How to apply for a KPO grant? Step-by-step instructions

2. Manipulations of parameters of water treatment plants (Water Treatment Plants) - In Szczytno - a recording showing manipulation of the control elements of the water treatment plant (operating parameters).

- In the towns of Tolkmicko, Małdyty, Sierakowo – attacks on water treatment plants.

3. Attacks on sewage treatment plants - In Witków (Greater Poland Voivodeship) - manipulations in the central sewage pumping station.

- In Kuźnica – confirmed incident involving the sewage treatment plant.

4. Attacks on hydropower plants - Manipulation of hydropower plant parameters (e.g. control panel) – example: hydropower plant where the generated power was allegedly set to "zero".

- Attempted attacks that may have affected water supplies, although direct effectiveness has not been confirmed in many cases.

5. Propaganda/media recordings showing hacking - Cybercrime groups publish recordings showing access to automation systems (ICS/OT), manipulation of settings, changes of PINs, and device operating parameters.

- Such materials are often of a propaganda nature – the aim is to show that systems are vulnerable and build the reputation of hackers.

Cyberattacks on water and sewage infrastructure are becoming increasingly common, demonstrating the vulnerability of these systems to digital threats. Therefore, this grant application is important for entities seeking to enhance their security and better protect water supplies and the environment.

Who and what companies can benefit from the grant? What conditions must be met?

- The grantee may be an entity operating in the field of collective water supply , covered by the national cybersecurity system, and utilizing operational technologies in industrial control systems. In practice, these include:

• Water and sewage companies that are operators of essential services (in accordance with the Act on the National Cybersecurity System).
• Commercial law companies carrying out public utility tasks.
• Public finance sector units (e.g. municipalities, inter-municipal associations).

As part of the EY eligibility analysis, we will conduct a full verification of your company's eligibility.

What are the key deadlines for applying for a grant?

The grant application process will last only until October 2, 2025 , meaning there is limited time to prepare your application. Applicants should complete their documentation and verify eligibility as soon as possible.

The eligible expenditure period runs from January 1, 2025, to June 30, 2026, or until the project ends, as specified in the grant agreement. This allows interested entities to include both activities that have already begun and those planned for the near future.

What activities and expenses can be financed by the grant?

The grant can be used to finance a variety of activities related to improving the organization's cybersecurity level across four areas: organizational, competency, technical, and infrastructure. For example, eligible expenses include audits and updating security documentation, employee training, and implementing new technical solutions in IT and OT (e.g., purchasing hardware, software, monitoring and backup tools, and physical security of critical infrastructure). Certifications and team competency development are also included in the cost list.

The examples provided are not exhaustive – the scope of eligible costs is much broader. We encourage you to contact the EY team directly for a personalized needs analysis and full verification of expenditure eligibility.

How can I practically prepare for the application and implementation? I'd appreciate step-by-step instructions.

- Step 1: Eligibility Assessment - Check whether your company qualifies as an entity eligible to apply under the call for proposals. - Check the available de minimis aid pool in the context of applicable regulations.

- Conduct an initial review of your enterprise's cybersecurity management maturity – determine current status and needs.

Step 2: Needs analysis and planning - Identify key gaps and threats in IT/OT systems. - Determine which actions (organizational, competency, technical) are most needed.

- Estimate implementation costs based on market research for individual solutions.

Step 3: Preparation of documentation - Prepare complete application documentation with required attachments, including project description, schedule, budget, and justification of expenses.

- Complete the mandatory form confirming your realistic proposal to increase immunity.

How do you increase your chances of success? Do you have any other practical advice for grant applicants?

- To successfully apply for the "Cybersafe Waterworks" program, it is worth implementing a structured and comprehensive approach, covering all key stages of the process:

• Create a comprehensive project.
• Don't underestimate the formalities – ensure that all documents are correct and complete, avoid generalities and underestimating costs.
• Show how the project relates to real needs and threats – justify the choice of solutions in the context of specific problems present in your organization.
• Plan the evaluation of project effects – indicate how you will monitor the achievement of planned indicators.

By following the steps and tips above, you will increase your chances of having your application assessed positively and will significantly improve the level of cybersecurity in your organization.

What are the most common mistakes when applying for a grant?

- There are several of them. Mainly:

• Imprecise cost estimates or too general a description of planned activities, which makes it difficult to assess the feasibility and effectiveness of the project.
• Lack of clear link between the project and the specific cybersecurity threats and actual needs of a given water company.
• Incomplete application documentation or formal errors that may result in rejection of the application already at the formal assessment stage.
• Focusing solely on purchasing equipment, omitting organizational and training activities that are crucial for permanently improving the level of cybersecurity.
• Lack of proper definition of project indicators.

As you can see, applying to the “Cybersafe Waterworks” program requires a thorough needs analysis, a comprehensive approach to cybersecurity, and meticulous documentation preparation.

***

Answers to the questions were prepared by experts: Kamil Pszczółkowski – Senior Manager, Cyber ​​Security, EY Polska Róża Kraśnicka – Manager, Business Tax Advisory, EY Polska Roman Łopaciński – Manager for Strategic Partnerships, EY Polska