---
title: "SECURE First Open Call: CRA Readiness 2026"
description: "SECURE First Open Call 2026: what mSMEs need to submit before the deadline. CRA readiness requirements, eligibility criteria, and application guidance."
canonical: https://www.aegister.com/en/cms/insights/secure-first-open-call-cra-readiness-2026/
url: /en/cms/insights/secure-first-open-call-cra-readiness-2026/
lang: en
---

![](/static/images/header-contact.webp)

# SECURE First Open Call 2026: What mSMEs Need to Submit Before 29 March 2026

---

![SECURE First Open Call 2026: What mSMEs Need to Submit Before 29 March 2026](/static/images/cms/secure-cra-open-call.webp)

## SECURE First Open Call 2026: What mSMEs Need to Submit Before 29 March 2026

February 20, 2026

[ACN](/en/cms/keyword/acn/)
[SECURE](/en/cms/keyword/secure/)
[CRA](/en/cms/keyword/cra/)
[Cyber Resilience Act](/en/cms/keyword/cyber-resilience-act/)
+6

The SECURE First Open Call is live from **28 January 2026 to 29 March 2026** and provides **up to EUR 30,000 per project** at a **50% co-financing rate** to support CRA-related cybersecurity improvements by mSMEs. For cybersecurity, GRC, and compliance teams, this is an immediate execution window, not a planning exercise for later quarters. ([SECURE Call page](https://www.secure4sme.eu/cascade-funding/first-open-call), [Annex 1 Guidelines](https://www.secure4sme.eu/document/open?id=24), [FAQ](https://www.secure4sme.eu/faq))

## Key takeaways

- Call publication date: **28/01/2026**.
- Call deadline: **29/03/2026**.
- Total budget: **EUR 5,000,000**.
- Funding model: **lump sum**, with **50% co-financing** up to **EUR 30,000**.
- If project costs exceed EUR 60,000, SECURE contribution remains capped at EUR 30,000.
- Maximum implementation period after Sub-Grant Agreement signature: **180 calendar days**.
- One proposal per organization is admissible in a single call.
- At least one additional SECURE open call is expected after this one.

Sources: [Annex 1 Guidelines](https://www.secure4sme.eu/document/open?id=24), [Annex 1.2 Budget Guidelines](https://www.secure4sme.eu/document/open?id=26), [FAQ](https://www.secure4sme.eu/faq).

## Call snapshot

| Topic | Confirmed value | Official source |
| --- | --- | --- |
| Call window | 28 January 2026 to 29 March 2026 | [Annex 1](https://www.secure4sme.eu/document/open?id=24), [Call page](https://www.secure4sme.eu/cascade-funding/first-open-call) |
| Total budget | EUR 5,000,000 | [Annex 1](https://www.secure4sme.eu/document/open?id=24) |
| Max grant per project | EUR 30,000 | [Annex 1](https://www.secure4sme.eu/document/open?id=24), [FAQ](https://www.secure4sme.eu/faq) |
| Co-financing | 50% of eligible costs | [Annex 1](https://www.secure4sme.eu/document/open?id=24), [Annex 1.2](https://www.secure4sme.eu/document/open?id=26) |
| Grant form | Lump sum | [Annex 1](https://www.secure4sme.eu/document/open?id=24) |
| Project duration | Up to 180 calendar days | [Annex 1](https://www.secure4sme.eu/document/open?id=24), [FAQ](https://www.secure4sme.eu/faq) |

## Who can apply

The call targets **individual legal entities** that qualify as mSMEs and are legally established in eligible countries.

- Geographic scope in Annex 1: EU Member States (including OCTs) and EEA countries (Norway, Iceland, Liechtenstein).
- mSME definition references Recommendation 2003/361/EC and related EU updates.
- Consortia are not admissible under this call model.
- Each organization can submit one proposal per call.

Sources: [Annex 1 Guidelines](https://www.secure4sme.eu/document/open?id=24), [FAQ](https://www.secure4sme.eu/faq), [EU SME definition page](https://single-market-economy.ec.europa.eu/smes/sme-fundamentals/sme-definition_en).

## What SECURE can fund

Funding is intended for activities that support the applicant mSME's own CRA readiness and cybersecurity resilience.

Examples explicitly covered in call documents include:

- compliance and governance activities,
- technical security upgrades (for example vulnerability assessment, penetration testing, code analysis),
- ICT/IT/OT resilience improvements,
- training and awareness,
- procurement of goods and services instrumental to CRA-aligned outcomes.

The detailed category list is provided in Annex 2, including category-based examples and boundaries. Details are defined in the official call documentation. ([Annex 2 CRA Scope & Eligible Activities](https://www.secure4sme.eu/document/open?id=25), [Annex 1 Guidelines](https://www.secure4sme.eu/document/open?id=24), [FAQ](https://www.secure4sme.eu/faq))

## Evaluation model and decision thresholds

The proposal evaluation uses three award criteria:

1. Excellence and relevance
2. Impact and clarity
3. Implementation

Operational scoring points from Annex 1:

- each criterion is scored by three evaluators on a 0-5 scale,
- the rounded consensus sum per criterion can reach 15,
- weighted average total score has a maximum of 15,
- proposals are excluded if they score below 10 in two or more criteria,
- proposals are also excluded if total score is below 10.

Sources: [Annex 1 Guidelines](https://www.secure4sme.eu/document/open?id=24), [Call page](https://www.secure4sme.eu/cascade-funding/first-open-call).

