1. Context and relevance
Cybersecurity has moved from a technical concern to a core pillar of European industrial, digital and security policy. The European Union is responding to escalating cyber threats, systemic vulnerabilities in digital supply chains and growing geopolitical pressure by tightening regulatory requirements and significantly increasing public investment in cybersecurity capabilities.
In this context, Malta has increasingly positioned itself as a potential European cybersecurity hub. Recent political and policy discussions underline the country’s ambition to play a stronger role in cybersecurity governance, innovation and compliance support at EU level. This positioning is particularly relevant at a time when the Cyber Resilience Act (CRA) fundamentally reshapes obligations for digital products placed on the EU market and when substantial EU funding remains available under Horizon Europe and the Digital Europe Programme.
For SMEs, technology providers, research organisations and public authorities, the convergence of regulation and funding creates both opportunity and risk. Organisations that understand how to translate regulatory requirements into credible, fundable project concepts are best positioned to benefit.
2. EU policy drivers shaping the cybersecurity landscape
2.1 From voluntary guidance to binding regulation
EU cybersecurity policy has evolved rapidly over the past decade. What was once dominated by voluntary frameworks and sector-specific rules has become a comprehensive regulatory architecture covering products, services and critical entities.
Key elements include:
– the Cyber Resilience Act, targeting products with digital elements;
– the NIS2 Directive, strengthening cybersecurity obligations for essential and important entities;
– the EU Cybersecurity Act, including certification frameworks and ENISA’s mandate.
Together, these instruments reflect a clear policy direction: cybersecurity is no longer optional, and market access increasingly depends on demonstrable compliance.
2.2 Why the Cyber Resilience Act is a game changer
The CRA introduces horizontal, legally binding cybersecurity requirements for hardware and software products that connect to networks or process data. It applies across sectors and business sizes, with limited exemptions.
Core obligations include:
– security-by-design and security-by-default principles;
– structured vulnerability handling and reporting processes;
– lifecycle security updates;
– technical documentation and conformity assessment linked to CE marking.
For many companies, particularly SMEs, these requirements represent a substantial shift in development, compliance and operational practices. At the same time, they open a clear space for innovation, tooling, services and support structures.
3. Where EU funding fits in
3.1 Horizon Europe: research, validation and systemic innovation
Under Horizon Europe, cybersecurity is primarily addressed within Cluster 3 (Civil Security for Society). Calls typically focus on:
– advanced cybersecurity technologies and architectures;
– cross-border cooperation and interoperability;
– large-scale pilots and validation in real-world environments.
Evaluators in Horizon Europe place strong emphasis on:
– scientific and technical excellence;
– relevance to EU policy objectives;
– credible pathways from research to deployment.
Projects that explicitly align technical work packages with CRA-related challenges (e.g. vulnerability management, secure development processes, certification readiness) tend to demonstrate stronger policy relevance and impact logic.
3.2 Digital Europe Programme: deployment and capacity building
The Digital Europe Programme complements Horizon Europe by funding deployment, skills and operational capacity rather than upstream research. In cybersecurity, this includes:
– cybersecurity infrastructure and competence centres;
– tools and services for SMEs and public administrations;
– training and upskilling related to compliance and operational security.
For organisations affected by the CRA, Digital Europe provides a pathway to move from conceptual readiness to practical implementation.
4. Malta’s potential role as a cybersecurity hub
Malta’s positioning is not primarily about scale, but about function. As a smaller Member State with an active digital policy agenda, Malta can act as:
– an implementation and testing environment for EU cybersecurity measures;
– a coordination hub for compliance-oriented services;
– a bridge between EU regulation and market uptake, particularly for SMEs.
This role aligns well with EU funding logic, which increasingly values implementation readiness, demonstrators and replicability across Member States.
For consortia preparing EU proposals, Malta can therefore be positioned not just as a geographical partner, but as a functional asset within work packages focused on validation, compliance support or capacity building.
5. Common weaknesses seen by evaluators
Across Horizon Europe and Digital Europe cybersecurity proposals, evaluators frequently criticise the same shortcomings:
1. Weak or implicit linkage to EU regulation, particularly the CRA
2. Overly generic cybersecurity objectives without clear regulatory relevance
3. Deliverables that do not translate into concrete compliance or operational outcomes
4. Lack of partners with real implementation or regulatory expertise
5. KPIs that measure activity rather than impact or readiness
6. Insufficient attention to exploitation, scalability and post-project uptake
7. Underdeveloped risk management for regulatory and implementation risks
6. Practical action plan for applicants
Organisations preparing cybersecurity-related EU proposals should follow a structured approach:
1. Map relevant EU policy and regulatory requirements (CRA, NIS2, certification schemes)
2. Identify where these requirements translate into technical, organisational or market gaps
3. Design work packages that explicitly address these gaps
4. Define deliverables linked to compliance, readiness or operational capability
5. Establish KPIs that measure regulatory alignment and practical impact
6. Build consortia combining technical, regulatory and user-side expertise
7. Integrate realistic risk management and mitigation measures
8. Develop clear exploitation and replication strategies
9. Align budgets with implementation ambition and value for money
7. How Nexuswelt supports
Nexuswelt supports organisations navigating the intersection of EU cybersecurity policy and EU funding with a strongly evaluator-oriented approach.
Our support includes:
– translating EU regulatory requirements into fundable project concepts;
– aligning proposal narratives with evaluator logic and policy priorities;
– structuring work packages, deliverables and KPIs focused on implementation readiness;
– supporting consortium design and partner positioning;
– reviewing proposals against common evaluator red flags.
Our focus is not on generic proposal writing, but on building credible, policy-aligned and implementable projects that stand up to evaluator scrutiny.
A typical next step for interested organisations is a structured proposal or concept review to assess policy fit, funding suitability and implementation credibility.
#CyberResilienceAct
#EUCybersecurity
#HorizonEurope
#DigitalEurope
#EUFunding
#MaltaInnovation
#CybersecurityPolicy
#DigitalResilience
#EUCompliance
#InnovationFunding
