Summary
Common Procurement Vocabulary (CPV) codes are the EU's standardised classification system for public procurement, used across all 27 member states and by EU institutions on TED (Tenders Electronic Daily). For cybersecurity vendors, understanding the full CPV landscape is essential for monitoring opportunities systematically – a single missed code family can mean overlooking hundreds of relevant contracts per year. This reference guide provides a complete catalogue of CPV codes relevant to cybersecurity procurement, explains how the CPV system works, covers how to configure TED alerts, and identifies the highest-volume codes and emerging codes to watch in 2026.
How CPV Codes Work – and Why They Fall Short for Cybersecurity
CPV codes are 8-digit numerical codes with a check digit, organised into a hierarchical taxonomy. The structure is: Division (first 2 digits) → Group (first 3 digits) → Class (first 4 digits) → Category (first 5 digits) → Sub-category (all 8 digits). For example, the code 72212730 breaks down as: 72 (IT services division) → 722 (software programming group) → 7221 (application software programming class) → 72212 (programming services category) → 72212730 (security software development).
The CPV system was designed in 2003 and last significantly revised in 2008. Both dates predate the modern cybersecurity category as a distinct discipline – concepts like SIEM, EDR, zero trust, and cloud security have no dedicated CPV divisions. The word "cybersecurity" does not appear anywhere in the CPV taxonomy's top-level divisions, which is why cybersecurity contracts scatter across IT services (Division 72), security equipment (Division 35), audit services (Division 79), and training (Division 80) depending entirely on how the contracting authority chose to frame their requirement.
This fragmentation creates a systematic monitoring problem. A contracting authority procuring a next-generation firewall might use 48730000-4 (security software package), 32420000-3 (network equipment), or 51000000-9 (installation services) – depending on whether the emphasis is the software licence, the physical appliance, or the deployment work. All three are legitimate classifications for essentially the same purchase. Unless you monitor all three code families, you will miss a portion of the market. The practical answer is to combine CPV code alerts with keyword alerts ("NIS2", "ISO 27001", "penetration test", "SIEM", "SOC") because contracting authorities are deeply inconsistent in their coding choices.
Country variation makes this worse. German contracting authorities tend to use CPV codes with greater precision – BAAINBw and similar agencies have standardised internal coding guidance. Italian authorities frequently apply broad parent codes and leave specificity to the contract title. French contracting authorities on the PLACE platform allow CPV filtering but keyword searching in French is often necessary to catch notices where the CPV is a generic IT code. Monitoring a single national market requires understanding that country's coding culture.
Security Software CPV Codes
- 48730000-4 – Security software package (top-level code; one of the highest-volume cybersecurity codes on TED)
- 48731000-7 – Security management software package
- 48732000-0 – Data security software package
- 48761000-0 – Anti-virus software package
- 48900000-7 – Miscellaneous software packages and computer systems
- 72212730-5 – Security software development services (rising sharply with NIS2-driven custom development mandates)
- 72212900-8 – Cybersecurity software development (explicitly named; use alongside 72212730)
- 72212517-6 – IT software development services (security applications)
Security Services CPV Codes – and How They Are Actually Used
The services codes require the most attention because they carry the highest misclassification rate. The most-searched cybersecurity service codes on TED by volume are 72220000-3, 48730000-4, 79212000-3, and 72212900-8 – but the specific use cases within each vary widely:
- 72220000-3 – Systems and technical consultancy services. The single most-used code for security architecture, NIS2 compliance consulting, and penetration testing – contracting authorities treat this as a catch-all for "expert cybersecurity advice". High volume, highly competitive.
- 72222300-0 – Information technology services (broad security services; frequently used when the authority cannot identify a more specific code)
- 72700000-7 – Computer network services (network security monitoring, SOC-as-a-service, managed detection and response)
- 72315000-6 – Data network management and support services (network security management, firewall administration)
- 72250000-2 – System and support services (managed security services, MSSP contracts)
- 72300000-8 – Data services (data security, data classification, DLP)
- 72600000-6 – Computer support and consultancy services (security helpdesk, incident response retainers)
Audit and Compliance CPV Codes
Security audits and compliance assessments are one of the fastest-growing segments following NIS2 transposition. The key code is 79212000-3 – auditing services – which covers ISO 27001 gap assessments, NIS2 compliance audits, and penetration testing reports commissioned as audit deliverables. It is one of the top-five most-searched cybersecurity codes on TED because it is consistently used by public administrations buying external audit services regardless of whether the subject is financial, IT, or specifically cybersecurity.
- 79212000-3 – Auditing services (security audits, ISO 27001 assessments, NIS2 compliance audits; high volume on TED)
- 79212100-4 – Internal audit services
- 79212300-6 – Statutory audit services
- 79131000-1 – Documentation services (data mapping, Records of Processing Activities, policy documentation)
- 79100000-5 – Legal services (data protection legal advice, DPO-as-a-service)
- 73000000-2 – Research and development services. A "watch code": ENISA and national cybersecurity agencies use this for research and threat intelligence study procurement. Not a primary security code but increasingly active.
Hardware and Infrastructure CPV Codes – and Their Misclassification Patterns
Hardware codes are where misclassification is most costly for vendors to miss. A next-generation firewall procurement may appear under 32420000-3 (the hardware), 48730000-4 (the software licence), or 51000000-9 (the installation services) – or all three as separate line items in a single contract. Security monitoring hardware presents the same problem: 35120000-1 (surveillance systems) is a "watch code" because authorities frequently use it for physical-digital hybrid security deployments – access control systems, security operations centre hardware, and perimeter monitoring equipment that also generates logs ingested by a SIEM.
- 35120000-1 – Surveillance and security systems and devices. Watch code: used for security monitoring hardware, perimeter systems, and access control appliances with cyber components.
- 32420000-3 – Network equipment (firewalls as hardware appliances; one of three possible codes for firewall procurement)
- 32422000-7 – Network components
- 35125300-2 – Security cameras (CCTV – physical security sometimes paired with cyber monitoring)
- 30200000-1 – Computer equipment and supplies (secure computing hardware, HSMs)
- 51000000-9 – Installation services. Often overlooked by cybersecurity vendors, but firewall and network security appliance deployments frequently appear here – always include it in hardware-focused monitoring.
Training and Education CPV Codes
80533100-0 is the primary watch code for the training segment and is growing significantly. NIS2 Article 20's explicit mandate for management-body training has pushed this code into much higher volume than it carried before 2023. Training contracts for awareness campaigns, phishing simulation platforms, and board-level programmes all flow through this code. Also note 80570000-0 (personal development training) – used specifically for CISO and executive-level security leadership programmes, which carry higher per-delegate values.
- 80533100-0 – Computer training services (cybersecurity awareness, technical security training; rising strongly since NIS2 transposition)
- 80000000-4 – Education and training services (broad parent code; some authorities use this instead of subcodes)
- 80510000-2 – Specialist training services (advanced security qualifications – CISSP, CISM, CEH programmes)
- 80531000-8 – Technical and vocational training services (hands-on technical skills: ethical hacking, incident response)
- 80570000-0 – Personal development training services. Watch code: used for CISO and executive security leadership development – higher value per contract than awareness training.
Setting Up TED Alerts: CPV Codes Are Not Enough
TED's alert system (ted.europa.eu) allows you to save searches and receive email notifications when matching notices are published. For cybersecurity specifically, CPV-only alerts will underperform – the taxonomy fragmentation described above means that keyword alerts are equally important. The effective strategy combines both layers:
- Create an account on TED and access the "My TED" section. Use Expert Search to combine multiple CPV codes with OR operators.
- Set up a parallel keyword alert for terms that appear in contract titles and descriptions regardless of CPV code: "NIS2", "ISO 27001", "penetration test", "penetration testing", "SIEM", "SOC", "security operations", "cyber awareness", "zero trust". These catch notices where the authority used a generic IT code.
- Filter by country if focused on specific member states, and supplement TED with national portals – BOAMP in France, Vergabe.de in Germany, TenderNed in the Netherlands – which carry pre-threshold contracts (below €140,000 for services) that never appear on TED.
- Set notification frequency to daily; cybersecurity tenders have short response windows, often 3–4 weeks from publication to deadline.
A recommended starting CPV alert set for cybersecurity – covering software, services, audit, training, and hardware across all major code families: 48730000, 48761000, 72220000, 72222300, 72700000, 79212000, 80533100, 80570000, 35120000, 32420000, 73000000. Run this alongside keyword alerts for the terms above and you will capture the substantial portion of the market that CPV codes alone miss.
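The two-layer filter described above, as an added example (not TED's or this guide's own tooling) run over constructed notices. The CPV set and keywords are the ones listed in the text; treating a parent code as covering its descendants, and the function names, are assumptions of this sketch.

```python
import re

# CPV alert set and keyword list exactly as given in the article text.
ALERT_CPV = ["48730000", "48761000", "72220000", "72222300", "72700000",
             "79212000", "80533100", "80570000", "35120000", "32420000",
             "73000000"]
KEYWORDS = ["NIS2", "ISO 27001", "penetration test", "penetration testing",
            "SIEM", "SOC", "security operations", "cyber awareness",
            "zero trust"]

# Constructed sample notices (not real TED data).
NOTICES = [
    {"title": "Next-generation firewall licences", "cpv": ["48730000-4"]},
    {"title": "Installation of perimeter firewall appliances for SOC network",
     "cpv": ["51000000-9"]},
    {"title": "Security management software", "cpv": ["48731000-7"]},
    {"title": "Social care case management system", "cpv": ["48900000-7"]},
]

def cpv_prefix(code):
    """Significant digits of a CPV code: check digit ignored, trailing zeros
    dropped, but never shorter than the 2-digit division."""
    return code.split("-")[0].rstrip("0").ljust(2, "0")

def cpv_hits(notice_codes, alert_codes=ALERT_CPV):
    """Alert codes that equal, or are an ancestor of, a code on the notice
    (assumption: a parent code should also catch its sub-codes)."""
    return sorted({a for a in alert_codes for c in notice_codes
                   if c.split("-")[0].startswith(cpv_prefix(a))})

def keyword_hits(text, keywords=KEYWORDS):
    """Whole-word, case-insensitive matches, so 'SOC' does not fire on
    'Social' and 'penetration test' does not fire on 'testing'."""
    return [k for k in keywords
            if re.search(r"(?<!\w)" + re.escape(k) + r"(?!\w)", text, re.I)]

def triage(notice):
    """Return (layer, cpv matches, keyword matches) for one notice."""
    c, k = cpv_hits(notice["cpv"]), keyword_hits(notice["title"])
    layer = "both" if c and k else "cpv" if c else "keyword" if k else "none"
    return layer, c, k

if __name__ == "__main__":
    for n in NOTICES:
        print(triage(n), "<-", n["title"])
```

The firewall installation notice filed under 51000000-9 is caught only by the keyword layer, and only because its title happens to contain a listed term.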
Most Active Codes by Volume and Codes to Watch in 2026
Highest volume cybersecurity codes in 2025 (by number of TED notices)
The top-five most-searched cybersecurity codes on TED by notice volume are: 72220000-3 (IT systems consultancy – the dominant code for security architecture and NIS2 consulting), 48730000-4 (security software), 79212000-3 (audit services – used heavily for security audits), 72212900-8 (cybersecurity software development), and 72222300-0 (broad IT services). These five codes collectively account for the majority of identifiable security contract activity on TED.
Codes to watch in 2026
72212730-5 and 72212900-8 are both rising as NIS2 pushes public bodies to commission custom security tooling rather than buying off-the-shelf. 80533100-0 is growing fast – NIS2 Article 20's management-body training mandate is generating a wave of awareness training contracts that did not exist at scale before 2023. 73000000-2 (R&D services) is worth tracking specifically for ENISA-funded research and national CERT procurement of threat intelligence capability. The hardware codes 35120000-1 and 32420000-3 are trending upward as government network security refresh cycles accelerate – particularly in Central and Eastern European member states increasing defence and resilience spending under NATO commitments.
TenderMetric's alert service monitors all relevant CPV codes and keywords simultaneously across TED and national portals, so a firewall tender misclassified under 51000000-9 (installation services) receives the same alert as one correctly filed under 48730000-4.