When a Donegal food production company applied for the Enterprise Ireland Cyber Security Review Grant, its managing director expected a bureaucratic process and a generic report. What he received was a structured, expert-written assessment of every security gap in his operation — email security, backup procedures, access controls, supplier risk, remote working practices — with a prioritised action plan and named owners for each item. The total cost to his company was €600. The grant covered the remaining €2,400. The report then became the basis for a successful Stage 2 improvement grant application worth €47,000 in additional funding.
That experience is more typical than most Irish SMEs realise. This guide explains exactly how the scheme works, who qualifies, and what happens during the review itself.
How the Two-Stage Scheme Works
The Enterprise Ireland Cyber Security Review Grant is Stage 1 of a two-stage pipeline. Stage 1 is a structured, independent expert assessment of your security posture, funded at 80% by Enterprise Ireland. Stage 2 — the NCC-IE Cyber Security Improvement Grant — funds the remediation work identified in Stage 1, at up to 80% of costs and a maximum of €60,000. You cannot access Stage 2 without completing Stage 1. The government designed it this way deliberately, so that improvement funding is spent on the right priorities rather than guesswork.
For Stage 1, the total project cost is fixed at €3,000. Enterprise Ireland covers €2,400. Your business pays €600. The project must use a qualified cybersecurity consultant who holds at least one of the following certifications: CISA (Certified Information Systems Auditor), CISSP (Certified Information Systems Security Professional), or CISM (Certified Information Security Manager). Not every IT company qualifies. Only consultants with these specific credentials can deliver a grant-eligible review.[^1]
What the Review Covers
The review examines 14 areas aligned to the NCSC Ireland's CyFUN Cyber Fundamentals Framework. These are not abstract categories — they are the specific areas where Irish SMEs are most commonly compromised: software updates and patch management, data backups and recovery testing, access management and multi-factor authentication, antivirus and endpoint protection, network security and firewall configuration, device management including mobile devices, cloud service configuration and risk, data security and handling procedures, website and social media security, remote working controls, third-party and supply chain risk, cyber awareness training for staff, incident response and business continuity planning, and cyber governance.
The output is a written report that rates your current cybersecurity level across each area, identifies specific vulnerabilities, ranks remediation actions by priority and business risk, assigns named owners within your company for each action, and provides time and cost estimates for remediation. This is the document that unlocks Stage 2 funding — it must include a formal Risk Score calculated by the consultant according to the NCSC framework.
Who Is Eligible
To qualify for Stage 1, your business must be a current Enterprise Ireland client with an assigned development advisor, and must be an Irish-registered company engaged in export-oriented or tradeable activities. If you are not currently an Enterprise Ireland client, you can apply through the Enterprise Ireland website — the process typically takes two to four weeks to establish a client relationship.
For businesses that are not Enterprise Ireland clients — typically micro-enterprises with fewer than 50 employees — the Local Enterprise Office Grow Digital Voucher is an alternative. This covers 50% of eligible cybersecurity costs up to €5,000 and is administered through your local LEO office. Contact your LEO to discuss the Digital for Business prerequisite that is required before applying.
Not sure whether your business qualifies for the Enterprise Ireland grant or the LEO voucher? Book a free 20-minute strategy call — we will confirm your eligibility, walk you through the application process, and deliver the review as a certified consultant, holding all three required certifications.
How to Apply for Stage 1
The application process is straightforward and typically takes one to two weeks for approval. Contact your Enterprise Ireland development advisor to request the grant — or apply directly through the Enterprise Ireland website at enterprise-ireland.com/cybersecurityreview. You will receive a Letter of Offer by DocuSign, and work can only begin and costs can only be incurred after this letter is issued. Once the review is complete, you submit your claim within six months of the Letter of Offer date along with the completed report and proof of payment. Enterprise Ireland reimburses the 80% grant within a few weeks of a successful claim.
An Garda Síochána's Garda NCCB has documented the types of incidents that the review is designed to prevent: ransomware entering through unpatched systems, credential compromise through absent MFA, payment fraud through inadequate staff training, and data breaches through poorly configured cloud services.[^2] The review addresses all of these systematically.
The Stage 2 NCC-IE Improvement Grant
After completing Stage 1 and receiving the formal report with its Risk Score, your business becomes eligible for the NCC-IE Cyber Security Improvement Grant — a substantially larger fund administered by the NCSC Ireland through the National Cybersecurity Coordination and Development Centre Ireland.
This grant covers 80% of the cost of implementing the priority recommendations from your Stage 1 report, with a minimum project cost of €25,000 and a maximum grant of €60,000. The 2024–2025 round awarded €1,806,405 to 52 Irish SMEs. A new round is expected in 2026, consistent with the government's February 2026 National Cyber Security Strategy commitment to targeted SME funding.
Procurement rules apply — you must obtain at least three written quotes for work under €50,000, or run an open tender process for larger projects. VAT is not covered by either grant.[^3]
Why This Matters for Your Board
Under NIS2, Irish directors have personal accountability for cybersecurity governance. The Enterprise Ireland Cyber Security Review Grant is one of the most cost-effective ways to demonstrate that your organisation is taking cybersecurity seriously. The Stage 1 report produces exactly the kind of structured, independent assessment that regulators and enterprise clients expect to see — a documented baseline, a prioritised action plan, and a clear governance trail that shows the board is fulfilling its oversight obligations.
For a business that has been putting off a proper security review because of cost, the grant eliminates the main barrier. A net cost of €600 to your business — with 80% covered by the state — is the most accessible entry point into structured, expert-led cybersecurity improvement available to Irish SMEs today.
What Next: Three Actions This Month
First, confirm your Enterprise Ireland client status this week. Contact your regional development advisor or visit the Enterprise Ireland website. The North-West regional office covers Donegal and surrounding areas. If you are already a client, request the Cyber Security Review Grant directly from your development advisor.
Second, choose a qualified consultant who holds the required certifications before applying. Confirm that your chosen consultant holds CISA, CISSP, or CISM — and holds them personally, not as a company claim. Pragmatic Security holds all three certifications and has delivered grant-funded reviews across multiple Irish sectors.
Third, act before the next NCC-IE grant round opens. Businesses that have completed Stage 1 will be positioned to apply for Stage 2 funding immediately when the next round opens. Those that have not will be starting from scratch while the budget fills. Given the government's commitment to expanding SME cybersecurity funding in 2026, the time to complete Stage 1 is now.
[^1]: NCSC Ireland — Advice for Organisations [^2]: An Garda Síochána — Cybercrime [^3]: Data Protection Commission Ireland
Related Reading
- Every Cybersecurity Grant Available to Irish SMEs in 2026
- NIS2 Compliance Checklist for Irish SMEs
- What Is a vCISO and Why Do Irish SMEs Need One?
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.