The final access procedure for beneficiaries is still pending. MIMIT states that the terms and modalities for submitting applications by SMEs and self-employed workers will be defined by a later directorial measure after formation of the supplier list ([MIMIT incentive page](https://www.mimit.gov.it/it/incentivi/sostegno-alla-domanda-di-servizi-di-cloud-computing-e-cyber-security)).

Practical implication: SMEs can prepare the evidence file now, but should wait for the final MIMIT instructions before committing to the timing, forms, portal workflow or ranking mechanism.

## What the Voucher Funds

MIMIT lists five broad categories of eligible spending:

| Category | Examples from MIMIT sources | Operational reading |
| --- | --- | --- |
| Cybersecurity hardware | Firewall, NGFW, router/switch, intrusion prevention devices | Network protection and perimeter controls |
| Cybersecurity software | Antivirus, antimalware, network monitoring, encryption, SIEM, vulnerability management | Detection, protection and vulnerability handling |
| IaaS and PaaS cloud | Virtual machines, storage and backup, VPN, DDoS services, databases | Infrastructure modernization and cloud security |
| SaaS cloud | ERP, HRM, workflow, productivity, CMS, e-commerce, CRM, UCC and PABX | Cloud business applications, including configurable or customized SaaS |
| Configuration, monitoring and continuous support | Professional services except training | Eligible up to 30% of the total plan and only if connected to other eligible items |

The MIMIT FAQ clarifies that pure consulting and training are excluded when they are not connected to operational implementation. A cybersecurity assessment alone is therefore not enough if it does not lead to an eligible implementation or continuous-support service.

## Amount and Coverage Percentage

The incentive is a non-repayable grant under the de minimis regulation. MIMIT states that it can cover up to **50%** of eligible expenses and cannot exceed **EUR 20,000** per beneficiary.

| Parameter | MIMIT value | Planning consequence |
| --- | --- | --- |
| Minimum spending plan | EUR 4,000 | Micro-projects below this threshold are not suitable |
| Maximum grant rate | 50% of eligible expenses | The company must budget the non-funded share |
| Maximum grant amount | EUR 20,000 | Larger projects can be eligible, but the subsidy is capped |
| Direct purchase duration | Maximum 12 months from grant award communication | Implementation calendar must fit within the grant window |
| Subscription duration | At least 24 months, with eligible costs limited to the first 24 months if longer | Contract duration and eligible cost period must be separated |

## How to Prepare the Application

The beneficiary application window is not yet open. However, SMEs can already prepare the work package that normally blocks voucher requests:

1. confirm SME or self-employed status and the 30 Mbps connectivity requirement;
2. identify the cloud and cybersecurity gap the project must solve;
3. avoid duplicating products or services already in use with similar performance;
4. map each cost item to one MIMIT eligible category;
5. check whether the supplier and the specific product or service are listed once MIMIT publishes the final list;
6. prepare digital identity, delegation, company registry and signing workflow for the portal;
7. keep the project scope narrow enough to be implemented and documented within the required timeline.

The supplier-side procedure currently runs through Invitalia's reserved area. MIMIT also published a supplier accreditation manual and certification guidance for suppliers.

## The Supplier List

The supplier list is central to eligibility. MIMIT states that suppliers must register in a dedicated list and that registration gives the declared products and services the qualification required for incentive eligibility.

The original supplier registration period was 4 March to 23 April 2026. MIMIT extended the deadline to **12:00 on 27 May 2026** with the decree of 22 April 2026 ([MIMIT extension decree](https://www.mimit.gov.it/it/normativa/decreti-direttoriali/decreto-direttoriale-22-aprile-2026-cloud-computing-e-cyber-security-proroga-iscrizione-elenco-fornitori)).

The FAQ also clarifies that integrators and resellers may need to register for their own configuration, monitoring and continuous-support services. Third-party products must be listed by the vendor; the integrator cannot simply insert another vendor's products as its own.

## Common Application Mistakes

- **Assuming the supplier is eligible:** verify both the supplier and the specific service once the official list is available.
- **Building a consulting-only project:** MIMIT excludes pure consulting and training from the professional-services category.
- **Repeating existing capabilities:** the measure funds new or more advanced solutions, not services with equivalent performance to what the company already uses.
- **Ignoring the 30% cap:** configuration, monitoring and support cannot dominate the spending plan.
- **Misaligning contract duration:** direct purchases and subscriptions follow different timing rules.

