HORIZON-CL3-2026-02-CS-ECCC: Cybersecurity Topics in Horizon Europe 2026-2027
An open single-stage Horizon Europe call managed by the ECCC that funds cybersecurity innovation in software security, AI robustness, and post-quantum cryptography through three topics with a EUR 56.2 million indicative budget.
HORIZON-CL3-2026-02-CS-ECCC: Cybersecurity Topics in Horizon Europe 2026-2027
The European Cybersecurity Industrial, Technology and Research Competence Centre (ECCC) has an open Horizon Europe call under the Civil Security for Society destination: HORIZON-CL3-2026-02-CS-ECCC. It is published as a multi-topic, single-stage call with an indicative budget of EUR 56.2 million and a deadline of 15 September 2026, 17:00 CEST.
This is a significant opportunity for consortia building strong European and globally relevant cybersecurity research and innovation proposals. It is especially useful for organisations that can partner across hardware, software, secure AI, cryptography, certification, and digital trust domains. The call includes three topical areas and is designed for teams that can deliver applied research and prototyping with real user/system impact.
Key details at a glance
| Field | Details |
|---|---|
| Program | Horizon Europe 2026-2027, Civil Security for Society |
| Opportunity code | HORIZON-CL3-2026-02-CS-ECCC |
| Implementer | ECCC |
| Status | Open (published 3 March 2026) |
| Opening date | 3 March 2026 |
| Deadline | 15 September 2026, 17:00 CEST |
| Deadline model | Single-stage |
| Total indicative budget | EUR 56.2 million |
| Topics | 3 topics |
| Topic 1 budget | EUR 20 million |
| Topic 2 budget | EUR 21.2 million |
| Topic 3 budget | EUR 15 million |
| Source page | ECCC funding opportunities page |
| Submission route | Funding and Tenders portal (call documents linked from ECCC page) |
| Source of official criteria | Official call documents on EU portal |
What this opportunity is (and what it is not)
This is not a general-purpose scholarship or fellowships program. It is a research and innovation funding call for project proposals in cybersecurity. The ECCC framing makes the emphasis explicit: the call supports the development of practical tools, methods, and systems to reduce cyber risk in software, hardware, AI, and cryptography.
The opportunity sits inside Horizon Europe, and its themes reflect both immediate operational needs and longer-term security architecture concerns. It focuses on three areas:
- Approaches and tools for software and hardware security and assessment (EUR 20m)
- Security, privacy, and robustness of AI models and systems (SecureAI) (EUR 21.2m)
- Advanced post-quantum cryptography and high-assurance fast cryptographic implementations (EUR 15m)
Because this is a single call with one deadline, teams should treat it as one coherent opportunity and decide which topic gives the strongest technical advantage for their collaboration.
Topic-by-topic interpretation
1) Software and hardware security and assessment
The first topic is targeted at improving security across the lifecycle of software and hardware. The ECCC call describes the type of outputs expected: tools and processes that can strengthen supply-chain security, secure design, secure development flows, and assessment methods that can feed into certification-like rigor.
What the topic text is practically asking for:
- security-by-design patterns and methods that can be embedded early,
- stronger supply-chain assurance and root-of-trust approaches,
- trusted chip and platform design work,
- testing, validation, and formal verification methods,
- hardware security assessment frameworks and potentially standards-informed outputs.
A strong project under this topic is usually interdisciplinary: hardware architects + secure firmware/software engineers + compliance/legal expertise often together produce proposals with higher credibility. Teams with operational pilots from semiconductor, industrial control, telecoms, or cloud infrastructure generally score well when they define measurable impact.
2) SecureAI: security, privacy, and robustness of AI systems
The second topic is large and strategically visible because it sits at the intersection of AI governance and security engineering. The publication explicitly mentions resilience against adversarial attacks, backdoors, and data poisoning, with a clear line toward practical AI deployment scenarios.
What a competitive idea often needs here:
- threat models that are specific (e.g., model inversion, model extraction, model corruption, prompt/data contamination scenarios),
- measurable robustness metrics and evaluation methodology,
- mitigation techniques with reproducible validation,
- privacy-preserving AI methods where appropriate,
- practical integration with AI Act-aligned governance expectations.
