1.     Introduction

CYSSME (Cybersecurity and Data Protection for Small, Medium and Micro Enterprises) is a European project supported by the  Digital Europe Programme (DEP) of the European Commission and aims to address Cybersecurity challenges faced by SMEs in Europe by providing European-originated solutions, technologies, and methodologies.

As part of CYSSME, carefully selected SMEs will be taken on a journey after an intake discussion and a preliminary High-Level Cybersecurity Assessment with highly experienced Cybersecurity experts. A Cybersecurity Auditor will hold an In-Depth Cybersecurity Assessment with a number of target company representatives, trying to ensure a proper situational insight that will serve as a baseline. A Cybersecurity Mentor will be assigned to the company and a roadmap to Cybersecurity improvements will be proposed, including specific Cybersecurity Implementations, timelines and milestones including solutions, advisory, training and knowledge transfer allowing the company to become self-sufficient in a timeframe of 3 to 6 months – depending on the situation.

These Terms and Conditions cover the interaction between you, the User, applying for a Cybersecurity improvement project with CYSSME through the intake form on the website (  https://cyssme.eu/support-for-sme/#apply), or otherwise engaging with CYSSME service offering, and the CYSSME Partners.

When applying for your free Cybersecurity improvement project, you will be in contact first with the CYSSME project Coordinator LSEC. Please note that as part of the CYSSME services, you will be engaging with several CYSSME Partners, depending on your needs.


2.     Definitions

2.1 CYSSME: The project, funded under grant agreement No 101128101 as part of the European Union’s Digital Europe Programme.

2.2 CYSSME Consortium: The entities collaborating under the CYSSME project to provide Cybersecurity solutions, Services, and support to SMEs, led by CYSSME project Coordinator LSEC. The full consortium can be found on the CYSSME website at https://cyssme.eu/about/partner/.

2.3 CYSSME Company : The organization that is intended to become the self-sustaining operating entity of the CYSSME activities, including the platform, services and SME support activities, intended to be created in the last year of CYSSME by one or multiple CYSSME Partners, that will be receiving the assets and intellectual property of CYSSME in order to ensure the seamless continuation of the activities. This will include all contractual arrangements, customers and vendor relations, the CYSSME platform and additional services.

2.4 CYSSME Beneficiary: any organisation, company, or entity that is part of the CYSSME Consortium

2.5 CYSSME Partner: any organization, company or entity and any third party involved in CYSSME by way of contract through the CYSSME Consortium.

2.6 CYSSME Platform: The platform developed by Beneficiaries LSEC and co-dex.eu through the CYSSME project including, but not limited to a repository of solutions, an assessment platform, mechanisms for market-matching, marketing activities, community activities, .. that either partially or as a whole can be licensed or franchised to other CYSSME Operators . [PG1]

2.7 CYSSME Operators: Organizations that have the intention to or operate part or the whole of the CYSSME Platform and related services, through an authorization

2.8 CYSSME Engagement Manager: The representative of a CYSSME Partner that is the main contact between the User and CYSSME, who will be managing the relation with the User with the intention to present the User to the CYSSME Auditor and / or CYSSME Mentor.

2.9 CYSSME Auditor: A CYSSME Partner who performs a Cybersecurity Assessment for the User’s (cybersecurity) organization, systems, applications, appliances, networks and/or infrastructure, … to be determined in consultation with the User and the CYSSME Engagement Manager..

2.10 CYSSME Mentor: A CYSSME Partner assigned to provide expert advice and help define the appropriate steps to strengthen a User’s Cybersecurity posture.

2.11 CYSSME Implementation Partner: A CYSSME Partner who will take care of the deployment and integration of customised Cybersecurity solutions within the User organization based on the results of prior assessments by the Cybersecurity Auditor and Cybersecurity Mentor.

2.12 User: you, the company, the organization, the SME or other stakeholder engaging with the CYSSME Platform or Services. SME means “Micro, small, and medium-sized enterprises”, as defined in EU law. In doubt whether this applies to you? More information at https://single-market-economy.ec.europa.eu/smes/sme-fundamentals/sme-definition_en.

2.13 Terms and Conditions: These general Terms and Conditions. These terms define the rights, obligations and responsibilities of the CYSSME Partners and Users

3.     Scope

3.1 These Terms and Conditions govern the use of the Services provided by the CYSSME Consortium and third parties selected by the CYSSME consortium, throughout the duration of the CYSSME Project or CYSSME Services executed, as well as the use of the CYSSME Platform.

3.2 These Terms and Conditions do not apply to individual (commercial and non-commercial / for free) follow-up engagements between Users and CYSSME Partners that take place outside the scope of the CYSSME project and Cybersecurity Journey.

