CSA Cybersecurity Grants for Singapore SMEs — What You Can Claim in 2025

Why Cybersecurity Grants Matter for Singapore SMEs

Singapore's government has committed hundreds of millions of dollars to help businesses build cyber resilience — and a significant portion is earmarked specifically for SMEs. Yet the majority of eligible businesses either don't apply or apply incorrectly, missing out on substantial cost relief for projects they were already planning.

The grants landscape covers everything from baseline security tools and staff training to full ISO 27001 certifications and Cyber Trust Mark assessments. If you're a Singapore-registered SME spending on cybersecurity, the question isn't whether you qualify for a grant — it's which ones apply to your situation.

This guide cuts through the complexity. We cover the key grant schemes active in 2025, eligibility criteria, what each scheme funds, and the practical steps to apply — so your next cybersecurity investment costs significantly less than it otherwise would.

The Singapore Cybersecurity Grants Landscape

Singapore's cybersecurity funding flows through several agencies, each with its own mandate and eligibility criteria. The three primary channels relevant to SME cybersecurity spending are:

• Cyber Security Agency of Singapore (CSA) — Oversees the CyberSG TIG Catalogue and administers the Cyber Essentials and Cyber Trust Mark certification pathways with associated co-funding.
• Enterprise Singapore (EnterpriseSG) — Runs the Enterprise Development Grant (EDG) which can cover cybersecurity capability building, including ISO 27001 implementation and gap assessments.
• Infocomm Media Development Authority (IMDA) — Operates the SMEs Go Digital programme, which includes pre-approved cybersecurity solutions vendors that SMEs can engage with up to 50% subsidy.

Each programme has different funding caps, eligibility definitions, and approved vendor lists. Understanding how they complement each other — and how to stack them — is where most SMEs miss the opportunity.

Enterprise Development Grant (EDG) — Up to 50%

The EDG is administered by EnterpriseSG and is the most flexible grant for cybersecurity capability building. It supports projects that strengthen a company's core capabilities and enables businesses to build the internal capacity needed to operate more securely and competitively.

What it covers for cybersecurity

• ISO 27001 gap assessments and certification implementation projects
• Cyber Trust Mark readiness assessments and remediation work
• Security architecture reviews and technology risk management frameworks
• Business continuity planning with a cybersecurity component
• Staff capability development in cybersecurity roles

Eligibility

Your company must be registered and operating in Singapore, with at least 30% local shareholding. The project must be carried out by an approved consultant or solution provider. For cybersecurity projects, the consultant or assessor typically needs to be CREST-accredited or hold equivalent recognised credentials.

Funding quantum

Up to 50% of qualifying project costs are co-funded, with a cap that varies by project scope. For larger transformation projects, the cap can extend significantly. Applications must be submitted and approved before the project commences — retroactive claims are not accepted.

SMEs Go Digital — Pre-Approved Cybersecurity Solutions

IMDA's SMEs Go Digital programme takes a different approach: instead of funding bespoke projects, it pre-approves specific cybersecurity products and services at each tier of the programme. SMEs can engage any pre-approved vendor and automatically receive the subsidy — without a lengthy application process for each engagement.

How it works

The programme operates across industry-specific digital roadmaps. Cybersecurity solutions appear under the "Cybersecurity" pillar and are categorised by business size and need. Pre-approved solutions include endpoint detection and response (EDR) platforms, email security tools, multi-factor authentication systems, security awareness training platforms, and managed security services.

• SMEs (up to 200 employees): Up to 50% subsidy on pre-approved solutions
• Process is simple: Select a pre-approved vendor, sign the contract, claim subsidy through the vendor's disbursement process
• No cap on number of solutions — you can stack multiple pre-approved tools across the same project

Limitations to note

The subsidy only applies to solutions on the pre-approved list. If you want to deploy a specific tool or engage a specific vendor not on the list, you'll need to pursue the EDG route instead. The pre-approved list is updated periodically — check the IMDA business portal for current listings before committing to a vendor.

Cyber Essentials Mark and Cyber Trust Mark Funding

CSA operates two cybersecurity certification marks: the entry-level Cyber Essentials Mark and the gold-standard Cyber Trust Mark. Both have associated co-funding to reduce the cost barrier for SMEs pursuing certification.

