Financial support provided by the National Coordination Centre improved the cybersecurity of companies

Information security now!

Published 11.02.2025 14:16

In the period 2023–2024, the National Coordination Centre of Traficom’s Finnish Cyber Security Centre granted a total of approximately EUR 2 million in financial support to micro-enterprises and SMEs for the implementation of state-of-the-art information and cyber security solutions and innovations. According to an assessment of the impacts of the financial support prepared by 4Front Oy, the support had significant impacts on the cyber security of the financial support recipients. In addition, the financial support can be expected to have a positive impact on national cyber security capacity, for example through the financial support recipients’ customer relationships and supply chains.

In 2023–2024, a total of about EUR 2 million in financial support was granted to 50 microenterprises and small and medium-sized enterprises. Half of the total financial support budget (approx. EUR 1 million) was granted to small enterprises (<50 employees), EUR 500,000 to medium-sized enterprises (<250 employees) and EUR 500,000 to micro enterprises (<10 employees). A total of 187 applications were received, and the total amount of financial support applied was around EUR 7 million. The support granted ranged from EUR 6,622 to EUR 60,000 per project. The financial support covered a maximum of 75% of the total project costs. The average size of the projects was approximately EUR 40,000.

Kuvio 4. Myönnetty rahoitustuki ja tuettujen projektien määrä yrityskoon mukaan. Lähde: Traficom — Figure 4. Financial support granted and the number of supported projects by company size. Source: Traficom

Of the financial support recipients, 44/50 replied to a questionnaire for financial support recipients carried out in connection with the assessment. Based on the survey, the projects aimed to solve a wide range of information security and cyber security challenges. Their goals were most commonly related to data protection (e.g. customer data, such as health data, trade secrets, financial transactions, critical infrastructure, other sensitive personal data), network security and administrative security. Approximately 55% of the respondents reported that the project also aimed to improve the security of their device or operational technology.

Kuvio 11. Kysymys: Millaisiin toimintoihin projektissa toteutettu tieto/kyberturvan parantaminen kohdentuu (suoraan tai välillisesti asiakkaiden kautta)? n=44 (N=50) Lähde: Kysely tuen saajille — Figure 11. Question: What types of activities will the project's information/cyber security improvements focus on (either directly or indirectly through customers)? n=44 (N=50) Source: Survey for financial support recipients

According to the assessment, the financial support succeeded in achieving the objectives set for it and its direct impacts on the recipients were assessed as significant. The objectives of the financial support included strengthening the applicant companies’ own capabilities to protect themselves against information and cyber security threats and to strengthen national cyber security capacity. The majority of the financial support recipients operate in the ICT, health, digital services and digital infrastructure sectors. Beneficiaries report that they have an indirect effect on sectors considered critical for society, for instance through their customer relationships and supply chains. As a result, financial support can also be assessed to have a wider positive impact on society.

Kuvio 25. Kuvattuna sektoreittain tuen vaikutuksia suorasti sekä epäsuorasti. Kysymys: Toimiiko 1) organisaationne jollain seuraavista toimialoista tai 2) vaikuttaako toimintanne välillisesti näiden toimialojen organisaatioiden tietoturvaan (esim. asiakkuuden kautta)? n=44 (N=50). Luokittelu perustuu NIS2-säädöksen kriittisten toimialojen luokitteluun. Lähde: Kysely tuen saajille — Figure 25. A breakdown of the direct and indirect impacts of the financial support by sector. Question: 1) does your organisation operate in one of the following sectors or 2) do your activities have an indirect impact on the information security of organisations in these sectors (e.g. through a customer relationship)? n=44 (N=50). The classification is based on the division of critical sectors in the NIS2 Directive. Source: Survey for financial support recipients

In view of the short-term results, approximately 80% of the survey respondents estimated that the project had improved the company’s ability to react to threats, increased information security awareness throughout the organisation and enabled the development of information security while paying attention to the enterprise architecture. By integrating cyber security into the enterprise architecture, companies create a coherent, efficient and resilient environment that not only protects their assets but also supports strategic growth and compliance and promotes positive security impacts on the companies’ networks. 77% of the respondents reported that, during the project, they had introduced automated systems to detect threats. 65% also reported having updated their information security processes and operating principles, and nearly 60% reported having organised information security training for their personnel. Although the results of the measures appear to be comprehensive and thorough, only 40% reported that they had carried out information security audits and assessments during the project.

The fact that 82% of the respondents reported that the project helped them identify new development needs related to information security serves as a good prediction of the long-term impacts of the financial support and a change in the recipients’ mindset. Around 60% of the respondents also mentioned that they are now better equipped to comply with regulations and standards such as NIS2 and GDPR. Half of the respondents reported that they had succeeded in reducing the number of cyber incidents.

Previous experience in impact assessments shows that financial support is more effective when complemented with non-monetary support, such as technical and expert support. This impact assessment suggests that, in addition to financial support, the recipients should be offered technical support and platforms for sharing the best practices with other organisations.

According to the assessment, financial support with a required own contribution is typical and likely to be the most appropriate support instrument in view of the objectives. However, the current annual financial support budget (EUR 1 million is insufficient to solve the challenges related to information and cyber security in Finnish companies. The volume is considered appropriate as an allocated support and incentive to address specific identified challenges. Meanwhile, an individual sum of financial support (max. EUR 60,000) could also be equally effective if the sum was smaller (e.g. EUR 20,000), which would allow granting financial support for a larger number of companies and possibly increase the impacts of the support.

The market impact of the financial support has been limited. The financial support has generated a demand for IT services amounting to approximately EUR 0.9 million. Typically, the funded projects involved the procurement of information security solutions from multinational companies, and to integrate them, consultancy services were purchased from Finnish IT service companies. As a result, the financial support increases the demand for domestic services to some extent, but the introduced solutions were mainly products and services of multinational companies. The estimated total value of the Finnish cybersecurity market is EUR 1.3 billion and the sector is increasingly focused on services. The global market for cybersecurity products and services was estimated to amount to EUR 160 billion in 2023 and is expected to grow by EUR 523 billion by 2032.

The survey sent to the beneficiaries also examined the financial support recipients’ satisfaction with the financial support amount and terms and the processes for granting the financial support. The recipients reported that the financial support amount was adequate and the terms and that the financial support terms and the application process were appropriate. The tight schedule for using the financial support was considered the biggest challenge, which was also visible to the funding authority in that the financial support recipients reported that the costs incurred in the project were lower than planned.

The impact assessment was used to measure the impact of an EU-funded project granted to the National Coordination Centre of Traficom’s Finnish Cyber Security Centre. The results can also be utilised in other call rounds for financial support that may be arranged in the future.

The impact assessment and its abstract are available on the Traficom website (External link).

More information: ncc-fi@traficom.fi

4Front Oy carried out an impact assessment for the National Cyber Security Centre on the financial support granted by the National Coordination Centre in the period 2023–2024. The impact assessment was carried out using a theory-based approach (Theory-of-change), and the material used included data obtained from call and funding documentation, a survey for financial support recipients, expert interviews, a research review, and a validation workshop.

The National Coordination Centre was granted financial support from the Digital Europe Programme, of which Traficom’s National Cyber Security Centre granted a total of EUR 2 million to third parties in the period 2023–2024. The financial support was primarily used to strengthen SMEs’ own capabilities and Finland’s national capacity and infrastructure to protect against cyberattacks.

More information about the financial support: Nationally granted financial support (External link)