The evaluation assessed the direct and indirect impacts of Finnish Transport and Communications Agency's National Cyber Security Centre's National Coordination Centre's (NCC-FI) financial support for SMEs to implement stateofart information and cyber security solutions and innovations. The main methods and data sources of the evaluation were analysis of project plans, applications and data, beneficiaries survey, expert interviews, literature review and validation workshop.
In terms of direct impacts to beneficiaries, the evaluation found that the financial support has well fulfilled its purpose and its direct impact to beneficiaries can be considered high. Almost all the projects (95 %) stated that they have successfully implemented their technology upgrading and reached the project goals. The companies were also reporting increased resilience against cyber-attacks. In terms of indirect impacts, the evaluation was looking at effects on cyber security market and overall national cyber security capacity. The financial support has generated some additional demand for the provision of IT services with the volume of around EUR 0.9 million. The services were mainly provided by Finnish companies. The purchased technological solutions were mainly those provided by international large-scale companies. In terms of proportionality and appropriateness, it seems clear that the volume (2 MEUR) is limited, when considering the national needs. Therefore, volume is appropriate either as a targeted support and incentive to address certain identified challenges. The grant size (max EUR 60 thousand) could be equally effective in a slightly smaller form (e.g. EUR 20 thousand), thus allowing for more grants to be delivered.
The evaluation recommends that further support for companies to upgrade their cyber security should be ensured, the effectiveness could be increased by decreasing the size of individual grants, while expanding the number of given grants, the instrument should support holistic approach to cyber security and encourage companies to take actions beyond adoption of technology and that financial support should be complemented with non-financial support, such as technical guidance and sharing of good (process) practices, to enhance its effectiveness.