Training for Strengthening Cybersecurity Skills for SMEs

The Latin America and Caribbean Cyber Competence Centre (LAC4), a European Union project, and the General Secretariat of the Andean Community are making available to the public an “Organization Information Security Maturity Level Assessment” tool. This allows small and medium enterprises to measure their cybersecurity maturity level, detect areas for improvement, and adopt concrete action plans. 

This tool is based on the recommendations of the Estonian Information Security Standard (E-ITS https://eits.ria.ee),  the ENISA 2025 Threat Landscape Report, and includes management objectives from ISO 27002:2022.  

Additionally, in Europe, the Cyber Resilience Act (CRA) came into force in November 2024, reinforcing cybersecurity standards for products with digital components and requiring producers to ensure security throughout the product’s life cycle. Consequently, companies wishing to export digital products to the European common market must comply with this new regulation. 

To bridge information gaps and promote best practices, the European Union—through LAC4 and the Information System Authority of Estonia – is offering the “Cybersecurity Capacity Building Workshop for SMEs in the Andean Community.” Three selected SMEs from each Member Country (12 in total) will participate in a face-to-face training and networking event in Lima, Peru, from May 11 to 13, 2026. 

Target Audience  

This competition is aimed at SMEs located in Bolivia, Colombia, Ecuador and Peru that are currently developing products or services with digital components and are exporting—or have a real interest in exporting—to the European Union. 

Additionally, SMEs must have: 

• At least 3 years of sales (locally or abroad). 
• A team of at least 5 people. 
• No requirement to be officially registered as an SME in their home country. 

SMEs that have received financial benefits from the EU (sponsorships, cash, or seed capital) in the last 3 years, or entities doing business with EU-sanctioned countries/persons, are ineligible. 

Participation Requirements 

1. Complete the self-assessment  using the Information Security Maturity Level tool at https://mass.cloud.ut.ee/massui/#/ . Data must match the registration form, and the “SHARE DATA WITH SERVER/PROVIDER” option must be selected. 
2. Write a motivation letter (maximum 1 page) describing the venture, products offered, and plans for the European market. It must also explain how the company plans to share knowledge of the assessment tool within its local ecosystem and the importance of cybersecurity for the company. 
3. Complete the registration form available at and attach requested documents. 

By submitting the form, the SME confirms availability – in the event of selection – to attend the training in Lima from May 11–13, 2026. 

Selection Criteria 

Up to 3 winning SMEs will be selected per Andean country (12 total). Selection will be based on the direct benefit the course will have on the SME as described in the motivation letter. 

The following criteria will be considered to choose the selected SMEs: 

1. Analysis of the direct benefit that the training course will have on the SME (derived from the motivation letter and the results of the tool’s self-assessment) (…) 50% 
2. Scalability of the SME to enter or expand in the Andean and European markets (derived from the motivation letter). 30%  
3. Commitment of the SME to promote the use of the tool to the public (…) (derived from the motivation letter). 20% 
4. Commitment of the selected SME to designate two people per company (1 person in charge of information security, with technical and cybersecurity knowledge, and 1 person in charge of management or decision-making in the organization). The two designated persons must be collaborators (full-time or professional services) of the SME. 
5. The sponsorship covers transportation expenses for only one person per selected SME; therefore, the SME must cover the travel expenses of one of its participants. The sponsorship covers accommodation expenses for both persons from the SME. 

The results of the winning SMEs will be announced on April 21, 2026. 

Award Benefits 

Selected SMEs will have the right to designate two people from their company to participate in the cybersecurity training in Lima, Peru, from May 11 to 13, 2026. 

The two designated persons must be collaborators (full-time or professional services) of the SME; therefore, bringing third parties (family, friends, suppliers, customers, etc.) is not allowed. The designated persons must fulfill the following roles: 

• 1 person in charge of information security, with technical and cybersecurity knowledge.
• 1 person in charge of management or decision-making in the organization. 

The sponsorship includes: 

First and Second selected SME in Bolivia, Colombia, and Ecuador (6 SMEs in total): 

• Airfare for 1 person per selected SME from their country of origin (Bolivia, Ecuador, and Colombia) to the Republic of Peru (and vice versa). (This means the SME must cover the travel expenses of the second participant). 

• Lodging for the two designated persons from the SME at a hotel in Lima, Peru, with check-in on May 10 and check-out on the morning of May 13. The hotel will include breakfast service. 

• Meals for the two designated persons from the SME during the working sessions on 1th, 12th, and 13th of May (until noon). Dinners and any other additional meals must be covered by the participants. 

