Grants to promote the digital enterprise in Navarra

The Government of Navarra has an open call to fund the digitalisation of companies, and cybersecurity is fully part of it: it covers up to 80% of a Master Plan. We explain what it is and how it affects your security, and we walk through two examples with figures.

Cybersecurity is funded too

Protecting a company has a cost, but a good part of that investment can be financed with public funds. In Navarra there are grants for company cybersecurity: an open call, designed for exactly that, which rewards the thing that brings the most order to your security: having a plan.

What this call is

These are the Grants to promote the digital enterprise from the Government of Navarra, a grant for the digital transformation of companies that fully includes cybersecurity. They are aimed at SMEs, sole traders, companies, cooperatives, foundations and associations with an establishment in Navarra and registered for the IAE business tax. The public sector and some primary sectors are excluded. The maximum grant is 30.000 € per company, and applications are resolved in order of submission until the available budget is exhausted.

There is one operational detail worth understanding well, because it changes how you plan it: it is not a discount on the invoice, it is a reimbursement. The company contracts, carries out and pays for the project in full, and the grant arrives afterwards, once justified, provided the application falls within the budget and meets the requirements. First you pay, then you recover. That is why applying as early as possible and keeping the documentation impeccable carries so much weight.

2026 call. Application period from 19 May to 6 November 2026. Maximum grant of 30.000 € per company. Projects must be completed and paid for at the time of applying. Data updated to June 2026; before deciding, confirm the current terms on the official Government of Navarra page.

How this affects your cybersecurity

What is interesting about this grant is not just the money, it is that it pushes you to do things in the right order. First you put things in order: a Master Plan that looks at your organisation, identifies the risks and decides what to protect and in what order. Then you execute: the actions that plan prioritises. And it turns out the call funds both phases, with the highest intensity right in the first one.

Put another way, the plan stops being an expense and becomes the key to the rest: it is funded at 80% and, on top of that, it opens the line that funds what the plan itself recommends.

The lines that matter to you

The call has several modalities. These are the ones that matter for a cybersecurity project, with their grant intensity:

| Line | What it is for | Grant |
| --- | --- | --- |
| Type C.1 | Advice to draw up the plan (digital transformation or cybersecurity) | 80% |
| Type B | Cybersecurity actions included in that plan | 45% |
| Type A.2 | Deploy solutions with the plan already underway | 40% |
| Type A.1 | Deploy solutions without a prior plan | 35% |
| Type C.2 | Train your team in digital skills | 90% |

The reading is clear: the most rewarding path starts with the Master Plan in line C.1, at 80%, and continues with the actions in line B, at 45%.

An example: your Master Plan, almost covered

A cybersecurity Master Plan fits as a Cybersecurity Plan in the advice line, with an intensity of 80% and a maximum eligible expense of 7.500 € per plan. With those numbers, it looks like this:

Cybersecurity Master Plan · line C.1 at 80%
What you pay and carry out: 7.500 €
Grant you can recover (80%): 6.000 €
Effective cost after the grant: 1.500 €

You pay the 7.500 € and, if your application falls within the budget and meets the requirements, you recover 6.000 € in the reimbursement. The real cost of the plan stays at 1.500 €.

And what the plan recommends is funded too

Here is the other half of the move. The actions the plan identifies, for example a pentest, are funded in line B at 45%, provided they are included in the plan you have just made. With a pentest of 9.000 €, a realistic amount for a test with serious scope, the calculation is this:

Pentest included in the plan · line B at 45%
What you pay and carry out: 9.000 €
Grant you can recover (45%): 4.050 €
Effective cost after the grant: 4.950 €

To go through this line, the pentest must be included in the plan. That is why the order matters: first the plan, which opens the door, and then the actions it prioritises.

2026, a good moment to do the Master Plan right

Two reasons come together right now. The first is the grant: it is open and covers 80% of the plan, but on a first-come basis and with a closing date. The second is regulation, which no longer leaves cybersecurity as something optional, with NIS2, DORA, the ENS for working with the public administration and the Cyber Resilience Act knocking at the door.

That is why it is worth not making a generic plan, but one aligned with the framework that actually applies to you. A plan like that does not end up as a PDF: it leaves you on track to comply and to certify, and it makes every action you fund afterwards add up in the same direction.

Aligned with the framework that applies to you

Depending on your activity, the plan is anchored to one framework or another. If your focus is the company's information systems and you want a certifiable management system, the reference is ISO 27001. If you have industrial environments or OT operations, the framework is IEC 62443. If you work with the public administration or are its supplier, yours is the ENS. And if you manufacture or sell products with digital components, the horizon is the European Cyber Resilience Act. The Master Plan is the point where it is decided which of them takes the lead and how the path towards it is ordered.

How we support you

At Meta-Data we do the full journey. We draw up your cybersecurity Master Plan aligned with the framework that applies to you, we leave it ready to fit into the call's advice line and, from there, we execute the actions the plan itself prioritises, from a pentest to whatever is needed.

And since the grant arrives as a reimbursement, justifying carries as much weight as doing. That is why we also support you in that part: we prepare the technical report and the project evidence so the documentation is solid and the application goes out with the maximum guarantees. You choose the project, we remove the friction for you.

Let's talk about your Master Plan

If you want to take advantage of the call, we plan it with you, from the diagnosis to the justification. Tell us about your case and we will tell you where to start.

Notice. This article is informative and reflects the 2026 call as of June 2026. The fit of each expense into one line or another, the amounts and the deadlines are set by the official call and its assessment. Always confirm the current terms before making decisions.

Frequently asked questions

Who can apply for this grant?

SMEs, sole traders, companies, cooperatives, foundations and associations with an establishment in Navarra and registered for the IAE business tax. The public sector and some primary sectors are excluded.

Does the company pay first or is the grant deducted?

You pay and carry out the project in full, and the grant arrives afterwards as a reimbursement, provided your application falls within the available budget and meets the requirements. That is why it pays to apply early.

Do I need a Cybersecurity Plan to fund a pentest?

To go through the 45% line, the action must be included in the plan. That is why it makes sense to start with the Master Plan: it is funded at 80% and opens the door to the rest.

Will you help me with the application and the justification?

Yes. We draw up the Master Plan and the actions, and we prepare the technical report and the project evidence. Since the grant arrives as a reimbursement, a solid justification is key to collecting it.