Cybersecurity is no longer a luxury reserved for large corporations. Today, 60% of Spanish SMEs with fewer than 250 employees have suffered some form of cyberattack, according to industry data. Public administrations have responded accordingly: in 2025 and 2026 several programmes have been set up specifically designed to help SMEs finance or subsidise their digital protection investments. The problem is that few businesses have a clear picture of which programmes exist, what they actually cover and how to access them without wasting time. This article explains it with real figures and verified sources.
What cybersecurity grants exist in 2026 for Spanish SMEs?
In 2026 there are four main public funding routes for cybersecurity in SMEs: the ACTIVA Cybersecurity programme (free advisory service co-financed by European funds), the cybersecurity solution of the Kit Digital (economic voucher to contract certified solutions), regional programmes supported by INCIBE (calls such as CIBERREG in Cantabria) and INCIBE's own direct lines (the 017 helpline, training resources and free diagnostics). Each one serves a different moment and need, so it is common to combine them.
ACTIVA Cybersecurity: specialist advisory at no direct cost
The ACTIVA Cybersecurity programme is part of the Industria Conectada 4.0 initiative of the Ministry of Industry, Trade and Tourism, co-financed with ERDF funds from the European Union. Its objective is to provide SMEs, micro-enterprises and self-employed workers with expert accompaniment over four to five months to diagnose their cybersecurity situation and develop a personalised action plan.
The programme includes 20 hours of specialist consultancy delivered by certified companies with proven experience in cybersecurity projects. On completion, the company receives a Cybersecurity Plan with concrete measures prioritised according to the risk level identified. The company pays nothing directly: the service is provided in kind, financed by the Government through the School of Industrial Organisation (EOI), which manages the programme together with INCIBE.
With a total budget of more than 9 million euros and capacity to support thousands of SMEs across the national territory, it is one of the highest-impact programmes in terms of coverage. The only condition for access is being a legally constituted company in Spain, regardless of sector or number of employees. Registration is managed through the EOI platform.
What does the resulting Cybersecurity Plan cover?
The final deliverable of the programme is not generic. Consultants analyse the company's real technological infrastructure: operating systems, servers, remote connections, password management, backups, staff training and compliance with current regulations (ENS, GDPR, NIS2 where applicable). The action plan identifies critical vulnerabilities, proposes measures with estimated costs and prioritises the actions with the greatest immediate impact. For many SMEs, this diagnosis is the starting point for subsequently applying for the Kit Digital voucher and justifying the investment with sound criteria.
Kit Digital: the voucher for contracting cybersecurity solutions
The Kit Digital is the SME digitalisation programme managed by Red.es under the Recovery, Transformation and Resilience Plan, financed by NextGenerationEU European funds. It includes a specific category called «Cybersecurity» that allows the financing of technical protection solutions: advanced antivirus, encrypted communications, password management, intrusion detection and cloud backups, among others.
Voucher amounts vary according to the company segment. The following table summarises the tiers in force in active calls:
| Segment | Company size | Total Kit Digital voucher | Maximum amount for Cybersecurity |
|---|---|---|---|
| Segment I | 10 to 49 employees | 12,000 € | up to 6,000 € |
| Segment II | 3 to 9 employees | 6,000 € | up to 3,000 € |
| Segment III | 0 to 2 employees / self-employed | 3,000 € | up to 2,000 € |
| Segment IV | 50 to 99 employees | 25,000 € | up to 10,000 € |
| Segment V | 100 to 249 employees | 29,000 € | up to 14,500 € |
Note: maximum amounts per category are set out in the regulatory bases published by Red.es. The figures shown correspond to the calls in force in the first half of 2026 and may vary in new calls.
To access the Kit Digital voucher, the company must register on Acelera pyme (acelerapyme.gob.es), complete the digital diagnostics test and select an Accredited Digitalisation Agent who will deliver the service. The agent handles all administrative processing. The company does not advance the voucher amount: payment is made directly between Red.es and the agent after the service has been justified.
At Summum Sistemas we guide our clients through the entire process of accessing cybersecurity grants: from selecting the most suitable technical solution to coordinating with the digitalisation agent and post-implementation follow-up.
Advanced cybersecurity: the most comprehensive technical category
Since the latest amendments to the Kit Digital regulatory bases (Order TDF/39/2026), the programme incorporates an advanced cybersecurity sub-category that includes EDR (Endpoint Detection and Response) and MDR (Managed Detection and Response) solutions. These technologies go beyond traditional antivirus: they monitor device behaviour in real time, detect unknown threats through behavioural analysis and enable automated incident response. The subsidisable amount is calculated by number of protected users, with a per-user limit and a maximum total per segment.
Regional programmes supported by INCIBE: the case of CIBERREG
In addition to national programmes, several autonomous communities have launched their own calls for support for business cybersecurity, many of them in technical collaboration with INCIBE. A relevant and recent example is CIBERREG in Cantabria, launched in 2026 by SODERCAN with a budget of 150,000 euros. This programme covers up to 50% of eligible expenditure on cybersecurity, with a maximum of 20,000 euros per project, for investments made from 1 January 2025.