4.     Acceptance of Terms and Modifications

4.1 By submitting the intake form, and/or accessing or using the CYSSME Platform or Services, Users acknowledge and agree to be bound by these Terms and Conditions.

4.2 The CYSSME Consortium reserves the right to modify or update these terms periodically. Users will be notified of any significant changes, and continued use of the CYSSME Platform or Services following such updates will constitute acceptance of the revised Terms and Conditions.

5.     CYSSME Services

5.1 CYSSME offers the following Services:

  • High-Level CYSSME Cybersecurity Assessment, CYSSME Cybersecurity mentorship & Cybersecurity Journey services mainly oriented towards SMEs, mainly oriented towards commerce, industry and high tech organisations
  • In-depth Cybersecurity audit or assessment services (CYSSME Assessment )
  • CYSSME Cybersecurity implementation services
  • The use of the CYSSME platforms
  • CYSSME Mentoring services
  • Other CYSSME support programs

5.2 The In-Depth CYSSME Cybersecurity Assessment is performed by a CYSSME Auditor and the CYSSME High-Level Cybersecurity Assessment, CYSSME Cybersecurity mentorship & CYSSME Cybersecurity Journey services are provided by a CYSSME Mentor who is assigned to a specific User. In addition, specific Cybersecurity implementation services may be needed for your specific case. Those services are provided by one or more CYSSME Implementation Partners. The CYSSME platform is provided to you by the CYSSME consortium.

5.3 The CYSSME consortium may offfer third parties to provide services on or via the CYSSME platform and as part of the CYSSME activities, in particular for Cybersecurity implementation services. These Terms and Conditions will also apply to services by third parties if they are provided to you through the CYSSME project as part of your free Cybersecurity improvement project.

5.4 As part of your free Cybersecurity improvement project you will receive services from different CYSSME partners, typically including all of the services mentioned under 5.1 above. To provide you with more clarity, a Statement of Work will be prepared on the specific services to be provided, indicating the specific CYSSME Partners involved in the services, what each CYSSME partner will do and what they will be responsible for. The Statement of Work may be updated during your free Cybersecurity improvement project. [PG2]

5.5 CYSSME is built upon the already existing Cybersecurity Solutions Frameworks, which connect to the CYSSME platform, amongst other offering a Cybersecurity application store containing both Open Source and commercially available technologies. Commercial technologies or commercial services may be suggested as part of your free Cybersecurity improvement project or to further mature your Cybersecurity posture during or after your free Cybersecurity improvement with CYSSME. Acquiring such services which might be suggested, but not covered in the Statement of Work of your CYSSME Cybersecurity improvement will be subject to specific contractual terms with the technology or service providers. [PG3]

6.     Obligations of the User

6.1 As the User, you must cooperate in good faith in the process of your CYSSME Cybersecurity improvement project. This includes in particular that you must provide the relevant CYSSME Partners acting as Cybersecurity Auditor, Cybersecurity Mentor or Cybersecurity Implementation Partner with access to all relevant systems, networks, facilities, and necessary information required for the assessments and audit activities and implementation services. Failing to do so, may have an adverse effect on your Cybersecurity maturity improvement. (This can include for instance forgetting to inform about the administrator roles who’s passwords had been compromised.)

6.2 As the User, you must designate a representative who will serve as the main contact point and provide timely assistance and cooperation to the CYSSME Partners acting as Cybersecurity Auditor, Cybersecurity Mentor or Cybersecurity Implementation Partner. Failing to do so may result in CYSSME services being withdrawn from the offering.

6.3 As the User, you must promptly address any vulnerabilities or issues identified during any of the CYSSME services mentioned in 5.1 above and take appropriate actions to mitigate the associated risks. Failing to do so may result in adverse effects on the Cybersecurity posture of the User.

6.4 As the User, you must ensure that all necessary permissions and authorisations are obtained to allow CYSSME Partners acting as CYSSME Auditor, CYSSME Mentor or CYSSME Implementation Partner to perform the relevant CYSSME service.

6.5 As the User, you must share any information relevant to your free Cybersecurity improvement project with the CYSSME project and CYSSME partners, without undue delay, as it becomes available, unless prohibited by law. This allows the CYSSME Partners acting as Cybersecurity Auditor, Cybersecurity Mentor or Cybersecurity Implementation Partner to tailor and adapt their services and to avoid issues.

