The evaluation of the application is not only about whether the planned project is good, but also about how well-founded, up-to-date, sustainable, and organizationally embedded the cybersecurity development is. A general overview of the cybersecurity support grant is available here.
The scoring system includes elements that carry particularly high weight, and it is worth building the application material around these.
The strongest message: cybersecurity has an accountable owner
The scoring places strong emphasis on whether the organization has a designated, properly prepared person responsible for the security of the electronic information system who is genuinely integrated into operations (not merely named on paper). This matters because, in the evaluators’ eyes, technology only has real value if it is backed by accountability, a decision-making framework, and sustainable operation.
The key to sound justification: recent professional documentation
It is clearly a strong scoring factor if the need for the development is supported by a recent audit/report. The logic is straightforward: if the initial risks and gaps are documented, the planned measures align better with the objectives and the budget.
Risk reduction through replacing obsolete systems
The scoring also specifically looks at whether the project meaningfully reduces known security risks, for example, by replacing EOL/EOS systems and licenses by the end of the development. For evaluators, this is typically a clear and tangible risk-management step.
Sustainability and longer-term operation
Another highlighted element is how sustainable the procured solution is, which the call also assesses through the duration of vendor support. The logic is that longer vendor support means more predictable updates, bug fixes, and support backing – thereby reducing the risk of rapid obsolescence.
The implementation location matters too
Territorial considerations also appear in the scoring: it can be an advantage if the development is implemented in specific (less developed) regions. For this reason, it is worth addressing the implementation location clearly and consistently in the application material, including the presentation of related data.
Regulatory relevance as an evaluation factor
The scoring also takes into account if the applicant is an economic operator subject to the Cybersecurity Act. From the evaluators’ perspective, this indicates that the development is not just general IT, but a relevant cybersecurity investment connected to legal and operational risks.
Less “content-related,” but make sure it’s in order
The scoring also includes financial and operational elements (for example, operating history, financial indicators, tax classification). When compiling the application, it is important that the required certificates and calculations are complete and correct.
Based on the scoring criteria, the strongest application is one that builds on a documented starting point, selects a modern and sustainable solution, meaningfully reduces risk (especially by replacing obsolete systems), and clearly demonstrates organizational accountability. In addition, it should not be overlooked that the implementation location and regulatory relevance may also influence the evaluation.
For more information or consulting, please fill in our contact form.