This is not just “build AI security theory.” It is expected to create demonstrable protections that reduce risk for real systems. The call language explicitly references robust federated learning and real-time anomaly detection, which hints that implementations with operational relevance are favoured over purely conceptual outputs.
3) Post-quantum cryptographic foundations and high-assurance implementations
The third topic is forward-leaning and strongly aligned with infrastructure modernization and national security concerns. It expects high-assurance cryptographic approaches that are useful for secure wallet-like ecosystems, entity authentication, and communication over insecure channels.
Key practical implication:
- teams should propose implementation-oriented cryptographic components,
- provide evidence that performance and security trade-offs are considered,
- show how solutions can be integrated into real-world software/hardware flows,
- include formal verification or strong assurance arguments where possible.
Because this topic has a clear technical emphasis, consortiums that can combine academic cryptographers, protocol engineers, and industrial deployment partners usually have clearer execution plans.
Who this call fits best
The opportunity is best for organisations that can operate in a consortium model. Although the source page on its own only states the official implementation path and topics, Horizon Europe-style calls typically benefit from multi-partner collaboration because the work spans development, validation, and deployment domains.
Strong-fit profiles:
- universities/research organisations proposing novel methods,
- cybersecurity SMEs with prototyping capacity,
- industrial firms with real deployment environments,
- system integrators who can show transfer-to-market pathways,
- national or regional networks with prior EU program experience.
Commonly under-served profiles in many proposals are solo proposals with limited validation capacity and projects that list excellent science but no credible implementation roadmap.
Eligibility and administrative prerequisites
The ECCC page explicitly points teams to the official Funding & Tenders portal for full criteria and documents. The safest interpretation is:
- Treat this as an EU institutional participation process with official call documents as binding,
- Validate eligibility requirements before starting final draft writing,
- Check participant types, cost models, and legal entity eligibility.
Because the specific line-by-line eligibility text is on the portal and not fully replicated on the ECCC summary page, use a two-step compliance method:
- Pre-screen all partners against the call docs for legal status, residence, country coverage, and consortium composition constraints.
- Map each budget line to eligible cost categories and assign accountability before writing technical sections.
Any unknown eligibility point should be treated as unresolved until the portal documents are confirmed. In a strong application process, teams keep a dedicated “eligibility evidence sheet” with signed institutional declarations, legal registration details, and participant roles tied to work packages.
Application workflow and timeline planning
The call has one opening and one deadline window, which helps planning:
- published: 3 March 2026,
- open: 3 March 2026,
- single-stage submission deadline: 15 September 2026 at 17:00 CEST.
A practical build plan:
March–April 2026: topic selection and partner alignment
- Select one primary topic and one alternate based on capability.
- Confirm where evidence can be produced by September.
- Form partner consortium with clear roles in research, engineering, validation, and project management.
April–May 2026: concept refinement
- Draft technical objectives and impact statements.
- Define expected outputs and measurable deliverables.
- Confirm whether the project scale fits topic budget boundaries and likely award levels.
June 2026: draft technical package
- Prepare full description, methodology, milestones, risks, and dissemination plan.
- Define work packages so evaluation criteria can be addressed directly.
July–August 2026: compliance and budget lock-in
- Finalize legal/compliance annexes.
- Align cost model, consortium statements, and declarations.
- Run a pre-submission compliance audit.
By 15 September 2026
- Submit only once through official channel with all required files.
Applicants often underestimate timing; most problems come from late legal/budget validation, not from technical writing.
Required materials and application package expectations
The call page does not publish a full package list by itself, but calls under this model usually require clear project narrative, participant roles, budget tables, and risk/impact sections. Build with a conservative “complete dossier” mindset:
- coherent project summary aligned to one topic only,
- technical work plan with milestones and outcomes,
- consortium agreement readiness,
- budget justification by partner and work package,
- dissemination and exploitation plan,
- data management and IP strategy,
- compliance evidence and required institutional registrations.
Before final submission, do a “document integrity” pass to remove missing references, inconsistent acronyms, and unresolved claims. Proposals rejected at final stages are often technically strong but fail in structure and validation.
How this call is usually evaluated
The specific scoring grid is in the portal documents, but the call’s wording strongly suggests evaluation quality on four practical dimensions:
Technical relevance to the chosen topic
- direct match to defined cyber issues,
- clear problem framing tied to actionable outputs.
