Ask our AI-chatbot
Apply now

Cyber security and resilience in the energy sector in the Nordic region

Important dates

04 Sep 2025

Webinar

30 Oct 2025

Webinar

Mid-February 2026

Response to application

01 Mar 2026

Earliest permitted project start

01 Jun 2026

Latest permitted project start

30 Nov 2026

Latest permitted project completion date

Important dates

Purpose

The aim of the call is to enhance cybersecurity resilience in the energy sector across the Nordic region through cross-border collaboration and innovation.  

We are looking for projects that aim to close the skills gap and strengthen the energy sector’s ability to detect, prevent and respond to increasingly complex cyber threats - especially across IT/OT systems. 

About the call for proposals

On behalf of the CRESCENDO initiative, the Research Council of Norway welcomes applications for projects aimed at strengthening cybersecurity resilience across the Nordic energy sector. With a focus on cross-border collaboration, innovation, and capacity building, this call targets the unique cybersecurity challenges faced by energy organisations, particularly of IT and OT systems. 

We will fund high-impact projects that deliver tailored cybersecurity services, address critical skills gaps and help align industry practices with EU frameworks, such as the NIS Directive and the Critical Entities Resilience (CER) Directive. Projects should demonstrate practical value and potential for adoption across the energy sector. 

Background 

The energy sector is facing growing cybersecurity challenges. Highly connected and increasingly digital, even small, local operations can trigger large-scale consequences across national borders. As Europe accelerates its green transition, the need for secure, reliable, and resilient energy systems has never been more urgent. 

CRESCENDO puts the Nordic region in the spotlight,not just for its advanced and diverse energy systems, but for its unique potential to drive innovation in cybersecurity. With energy production spanning hydropower, wind, offshore, nuclear and solar power, the region offers a real-world testbed for securing complex and decentralised infrastructures.  

Importantly, the Nordic countries bring a proven culture of cross-border collaboration, high trust and shared policy implementation, creating a strong foundation for piloting innovative solutions. Their heterogeneous environments expose a wide range of vulnerabilities, making lessons learned here highly relevant for Europe's broader energy landscape. The Nordic electricity system, among the most digitalised in the world, offers a unique opportunity to develop and test forward-looking solutions. Proposals may leverage this position to create models and practices with potential for replication across Europe. 

By addressing these challenges through research and innovation, CRESCENDO aims to deliver insights, tools, and approaches that strengthen cybersecurity across Europe,supporting the green transition and securing our shared energy future. 

Thematic framework 

We invite applicants to consider one or more of the following aspects in proposals: 

Risk Assessments 

  • Development of tailored risk assessment methodologies that address the unique characteristics of IT/OT convergence in Nordic electricity grids and production systems. 
  • Frameworks for assessing the impact of cyber incidents on grid reliability, safety, and continuity of service. 
  • New tools and metrics for evaluating cyber maturity in OT environments, including legacy systems. 
  • Sector-specific risk scenarios that incorporate geopolitical, supply chain, and technological dependencies. 

Security testing 

  • Safe and controlled testing methodologies for conducting penetration testing on operational environments without disrupting live grid operations. 
  • New tools and techniques designed specifically for simulating cyberattacks against OT protocols and ICS components. 
  • Validation environments (such as "digital twins") that enable realistic testing of cyber-physical attack vectors. 
  • Guidelines and standards for integrating penetration testing into regular security audits and compliance processes in the energy sector. 

Threat Modelling 

  • Threat modelling approaches that reflect the hybrid nature of cyber-physical systems and the cascading effects of OT compromise. 
  • Updated threat intelligence models tailored to the evolving tactics of adversaries targeting energy infrastructure (e.g., APTs, ransomware-as-a-service). 
  • Dynamic threat modelling tools that adapt to system changes, configurations, and newly discovered vulnerabilities. 
  • Methods for incorporating insider threats, human error, and social engineering into technical threat models. 