## Contracting and payment timing

- SECURE documentation indicates rejection/admission notifications approximately 150-155 days from call closure.
- Optional pre-financing is set at 40% of grant value after Sub-Grant Agreement signature, if requested in the proposal stage.
- Remaining balance is paid after implementation and technical report approval.

Sources: [Annex 1 Guidelines](https://www.secure4sme.eu/document/open?id=24), [Annex 1.2 Budget Guidelines](https://www.secure4sme.eu/document/open?id=26), [FAQ](https://www.secure4sme.eu/faq).

## Why this call matters for CRA programs in 2026

Regulation (EU) 2024/2847 entered into force on **10 December 2024**. The CRA applies from **11 December 2027**, with earlier application milestones for selected provisions, including **Article 14 from 11 September 2026** and **Chapter IV (Articles 35-51) from 11 June 2026**. This makes 2026 a transition year for practical readiness work. ([EUR-Lex CRA text, Article 71](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELLAR%3A21b7d4eb-a6e2-11ef-85f0-01aa75ed71a1), [European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary))

## Operational checklist for security, GRC, and compliance teams

1. Confirm legal entity status and mSME qualification before drafting budget and work packages.
2. Map the proposed intervention to CRA scope and SECURE eligibility criteria.
3. Build a budget aligned with Annex 1.2 constraints and documentation expectations.
4. Align evidence and KPI logic to the three evaluation criteria before submission.
5. Plan internal resources for a 180-day implementation window and technical reporting.
6. Validate that all hard facts in the proposal are traceable to official SECURE documents.

## FAQ

### Is this grant a full-cost reimbursement?

No. The contribution is capped at 50% of eligible costs and up to EUR 30,000 per project. ([Annex 1 Guidelines](https://www.secure4sme.eu/document/open?id=24), [FAQ](https://www.secure4sme.eu/faq))

### Can one company submit multiple proposals in this call?

No. One proposal per organization is admissible for a single call. ([FAQ](https://www.secure4sme.eu/faq))

### Are projects developing compliance tools for other SMEs eligible?

The call focuses on the applicant's own CRA compliance needs. Projects primarily aimed at third-party commercialization are not the primary target unless directly tied to the applicant's own compliance path. ([FAQ](https://www.secure4sme.eu/faq), [Annex 2](https://www.secure4sme.eu/document/open?id=25))

### Is NIS2 classification required to apply?

No. Eligibility is linked to CRA scope and call criteria, not NIS2 essential/important entity classification. ([FAQ](https://www.secure4sme.eu/faq))

## Official sources

- [SECURE First Open Call page](https://www.secure4sme.eu/cascade-funding/first-open-call)
- [SECURE FAQ](https://www.secure4sme.eu/faq)
- [Annex 1 - Open Call Guidelines](https://www.secure4sme.eu/document/open?id=24)
- [Annex 1.2 - Proposal Budget Guidelines](https://www.secure4sme.eu/document/open?id=26)
- [Annex 2 - CRA Scope & Eligible Activities](https://www.secure4sme.eu/document/open?id=25)
- [EUR-Lex - Regulation (EU) 2024/2847](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELLAR%3A21b7d4eb-a6e2-11ef-85f0-01aa75ed71a1)
- [European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary)

Share this post

## Related News

[![NIS 2: Basic Security Measures Defined by ACN for Essential and Important Entities](/static/images/cms/nis2-basic-measures-acn.webp)](/en/cms/insights/nis2-basic-measures-acn/)

[NIS 2: Basic Security Measures Defined by ACN for Essential and Important Entities](/en/cms/insights/nis2-basic-measures-acn/)

[The Italian Cybersecurity Agency (ACN) has published baseline security measures for entities under NIS 2, with operational deadlines and flexibility clauses to ease adoption.](/en/cms/insights/nis2-basic-measures-acn/)

[ACN](/en/cms/keyword/acn/)
[cybersecurity compliance](/en/cms/keyword/cybersecurity-compliance/)
+5

[![NIS Representative in Italy: When It Is Needed and How the Designation Works](/static/images/cms/nis-2-compliance.webp)](/en/cms/insights/nis-representative-italy-designation-process/)

[NIS Representative in Italy: When It Is Needed and How the Designation Works](/en/cms/insights/nis-representative-italy-designation-process/)

[The Italy-based NIS representative is a specific cross-border compliance mechanism for legal persons with no EU establishment that perform the inherently cross-border activities listed in Article 7(5) of Legislative Decree 138/2024. Designation package is transmitted to ACN yearly from 1 September to 30 November.](/en/cms/insights/nis-representative-italy-designation-process/)

[ACN](/en/cms/keyword/acn/)
[Determinazione 127437/2026](/en/cms/keyword/determinazione-1274372026/)
+8

[![New NIS Subjects in 2026: Incident-Notification and Baseline-Measure Deadlines](/static/images/cms/nis-registrazione-2026-scadenza.webp)](/en/cms/insights/new-nis-subjects-2026-incident-notification-deadlines/)

[New NIS Subjects in 2026: Incident-Notification and Baseline-Measure Deadlines](/en/cms/insights/new-nis-subjects-2026-incident-notification-deadlines/)

[The ACN 2026 timing determination sets a distinct implementation path for entities first listed in the Italian NIS perimeter during 2026: significant-incident notification starts on 1 January 2027 and baseline security measures must be adopted by 31 July 2027.](/en/cms/insights/new-nis-subjects-2026-incident-notification-deadlines/)

[ACN](/en/cms/keyword/acn/)
[compliance](/en/cms/keyword/compliance/)
+8