Testing and Certification Capabilities

The completed application form shall be signed by the statutory body with a qualified electronic signature or a qualified electronic signature bearing a mandate certificate or a qualified electronic seal.

The applicant shall send the application signed in this way to the Authority in electronic form, as an annex to the electronic submission, via the Authority’s electronic mailbox established within the Central Public Administration Portal www.slovensko.sk via the ‘General Agenda’ service.

An application that is not received by the Authority in the form indicated above will not be considered to have been submitted and will be disqualified from the evaluation process.

The method of delivery of the application set out in Annex 2 to the call ‘Conditions for granting a grant’ is further detailed.

In order to establish the ranking of applications, each grant application is assessed with the application of the Criteria for the selection of projects, which form Annex 3 to the call . By applying the criteria for selecting projects, the Authority creates a descending ranking of applicants whose grant applications met the conditions for granting a grant, starting from the application that obtained the most points based on the criteria.

The purpose of applying the criteria for selecting projects is to determine the ranking of applicants, according to which the Authority sends a notification of compliance with the conditions for granting a grant. At the same time, it immediately sends the draft grant agreement to those applicants (in the order determined based on the project selection criteria) for whom the grant is fully covered by the amount of call funds available.

For applicants for whom the grant is not fully covered by the amount of available allocation of the call funds, the Authority will not send a draft grant agreement due to the lack of funds intended for exhaustion within the call.

For more information please visit https://ncca.nbu.gov.sk/vyzva-na-predkladanie-ziadosti-o-nenavratny-financny-prispevok-nfp-na-podporu-zvysovania-kybernetickej-odolnosti-produktov-v-ramci-financnej-podpory-tretim-stranam/?csrt=3188211923617740323

Only projects aimed at enhancing the cyber resilience of products through the following activities are considered eligible under this call:

Area 1: Support tools

Beneficiary: Educational institutions

Eligible activity 1: Development of support tools and documentation to fulfil CRA obligations

The aim is to provide manufacturers, importers and distributors with practical tools to help them fulfil their CRA obligations, including templates for technical documentation and declarations of conformity, methodological guidelines, checklists and instructions, etc.

Project outputs under this activity include: Market-wide methodologies and tools, CRA sample documentation for model products, CRA readiness assessment services or audit templates, an open knowledge base or web platform with CRA support.

Area 2: Education

Beneficiary: Educational institutions

Eligible activity 2: Training on CRA requirements

The aim of this training is to train SME staff on the legislative obligations and basic cybersecurity requirements arising from the CRA. Topics include secure design principles, conformity assessment pathways and vulnerability management obligations.

• Project outputs under this activity include: a developed training programme for the CRA, a detailed training curriculum, training materials and presentations, records of staff attendance and completion of the training, and test results to measure the level of understanding of the subject matter.

The beneficiary is required to provide free training for at least 5 participants nominated by 5 different SMEs

Eligible Activity 3: Technical training related to cybersecurity

These training sessions are aimed at practically enhancing the technical skills of developers and engineers with the aim of aligning day-to-day operations with CRA requirements. They cover areas such as secure coding, threat modelling and working securely with open-source components.

• Project outputs under this activity include: a developed training programme for the CRA area, technical documentation of training syllabuses, presentations focused on practical demonstrations of techniques, records of completion of technical training, and quantifiable results of the assessment of participants’ technical skills.

The beneficiary is required to provide free training for at least 5 participants nominated by 5 different SMEs

Area 3: Analysis and documentation

Beneficiary: Small and medium-sized enterprises – manufacturer

Eligible activity 4: Analysis of discrepancies in compliance with the CRA

This activity serves to review current processes for the manufacture and distribution of products with digital elements against CRA requirements. The aim is to identify technical and organisational gaps that prevent full compliance with regulations by benchmarking current practice against mandatory controls, such as vulnerability disclosure, logging and security updates.

• The outputs of projects within this activity include: CRA Conformity Gap Analysis Report, Gap Analysis Register, Compliance Checklist verifying adherence to key CRA controls, and an executive summary of the main findings and recommendations.

Eligible Activity 5: Compliance Needs Analysis and Risk Analysis

At this stage, the product’s security requirements are assessed in the context of the risks identified throughout its entire lifecycle. The analysis takes into account threat scenarios, impact analysis, reliance on third-party components and potential regulatory exposure.

• Project deliverables within this activity include: a CRA Risk Assessment Report, a detailed Threat Scenario Analysis, a register of third-party component risks, and a document summarising potential penalties and obligations in terms of non-linear compliance (Regulatory Exposure Assessment).

Eligible Activity 6: CRA Action Plan

The action plan provides a structured roadmap for addressing identified compliance gaps. It defines corrective actions, allocates responsibilities and sets timelines so that improvements are integrated directly into product development cycles.

• Project deliverables under this activity include: CRA Action Plan documentation, a plan for the allocation of personnel and financial resources, a tool for tracking progress on corrective actions, and technical documentation demonstrating the successful implementation of corrective measures.

Area 4: Testing

Beneficiary: Small and medium-sized enterprises – manufacturer

Eligible Activity 7: Vulnerability testing

Technical assessment aimed at identifying weaknesses in the software, firmware and hardware components of the product. These tests include static and dynamic analysis, configuration review and third-party dependency checks.

• Project deliverables under this activity include: A detailed vulnerability assessment report and remediation plan, logs from automated code scans and runtime tests (Static/Dynamic Analysis Logs), a review of system configurations, and reports from third-party library analyses.