Scientific and engineering quality
- novelty, rigor, and feasibility,
- realistic architecture and validation approach.
Societal/economic security impact
- contribution to safer software/hardware ecosystems,
- potential EU-wide relevance,
- resilience implications.
Implementation and sustainability
- work package quality,
- partner competence,
- exploitation and uptake route.
A winning proposal typically explains why its approach will move beyond research reports into deployable systems.
Common mistakes and how to avoid them
Trying to serve all topics at once
- Pick one primary topic and keep it coherent. A broad “spread” often looks unfocused.
Weak deployment path
- Especially in cybersecurity, reviewers look for how outputs are tested and transferred.
- Include concrete pilots, testbeds, and integration points.
No measurable outcomes
- Define success metrics from day one: detection rates, false positives, latency, compliance impact, assurance coverage, etc.
Eligibility assumptions without confirmation
- Never assume country/type constraints or cost limits; verify in official documents.
Poor integration between technical and budget logic
- If budget language does not map to work packages, reviewers perceive weak feasibility.
Underestimating post-submission compliance burden
- Keep legal/finance docs aligned to submission timing, not after.
Reviewer expectation checklist before you press submit
- Is the proposal tightly mapped to one of the three topics and not a generic cybersecurity project?
- Are security threats/risks explicitly modeled and measurable?
- Does the consortium include roles for implementation, validation, and transition?
- Are cryptographic and AI sections technically deep but not disconnected from deployment?
- Can each work package justify requested resources?
- Are all mandatory fields in the official portal form prepared before submission window closes?
If the answer to several items is “not yet”, use the extra time to strengthen before finalization.
Practical next steps for teams
For industry-led teams
- Position the project around implementation needs in production environments.
- Emphasize measurable security gains and deployment complexity reduction.
- Ensure partners cover testing, threat-modeling, and operations.
For research-led teams
- Convert methods into applied outputs with a clear adoption path.
- Keep at least one industrial testing or pilot anchor.
- Build legal/IP and exploitation sections early so proposals are not rejected for weak transfer readiness.
For mixed academic-industry consortia
after choosing one topic, define governance so scientific novelty and deployment priorities are balanced at each work package level. If these teams present integrated ownership, they often perform better in evaluation than teams where roles are fragmented.
Why this remains relevant for 2026-2027 funding cycles
This call is tagged under the 2026-2027 Horizon Europe framework, making it directly relevant for organisations planning longer innovation pipelines. The deadline is within this cycle and still open as of today’s metadata date, so the window is practical, not archival. The focus on AI robustness and post-quantum direction also aligns with current strategic priorities in regulation, critical infrastructure, and enterprise security modernization.
The call’s structure (single-stage with multiple connected topics) is useful for teams that can focus quickly and avoid broad thematic drift. For those already building secure AI or cryptographic systems, this is likely one of the most directly aligned EU-level funding opportunities available in 2026.
FAQ
Is this call limited to one country?
No official country-specific restriction is shown on the ECCC summary page itself, but the call is under Horizon Europe and the Funding & Tenders portal documents govern eligible participation. Check those documents to confirm country, organisational, and collaboration requirements.
Is the full amount guaranteed for one project?
No. EUR 56.2 million is indicative for the full call across three topics. Actual award amount depends on proposal quality, competitiveness, and available budget.
Can teams submit more than one proposal?
The call is single-stage and topic-based; teams should avoid spreading effort across too many topics unless the consortium strategy is clearly justified. Submitting multiple proposals may increase administrative complexity and can weaken quality.
Is this only for security companies?
No. The call is open to proposals with relevant capability profiles. Academic and industrial collaborations are common for this type of Horizon call.
Where do I submit?
ECCC directs applicants to the EU Funding and Tenders portal for documents and submission details.
Official links
- Primary opportunity page (ECCC): HORIZON-CL3-2026-02-CS-ECCC
- Official call documents hub (as linked from ECCC): EU Funding & Tenders portal
- Work programme context: Horizon Europe 2026-2027 Civil Security for Society
Next action
Before writing, verify the current portal status and download the call documents now. Confirm the budget tables and submission forms exactly as required for your selected topic. Because this is a live single-stage call, the safest path is early compliance and topic discipline.