Summary
Cybersecurity audit and security assessment services form a large and growing category within EU public procurement, driven by the NIS2 Directive (October 2024 transposition deadline), GDPR compliance obligations, DORA requirements for the financial sector, and the practical need to document security posture before regulators arrive. The NIS2 mandate for security audits across 18 critical sectors and 10,000+ newly in-scope organisations has created a 3-5 year audit procurement wave that is still in its early phase. Government cybersecurity audit contracts range from €10,000 annual vulnerability reviews for small municipal IT departments to €300,000+ multi-year compliance assessment programmes for national infrastructure operators.
Types of Cybersecurity Audits Procured by Government
Government cybersecurity auditing spans a range of assessment types with meaningfully different skills requirements, qualification demands, and contract values. Understanding which type a specific tender is procuring determines both bid eligibility and competitive positioning.
ISO 27001 gap assessment and ISMS certification support covers analysis of an organisation's information security management system against ISO 27001:2022 requirements, gap identification, remediation roadmap production, and often support for the Stage 1/Stage 2 certification audit. Per-engagement value: €15,000–€60,000. The bidding company itself typically needs ISO 27001 certification to be credible: an organisation whose auditors are not themselves certified to the standard they are assessing raises immediate evaluator concern.
NIS2 compliance audit assesses the organisation's cybersecurity measures against NIS2 Article 21 requirements: risk management, incident handling, supply chain security, cryptography, access control, and asset management. Contracting authorities frequently reproduce the Article 21 text verbatim in their procurement specifications, the directive having been transposed into national law across most member states through 2024-2025. Per-engagement value: €20,000–€80,000. Demand is running high and will remain elevated for 3-5 years as newly in-scope organisations work through their first audit cycles.
GDPR and data protection audit covers independent assessment of data protection practices, records of processing activities, DPIA quality, technical security measures for personal data, and third-party processor due diligence. Per-engagement value: €15,000–€50,000. These contracts are often combined with NIS2 assessments, since the technical security controls required under both frameworks substantially overlap.
Vulnerability assessment and penetration testing combined contracts cover technical scanning, active exploitation testing, and reporting of security exposures across defined target systems. Annual contracts for ongoing vulnerability management run €20,000–€100,000; combined penetration test and audit packages typically fall in the €30,000–€150,000 range. These are frequently structured as framework agreements with call-off instructions for individual system assessments.
Security architecture review and supply chain audit are the fastest-growing segments. Architecture reviews assess network segmentation, identity and access management, encryption posture, and cloud security configuration against NIST CSF, CIS Controls, or national equivalents. Supply chain security audits assess third-party ICT vendors and managed service providers under NIS2 Article 21(2)(d): organisations must document and assess risks from their supply chains, and few have the internal capability to do this systematically without external support.
Regulatory Drivers of Audit Procurement
The demand for public sector cybersecurity audits is anchored in hard regulatory obligations, not discretionary governance ambition. NIS2 Article 21 requires covered entities to implement "regular security testing" and "security assessments", language that national supervisory authorities and contracting authorities are now writing directly into their procurement specifications. When the NIS2 Article 21 text appears verbatim in a tender specification's technical requirements, the buyer is not interpreting the regulation; they are procuring precisely what the regulation requires, and the supplier must demonstrate they deliver precisely that.
ENISA (European Union Agency for Cybersecurity, headquartered in Athens) procures cybersecurity audit services for its own programmes and publishes guidelines that directly shape what member state CERTs and national cybersecurity authorities require from their contracted auditors. DIGIT (the European Commission's internal IT directorate) runs EU-level cybersecurity audit frameworks that cover Commission institutions; access to these frameworks provides both revenue and the most prominent reference credential in the European market. National CERTs, ministries of defence and interior, and critical infrastructure operators in energy, water, and transport are the dominant buyers below EU-institution level.
DORA (Digital Operational Resilience Act) adds a separate audit wave for the financial sector: EBA-supervised institutions, which include publicly owned banks and development finance institutions, must conduct ICT risk assessments and third-party provider audits under DORA Article 16 timelines starting 2025. This creates demand from public financial institutions that sits outside the standard NIS2 procurement wave and is often managed through separate framework agreements with financial sector IT audit experience requirements.
Key CPV Codes
- 79212000: Auditing services (primary code for compliance and security audits)
- 72220000: Systems and technical consultancy services (technical security assessments)
- 79212100: Internal audit services
- 72212730: Security software development services (sometimes used for vulnerability scanning tool supply)
- 79131000: Documentation services (audit report production, RoPA audit)
- 72222300: Information technology services (combined audit and advisory)
Keyword monitoring for "security audit", "information security assessment", "cybersecurity review", "ISO 27001 audit", "NIS2 assessment" across TED and national portals is essential, because many audit contracts are published under broad service codes that do not reveal their cybersecurity content in the CPV alone.