Castilla y León also has grant lines for cybersecurity R&D projects, managed by the regional government, aimed at SMEs with their registered office in the region. Companies based in Valladolid, Burgos, Palencia or Aranda de Duero can combine these regional grants with the national Kit Digital, provided the same expenditure is not subsidised twice (non-concurrence rule on the same concept).
The general pattern in these regional calls is to finance: acquisition of security hardware (firewalls, appliances), specialist software licences, external cybersecurity consultancy services and technical staff training. It is advisable to monitor the Official State Gazette (BOE) and regional bulletins (BOCYL in Castilla y León, BOC in Cantabria, etc.) to avoid missing application deadlines.
Free INCIBE resources: the 017 helpline and maturity diagnostics
Regardless of grants, INCIBE (National Cybersecurity Institute) makes available to SMEs and self-employed workers a set of highly practical free services:
- Helpline 017: free cybersecurity helpline, available during extended hours. Also accessible via WhatsApp (900 116 117) and Telegram (@INCIBE017). Handles queries on incidents, fraud and technical questions.
- Self-diagnostics test: online tool at incibe.es that allows a company to assess its cybersecurity maturity level in under 20 minutes, with an instant results report and recommendations.
- +Cybersecurity Programme: second edition of the training and awareness initiative aimed at SMEs, micro-enterprises and self-employed workers across the national territory, with in-person and online workshops.
- Sector guides: INCIBE publishes best-practice guides tailored to specific sectors (retail, industry, healthcare, professional services) available for free download.
Using these free resources before applying for a grant is a smart move: the prior diagnosis strengthens the technical justification of the application and helps to prioritise which Kit Digital category to invest the voucher in.
How to combine the programmes to maximise impact
The optimal strategy for an SME starting from scratch in cybersecurity typically follows this sequence:
- Free diagnostics with the INCIBE test or through the ACTIVA Cybersecurity programme (at no cost). Identifies real gaps.
- Action plan with clear priorities, derived from the diagnostics. This document serves as the basis for any subsequent grant application.
- Kit Digital voucher application in the cybersecurity category, with a digitalisation agent who implements the chosen technical solution.
- Complementary regional grants if there is an open call in the autonomous community (CIBERREG, JCYL lines, etc.) to finance additional hardware or consultancy.
- Ongoing team training through INCIBE resources and the offer of digitalisation agents, who typically include awareness sessions.
Summum Sistemas has been accompanying SMEs in technology and digitalisation projects for over two decades — since 2007. We know the Kit Digital application process from the inside, having managed more than 2,000 projects under this umbrella. If you want to know which grants apply to your specific company, the first step is a no-obligation situation analysis: request your cybersecurity diagnostics here.
Legal obligations that reinforce the need to act
Beyond grants, it is worth remembering that cybersecurity is not only a subsidised investment opportunity: in many cases it is a legal obligation. The GDPR (General Data Protection Regulation) requires every company that processes personal data to implement adequate technical and organisational measures to ensure its security. Non-compliance can result in fines of up to 4% of total annual global turnover or 20 million euros, whichever is greater.
Furthermore, the forthcoming transposition of the NIS2 Directive into Spanish law will expand the perimeter of entities obliged to have cybersecurity management systems in place, including suppliers in sectors such as energy, transport, food, critical manufacturing and digital services. For SMEs operating as suppliers to essential entities, NIS2 compliance will also be a business continuity requirement.
Frequently asked questions
Can an SME benefit from both Kit Digital and ACTIVA Cybersecurity at the same time?
Yes, they are complementary programmes. ACTIVA Cybersecurity provides the diagnostics and action plan; Kit Digital finances the technical implementation. There is no incompatibility between them, since the first is an in-kind consultancy service and the second is a voucher for technology solutions. It is advisable to start with ACTIVA to clearly define which solution will be implemented with the Kit Digital voucher.
Are cybersecurity grants compatible with other regional subsidies?
Generally yes, as long as the same expenditure is not financed twice. The rule is that the total public aid for the same eligible expenditure must not exceed 100% of the actual cost. If a company receives a 50% regional subsidy for a firewall, it can top up with Kit Digital to cover the remaining 50%, but cannot exceed the total cost of the good or service. Each call sets its own concurrence rules: it is essential to read the regulatory bases before applying.
What is a «digitalisation agent» and how do you choose one?
A digitalisation agent is a technology company that has passed Red.es' accreditation process to provide solutions within the Kit Digital. It can be a software company, a technology consultancy or a systems integrator. The official agent catalogue is available at acelerapyme.gob.es. The choice of agent is free; the most advisable approach is to select one with demonstrable experience in cybersecurity implementations and, if possible, with references in your sector or company size.
Does the INCIBE 017 helpline serve only individuals or also businesses?
The 017 helpline serves both individuals and businesses and self-employed workers. For businesses, it offers guidance during active security incidents (ransomware, phishing, unauthorised access), help reporting cybercrime and advice on preventive measures. The service is free and confidential. INCIBE also has an incident reporting form on its portal (incibe.es/reporte-amenaza-vulnerabilidad) for cases requiring more detailed technical follow-up.