Knowledge base Updated: February 5, 2026

EU funding for cybersecurity - how public sector organizations can leverage recovery funds

Billions of euros available for cybersecurity investments. Up to 100% funding with no co-financing required. A historic opportunity for public sector digital security.

A mayor reviews the morning news. Ransomware has paralyzed a neighboring municipality - systems have been down for two weeks, residents cannot access services, media are asking questions. The IT budget barely covers ongoing maintenance, with no room for advanced security systems. But an opportunity is emerging: EU Recovery and Resilience Facility programs offer funding for cybersecurity. The challenge is that application deadlines are approaching and procedures seem complicated.

This situation affects thousands of public institutions across Europe. NIS2 and DORA requirements mandate security investments that strain budgets. Simultaneously, EU member states are implementing unprecedented cybersecurity funding programs through their National Recovery and Resilience Plans. Programs targeting local governments, critical infrastructure operators, and public institutions offer significant funding - often covering 100% of eligible costs.

What is the Recovery and Resilience Facility?

The Recovery and Resilience Facility (RRF) is the centerpiece of NextGenerationEU, the EU’s recovery plan addressing the pandemic’s economic and social impact. Member states receive billions in grants and loans to finance reforms and investments in digital transformation, green transition, and resilience.

Digital transformation components in national plans include dedicated cybersecurity investments. Member states have allocated significant portions of their digital budgets specifically for public sector cybersecurity - strengthening defenses at local, regional, and national levels.

The funding must be utilized within specific timeframes, typically by 2026. Organizations that miss application deadlines lose this historic opportunity. Procedures are rigorous - applications with errors are rejected.


What types of organizations are eligible?

Eligibility varies by member state and specific program, but common beneficiaries include:

Local government units - municipalities, counties, and regions, particularly smaller entities that previously lacked resources for advanced security.

Critical infrastructure operators - organizations operating essential services in sectors like water, energy, healthcare, and transportation.

Public administration bodies - government agencies and offices at various levels.

Public healthcare institutions - hospitals, health centers, and medical facilities.

Specific eligibility criteria are defined in each program’s regulations. Organizations should verify current requirements with national authorities or program operators.

What expenditures typically qualify for funding?

Funding programs generally define broad categories of eligible cybersecurity expenditures.

Security system procurement and implementation forms the main category. This includes: EDR (Endpoint Detection and Response) systems, SIEM (Security Information and Event Management) platforms, next-generation firewalls, backup and disaster recovery solutions, email protection systems, and vulnerability management tools.

Cybersecurity services represent another key category. Eligible items include: security audits and penetration testing, SOC (Security Operations Center) services including Managed SOC, employee cybersecurity training, security policy and procedure development, and certification support (e.g., ISO 27001).

Supporting infrastructure expenditures may include: servers and storage necessary for security system operation, network equipment for segmentation, and uninterruptible power supplies for critical security infrastructure.

Expenditures must be directly related to cybersecurity. Standard computer equipment or office software generally doesn’t qualify.

What are common application mistakes to avoid?

Analysis of previous funding rounds reveals typical errors leading to rejection.

Scope mismatch - the application includes ineligible expenditures or objectives unrelated to cybersecurity. Before submission, carefully analyze the eligibility catalog and ensure all planned purchases fit within it.

Insufficient justification - the application doesn’t explain why specific solutions are needed. Stating “we need EDR because it’s important” isn’t enough. Applications must demonstrate current security gaps, the threats addressed, and how new systems improve security posture.

Unrealistic timelines - the project assumes implementation of complex systems in impossibly short periods. SIEM implementation in a large organization may take months - timelines must reflect this reality.

No sustainability plan - the application doesn’t show how systems will be maintained after project completion. Purchasing an advanced SIEM without a maintenance plan (either an internal team or Managed SOC) will result in rejection.

Formal errors - missing signatures, outdated documents, missed deadlines. These errors are disqualifying, with no opportunity for correction.

How should organizations choose technical solutions?

Solution selection should be based on actual organizational needs, not product popularity or vendor marketing.

The starting point should be a cybersecurity maturity assessment. An organization without basic protections doesn’t need an advanced SIEM - it needs a firewall, antivirus, and backups first. Investments should match the organization’s maturity level and actual threats.

For typical smaller public organizations, a basic security stack should include: EDR on all workstations, next-generation firewall with IPS capabilities, backup system with offsite replication, and awareness training for employees. This foundation must exist before more advanced systems make sense.

For larger entities or those with higher maturity, sensible investments include: SIEM for centralized log analysis, Managed SOC service providing 24/7 monitoring, PAM (Privileged Access Management) for protecting privileged accounts, and penetration testing and security audits.

Ensuring operational continuity is critical. Purchasing SIEM without a team to operate it wastes resources. Managed SOC services solve this problem - an external expert team monitors the environment 24/7 while the organization pays a predictable monthly fee.

Why is Managed SOC particularly valuable for funded projects?

Managed SOC services are especially attractive in the funding context for several reasons.

First, Managed SOC solves the competency gap. Small public organizations don’t have and won’t have specialists in SIEM or threat hunting. Managed SOC provides access to experts without building an internal team.

Second, Managed SOC costs are predictable. Fixed monthly fees fit more easily into public sector budget planning than unpredictable costs of internal SOC (staff turnover, training, unexpected incidents).

Third, Managed SOC provides 24/7 monitoring that most organizations cannot provide independently. Attacks don’t wait for office hours - detection and response capability at night or on weekends is critical.

How does this funding align with NIS2 requirements?

EU-funded projects provide an excellent opportunity to simultaneously meet NIS2 directive requirements. When planning investments, organizations should consider regulatory obligations.

NIS2 requires implementing risk management measures including: risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, network and system security, and employee training.

Funded projects can address all these areas: EDR and SIEM systems provide detection and incident handling, backup/DR solutions ensure business continuity, network segmentation and firewalls secure networks, and awareness training builds employee knowledge.

Project documentation (initial audit, investment plan, policies and procedures) can form the basis for NIS2-required documentation. One investment solves two problems - funding and regulatory compliance.

Strategic map for cybersecurity funding utilization

Investment area | Example solutions | Addressed requirements
Endpoint protection | EDR systems | NIS2 Article 21
Monitoring and detection | SIEM + Managed SOC | NIS2, 24/7 monitoring
Network protection | NGFW, segmentation | NIS2 Article 21
Business continuity | Backup, DR | NIS2 Article 21, DORA
Awareness | Training, simulations | NIS2 Article 21
Audit and documentation | Audits, policies, ISO 27001 | NIS2 documentation

Summary

EU Recovery and Resilience Facility funding programs represent a historic opportunity to strengthen cybersecurity in public institutions. Significant resources are available for local governments, critical infrastructure operators, and other eligible entities - but securing them requires action within defined timeframes.

Success requires proper preparation: current state audit, realistic investment plan, avoiding typical formal errors. Solution selection should be based on actual needs, not vendor marketing. For most small and medium organizations, Managed SOC services are more rational than building internal security teams.

Funded projects also enable meeting NIS2 and other regulatory requirements. One investment can simultaneously provide funding and legal compliance. This synergy is worth leveraging.

Time works against organizations that delay. RRF funding must be utilized by 2026, program calls have limited budgets, and procedures require time. Institutions that don’t use this opportunity will have to finance necessary investments from their own, often limited budgets.


Need support preparing a funding application? Contact us - our experts will help conduct security audits, prepare investment plans, and select solutions meeting program requirements.
