Why cybersecurity SMEs struggle to pick the right EU funding

The team drops everything to help a customer during a serious security incident. Days later, the release plan changes again because a demanding user needs a new capability. These sound like common situations for a cybersecurity SME. However, for many of these cybersecurity startups, something else is often more stressful and challenging: understanding the EU funding landscape. In this article, we help SMEs navigate cybersecurity reality into a clear assessment so that the SMEs can choose among Horizon Europe (RIA/IA), DIGITAL and the EIC Accelerator with confidence. 

The opportunities are real: Horizon Europe, the Digital Europe Programme (DIGITAL) and the European Innovation Council EIC Accelerator are major EU-level options. Many countries also run national or regional co-funding schemes alongside them. However, the logic behind each instrument is not always explained in a way cybersecurity practitioners can use. Acronyms pile up: TRL, EUCC, CSIRT, FAIR data, FTO. Many SMEs are left wondering which instrument actually fits their technology, maturity and strategy.

Some key EU terminology

Technology Readiness Levels (TRLs) are indicators of the maturity level of a particular technology and provide a common understanding of technology status across the innovation chain. They range from TRL 1 (basic principles) to TRL 9 (actual system proven in operational environment).

• Horizon Europe is the EU’s key funding programme for research and innovation (2021–2027), designed to tackle climate change, support the UN Sustainable Development Goals, and boost Europe’s competitiveness and growth.)

• Research and Innovation Actions (RIA) fund projects that create new knowledge or explore the feasibility of new or improved technologies, typically at low to mid TRLs, with a funding rate of 100% for all beneficiaries.

• Innovation Actions (IA) support activities closer to market, typically at higher TRLs, with funding up to 70% for for‑profit entities and 100% for non‑profit organisations.

• The Digital Europe Programme is the EU’s deployment‑focused funding instrument that scales key digital capacities: supercomputing, AI, cybersecurity, advanced skills, broad digital deployment, and semiconductors. It is aimed to strengthen EU’s technological sovereignty and accelerate the uptake of trusted, competitive digital technologies across public administrations, businesses, and society.

• The EIC Accelerator is a very specific funding programme, under Horizon Europe, that supports innovative start-ups and SMEs who are developing high‑risk, high‑impact innovations with strong scale‑up potential. EIC stands for European Innovation Council. The official description states a grant component below €2.5 million and up to €10 million of equity investments, and it also notes that higher amounts can be available under STEP ScaleUp.

The real challenge: cybersecurity doesn’t fit standard TRLs

One of the main reasons cybersecurity SMEs struggle to choose the right EU funding instrument is that cybersecurity does not map easily to Technology Readiness Levels. TRLs were originally designed in the 1970s for aerospace, and then adopted in manufacturing and engineering systems, domains where progression is linear, environments are controlled, and prototypes can be tested without hostile interference.

Cybersecurity is different: adversarial conditions, fast‑changing attack surfaces and legal or privacy constraints complicate operational validation. A team may have a robust detection engine (seemingly TRL 7) but only curated datasets, because operational telemetry from Security Operation Centres (SOCs), hospitals, utilities or financial operators is often sensitive and may be difficult to share due to legal, contractual, and security constraints.

Cybersecurity is also highly dependent on ecosystems. A cryptographic library is often useless without integration partners. A threat intelligence engine needs data sources. This makes the product maturity dimension intertwined with partner maturity, a factor that TRLs do not capture.

Finally, cybersecurity includes other critical elements (certification pathways, conformity assessment, and secure development lifecycles) that lie outside classical TRL thinking but could heavily influence evaluator judgments.

Because of all these factors, SMEs often misinterpret their own maturity level, leading them into funding instruments that do not match their real needs.

How cybersecurity SMEs can choose the right EU funding instrument

Below, we provide a framework with seven dimensions that you can use to assess your SME and choose the right funding instrument for you. Each dimension reflects whether funding programme evaluators will view your proposal as credible, competitive, and aligned with its purpose.

1. Strategic objective 

The best way to start this assessment is to forget technology for a moment and think of strategy: what is your company’s primary strategic objective?

• If the goal is to scale a disruptive product, the EIC Accelerator could be the best choice because it funds single-applicant SMEs developing breakthrough solutions.
• When the aim is to deploy mature technology with operators or end‑users, the Digital Europe Programme is a stronger fit since it supports collaborative real‑world uptake.
• If f the intention is to advance applied research with industry or public‑sector partners, Horizon Europe IAs are suitable.
• When the objective is to generate new scientific knowledge or test early concepts, Horizon Europe RIAs provide the right environment. 

2. TRL and deep-tech starting point

Technological maturity further narrows the choice.