## Coordination With NIS 2, CRA and Security Operations

The voucher can support projects that also improve regulatory readiness. For example, a SME subject to NIS 2 may use eligible spending to strengthen log management, vulnerability management, cloud backup, monitoring or incident-response tooling.

For NIS 2 planning, see Aegister's [NIS 2 guide](/en/cms/insights/aegister-nis-2-guide/) and the article on [ACN baseline measures](/en/cms/insights/nis2-basic-measures-acn/). For SIEM-related spending, start from the Wazuh overview and the article on [centralized log management for NIS 2 detection](/en/cms/insights/wazuh-centralized-log-management-nis-2-detection-requirements/). Product manufacturers should also read the [Cyber Resilience Act guide](/en/cms/insights/cyber-resilience-act-cra-obligations-manufacturers/).

## How to Evaluate a Cybersecurity Supplier

Until MIMIT publishes or confirms the official supplier list, do not rely on marketing claims. Evaluate suppliers on the evidence that will matter later: eligible categories, certifications, operational capability, ability to document deliverables, and capacity to support implementation rather than only advisory work.

Aegister's approach combines governance support, technical evidence collection and ongoing cyber operations through [Virtual CISO services](https://aegister.com/en/solutions/virtual-ciso/) and the [Cyber Console](https://aegister.com/en/solutions/cyber-console/). Voucher eligibility for any Aegister service must be checked against the final MIMIT supplier list and the specific products or services admitted for funding.

## Example Project Packages

The safest way to design a voucher project is to start from an operational outcome, then map each cost to a MIMIT eligible category. A company should avoid a shopping list that mixes unrelated tools, because the file must show why the plan improves security or cloud maturity.

| Business need | Possible eligible components | Evidence to keep |
| --- | --- | --- |
| Improve incident detection | SIEM, network monitoring, configuration and continuous monitoring support | Scope, log-source list, onboarding plan, monitoring reports |
| Reduce vulnerability exposure | Vulnerability management software, configuration support, remediation tracking | Asset list, scan schedule, finding register, closure evidence |
| Strengthen cloud resilience | IaaS/PaaS storage, backup, VPN, DDoS services and secure configuration | Architecture diagram, backup tests, access-control evidence |
| Modernize business applications | SaaS ERP, CRM, workflow or productivity tools with security functions | Contract, configuration records, user access model |

## Documents to Prepare Before the Window Opens

Even before the beneficiary window is published, SMEs can prepare a clean evidence pack. This reduces execution risk when the final MIMIT decree defines the portal, forms and deadlines.

- company registry data and delegation chain for whoever submits the application;
- evidence of SME or self-employed status and national operating presence;
- connectivity contract showing the minimum 30 Mbps download requirement;
- description of the current cloud or cybersecurity baseline;
- draft project plan with eligible categories, costs, duration and expected outcome;
- supplier quote, to be reconciled with the final official supplier list;
- de minimis tracking and cumulation check with other incentives;
- implementation evidence model for final reporting and payment requests.

This preparation is also useful if the company decides not to apply. The same file can support NIS 2 readiness, internal budgeting and supplier due diligence.

## Decision Criteria Before Selecting a Supplier

Before signing a quote, the SME should ask three concrete questions. First, does the supplier appear in the official MIMIT list for the relevant category? Second, is the exact product or service included, not only the supplier name? Third, can the supplier provide implementation evidence that will support payment requests and future audits?

This matters because the voucher is not just a discount. It creates a funded project with eligibility, implementation and reporting constraints. A technically good supplier that cannot document scope, dates, deliverables and service continuity may create administrative risk for the beneficiary.

## FAQ

### Is the SME application window open?

No. As of the MIMIT page updated on 28 April 2026, terms and modalities for SME and self-employed applications will be defined by a later directorial decree.

### What can the voucher fund?

It can fund eligible cloud and cybersecurity hardware, software, IaaS, PaaS, SaaS, and connected professional configuration, monitoring and support services.

### Can professional services be funded?

Yes, but only when connected to eligible products or services, and up to 30% of the total spending plan. Pure consulting and training are excluded by the MIMIT FAQ.