Eligible Activity 8: Laboratory Tests

This involves the verification of the product’s security functions, such as encryption, authentication and access control, in a controlled laboratory environment. These tests provide evidence that the product meets the CRA’s basic requirements.

• Project deliverables under this activity include: technical reports with recommendations for remediation, updated process and technical artefacts, records of task coordination, and summary reports from advisory meetings with experts.

Eligible Activity 9: Penetration Testing

Authorised simulations of cyber attacks to assess the real-world exploitability of vulnerabilities in various interfaces (firmware, APIs, cloud, embedded systems).

• Project outputs under this activity include: A penetration testing report documenting successful exploits and proposed fixes, practical demonstrations of attacks (Proof-of-Concept), a review of network and system risks, and documentation verifying the removal of identified vulnerabilities.

Area 5: Hardware and software

Beneficiary: Small and medium-sized enterprises – manufacturers

Eligible Activity 10: Services and tools for monitoring, protection and prevention

Deployment of tools for continuous security monitoring, proactive threat prevention and incident detection. Examples include IDS systems, malware scanning and encryption management.

• Project outputs under this activity include: Documentation on the deployment of IDS tools and logging systems, reports on implemented access and privilege controls, deployment logs for encryption solutions, and reports on detected threats and preventive measures.

Applicants may procure technologies necessary to achieve CRA compliance objectives within the project, provided they are directly linked to eligible activities. These include solutions for protecting information systems, production environments or the products themselves:

 network security tools (firewalls, IPS),

 data protection technologies (encryption, DLP),

 endpoint security (EDR, XDR),

 vulnerability management and SBOM tools,

 as well as identity solutions (MFA, PAM)

The applicant is entitled to combine activities from individual areas as follows:

 Educational institution – Activities 1–3

 Manufacturer – Activities 4–10

The applicant may submit only one application for grant. If multiple applications are submitted, the Office will consider the application submitted last.

Under this call, the following are eligible applicants:

Activity 1-3: certified educational institutions (within the meaning of Section 10 of Act No. 292/2024 Coll. on Adult Education), entered in the register of certified educational institutions.

Activities 4–10: legal entities as defined in Section 2(2)(a) of the Commercial Code , which meet all of the following conditions:

- they meet the definition of a small and medium-sized enterprise (hereinafter ‘SME’ ),

- are registered in the Slovak Republic on the date of submission of the application,

- as of the date of submission of the application, they have approved financial statements for:

• a completed financial period that is not shorter than 12 months and which immediately precedes the financial period in which the application was submitted ,

or

• a completed financial period that is not shorter than 12 months and which immediately precedes the financial period referred to in the previous indent .

Please note that natural persons – entrepreneurs – are not eligible beneficiaries. Legal entities that meet the definition of a micro-enterprise are also not eligible beneficiaries.

In the case of SMEs established through a merger, consolidation or division , the period of operation of the longest-standing dissolving company, whose assets or part thereof have been transferred to the successor company, shall also be taken into account for the purposes of assessing the period of operation.

- on the date of submission of the application, demonstrate that they are a manufacturer of a product with digital elements within the meaning of Regulation (EU) 2024/2847 of the European Parliament and of the Council (EU) 2024/2847 of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

Grant will be provided as part of financial support to third parties in accordance with the terms of the "GRANT AGREEMENT Project 101127837 — TestCert-SK" concluded between the European Union represented by the European Commission (EC) and the NSA. Project 101127837 — TestCert-SK is funded by the Digital Europe Programme.

Grant will be paid in a single instalment at the end of the project, following approval of the final report.

Payment of the grant is conditional upon the submission of accounting documents, the fulfilment of project indicators, the submission of the final report and documentation prepared within the framework of the project. The beneficiary is obliged to maintain analytical accounting records of expenditure relating to the supported project.

For more information please visit: https://ncca.nbu.gov.sk/vyzva-na-predkladanie-ziadosti-o-nenavratny-financny-prispevok-nfp-na-podporu-zvysovania-kybernetickej-odolnosti-produktov-v-ramci-financnej-podpory-tretim-stranam/?csrt=3188211923617740323

[1]    Act No. 513/1991 Coll., the Commercial Code, as amended.

[2]    As set out in Annex I to Commission Regulation (EU) No 651/2014 of 17 June 2014 declaring certain categories of aid compatible with the internal market in accordance with Articles 107 and 108 of the Treaty (OJ L 187, 26 June 2014).

[3]    Example: If an applicant submits an application in 2024, the immediately preceding accounting period is deemed to be the accounting period for 2023, provided that this accounting period is not shorter than 12 months. The above applies where the accounting period coincides with the calendar year. In the case of a financial year, the procedure is similar.

[4]    Example: If the applicant submits an application in 2024, the accounting period immediately preceding the accounting period referred to in the previous indent is deemed to be the accounting period for the year 2022, provided that this accounting period is not shorter than 12 months. The above applies where the accounting period coincides with the calendar year. In the case of a financial year, the procedure is the same.

[5]    The threshold values for the individual size categories are available in the document at the following link: https://op.europa.eu/sk/publication-detail/-/publication/79c0ce87-f4dc-11e6-8a35-01aa75ed71a1

[6]    Pursuant to Section 69 of Act No. 513/1991 Coll., the Commercial Code, as amended.

[7]    https://eur-lex.europa.eu/legal-content/SK/TXT/HTML/?uri=OJ:L_202402847