Third selected SME in Bolivia, Colombia, and Ecuador (3 SMEs in total): 

• Meals for the two designated persons from the SME during the working sessions on 11th, 12th, and 13th of May (until noon). Dinners and any other additional meals must be covered by the participants. 

The sponsorship does NOT include: 

• Land/air transfers for Peruvian SMEs from their city of origin to the city of Lima. 
• Ground transfers from the Lima airport to the designated hotel. 
• Airfare for the second person designated by the selected SMEs from Ecuador, Colombia, and Bolivia. 
• Airfare for participants of the third selected SME from each Member Country. 
• Lodging for participants of the third selected SME from each Member Country. 
• Per diems or cash grants for expenses related to the stay in the city of Lima, Peru. 

Sponsorship Exclusions 

Any other travel-related expenses, such as: medical insurance, visas, transfer costs from residence to the airport (and vice versa), activities outside of working hours, airline penalties, land or air transport costs due to participants’ non-compliance or tardiness, as well as any other item not expressly contemplated within the sponsorship coverage, will be at the exclusive expense and responsibility of the participants. 

Additional Conditions 

The event organizers reserve the right to extend the invitation to more SMEs wishing to participate in the event and cover their own transport and accommodation costs. 

Commitments of the Participants 

• The two participants for each SME must be of legal age and must attend all sessions of the course; therefore, they cannot alternate or be absent (in whole or in part) from the training without justification. 
• They must at all times follow the instructions and schedules defined by the organizers. 
• They must at all times act with respect toward others and comply with the laws of the Republic of Peru; therefore, they must refrain from performing illegal or immoral activities. 
• Refrain from transmitting or making public, in whole or in part, the contents of the training. 
• Providing false information during the application process or during the execution of the contest [is prohibited]. 

Activity Calendar 

Personal Data Processing Policy 

Contestants and participants grant their consent to the European Union to process the personal data included in the participation forms, which includes authorization to share said data with third-party providers of the European Union to execute the services derived from this sponsorship (including organizers, travel agencies, hotels, transport services, etc.). 

Such data will only be processed for the aforementioned purposes and may also be used to subsequently send contestants notices or notifications about other contests or services that the European Union makes available to the public. 

Should a person wish to revoke this consent, they must send an email with their request to the address:     

Instructions for the UT-MASS Self assessment tool for SMEs 

Step-by-step guide (English) 

1. Open the website
   Go to https://mass.cloud.ut.ee/massui/#/ and, in the pop-up window in the top-right corner, make a selection of language.
2. Roll down and push the button Continue 
3. Start the questionnaire (first-time users)
   If this is your first time using the assessment, click “Start a new questionnaire”. -> Continue
   The questionnaire will open. 
4. Answer using the color principle
   For each question, choose the option that best matches your situation:
   Red — the topic has not been addressed
   Green — the topic has been fully addressed
   If you are in between, decide whether it leans more:
   Yellow — more positive / mostly in place
   Orange — more negative / mostly not in place 
5. Complete all 10 pages
   Fill in the entire questionnaire (10 pages).
   Use the indicator on the top-left to see where you still have unanswered questions (it also shows which dimension still has gaps). 
6. If you need a break: download your progress
   If you want to pause, download your current progress using the download button in the top-right corner (Home icon).
   Later, when starting a new session, you can upload this file on the home page via “Open an existing answer file from local disk”.
   Note: Your answers are not stored anywhere else, so you must download/save your progress yourself if you want to keep it. 
7. After all questions: describe your organization and choose whether to submit data
   Once all questions are answered, a separate window will appear where you can describe your organization.
   Because the tool is still in the pilot phase, there is currently not enough data to show benchmarks.
   Only dimension-level and maturity-level averages are sent to the server (not your full detailed answers). You can also download the file yourself.
   You may choose not to send data to the central server (“Do not wish to participate in data collection”); in that case, you can proceed directly to your results and centrally we do not have the option to see that you participated at all. System provides in the pop-up window to download your data file and continue with results. 
8. Review results across 10 security dimensions
   The system will display your organization’s results across 10 security dimensions.
   Each dimension’s explanation is shown on the centre of the screen.
   Higher values are better. The goal is a balanced, even shape within the green area.
   The maturity-level lines at the bottom are intended to be roughly equally high (balanced maturity across areas). Try to interpret your results yourself, but we will explain them individually also during the training 
9. Re-using the system
   You can use the system multiple times. In repeat sessions, you don’t have to submit data to the central team each time. You can start by uploading your previously saved state and then adjust/update your answers as needed.