### Does a supplier need to be in the official list?

Yes. Products and services must be supplied by listed providers, and the relevant products or services must be admitted in the list.

## Official Sources

- [MIMIT: Voucher Cloud & Cybersecurity](https://www.mimit.gov.it/it/incentivi/sostegno-alla-domanda-di-servizi-di-cloud-computing-e-cyber-security)
- [MIMIT FAQ](https://www.mimit.gov.it/it/assistenza/domande-frequenti/sostegno-domanda-servizi-di-cloud-computing-e-cyber-security-risposta-alle-domande-frequenti-faq)
- [MIMIT decree of 22 April 2026](https://www.mimit.gov.it/it/normativa/decreti-direttoriali/decreto-direttoriale-22-aprile-2026-cloud-computing-e-cyber-security-proroga-iscrizione-elenco-fornitori)
- [MIMIT directorial decree of 21 November 2025](https://www.mimit.gov.it/it/normativa/decreti-direttoriali/decreto-direttoriale-21-novembre-2025-interventi-di-sostegno-alla-domanda-di-servizi-di-cloud-computing-e-cyber-security-modalita-formazione-elenco-dei-soggetti-abilitati)
- [MIMIT ministerial decree of 18 July 2025](https://www.mimit.gov.it/it/normativa/decreti-ministeriali/decreto-ministeriale-18-luglio-2025-disciplina-degli-interventi-di-sostegno-alla-domanda-di-servizi-di-cloud-computing-e-cyber-security)

Share this post

## Related News

[![Cybersecurity Audit: What It Is, How It Works, and How to Prepare](/static/images/cms/audit-cybersecurity-tipi-fasi-preparazione.webp)](/en/cms/insights/cybersecurity-audit-types-phases-preparation/)

[Cybersecurity Audit: What It Is, How It Works, and How to Prepare](/en/cms/insights/cybersecurity-audit-types-phases-preparation/)

[A cybersecurity audit checks whether security governance, controls, evidence and technical practices are suitable for the chosen framework. This guide explains audit types, phases, preparation steps and common failure patterns for NIS 2, ISO 27001, DORA and ACN baseline readiness.](/en/cms/insights/cybersecurity-audit-types-phases-preparation/)

[compliance audit](/en/cms/keyword/compliance-audit/)
[cybersecurity audit](/en/cms/keyword/cybersecurity-audit/)
+8

[![Cybersecurity Frameworks Compared: NIST CSF, ISO 27001, NIS 2, ACN Baseline](/static/images/cms/framework-cybersecurity-confronto-nist-iso-27001-nis-2-acn.webp)](/en/cms/insights/cybersecurity-frameworks-nist-iso-27001-nis-2-acn-comparison/)

[Cybersecurity Frameworks Compared: NIST CSF, ISO 27001, NIS 2, ACN Baseline](/en/cms/insights/cybersecurity-frameworks-nist-iso-27001-nis-2-acn-comparison/)

[NIST CSF, ISO/IEC 27001, NIS 2 and the ACN baseline solve different problems. This comparison explains which are voluntary, mandatory, certifiable, operational or strategic, and how Italian organizations can combine them without duplicating work.](/en/cms/insights/cybersecurity-frameworks-nist-iso-27001-nis-2-acn-comparison/)

[NIST CSF](/en/cms/keyword/nist-csf/)
[ISO 27001](/en/cms/keyword/iso-27001/)
+8

[![EU AI Act: Cybersecurity Implications for Compliance Teams](/static/images/cms/eu-ai-act-cybersecurity-implications.webp)](/en/cms/insights/eu-ai-act-cybersecurity-implications/)

[EU AI Act: Cybersecurity Implications for Compliance Teams](/en/cms/insights/eu-ai-act-cybersecurity-implications/)

[Focused guide to the cybersecurity implications of the EU AI Act for compliance teams, including staged application dates, high-risk AI controls, and coordination with NIS 2 and CRA.](/en/cms/insights/eu-ai-act-cybersecurity-implications/)

[Cyber Resilience Act](/en/cms/keyword/cyber-resilience-act/)
[EU AI Act](/en/cms/keyword/eu-ai-act/)
+8