Enhancing Cybersecurity for Small and Medium Enterprises in the Republic of Cyprus 2025 - Τourism

Beneficiaries

Categories of enterprises:

Beneficiaries are Small and Medium Enterprises (SMEs) that fall under one of the following categories:
1) Hotel Enterprises
    Must hold a valid Hotel Operating License, according to the Law on the Establishment and Operation of Hotels and Tourist Accommodations (Law 34(I)/2019)
2) Travel Agencies / Agents
    Must hold a Tourist Office Operating License, according to the Law on Tourism and Travel Agencies and Guides (Law 41(I)/1995).

 

 

Restrictions:

1) Enterprises operating in the following sectors cannot be funded:
   – Fisheries and aquaculture.
   – Primary production of agricultural products
2) Each entity can submit only one proposal as the Lead Beneficiary.
3) The beneficiary must be legally established and operating in areas controlled by the Republic of Cyprus.
4) There must be no outstanding debts to the Digital Security Authority.

 

 

Obligations of Beneficiaries:

1) Mandatory implementation of at least one publicity action to showcase the achieved certification (e.g., media publication, video, event).
2) Mandatory participation in:
   – Project Coordinator in an informational workshop by RIF.
   – A team member in CISO (Chief Information Security Officer) training.
   – Attendance of seminars on project financial management.

Eligible Costs

Expenses must be necessary for obtaining cybersecurity certification, in accordance with the Cyber Hygiene Framework for SMEs of the NCC-CY.

 

Expense Categories: 

  1. Purchase of Services 
  2. Purchase of Instruments and Equipment

Indicative Examples:

  1. Design and implementation of cybersecurity policies. 
  2. Staff training and awareness activities. 
  3. Installation of two-factor authentication. 
  4. SOC (Security Operation Center) systems. 
  5. Incident response services. 
  6. Privileged Access Management systems. 
  7. Firewalls and Web Application Firewalls (WAF). 
  8. Backup systems (storage, tapes). 
  9. Antivirus software. 
  10. Penetration Testing services. 
  11. DoS/DDoS protection services. 
  12. IDS/IPS systems (Intrusion Detection/Prevention Systems). 
  13. Business Impact Analysis services. 
  14. SIEM systems. 
  15. Physical security systems (e.g., access control). 
  16. Cost of one cybersecurity certification audit by the Digital Security Authority (DSA). 

Important Notes:

  1. Three quotations must be obtained for expenses exceeding €15,000 (excluding VAT). 
  2. VAT is not eligible and must be covered by the beneficiary. 
  3. The entity that performs the gap analysis cannot also provide the services/equipment for implementation. 
  4. Depreciation does not apply in the equipment category 

Funding

1) Minimum funding per project: €20,000
2) Maximum funding per project:
   – €65,000, or
   – €75,000 in case the ENISA AR-in-a-Box tool is used.
3) Funding intensity: 70% of eligible expenses.

 

Grant Payment Process:

1) Advance Payment: 50% upon signing the contract.
2) Final Payment: The remaining 50% is paid after project completion and submission of:
   – Activity Report.

   – Grant Payment Application.

   – Proof of certification from accredited ISO 27001 certification bodies.

 
Note: If certification is not achieved, the advance payment must be returned to the Research and Innovation Foundation (RIF).

Eligibility Criteria​

1) Legal establishment and operation within the Republic of Cyprus.
2) Only one proposal per entity can be submitted
3) Compliance with the de minimis Regulation (EU 2023/2831).
4) Mandatory participation in:
    – Informational workshop organized by RIF.
    – CISO training.
    – Financial management seminars.
5) Implementation of at least one publicity action.
6) Compliance with environmental requirements, ensuring no significant harm to the six environmental objectives of the EU.

I am interested
Scroll to Top