What is the Cybersecure Company Program and what actions are eligible for subsidies?

The goal is to improve the digital preparedness of companies based in Galicia against cyber threats.

It finances the adoption of cybersecurity measures and services provided by approved providers, aimed at strengthening the protection of critical assets, reducing the risk of incidents and improving prevention capabilities (see Eligible Actions section)

General conditions for eligible expenses:

• Specialized cybersecurity services.
• Provided by approved provider entities.
• Performed since the date of application for aid.

Types of eligible actions/services:

• Conducting an initial maturity and risk assessmentThis includes conducting technical audits aimed at evaluating the company’s digital maturity and cybersecurity risks, as well as preparing a technical report with recommendations and proposals for improvement, when the beneficiary company deems it necessary, especially in cases where it does not have a recent diagnosis in accordance with recognized standards.

• Access to specialized pay-per-use services for 12 months, adapted to the needs identified, taking into account the following technical itineraries:

1. Cloudification IaaS (Infrastructure as a Service):actions aimed atSecure migration of infrastructures to cloud environments, including data access management, operational continuity, backups, and associated risk control.
2. ITaaS (Information Technology as a Service) Securization:implementation andSecure operation of IT infrastructures, such as incident detection and response systems (SOC, EDR, MDR or equivalents), monitoring and alert management.
3. OtaaS Securization (Operational Technology as a Service):Deployment of security solutions in industrial environments, including OT networks, SCADA or PLC systems, and real-time asset visibility and traffic monitoring tools.

• The execution of complementary actions of single provision, suchsuch as: ethical hacking tests, cybersecurity awareness and sensitization actions, implementation of security policies based on recognized standards such as ISO/IEC 27001, the National Security Scheme (ENS) or the NIS2 Directive, as well as strategic support services such as CISO as a Service, aimed at defining, monitoring and supervising the company’s cybersecurity plan.

The following will not be eligible for subsidies:

• Actions initiated before the application.
• Recurring expenses unrelated to the subsidized action or ordinary maintenance of existing infrastructure.
• Hardware or physical equipment.
• Internal costs of the requesting company or provided by its own staff.

Who is it aimed at?

Individual entrepreneurs or legal entities, regardless of size, who meet the following requirements may be eligible for this aid:

• Registered office or place of work in Galicia where the subsidized activity takes place.
• Validly constituted at the time of submitting the application.
• Be up to date with AEAT/SS/Autonomous Community
• Not to incur in causes of arts. 10.2 and 10.3 of Law 9/2007 of June 13 on subsidies of Galicia, nor to fail to comply with the obligations of art. 11 of the aforementioned law.
• The following cannot be beneficiaries:
  • Companies that provide similar cybersecurity services (potential approved providers).
  • Companies subject to an order to recover aid.

What type of aid is available?

These are grants awarded on a non-competitive basis, meaning they will be granted strictly in the order in which applications are received.

They are subject to de minimis regulations.

They are incompatible with any other for the same expenses.

What is the amount of the aid?

The aid intensity is 75% of the eligible expenses, with a maximum limit of €30,000.

The minimum eligible expenditure is€18,000 and a maximum of €40,000.Projects with a lower budget will not be eligible for aid.

What are the deadlines for applying for aid and for carrying out the projects?

Application deadline: from the sixth working day after the publication of the Resolution on the approval of cybersecurity providers at 09:00 (currently pending resolution; its publication is estimated for the end of October 2025) until 15/11/2025 at 14:00 hours.

Deadline for the execution of services, expenses and payments: as established in the concession resolution and, in any case, before 30/11/2026.

What is the procedure for justifying expenses and receiving aid?

If the applicant company is awarded the aid, it must:

• Execute the expenseseligible for subsidies within the period approved in the grant resolution and, in any case, before November 30, 2026.
• Make payments within the expenditure execution deadlineand always within the maximum legal payment deadlines to suppliers.

The justification of expenses will be submitted through the approved provider, by means of one or more grant payment requests within the following time periods:

• In the event of recognition of expenses in the year 2025, you must submit a payment request with a deadline of 26/12/2025.
• For the 2026 year, a partial payment request can be submitted between 1 and 30/04/2026 and a final request no later than 30/11/2026.

The aid will be made effective through direct payment by Igape to the approved provider entity that provides the services, of 75% of the eligible expenditure, once the justification of the action has been validated.

The beneficiary company will only have to pay the approved supplier 25% of the eligible taxable base and the VAT of the entire invoice.

Links of interest

Terms and conditions of the call for applications:

https://igape.gal/gl/axudas/ultimas-axudas/axuda/940?return=aW5kZXgucGhwP29wdGlvbj1jb21fb3J0aWdhcGUmdmlldz1heHVkYXMjdWx0aW1hcy1heHVkYXM=#sp-main-body

Link to the Igape electronic aid application portal:

https://spiga-sede.igape.es/

Public catalog of approved provider entities for the program:

https://igape.gal/gl/entidades-homologadas-ciber