Expected impact and outcomes 

We encourage you to develop proposals that directly respond to the critical vulnerabilities and needs of today’s digitalised electricity systems in the Nordic region. The focus of this call lies at the intersection of Information Technology (IT) and Operational Technology (OT).

Modern electricity grids rely increasingly on smart technologies, IoT devices and remote management. This digital transformation not only creates more efficiency but also introduces serious cybersecurity risks. Where OT systems once operated in isolated environments, they are now deeply integrated with IT networks — exposing critical physical infrastructure to digital threats. 

We seek projects that address this evolving threat landscape and propose concrete, scalable solutions for hybrid scenarios and malicious cyberattacks, such as Advanced Persistent Threats (APTs), ransomware and supply chain vulnerabilities. 

Projects that receive funding are expected to: 

  • Enhance cyber resilience, especially among small and medium-sized enterprises (SMEs), reducing vulnerabilities and risk of cascading failures in the energy grid. 
  • Support the adoption of practical cybersecurity tools such as OT monitoring, penetration testing, and risk assessments. 
  • Develop critical IT/OT competencies and close existing skills gaps through targeted capacity building. 
  • Improve preparedness and response capabilities by integrating cybersecurity into emergency planning and joint exercises. 
  • Promote alignment with NIS and CER directives, ensuring compliance and strengthening regulatory readiness. 
  • Facilitate cross-border collaboration, knowledge sharing, and co-creation of scalable, repeatable cybersecurity solutions. 

We are seeking projects with a strong connection to practical application. We therefore encourage you to include hands-on exercises, tests or other applied components. The use of Cyber Range infrastructures is also welcome in this call of proposals. 

The call for proposals is available in English only. The English call text is legally binding.

European Union logo

Who is eligible to apply?

Eligible applicants include consortia of at least two entities, consisting of: 

  • One cybersecurity organisation 
  • One energy sector organisation 

Eligible organisations: 

  • Private companies (including start-ups, SMEs and large companies)
  • Universities and research centres
  • Other organisations that represent energy related operators in the Nordics
  • Public authorities 

Ownership and Control Assessment

Applicants must be established in the EU/EEA and may not have controlling ownership from outside the EU/EEA. Applicants may be asked to provide an overview of the ownership structure and rights holders who ultimately own or control the company. 

About SMEs in the CRESCENDO call 

As the Nordic energy sector includes small and medium-sized enterprises (SMEs) in its value chains, this call tries to address the challenges faced by those SMEs when meeting with more complex threats and regulatory demands. As a result, even if all types of companies are welcome to apply, the CRESCENDO initiative will encourage projects including SMEs in the energy sector as partners to apply.

SME Definition – Read the European Commission’s guidelines for the definition of SMEs: SME definition - European Commission

Who can participate in the project?

Requirements for the Project Owner  

The research organisation, public authority, company, or organisation listed as the project owner in the application form must have approved the submission of the application. The Project Owner submits the application on behalf of all partners. 

Requirements for the project manager 

There are no formal requirements regarding the project manager’s qualifications, but the competence and suitability of the project manager to carry out the project will be assessed by peer reviewers. 

The project manager must be employed by the Project Owner or by one of the partner organisations.

About project administrator

We also require a person to be registered as a project administrator in the application. The project administrator and project manager cannot be the same person.

What can you seek funding for?

You can apply for funding to cover the actual costs necessary to carry out the project. The Project Owner must obtain information on costs from the partners in the project. 

We require that you break down the project budget into the following cost types in your application: Staff Costs, Travel Costs, Equipment/Tech Consumables Costs (depreciation) and Subcontracting Costs. 

The application must include milestone activities for the entire project period.

Scope of support 

Funding up to 200 000 euro per project is available under this call. The Research Council will cover up to 50 percent of the total project costs, and applicants must provide the remaining as own financing. The amount of funding presumed available for this call for proposals is 1 euro million and is divided between approximately 10 projects.

The project can last up to 6 months. 

