Back to blog
    Pentesting

    Pentest Subsidies in Belgium: How the kmo-portefeuille and VLAIO Cut Your Security Costs

    Sectricity Security TeamFebruary 4, 2026

    Since February 2026 the Flemish kmo-portefeuille funds advisory services for cybersecurity only, at 45% support for small companies. Here is how Belgian SMEs combine it with VLAIO improvement tracks to cut the cost of a pentest.

    kmo-portefeuilleSubsidiesVLAIO

    TL;DR

    • Since 1 February 2026 the Flemish kmo-portefeuille only funds advisory services on one topic: cybersecurity. A pentest with proper reporting and recommendations falls squarely in that category.
    • Small companies receive 45% support, medium-sized companies 35%, with a ceiling of EUR 7,500 per calendar year. The percentages apply to the amount excluding VAT.
    • For larger security projects, VLAIO cybersecurity improvement tracks cover 50% of external guidance between EUR 7,100 and EUR 39,000 excluding VAT (35% for non-SMEs that fall under NIS2).
    • You apply online, select the theme cybersecurity, and the increased support percentage is applied automatically. The provider must be registered for the kmo-portefeuille; Sectricity is.

    For many Belgian SMEs the main objection to a penetration test is not the value, it is the price tag. What few companies realise is that Flanders actively subsidises exactly this kind of security work. Since the reform of February 2026, cybersecurity is even the only advisory topic the kmo-portefeuille still supports. If you run a small or medium-sized company in Flanders, a substantial part of your pentest budget can come back as a subsidy.

    What is the kmo-portefeuille?

    The kmo-portefeuille is a low-threshold support instrument from the Flemish government (VLAIO) for SMEs that buy training or advice from registered service providers. In 2025 almost 55,000 companies submitted more than 125,000 applications, so this is not an obscure niche programme. You request the support online, VLAIO adds its share to your digital wallet, and you pay the provider partly with that wallet.

    Since February 2026: advisory support is cybersecurity only

    On 23 January 2026 the Flemish Government decided to narrow the advisory service of the kmo-portefeuille as part of a broader savings round. Since 1 February 2026, advice on any topic other than cybersecurity no longer qualifies. Marketing advice, HR advice, general digitalisation advice: all out. Cybersecurity advice: still in, and still at the increased support percentage.

    For security work this is good news in disguise. The budget that used to be spread across every possible consulting topic is now reserved for the one category where SMEs structurally underinvest. Training also remains supported for all eight future-oriented themes, including cybersecurity awareness training.

    How much support do you get?

    For cybersecurity advice and training the increased percentages apply: a small company receives 45% support, a medium-sized company 35%. For comparison: other training themes sit at 30% and 20%. The ceiling is EUR 7,500 of support per calendar year, and the percentages are calculated on the amount excluding VAT.

    Whether you count as small or medium-sized follows the European SME definition: small means fewer than 50 full-time equivalents and a turnover or balance sheet total of at most EUR 10 million; medium-sized means fewer than 250 full-time equivalents and a turnover of at most EUR 50 million or a balance sheet total of at most EUR 43 million. VLAIO determines your size automatically at your first application of the year, based on National Bank data, and group structures count.

    Does a pentest qualify?

    Yes, provided two conditions are met. First, the engagement must genuinely be advice: an analysis of your security posture that ends in a written report with findings and concrete recommendations. A penetration test is a textbook example, because the deliverable is exactly that: an expert assessment of where you are vulnerable and what to fix first. Pure implementation hours, such as configuring firewalls for you, are not advice.

    Second, the provider must be registered for the kmo-portefeuille. Sectricity is a registered service provider, and several of our current pentest engagements for Flemish SMEs run with kmo-portefeuille support.

    Larger projects: VLAIO cybersecurity improvement tracks

    Is your security project bigger than a single assessment? Then look at the VLAIO cybersecurity improvement tracks (cybersecurity verbetertrajecten). In these tracks a recognised service provider analyses your security, draws up an action plan and guides the implementation. VLAIO subsidises 50% of the cost for SMEs and sheltered workshops, on projects between EUR 7,100 and EUR 39,000 excluding VAT. Companies that are too large to be an SME but fall under the NIS2 directive still receive 35%.

    Note that these tracks run through a select group of service providers recognised by VLAIO specifically for this programme. If an improvement track fits your situation better than a standalone assessment, we are happy to point you to the right entry point; the analysis work we do, such as pentests and cloud configuration audits, often feeds directly into such a track.

    How the application works

    • Agree the scope and quote with your provider first, so you know the exact project amount excluding VAT.
    • Log in to the Flemish e-desk for entrepreneurs and open a new kmo-portefeuille application. Select the service type advice and the theme cybersecurity; the increased percentage is applied automatically.
    • Enter the registration number of your provider and the project amount, then deposit your own share into the digital wallet. VLAIO adds the subsidy.
    • Pay the provider invoice from the wallet (excluding VAT; the VAT goes directly to the provider as usual).

    A worked example

    Take an external penetration test of EUR 4,600 excluding VAT. A small company selects the theme cybersecurity and receives 45% support: EUR 2,070. The net cost of the pentest drops to EUR 2,530. A medium-sized company receives 35%, or EUR 1,610, and pays EUR 2,990 net. Both stay comfortably below the yearly ceiling of EUR 7,500, which leaves room for a follow-up assessment or awareness training in the same year.

    Frequently Asked Questions

    Can a penetration test be funded through the kmo-portefeuille?

    Yes. A penetration test that ends in a proper report with findings and recommendations qualifies as cybersecurity advice, which is exactly the category the kmo-portefeuille still supports since February 2026. The test must be purchased from a service provider that is registered for the kmo-portefeuille.

    How much subsidy does a small company get for a pentest in Flanders?

    A small company receives 45% support on the amount excluding VAT, a medium-sized company 35%. The support ceiling is EUR 7,500 per calendar year. On a pentest of EUR 4,600 excluding VAT, a small company therefore receives EUR 2,070 in support and pays EUR 2,530 net.

    What changed in the kmo-portefeuille on 1 February 2026?

    Since 1 February 2026 the advisory service of the kmo-portefeuille is limited to one topic: cybersecurity. Advice on any other subject no longer qualifies for support. Training remains supported for all eight future-oriented themes, and the support percentages and the EUR 7,500 yearly ceiling stayed the same.

    What is a VLAIO cybersecurity improvement track?

    A cybersecurity improvement track is a separate VLAIO programme for larger security projects. VLAIO covers 50% of the cost of external guidance for SMEs and sheltered workshops on projects between EUR 7,100 and EUR 39,000 excluding VAT. Companies that are too large to qualify as an SME but fall under the NIS2 directive receive 35%. These tracks run through a select group of service providers recognised by VLAIO.

    How do I apply for kmo-portefeuille support for a pentest?

    You apply online through the kmo-portefeuille in the Flemish e-desk for entrepreneurs. In the application you select the theme cybersecurity, after which the increased support percentage is applied automatically. Your provider gives you the registration number and the project details you need for the application.

    Related services and resources

    Curious what a subsidised assessment would look like for your organisation? Our penetration testing services cover external, internal, web application and API testing, and our cloud pentest and configuration audit maps identity and configuration risks in Microsoft 365, Entra ID and Azure. If you first want a feel for realistic budgets, read our breakdown of what a pentest costs in Belgium, the Netherlands and the EU. Mention the kmo-portefeuille when you request a quote and we prepare the numbers so the application takes you minutes, not hours.