6.6 As the User, you must familiarize yourself with the Statement of Work for your free Cybersecurity improvement project (see 5.4 above) and the different CYSSME Partners involved in providing services to you. It remains your duty, as the User, to do your due diligence on the CYSSME Partners proposed to you, as identified in the statement of work. If you have concerns about any CYSSME Partner, it is your prerogative to ask questions and/or stop your free Cybersecurity improvement project in case your concerns cannot be addressed to your satisfaction. [PG4] 

6.7 As the User, you must familiarize yourself with the full content of these Terms and Conditions.

7.     Obligations of the CYSSME Auditor

7.1 The CYSSME Partner acting as a CYSSME Auditor shall assign qualified personnel with expertise in Cybersecurity and auditing to conduct the audit for the User.

7.2 The CYSSME Partner acting as a CYSSME Auditor shall perform the In-Depth Cybersecurity Audit (CYSSME Assessment) with due care, skill, and in accordance with industry best practices, applicable laws, and regulations.

7.3 The CYSSME Partner acting as a CYSSME Auditor shall provide the assigned CYSSME Mentor with regular progress updates and promptly communicate any significant findings or concerns during the In-Depth Cybersecurity Assessment.

7.4 The CYSSME Partner acting as a CYSSME Auditor shall provide the CYSSME Partner acting as a CYSSME Mentor with a detailed report on the audit, detailing the findings, vulnerabilities, and recommendations resulting from the audit.

7.5 The CYSSME Partner acting as a CYSSME Auditor shall maintain the confidentiality and security of all information obtained or accessed during the In-Depth Cybersecurity Audit and shall not disclose any such information to third parties without the prior written consent of the User, except where required by law.

8.     Obligations of the CYSSME Mentor

8. Obligations of the CYSSME Mentor

8.1 The CYSSME Partner acting as a CYSSME Mentor shall assign qualified personnel with expertise in Cybersecurity to analyse the CYSSME Auditor’s report and provide clear explanations and tailored recommendations to the User.

8.2 The CYSSME Partner acting as a CYSSME Mentor shall maintain the confidentiality and security of all information obtained or accessed during the provision of its services and shall not disclose any such information to third parties without the prior written consent of the User, except where required by law.

9.     Obligations of the Cybersecurity Implementation Partner(s)

9.1 The CYSSME Partner acting as a CYSSME Implementation Partner shall assign qualified personnel with expertise in Cybersecurity to conduct the implementation services for the User.

9.2 The CYSSME Partner acting as a CYSSME Implementation Partner shall perform the Cybersecurity implementation services with due care, skill, and in accordance with industry best practices, applicable laws, and regulations.

9.3 The CYSSME Partner acting as a CYSSME Implementation Partner shall provide the assigned Cybersecurity Mentor with regular progress updates and promptly communicate any significant findings or concerns.

9.4 The CYSSME Partner acting as a CYSSME y Implementation Partner shall maintain the confidentiality and security of all information obtained or accessed during the provision of its services and shall not disclose any such information to third parties without the prior written consent of the User, except where required by law.

10.  Information sharing between different CYSSME Partners providing services to the same User

10.1 You, as the User, hereby allow the CYSSME Partners providing services to you to share information between them, as needed for the provision of services as part of your free Cybersecurity improvement project. The CYSSME Partners shall put in place between them any contractual arrangements for data sharing as required by applicable Law.

10.2 CYSSME Partners shall keep any information only as long as needed for the purposes of providing the services and as required by the CYSSME project (including funder requirements).

10.3 Both the User and any involved CYSSME Partners agree shall generally treat all information exchanged in connection with this agreement as confidential and shall not disclose it to any third party without the prior written consent of the other party, except as required by law.

10.4 The obligation of confidentiality shall remain in effect even after the conclusion of the User’s participation in the CYSSME Project.

11.  Warranties and Liability

11.1 The CYSSME Partners do not make any warranties or guarantees regarding the sufficiency or fitness for purpose of the CYSSME services and CYSSME solutions, or any technology or services directly or indirectly referenced or endorsed by CYSSME or CYSSME Partners.

11.2 The CYSSME Partners shall not be liable for any indirect, consequential, or incidental damages, including but not limited to, loss of data, loss of revenue or profits, or business interruption. The CYSSME Partners shall not be liable for direct damages, unless caused by willful misconduct, gross negligence or where the direct damage concerns bodily harm to a natural person. [PG5]

11.3 The CYSSME Partners shall not be held liable for errors, issues, or data breaches that arise due to any action or undertaking of the User, where the CYSSME Partner had no direct control or involvement.

11.4 The CYSMME Partners shall not be held responsible for any delays or failures in performance due to circumstances beyond their control, including natural disasters, legal restrictions, or government actions.