• SMEs already operating at mid‑to‑high TRLs with a clear route to market align well with the EIC Accelerator.
• Digital Europe Programme typically expects solutions mature enough for deployment (high TRLs).
• Horizon Europe Innovation Actions help advance technologies from mid TRLs toward operational readiness, while Horizon Europe RIAs fit early‑stage exploratory work.
  Each specific call sets eligible TRLs. As a rule of thumb, Digital Europe Programme often targets deployment, EIC Accelerator targets TRL 6–8, Horizon Europe spans TRL depending on specific action and topic.
  

3. Validation environment and data requirements

Cybersecurity solutions depend heavily on where and how they are validated. Are there legal constraints on the data your product needs? The required validation environment heavily influences the funding option.

• The EIC Accelerator supports companies planning to build operational validation capabilities during commercialisation rather than requiring them upfront.

• Projects in need of real infrastructures, operational logs, live SOC telemetry or production‑like pilots generally suit Digital Europe Programme.

• When controlled or relevant lab environments suffice (e.g. synthetic or anonymised datasets), Horizon Europe RIA or IA calls are appropriate depending on the TRL.
  
  

4. Customer and end-user involvement 

Do you need customers or end-users in order to test your product? End‑user engagement also shapes the decision.

• SMEs that wish to run a project alone without a consortium should consider the EIC Accelerator.

• If the solution requires active participation from operators or public‑sector users, the Digital Europe Programme is typically the best match.

• Horizon Europe IAs work when end‑user involvement is useful but not yet essential, while Horizon Europe RIAs apply when no operational end‑user testing is required.

5. Intellectual property (IP), exploitation and competitive edge 

Different instruments embody different expectations regarding IP ownership and exploitation.
The EIC Accelerator favours SMEs that need to retain strong IP control and convert it into rapid productisation and market entry.

• The Digital Europe Programme supports adoption‑oriented work, where exploitation often depends on cooperation with operators, public authorities, or ecosystems deploying the solution (e.g., enterprise or managed SOCs, telecom or cloud operators, national cybersecurity authorities or CSIRTs, and sectoral or cross‑border cybersecurity deployment ecosystems).

• Horizon Europe IAs are suited to collaborative projects where shared research outputs and joint exploitation plans are acceptable.

• Horizon Europe RIAs place the least emphasis on immediate IP commercialisation, allowing research teams to focus on methodological advances, foundational knowledge, and open scientific contributions.

6. Compliance and certification

We know that compliance and conformity are big burdens for European SMEs in general. This dimension looks at the compliance burden your solution must address.

• Choose EIC Accelerator when you must show a credible commercial path toward CRA/NIS2/EUCC compliance but do not need consortium‑level operational pilots. In other words, compliance is part of go‑to‑market.
• Choose Digital Europe Programme when your solution requires real‑environment evidence (operators, infrastructures, cross‑border pilots) or when regulatory implementation must be demonstrated in practice.
• Choose Horizon Europe IA when you are building or improving technology that will later undergo certification, but you are still at the stage of collaborative research and innovation rather than deployment.
• Choose Horizon Europe RIA when your current area of research requires awareness of upcoming regulations but no operational compliance. For instance, the research involves ethics, GDPR-safe data handling, and responsible security testing.
  
  

Financial capacity also influences which instrument is realistic for an SME.

• The EIC Accelerator is suitable for companies that require substantial upfront funding or cannot pre‑finance large collaborative projects. This instrument provides significant grant and equity support directly to a single SME.

• The Digital Europe Programme, Horizon Europe IA and Horizon Europe RIA all operate through consortia, which means the company must withstand longer reimbursement cycles and pre‑finance part of its work. In Horizon IA and RIA projects, research organisations often absorb a larger share of costs and carry heavy tasks, which can reduce the financial load on SMEs. However, you must still be comfortable with the typical cash‑flow profile of collaborative EU projects 

How Spinverse can support

After doing this assessment yourself, it will become clear that choosing the right EU funding instrument is not just an administrative exercise, it's a strategic decision that directly affects your company’s product roadmap, competitive positioning, and long-term growth.

If you want to ensure that your next funding application is strategically positioned, technically credible and aligned with evaluator expectations, we can help. Our team continuously works with cybersecurity SMEs, research partners and public sector operators across Europe. We know how Horizon Europe, the Digital Europe Programme and the EIC Accelerator are evaluated in practice and we use this insight to help SMEs choose the right pathway, build the right consortium and build funding proposals that stand out.

Would you like to learn how Spinverse can help you with your next funding proposal? Get in touch with our cybersecurity expert today! 

Oscar Santolalla
oscar.santolalla@spinverse.com