Cyber Essentials Mark

Designed for SMEs with limited IT resources, the Cyber Essentials Mark requires assessment against five baseline cybersecurity domains: asset management, secure configuration, software security, access control, and incident management. CSA co-funds a significant portion of the assessment fee when conducted through an approved Certification Body.

The assessment fee after co-funding typically nets out between $1,000–$3,000 for most SMEs — a low barrier for a credential that is increasingly requested by government procurement panels and enterprise clients.

Cyber Trust Mark

The Cyber Trust Mark is a more rigorous certification covering 113 cybersecurity practices across five risk levels. It signals to customers, partners, and regulators that your organisation has mature, independently verified cybersecurity controls. CSA co-funds a portion of the readiness assessment and certification costs, with the exact quantum depending on company size and the risk tier being assessed against.

Critically, companies that have already achieved Cyber Essentials Mark can apply the existing assessment work as partial evidence toward Cyber Trust Mark — reducing both time and cost for the second certification.

Sector-Specific Grants to Check

Beyond the general schemes, certain sectors have additional cybersecurity funding pools that are often overlooked:

Financial services

MAS-regulated entities (banks, payment institutions, capital markets firms, insurers) should check whether their regulator has any specific technology risk management co-funding or subsidised assessment programmes. MAS periodically runs industry-level initiatives — your compliance team or industry association will have the most current information.

Healthcare

The Ministry of Health and the Integrated Health Information Systems (IHiS) run separate cybersecurity capability-building programmes for healthcare providers, particularly around patient data protection and medical device security. Hospitals, clinics, and health tech companies should engage IHiS directly.

Critical Information Infrastructure operators

If your organisation has been designated as a Critical Information Infrastructure (CII) operator under the Cybersecurity Act, CSA provides direct advisory support and may offer targeted co-funding for specific hardening requirements. CII operators should maintain a direct relationship with their assigned CSA sector lead.

Practical Steps to Claim Your Grant

The single biggest reason SMEs miss out on grants is timing — they begin work before the grant is approved. Every scheme covered in this article requires pre-approval before project commencement. Here's the right sequence:

1. Define your project scope clearly. Grants are tied to specific deliverables. Vague "cybersecurity improvement" projects will be rejected. Define whether you're pursuing ISO 27001 certification, deploying specific tools, conducting a gap assessment, or achieving a specific certification mark.
2. Identify the correct grant(s). Match your project scope to the schemes above. If the project spans multiple activities (e.g., tool deployment + certification), identify which scheme applies to each component.
3. Engage an approved vendor or assessor. Most schemes require work to be done by an approved or accredited provider. For EDG, your consultant should be able to guide the grant application as part of their engagement. For Cyber Trust Mark and Cyber Essentials Mark, only approved Certification Bodies can conduct the assessments.
4. Submit the application and wait for approval. Do not sign contracts or begin work until you have written approval from the administering agency. Timelines vary: EDG applications typically take 6–8 weeks; SMEs Go Digital is near-instantaneous for pre-approved solutions.
5. Execute the project and claim. Complete the project, retain all invoices and deliverables, and submit your disbursement claim within the required window.

How Infinite Cybersecurity Helps You Maximise Grant Funding

Navigating Singapore's grants landscape requires knowing which programmes are active, which vendors are pre-approved, and how to structure your project scope for maximum co-funding. This is something we help our clients with as a standard part of every engagement.

As a CREST-accredited cybersecurity firm, Infinite Cybersecurity is eligible to be engaged under the EDG and related schemes for ISO 27001 implementation, gap assessments, MAS TRM readiness reviews, and Cyber Trust Mark preparation. We work with our clients upfront to structure the engagement in a way that maximises their grant entitlement — before a single invoice is raised.

For clients pursuing Cyber Essentials Mark or Cyber Trust Mark certification, we provide pre-assessment readiness work to ensure you enter the formal assessment in a strong position, avoiding costly re-assessments that erode the grant benefit.

We also maintain up-to-date knowledge of current grant quantum and eligibility rules — which change periodically — so you don't have to track them yourself.