NCC Sponsorship Gap-Analysis Questionnaire

Please fill out the short questionnaire below to check your company’s eligibility for NCC funding.
Once submitted, you’ll instantly see your eligibility result.

👤 Contact Info

Name: Email: Company: Phone: Preferred Contact Method:

I consent to submitting this form I agree to receive marketing info

🧩 Section 1 — Company Eligibility

Is your company legally registered and operating in territories under the control of the Republic of Cyprus? What is your company size? What is your annual turnover or balance sheet total? Does your company operate in the tourism sector (hotels or travel agencies)? Has your company received funding from the NCC-CY-ENTERPRISES/1223 call? Is your company active in the fisheries, aquaculture, or primary agriculture sector? Is your company free of outstanding amounts owed to the Digital Security Authority? Do you have facilities and staff located in Cyprus?

💰 Section 2 — Funding Scope

What funding amount do you estimate needing for your cybersecurity project? Have you completed or planned a Gap Analysis according to the NCC-CY Cyber-Hygiene Framework? Do you plan to pursue Cybersecurity Certification (ISO 27001:2013 or 2022)? Will your project include both services (consulting, implementation, audits) and equipment (firewalls, backup systems, etc.)? Have you secured or planned to secure at least three quotes for purchases > €15,000 (excl. VAT)? Can you complete the project within 9 months from contract signing?

🧠 Section 3 — Cybersecurity Readiness

Does your organisation currently have an approved and communicated Cybersecurity Policy? Have your staff received cybersecurity awareness or training in the past 12 months? Are your systems regularly updated with security patches? Do you have antivirus/malware protection installed and active on all systems? Do you have firewalls and secure network configurations protecting internal systems? Do you maintain regular data backups (3-2-1 or equivalent)? Do you apply access control and password policies (MFA, need-to-know principles)? Do you have a security incident response plan or designated contact? Are physical security controls in place (locked rooms, CCTV, access cards)? Do you have a GDPR-aligned Data Protection Policy? Have you performed a Business / Operational Impact Analysis?

🧾 Section 4 — Management & Commitment

Is there a designated cybersecurity lead or CISO-level contact in your company? Is management committed to participating in the mandatory CISO training and RIF project workshop? Can your company issue and manage publicity actions (press release, post, video) after certification? Are you prepared to comply with the “Do No Significant Harm” environmental principle (EU Regulation 2020/852)? Do you agree to prepare and submit the required Annex II (Gap Analysis) and Annex III (Single Undertaking Declaration) with your proposal?

Frequently Asked Questions

What is the NCC-CY Funding Programme?

The National Cybersecurity Coordination Centre (NCC-CY) funding programme — managed by the Research and Innovation Foundation (RIF) — helps Cypriot SMEs strengthen their cybersecurity.
It provides up to 70% co-funding for implementing cybersecurity measures and obtaining Cyber-Hygiene Certification.

Who can apply?

Eligible applicants are Small and Medium Enterprises (SMEs) legally registered and active in Cyprus.
You must:

Employ fewer than 250 people
Have turnover ≤ €50M or balance sheet ≤ €43M
Not operate in the tourism, fisheries, or primary agriculture sectors
Not have received NCC-CY funding under the 2023 call

What funding amount can I receive?

You can apply for €20,000 to €65,000, or up to €75,000 if your project uses ENISA’s AR-in-a-Box awareness toolkit.
The programme covers 70% of eligible costs (the remaining 30% is your company’s contribution) .

What activities and expenses are eligible?

Eligible costs include services and equipment directly related to achieving certification — such as:

Cybersecurity consulting, policies, and training
Firewall, antivirus, backup, and access control systems
SOC and incident management tools
Data protection and business continuity planning
Certification audit costs
All expenses must align with the NCC-CY Cyber-Hygiene Framework for SMEs

How long do I have to complete the project?

Projects must be completed within 9 months of contract signing .

What documents are required for submission?

To apply, you’ll need:

Part A – General Information & Budget (completed on IRIS portal)
Part B – Technical Annex (project description & plan)
Annex II – Gap Analysis
Annex III – Single Undertaking Declaration

What is the “Gap Analysis”?

The Gap Analysis is a required document that evaluates your company’s current cybersecurity status against the 11 control measures of the Cyber-Hygiene Framework.
It helps define what solutions and services you need to reach certification level.

What is the ENISA AR-in-a-Box?

It’s a cyber awareness toolkit developed by ENISA to help SMEs train staff, plan awareness campaigns, and measure impact.
Using it can make your application more competitive — and unlock up to €10,000 additional funding .

Who conducts the certification?

Certification must be carried out by accredited bodies (ISO 17021 & ISO 27006) that can certify compliance with ISO/IEC 27001:2013 or 27001:2022 .

What happens if my project doesn’t achieve certification?

If your company does not achieve certification by project end, the funding will not be granted and any pre-financing must be refunded to RIF .

How do I apply?

Applications are submitted electronically through the IRIS Portal of the Research and Innovation Foundation:
👉 https://iris.research.org.cy

What support does CDMA provide?

CDMA Services Ltd helps you with the Gap Analysis, proposal preparation, cost justification, and certification implementation.
We also assist in aligning your cybersecurity investments with the NCC-CY control measures and preparing the required annexes for submission.

When is the submission deadline?

All proposals must be submitted by 18 November 2025, 13:00 (Cyprus Time) .

What if I’m not eligible yet?

If you’re not yet eligible, you can still request a free roadmap to eligibility — a personalized PDF that outlines the next steps your company should take to qualify for the next round.

Managed IT

Professional Services

IT Strategy