Qualification Requirements
Cybersecurity audit contracts specify both organisational certification and individual professional credentials. Most contracts require a combination; the specific combination required depends on the audit scope.
ISO 27001 Lead Auditor (IRCA-certified) is the most commonly specified individual qualification for security audit contracts, and an essentially universal prerequisite for ISO 27001 gap assessment and ISMS certification support work. The IRCA certification body is typically specified by name in French and UK-adjacent tenders; equivalent Lead Auditor status from accredited certification bodies is accepted under mutual recognition in other member states.
CISA (Certified Information Systems Auditor) from ISACA is widely specified in Eastern and Northern European government procurement for IT audit roles. It is particularly prominent in Polish, Czech, and Baltic state government tenders where IT audit methodology is prioritised alongside cybersecurity-specific skills.
CISSP (Certified Information Systems Security Professional) is specified for senior auditors on complex architecture review, multi-system assessment, and programme-level engagements. It signals breadth of security knowledge beyond pure audit methodology.
CIPP/E (Certified Information Privacy Professional / Europe) is required for GDPR-adjacent audit roles: DPO function reviews, Records of Processing Activity audits, and DPIA adequacy assessments. Contracting authorities procuring combined NIS2/GDPR assessments frequently specify both ISO 27001 LA and CIPP/E on the same contract.
Organisational ISO 27001 certification for the bidding company is required in a significant proportion of contracts, the logic being that an organisation assessing others' ISMS should operate a certified one itself. References of 2-3 comparable audit engagements completed within the last 3 years remain standard, with client name, scope description, contract value, and a contactable reference verifier.
Framework Agreements and Contract Structures
Most national governments and large ministries procure cybersecurity audit services through multi-year framework agreements rather than one-off contracts. The UK NCSC's CyberFirst supply frameworks, France's ANSSI-approved service provider list (PASSI, Prestataires d'Audit de la Sécurité des Systèmes d'Information), and Germany's BSI qualified vendor lists each function as approved supplier frameworks that contracting authorities draw from for individual call-off contracts. Entry into these frameworks is itself a competitive tender process, typically requiring demonstration of methodology, qualified personnel, and past performance; once in, however, the framework provides a multi-year pipeline of call-off opportunities without repeated competitive bids from scratch.
Framework lots are typically structured by audit scope: network and infrastructure security assessments in one lot, application security and code review in a second lot, organisational and governance audits (ISO 27001, NIS2 policy) in a third, and physical security or clearance-level-required assessments in a fourth. Specialist companies with deep expertise in one area compete for specific lots rather than the entire framework; this lot structure is an explicit design choice by contracting authorities to maintain access to specialist suppliers who cannot credibly bid across all audit disciplines.
For suppliers without framework access, annual retainer contracts with individual ministries or agencies are the alternative route. These guarantee a volume of audit days per year deployable across assessment types as needs arise: predictable revenue, lower bid cost per pound of contract value, and an opportunity to build the institutional knowledge that makes renewal near-automatic when the framework period ends.
Winning Strategy for Cybersecurity Audit Tenders
Audit tenders are evaluated heavily on methodology quality and credential specificity, not on price, which is typically weighted 30-40% versus 60-70% for quality. Winning bids demonstrate a structured, repeatable audit methodology explicitly mapped to the specific framework required (ISO 27001:2022, NIS2 Article 21, NIST CSF 2.0, CIS Controls v8, COBIT 2019); deliverable templates submitted with the bid so evaluators can assess report quality before award; named auditors with specific relevant credentials and sector experience cited by name rather than anonymised as "Senior Auditor A"; and active independence: the bid must demonstrate the audit team has no conflicts of interest with the systems being assessed, which matters particularly for retender audits where the incumbent supplier may also be bidding.
Sector-specific experience is the most differentiated scoring criterion in practice. An auditor who has assessed 20 hospital IT departments and can name equivalent organisations they have audited is substantially more credible bidding for a health ministry contract than a generalist with a longer overall reference list. When evaluating sector fit, contracting authorities read reference descriptions carefully: a reference that names the buyer, describes the exact scope, and quantifies the findings (e.g., "identified 14 critical NIS2 Article 21 gaps, produced remediation roadmap implemented within 90 days") scores significantly above a generic description of comparable work. Write your references as audit reports in miniature, not as capability statements.