Secure Software for Resilient Growth

UK registered organisations can apply for a share of up to £5 million for collaborative projects that enable adoption of the Government's Software Security Code of Practice to drive growth of secure and resilient software supply chains.
Registration Details

16/03/2026 29/04/2026 11:00
Opportunity Type

Collaboration, Funding
Award

Your project’s total grant funding request must be between £250,000 and £750,000. This can cover up to 70% of costs depending on business size.
Organisation

Innovate UK

Innovate UK, part of UK Research and Innovation (UKRI), will invest up to £5 million for Collaborative Research & Development projects.

Cyber has been identified as a “frontier technology” in the UK’s Industrial Strategy 2025 and the Cyber Growth Action Plan 2025 has set out how cyber resilient technologies enable economic growth in the UK.

Software underpins all the digital technologies we rely on, driving productivity and growth across industry. But many sectors are undergoing digital transformation without embedding adequate cyber security measures. This is leaving them vulnerable to cyber-crime that drains £14.7bn from the economy each year.

The Software Security Code of Practice is one of a series of cyber security codes of practice developed by the UK government to improve overall UK cyber-resilience.

The aim of this competition is to drive the growth of secure and resilient software supply chains in the UK, through the adoption of the Software Security Code of Practice (SSCoP).

Your project must

  • increase adoption, awareness and implementation of the SSCoP
  • drive the commercial growth of cyber resilient technology supply chains in the UK
  • increase the baseline level of cyber resilience of UK software supply chains
  • support at least 2 of the 4 SSCoP Themes (secure design and development; build environment security; secure deployment and maintenance; and communication with customers)

To support the technical teams implementing the Software Security Code of Practice, NCSC have provided implementation guidance. This guidance provides more detailed information about how the principles can be implemented. It will also signpost to existing guidance and frameworks where possible.

Our experience from similar competitions suggests that you could have a 30% chance of success.

  • Projects must be collaborative.

    To lead a collaborative project your organisation must be a UK registered business of any size. The consortium must contain at least one UK registered micro, small or medium sized enterprise (SME) claiming grant funding on this application.

    To collaborate with the lead, your organisation must be one of the following UK registered:

    • business of any size
    • academic institution
    • charity
    • not for profit
    • public sector organisation
    • research and technology organisation (RTO)

    You must ensure that no single partner accounts for more than 70% of the total eligible costs.

    Subcontractors are allowed in this competition.

    A business can only lead on one application but can be included as a collaborator in a further two applications.

  • Your project must:

    • have a total grant funding request of between £250,000 and £750,000
    • be led by a UK registered business
    • have at least one other project partner
    • contain at least one UK registered micro, small or medium sized enterprise (SME) claiming grant funding on this application
    • carry out all of its project work in the UK
    • intend to commercially exploit the results in the UK
    • start by 1 August 2026
    • end by 31 January 2028
    • last between 12 and 18 months

    Any funded organisation needs to carry out their project work in the UK and must intend to exploit the project results from or in the UK.

  • The aim of this competition is to drive the growth of secure and resilient software supply chains in the UK, through the adoption of the Software Security Code of Practice (SSCoP). The Codes of Practice, and the UK government’s Cyber Essentials scheme, set out good practices to reduce cyber security risks which are not being sufficiently addressed by industry. Before applying, you are strongly advised to read the Software Security Code of Practice and the Implementation Guidance in full.

    The Software Security Code of Practice is designed to support software vendors and their customers in reducing the likelihood and impact of software supply chain attacks and other software resilience incidents. These kinds of attacks and disruptions are often caused by avoidable weaknesses in software development and maintenance practices.

    Organisations should implement applicable DSIT codes of practice as a minimum, although more stringent measures may be needed in higher risk contexts such as Critical National Infrastructure (CNI).

    The SSCoP is aimed at senior leaders in software vendor organisations to ensure that the measures outlined in the SSCoP are prioritised and followed through within the organisation. With clarity on the software vendor’s responsibilities, those senior leaders can ensure that relevant teams across their organisations take the necessary steps to meet those expectations, and have the resources, tools and knowledge they need to do so.

    For businesses, early adoption of these codes can act as stepping stones towards new markets, incoming UK regulations or standards. For example, the NHS Cyber Security Charter for Suppliers already includes SSCoP. The codes also present new market opportunities for innovative companies to develop products and services that support SSCoP adoption.

    Your project must:

    • increase adoption, awareness and implementation of the SSCoP
    • drive the commercial growth of cyber resilient technology supply chains in the UK
    • increase the baseline level of cyber resilience of UK software supply chains
    • support at least 2 of the 4 SSCoP Themes

    To support the technical teams implementing the Software Security Code of Practice, NCSC have provided implementation guidance. This guidance provides more detailed information about how the principles can be implemented. It will also signpost to existing guidance and frameworks where possible.

  • Your project can focus on one or more of the following:

    • tools, techniques and systems to accelerate or incentivise adoption, implementation and assurance of the SSCoP
    • engagement, training and communication to drive adoption of SSCoP across both the supply chain and customers
    • enabling, informing and upskilling procurement professionals and specifiers to drive adoption through contracts and negotiations
    • tools, data, metrics and testing that use the SSCoP to improve understanding of the cyber resilience of complex software systems
    • tools, data, measurements and techniques that accelerate or automate SSCoP compliance or assurance
    • enabling integration or translation of the SSCoP into sectors and supply chains such as energy infrastructure, defence, advanced connectivity, transport
    • development of automated analysis tools and techniques for SSCoP compliance of AI generated code
    • developing measurable and reproducible uses of AI to aid compliance with the SSCoP
    • mapping of SSCoP to pre-existing frameworks or standards such as ISO27001, Cyber Assessment Framework, NIS2, ETSI TS104223, SLSA, etc
    • development of sector-specific guidance and tools, especially for non-cyber experts, to help in supplier management
    • enabling or demonstrating SSCoP adherence and adoption in cloud CI/CD pipelines
    • enabling market differentiation for SSCoP compliant vendors

    (This list is not exhaustive.)

  • Innovate UK will hold an online briefing at 11am on Wednesday 25 March; register to reserve a place. A recording and slides will be available afterwards.

    If you would like help to find a collaboration partner, contact Innovate UK Business Connect’s Digital team.

Innovate UK's application and funding process

If you need more information about how to apply, please read our funding support pages. For additional support, reach out to our team of innovation experts who are ready to help you navigate the application process and maximise your chances of success.

Accessibility and Inclusion

Innovate UK welcome and encourage applications from people of all backgrounds and are committed to making our application process accessible to everyone. This includes making reasonable adjustments for people who have a disability or a long-term condition and face barriers applying to us.

Get in touch

If you have any questions about the scope requirements of this competition, email support@iuk.ukri.org or call 0300 321 4357.


Our phone lines are open from 9am to 5pm, Monday to Friday (excluding bank holidays).

Programme

This opportunity is part of Cyber Security.

The National Cyber Security Centre (NCSC) defines cyber security’s core function as protecting the devices we all use, and the services we access, from theft or damage, and preventing unauthorised access to the personal information we store on these devices and online.