About the CRESCENDO initiative

This call is part of the CRESCENDO initiative which is a project dedicated to bolstering cybersecurity preparedness and resilience within the Nordic energy sector. Funded by the EU through the Digital Europe Programme, CRESCENDO is a collaborative effort between the National Coordination Centres (NCCs) in Norway and Finland, the Norwegian University of Science and Technology (NTNU), and the Danish Energy Agency. 

The CRESCENDO project seeks to make a substantial contribution to the collective cyber resilience of the Nordic region and Europe while nurturing cross-border cooperation and mutual support.  

The outcomes of CRESCENDO will include sector-specific cybersecurity updates, tested methodologies, and policy recommendations directed at both national and international levels. Through these efforts, the project aims to establish a foundation for long-term collaboration and preparedness in a highly interconnected and increasingly digitalised energy landscape. 

The project’s overarching objectives will be pursued through a combination of activities, among them two calls for proposals, this one and the second one planned for 2027.

Relevant thematic areas for this call

This call addresses various areas within cyber security, particularly those noted above. We accept applications for funding for both applied research and innovation, with a focus on the energy sector.

Cyber security

Risk assessmentSecurity testingThreat modelling

Practical information

Requirements for this funding scheme

The application consists of an electronic application in My RCN web and at least two attachments. One of the attachments is a detailed project description with more details. My RCN web is the Research Council of Norway’s application system for research funding and is used for administrating the CRESCENDO call. The person submitting the application on behalf of the project partners needs to create a user in My RCN web. 

Please note that you can only submit the application once. If you submit the application before the deadline and subsequently see that it still needs to be changed, you can create a new application, e.g., as a copy of the one you have already submitted – and in this way submit a new version before the deadline expires. The application and all attachments must be written in English, and all attachments must be in PDF format. Be careful to upload the correct attachment type, as there are no technical restrictions on what kind of templates it is possible to upload in the application form.  

Mandatory attachments 

  • Project description. Use the standard template that you can download at the bottom of the page. 
  • CV for the project manager. Use the standard template that you can download at the bottom of the page. 

All required attachments should be included when submitting the application, otherwise the application will be rejected. 

Optional attachments 

  • CVs for key participants in the project. Use the standard template that you can download at the bottom of the page. 

We do not accept attachments submitted after the application deadline unless we have requested additional documentation. We will not consider documents and websites linked to in the application, or attachments other than those specified above.  

Application in My RCN web 

This CRESCENDO call deviates a bit from how the fields and text are in the web-based application form in My RCN web. As a result, here is a guide to how you should fill in the application in My RCN web. The numbered sections below correspond to each individual step that must be taken in the application form. The rest of the application will be submitted as a part of the mandatory attachments as mentioned above. 

  1. Project partners
    • When adding organisations in My RCN web, non-Norwegian organisations may ignore the organisation search box and manually enter their organisation’s details. The institution’s name does not need to be in Norwegian.
    • Do not add project partners in My RCN web, only add a project owner and other mandatory fields marked with *. Project partners will be included in the mandatory attachment.
    • You may add project participants, but this is not mandatory.
  2. Project info
    • No remarks.
  3. Funding scheme:
    • Under “Classification of scientific disciplines,” select “Annen informasjonsteknologi” as the discipline.
    • Do not fill in the fields “Other relevant programmes” or “If applying for additional funding, specify project number”.
    • For the final question, select “No”.
  4. Progress plan:
    • Fill out the “Dissemination of project results” as applicants need to present a credible plan for dissemination and communication activities which must include methods (publications, presentations, workshops and/or webinars) and targeted audiences.
  5. Budget: All numbers in this section will be in thousands NOK (see below), put in the year 2026, and only deal with the amount you apply funding for.
    • In the “Cost plan” section, put all costs under “Other operating expenses”. Break down the budget into the correct cost types in the specification field. The correct cost types are Staff Costs, Travel Costs, Equipment/Tech Consumables Costs (depreciation) and Subcontracting Costs.  
    • In the “Cost code” section, put all costs under “Abroad”.
    • In the “Funding plan” section, put all funding under “The Research Council”.
    • The “Fellowship” field can be ignored.
  6. Attachments:
    • Upload the project description and CVs using the provided templates. 

