On the rise of cyber cascade

Why regulation, not hype, is driving cybersecurity cascade funding, and what that means for how you write.

Cybersecurity cascade funding has grown for a reason that makes it unusually durable: regulation, not fashion, is driving it. The Cyber Resilience Act and NIS2 turned security from a competitive nice-to-have into a legal obligation for whole categories of products and operators. EU programmes, Digital Europe and the European Cybersecurity Competence Centre among them, have followed with cascade and FSTP calls aimed squarely at SME uptake. Demand rooted in law does not evaporate when a hype cycle ends; it compounds as deadlines approach.

For applicants, the implication is specific, and most miss it. Evaluators in these calls are not looking for the most novel security tool. They are looking for the clearest line from your capability to a named compliance gap the call exists to close. The strongest applications read like compliance arguments: they name the regulation, the obligation it creates, the actors it affects, and exactly how the proposed work closes the gap. The weakest read like product brochures, feature after feature, with the regulatory "so what" left for the evaluator to infer.

The written rigour is the same as any Horizon programme. What is call-specific is the framing. If your work helps an SME or an operator meet an obligation it cannot currently meet, say that first, say it plainly, and let everything else support it.

From our practice · Eucade