Ciberseguridad

Cybersecurity with public funding

Spanish SMEs can access public programmes that cover between 60 % and 100 % of the cost of implementing digital protection. Summum Sistemas identifies the right scheme, prepares the application and carries out the technical measures so that nothing is left unprotected.

Active programmesActiva Ciberseguridad · Kit Digital · PYME Ciberseguridad
FundingNextGenEU · PRTR · INCIBE funds
ScopeSMEs and micro-enterprises · Castilla y León · Canarias

70 % of cyber attacks in Spain hit SMEs, according to INCIBE data. The reason is straightforward: SMEs hold valuable assets — customer records, payment data, intellectual property — but have historically under-invested in protecting them. The average cost of an incident for a company with fewer than 50 employees exceeds 35,000 euros in recovery, lost productive time and reputational damage. Against that risk, current public programmes fund security tools and services that were previously out of reach for businesses without a dedicated IT department.

The Activa Ciberseguridad programme, managed by INCIBE and EOI under the Recovery Plan (PRTR), offers each qualifying company an advisory service valued at 2,140 euros: a technical diagnosis, a prioritised roadmap and awareness workshops for the team. Kit Digital, meanwhile, funds the deployment of concrete solutions — managed firewalls, threat detection, encrypted backup, identity management — with vouchers of up to 6,000 euros for companies with 3 to 9 employees and up to 12,000 euros for those with 10 to 49. In 2026, Order TDF/39/2026 has reactivated remaining funds from previous calls, meaning opportunities still exist for businesses that have not yet applied for a voucher.

These funding lines are accompanied by the NIS2 regulatory framework: the European directive — whose Spanish transposition is going through parliamentary process in 2026 — requires companies in essential and important sectors to implement minimum security measures, risk management, incident notification and personal accountability at board level. Although the final Spanish law has not yet been published, the European Commission has already launched infringement proceedings against non-transposing Member States, so waiting is not a viable strategy. Summum Sistemas structures the technical roadmap so that every subsidised investment also serves to comply with NIS2 when the law comes into force. For the governance and regulatory compliance analysis of NIS2, we coordinate with the Summum Consultoría team, which owns that domain within the group.

The Cybersecurity with public funding process.

The process · four stages
01

Diagnosis and eligibility

We audit the current security posture (asset inventory, exposure, existing controls) and verify which calls are open and which ones the company qualifies for based on its CNAE code, size and autonomous community. We deliver a gap report with prioritisation by real risk.

02

Application and processing

We prepare the technical and administrative documentation required by each programme (descriptive report, action plan, certificates). We guide the company through the electronic submission and follow up the file until the grant award decision.

03

Technical deployment

We deploy the solutions covered by the grant: EDR/XDR on endpoints, next-generation firewalls, centralised identity management (MFA, SSO), encrypted backups on sovereign cloud, and continuous monitoring by a managed SOC — all integrated with existing ERP and CRM systems.

04

Training, justification and maintenance

We train staff on the new tools and secure habits (phishing awareness, password hygiene, device management). We prepare the financial and technical justification report for the granting body and establish an annual maintenance and review plan to keep protection up to date.

What is included

What Cybersecurity with public funding includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Cybersecurity diagnosis

    Technical analysis of the perimeter, endpoints, internal network, access management and backups. Gap report prioritised by impact and ease of remediation.

  • Grant application

    Identification of applicable programmes (Activa Ciberseguridad, Kit Digital, PYME Ciberseguridad 2026), drafting of the technical report and full processing before INCIBE, Red.es or the relevant regional body.

  • Endpoint and network protection

    Deployment of EDR/XDR, NGFW firewalls, network segmentation, DNS filtering and Zero Trust access control. Integration with existing Microsoft 365 or Google Workspace environments.

  • Identity and access management

    Implementation of multi-factor authentication (MFA), single sign-on (SSO) and least-privilege access policies. Reduces the attack surface against credential theft.

  • Encrypted backup and recovery

    Encrypted backup solution on sovereign EU cloud, with documented periodic restoration tests. Ensures business continuity against ransomware or hardware failure.

  • Justification and final audit

    Preparation of all justification documentation (invoices, deployment evidence, technical reports) to close the grant file and, where applicable, to support the granting body's audit.

Frequently asked questions about Cybersecurity with public funding.

Can my company apply for Activa Ciberseguridad if it already has a Kit Digital voucher?

Yes. Activa Ciberseguridad and Kit Digital are independent programmes with different funding sources. The first provides free advisory and diagnostic services; the second funds the deployment of specific solutions. Combining them is common practice: the Activa Ciberseguridad diagnosis guides exactly which solutions to invest the Kit Digital voucher in.

How much does Kit Digital cover for cybersecurity?

The cybersecurity category within Kit Digital covers up to 2,000 euros for Segment III companies (0–2 employees), up to 2,000 euros for Segment II (3–9 employees) and up to 2,000 euros for Segment I (10–49 employees), within the overall voucher that can reach 12,000 euros. Order TDF/39/2026 has reactivated remaining funds, so open applications still exist in certain autonomous communities in 2026.

Does the NIS2 directive apply to my SME even though it has not yet been transposed in Spain?

If your company operates in an essential or important sector as defined by NIS2 (energy, transport, health, digital infrastructure, managed service providers, among others), the European directive is directly applicable as a reference framework. Spain has the Draft Law on Cybersecurity Coordination and Governance going through parliamentary process in 2026 and the European Commission has already launched infringement proceedings. Waiting for the Spanish law to act is the highest-risk scenario; starting now also allows co-funding the measures with existing public grants.

What is the difference between a managed SOC and Kit Digital solutions?

Kit Digital funds the deployment of tools (licences, configuration, commissioning). A managed SOC is a continuous 24×7 monitoring service that analyses the alerts generated by those tools and responds to incidents. Both are complementary: the tools detect, the SOC acts. Summum Sistemas offers both layers and manages their integration.

Can Summum Sistemas support a company in the Canary Islands?

Yes. We have an office in Las Palmas and have been supporting SMEs in Castilla y León and the Canary Islands since 2007. Grant processing can be carried out remotely for any company in Spain; technical deployment is supported by the local team when the service requires it.