Kit Digital Cybersecurity grants up to €29,000.

Cybersecurity is, alongside e-invoicing, the Kit Digital (Spain digitalization grant) category with the most real urgency for Spanish SMEs. Cyberattacks on small and medium-sized businesses have grown exponentially in recent years, and regulatory obligations regarding data protection and information security keep expanding. Kit Digital offers two specific cybersecurity categories with amounts ranging from €125 per device to €29,000 for advanced managed services.

The two Kit Digital cybersecurity categories

Cybersecurity for segments I, II and III

This category funds a managed cybersecurity service for 12 months that includes installation and configuration of antimalware on all company devices, continuous threat monitoring, vulnerability management and security updates, and basic incident response. The amount is €125 per device (up to 48 devices), which means a maximum of €6,000 for segment I companies.

Managed Cybersecurity EDR + MDR for segments IV and V

Segments IV and V access an advanced managed cybersecurity category that includes EDR (Endpoint Detection and Response) and MDR (Managed Detection and Response). This solution goes far beyond traditional antivirus: it incorporates advanced threat detection with artificial intelligence, automated incident investigation and containment, 24/7 monitoring with a managed SOC (Security Operations Center), basic forensic analysis and incident response. The amount reaches up to €29,000 for segment V, which allows the rollout of an enterprise-grade cybersecurity solution.

What your company needs: basic or managed cybersecurity

The decision between the two categories depends on the size of your company and its risk level. If your company has fewer than 50 employees and does not handle particularly sensitive information (health data, financial information, public sector data), the basic category provides adequate protection as a starting point.

If your company has more than 50 employees, operates in a regulated sector (healthcare, finance, public sector), handles personal data at scale or has suffered previous security incidents, the managed EDR + MDR cybersecurity category is the right choice. And if your company is a supplier to the public administration and needs to comply with the ENS (Spanish National Security Framework), this advanced category is practically indispensable.

How to justify the cybersecurity category

Justifying the cybersecurity category requires specific evidence that many beneficiaries are unaware of. The digitalization agent must provide evidence of installation of the antimalware or EDR software on every declared device, monthly monitoring reports proving the service has been active, a register of detected incidents and the response applied, evidence of updates and patches applied, and technical documentation of the security configuration implemented.

The most frequent mistakes in justifying this category are not being able to prove that the service has been active for the full 12 months, not having periodic monitoring reports, and declaring more devices than were actually protected.

Cybersecurity as an investment, not an expense

The average cost of a cyberattack on a Spanish SME exceeds €35,000, not counting reputational damage and customer loss. Compared with this risk, the investment financed by Kit Digital (which can be zero net cost for the company if the voucher covers the full service) is one of the most profitable decisions a business owner can make.

Furthermore, if your company needs to comply with GDPR, ENS or the upcoming NIS2 Directive, the investment in cybersecurity is not optional: it is a legal obligation whose breach can lead to significant penalties.

Preparing for new calls

Order TDF/39/2026 keeps the legal framework open for potential new Kit Digital calls funded by remaining budget. If your company was not a beneficiary of the cybersecurity category or needs to extend protection, we recommend performing a cybersecurity diagnosis to assess current risk level, identifying the technical solutions you need, selecting a digitalization agent specialized in cybersecurity and having all documentation ready to apply for the voucher as soon as a new opportunity opens.

In the meantime, financing alternatives include Kit Consulting (Spain advisory grant) in its cybersecurity category (for companies of 10 to 249 employees) and regional grants such as DigitalICE in Castilla y León or Digiempresas in Canarias.

See my article on Kit Consulting for cybersecurity and ISO 27001 to finance your security strategy.

Want to protect your company with Kit Digital cybersecurity grants? Let's talk. As a digitalization agent specialized in cybersecurity, I will advise you on the best solution for your risk level and prepare you for the next calls.

---

Authorship: Ángel Ortega Castro · independent consultant in strategy, quality and digitalization for SMEs.

Frequently asked questions

Who can apply?

SMEs, micro-enterprises and self-employed professionals with tax residency in Spain that meet size, seniority and eligibility requirements. Justifying the cybersecurity category requires specific evidence that many beneficiaries are unaware of.

What is the grant amount?

Maximum vouchers range from €125 per device (up to €6,000 in segment I) to €29,000 for advanced managed EDR + MDR cybersecurity in segment V.

What are the deadlines?

Each call publishes specific deadlines in the BOE; generally 6 months to formalize the agreement and 12 months to complete the engagement. This category funds a managed cybersecurity service for 12 months.

How is the grant justified?

Justification is filed in the official Red.es platform with technical rollout evidence, invoices and payment receipts. The most frequent mistakes are not proving 12 months of active service, missing monitoring reports, and declaring more devices than were actually protected.