SECURE First Open Call 2026: What mSMEs Need to Submit Before 29 March 2026

Article Thumbnail
EU funding | ACN | cybersecurity compliance | CRA | PMI | cascade funding | SECURE | Cyber Resilience Act | open call | mSME

SECURE First Open Call 2026: What mSMEs Need to Submit Before 29 March 2026

February 20, 2026

The SECURE First Open Call is live from 28 January 2026 to 29 March 2026 and provides up to EUR 30,000 per project at a 50% co-financing rate to support CRA-related cybersecurity improvements by mSMEs. For cybersecurity, GRC, and compliance teams, this is an immediate execution window, not a planning exercise for later quarters. (SECURE Call page, Annex 1 Guidelines, FAQ)

Key takeaways

  • Call publication date: 28/01/2026.
  • Call deadline: 29/03/2026.
  • Total budget: EUR 5,000,000.
  • Funding model: lump sum, with 50% co-financing up to EUR 30,000.
  • If project costs exceed EUR 60,000, SECURE contribution remains capped at EUR 30,000.
  • Maximum implementation period after Sub-Grant Agreement signature: 180 calendar days.
  • One proposal per organization is admissible in a single call.
  • At least one additional SECURE open call is expected after this one.

Sources: Annex 1 Guidelines, Annex 1.2 Budget Guidelines, FAQ.

Call snapshot

Topic Confirmed value Official source
Call window28 January 2026 to 29 March 2026Annex 1, Call page
Total budgetEUR 5,000,000Annex 1
Max grant per projectEUR 30,000Annex 1, FAQ
Co-financing50% of eligible costsAnnex 1, Annex 1.2
Grant formLump sumAnnex 1
Project durationUp to 180 calendar daysAnnex 1, FAQ

Who can apply

The call targets individual legal entities that qualify as mSMEs and are legally established in eligible countries.

  • Geographic scope in Annex 1: EU Member States (including OCTs) and EEA countries (Norway, Iceland, Liechtenstein).
  • mSME definition references Recommendation 2003/361/EC and related EU updates.
  • Consortia are not admissible under this call model.
  • Each organization can submit one proposal per call.

Sources: Annex 1 Guidelines, FAQ, EU SME definition page.

What SECURE can fund

Funding is intended for activities that support the applicant mSME's own CRA readiness and cybersecurity resilience.

Examples explicitly covered in call documents include:

  • compliance and governance activities,
  • technical security upgrades (for example vulnerability assessment, penetration testing, code analysis),
  • ICT/IT/OT resilience improvements,
  • training and awareness,
  • procurement of goods and services instrumental to CRA-aligned outcomes.

The detailed category list is provided in Annex 2, including category-based examples and boundaries. Details are defined in the official call documentation. (Annex 2 CRA Scope & Eligible Activities, Annex 1 Guidelines, FAQ)

Evaluation model and decision thresholds

The proposal evaluation uses three award criteria:

  1. Excellence and relevance
  2. Impact and clarity
  3. Implementation

Operational scoring points from Annex 1:

  • each criterion is scored by three evaluators on a 0-5 scale,
  • the rounded consensus sum per criterion can reach 15,
  • weighted average total score has a maximum of 15,
  • proposals are excluded if they score below 10 in two or more criteria,
  • proposals are also excluded if total score is below 10.

Sources: Annex 1 Guidelines, Call page.

Contracting and payment timing

  • SECURE documentation indicates rejection/admission notifications approximately 150-155 days from call closure.
  • Optional pre-financing is set at 40% of grant value after Sub-Grant Agreement signature, if requested in the proposal stage.
  • Remaining balance is paid after implementation and technical report approval.

Sources: Annex 1 Guidelines, Annex 1.2 Budget Guidelines, FAQ.

Why this call matters for CRA programs in 2026

Regulation (EU) 2024/2847 entered into force on 10 December 2024. The CRA applies from 11 December 2027, with earlier application milestones for selected provisions, including Article 14 from 11 September 2026 and Chapter IV (Articles 35-51) from 11 June 2026. This makes 2026 a transition year for practical readiness work. (EUR-Lex CRA text, Article 71, European Commission CRA summary)

Operational checklist for security, GRC, and compliance teams

  1. Confirm legal entity status and mSME qualification before drafting budget and work packages.
  2. Map the proposed intervention to CRA scope and SECURE eligibility criteria.
  3. Build a budget aligned with Annex 1.2 constraints and documentation expectations.
  4. Align evidence and KPI logic to the three evaluation criteria before submission.
  5. Plan internal resources for a 180-day implementation window and technical reporting.
  6. Validate that all hard facts in the proposal are traceable to official SECURE documents.

FAQ

Is this grant a full-cost reimbursement?

No. The contribution is capped at 50% of eligible costs and up to EUR 30,000 per project. (Annex 1 Guidelines, FAQ)

Can one company submit multiple proposals in this call?

No. One proposal per organization is admissible for a single call. (FAQ)

Are projects developing compliance tools for other SMEs eligible?

The call focuses on the applicant's own CRA compliance needs. Projects primarily aimed at third-party commercialization are not the primary target unless directly tied to the applicant's own compliance path. (FAQ, Annex 2)

Is NIS2 classification required to apply?

No. Eligibility is linked to CRA scope and call criteria, not NIS2 essential/important entity classification. (FAQ)

Official sources

Share this post