11.5 Each CYSSME Partner is solely liable for direct damage resulting from its own actions. You, as the User may only hold the specific CYSSME Partner liable that performed the particular Cybersecurity service that gave rise to the damage. In case damage arises due to advice from one CYSSME Partner and implementation by another CYSSME Partner, the User must first hold the CYSSME Partner responsible for the implementation liable, identified based on the Statement of Work. [PG6]

11.6 Under no circumstances can you as the User hold the CYSSME Coordinator liable for the sole reason that they were the practical point of contact and acted as a hub to connect you to CYSSME Partners and services during your free Cybersecurity improvement project. Liability is only possible, as per sections 11.2 and 11.5 above, in case of wilful misconduct or gross negligence by the CYSSME Coordinator, with a casual link between that conduct and the direct damage you suffered. [PG7]

11.7 The liability of any individual CYSSME Partner is limited to EUR 1500,00], except where the direct damage concerns bodily harm to a natural person. [PG8]

12.  Data Protection and Privacy

12.1 The CYSSME consortium adheres to the European Union’s General Data Protection Regulation (GDPR) when handling personal data. As a User, your personal data will be used solely for the purposes of the CYSSME project, namely to render services to you as part of your free Cybersecurity improvement project and to handle any reporting obligations to the funder of the project, i.e. the European Commission.

12.2 The CYSSME Partners involved in your free Cybersecurity improvement project will, where they must share any data as per section 10 above that qualifies as personal data, put in place the necessary arrangements required by the GDPR. This may include signing a data processing agreement between you, as the User, and all involved CYSSME Partners providing services to you. [PG9]

12.3 CYSSME Partners shall keep any personal data only as long as needed for the purposes of providing the services and as required by the CYSSME project (including funder requirements).

12.4 The CYSSME Partners will put in place appropriate technical and organizational measures to ensure the security of any personal data handled.

13.  Intellectual Property

Ownership of IP

13.1 All intellectual property rights related to the tools, software, methodologies, and technologies provided or used by the CYSSME Partners, including but not limited to those used in the Cybersecurity Implementations and assessments, remain the exclusive property of the respective CYSSME Partner or third-party owner. Nothing in these Terms and Conditions shall transfer or grant any ownership rights to the User, unless explicitly agreed upon in writing by the IP owner.

Expert advice and knowledge sharing

13.2 Any knowledge, expertise, or methodologies shared by the Cybersecurity Mentor, Cybersecurity Auditor, Cybersecurity Implementation Partner or other experts during the provision of services under the CYSSME Project is considered proprietary to the respective CYSSME Partner or expert. The User may use this knowledge solely for the purposes of improving its own Cybersecurity posture but may not disclose, redistribute, or commercialise such knowledge without prior written consent from the CYSSME Partner or expert.

Use of tools and technologies

13.3 Unless otherwise indicated during your free Cybersecurity improvement project, you , as t he User are granted a limited, non-exclusive, and non-transferable license to use the tools, software, and technologies provided during the Cybersecurity Implementations solely for the purposes of improving your own Cybersecurity posture and for the duration of your free Cybersecurity improvement project. You, as the User, are prohibited from copying, modifying, distributing, or creating derivative works based on these tools and technologies unless explicitly authorised in writing by the respective CYSSME Partner or third-party owner. [PG10]

Confidentiality

13.4 You, as the User, agree to maintain the confidentiality of all tools, technologies, and expert knowledge shared during the project. This obligation shall remain in effect even after the conclusion of the User’s participation in the CYSSME Project, and the User shall take all reasonable steps to prevent unauthorized disclosure or use of such proprietary information.

Infringement

13.5 If you become aware of any unauthorized use or infringement of the intellectual property of a CYSSME Partner, you, as the User, must promptly notify the CYSSME Consortium and cooperate fully in any enforcement actions taken by the IP owner.

14.  Governing Law and Dispute Resolution

14.1 These Terms and Conditions are governed by Belgian law. The provisions of these Terms and Conditions shall be interpreted, whenever possible, in a manner that makes them valid and enforceable under applicable law.

14.2 In the event of a dispute arising from the use of the CYSSME Platform or related Services, the User agrees to first attempt to resolve the matter through negotiations. If negotiations fail, the courts of Brussels will have exclusive jurisdiction over any disputes concerning the validity, interpretation, enforcement, performance, or termination of these Terms and Conditions.

15.  Miscellaneous

15.1 These terms supersede all prior agreements, understandings, and communications, whether written or oral, between the User and the involved CYSSME partners relating to the subject matter covered in these Terms and Conditions.

15.2 If any provision, or any part of a provision, is found to be invalid, illegal, or unenforceable, the remainder of the provision and these Terms and Conditions shall remain in full force as if the invalid, illegal, or unenforceable provision or part of the provision had never been included.