About project budget and Norwegian kroners (NOK) in My RCN web

The full project budget and funding plan for each project should be provided in the attached project description in PDF format. Then, all amounts should be in euros (EUR). However, in My RCN web it will be something different due to technical constraints. 

In the application form at My RCN web, applicants should only put the amount that is being sought i.e., the own financed part of the project can be ignored in My RCN web. This means that if a project has budgeted costs of 200.000 euros, we know that 100.000 euros of those will be covered by own financing, while the rest 100.000 euros will be sought for through the CRESCENDO call (due to 50 per cent funding rate). Only the 100.000 euros that is being sought for should be included in My RCN web as costs in the project, and in the funding plan. The own financing, i.e. half of the project budget, can be ignored in My RCN web. 

Moreover, the amount used in My RCN web should be in thousands of NOK, not in EUR. When calculating NOK, the exchange rate should be based on an average exchange rate taken from the European Central Bank's website. The average exchange rate you should use is 11.6702.  

Assessment criteria

Applications will be assessed by external referees based on Excellence, Impact and Implementation. The administration will assess the application based on relevance when looking at the purpose of the call. 

Excellence

Originality/Novelty
• The extent to which the concept is sound, credible and novel.

Solidity
• The extent to which the project objectives are clear and relevant.
• The quality of the proposed deliverables from the project.

Impact

Potential
• The extent to which the expected effects are specified.
• The extent to which expected impacts on the system and societal levels are specified.

Knowledge sharing and exploitation
• The quality of the proposed communication and dissemination activities.
• The extent to which it is credible that the proposed outputs will contribute to the specified effects and impact.

Implementation

Project Manager and project group
• The extent to which the Project Manager and project group are qualified and have the necessary expertise and are positioned to implement the project.
• The extent to which management structures and procedures are appropriate.

Plans and management
• The extent to which the work plan is clear and understandable, and the time table realistic
• The extent to which objectives and measures are coherent.
• The extent to which the project has the support of the leadership of the Project Owner and any partners, and the allocation of roles in the project is clear.
• The extent to which the budget is realistic and appropriate, and resources are allocated so that each of the partners can fulfil their role.
• The extent to which potential risks have been discussed.

Relevance to the call for proposals

The extent to which the project satisfies the guidelines and stipulations set out in the call for proposals.

Administrative procedures

We assess your application as it is submitted. Once the application deadline has passed, we first check that all formal requirements are met. Applications that do not satisfy these requirements will be rejected.

The applications will be assessed by a panel of three referees. Each referee will assess each application by assigning a mark from 1 to 7 for the criteria Excellence, Impact and Implementation.

The final mark on each criterion will be given by the average of the marks given by the individual referees. The threshold for each criterion is 4. If there is a large gap between the referees’ average (over 4.5) on one criterion, a fourth referee will be included in the evaluation of the application.

Applications will receive a main score calculated from the scores for each criterion: Excellence (weighted 30%), Impact (weighted 40%), and Implementation (weighted 30%). Applications with an average of the marks above 4 will be considered for funding.

The administration will then give a relevance mark based on how well the application could support CRESCENDO’s overall goals. The relevance mark is used, together with the average of the marks, to select the projects that will receive funding. In case two projects end up with the same average mark, priority will be given to projects with women project participants. Finally, we aim for a balanced portfolio of projects across the thematic areas mentioned above.

Create application

Applications for Cyber security and resilience in the energy sector in the Nordic region should be created on My RCN Web. Application templates should be filled and uploaded in the application.

Create application

Messages at time of print 8 October 2025, 21:31 CEST

No global messages displayed at time of print.