Summary
Cybersecurity training and awareness has become one of the highest-volume, lowest-barrier-to-entry segments of EU public-sector cybersecurity procurement. NIS2 Article 20 explicitly mandates that management bodies of covered entities receive cybersecurity training and that organisations ensure their staff have adequate security awareness. This legal obligation is generating hundreds of training contracts annually across EU public bodies, from e-learning platform licences at €15,000 per year for small municipalities to multi-year managed awareness programmes at €500,000+ for national government departments. This guide covers what is being procured, the relevant CPV codes, qualification requirements, and how training companies and consultancies can win these contracts.
Why Cybersecurity Training Is a Mandatory Procurement
NIS2 Article 20 (Governance) is the most directly procurement-driving provision of the directive. It requires that management bodies of essential and important entities – which include the boards and senior leadership of public administration bodies – approve cybersecurity risk management measures, oversee their implementation, and receive training to identify and assess cybersecurity risks and management practices.
This is not a soft recommendation. Under NIS2, management bodies can be held personally liable for cybersecurity failures. This liability creates a powerful personal incentive for senior officials to ensure training is procured, documented, and completed – and that the training is credible enough to demonstrate due diligence to a regulator.
Beyond leadership, Article 21(2)(g) requires covered entities to implement "basic cyber hygiene practices and cybersecurity training" for all staff. For public authorities with hundreds or thousands of employees, this cannot be delivered through informal internal sessions – it requires a contracted training provider with a scalable platform and documented completion tracking.
Types of Training Procured by Government
- Security awareness e-learning platforms: The largest segment by contract volume. Annual licences for platforms (KnowBe4, Proofpoint Security Awareness, Mimecast, and EU alternatives) delivering modular online training to all staff. Typical contract values: €15,000–€150,000 per year depending on headcount.
- Phishing simulation services: Often bundled with e-learning. Regular simulated phishing campaigns with click-rate reporting and targeted follow-up training for employees who fall for simulations. Creates measurable KPIs for security posture improvement.
- Tabletop and crisis simulation exercises: Facilitated scenarios where leadership teams and incident response personnel walk through a simulated cyberattack – ransomware, data breach, or DDoS – to test decision-making, communication, and response procedures. Typical value: €10,000–€50,000 per exercise.
- CISO and board-level training: Specialist programmes for executives, covering cyber risk quantification, regulatory obligations under NIS2 and GDPR, and strategic decision-making during incidents. Often delivered as workshops by senior consultants.
- Technical security training: Hands-on training for IT and security teams – ethical hacking, secure coding, cloud security, incident response. Often certified programmes leading to CISSP, CISM, CEH, or CompTIA qualifications.
- Role-specific modules: Targeted awareness for high-risk roles – HR staff handling personal data, finance staff exposed to payment fraud, procurement staff managing supply chain risks.
Key CPV Codes
- 80533100 – Computer training services (primary code for cybersecurity awareness and technical training)
- 80000000 – Education and training services (broad code sometimes used)
- 80510000 – Specialist training services
- 80531000 – Technical and vocational training services
- 48731000 – Security management software package (for phishing simulation platforms)
- 72222300 – Information technology services (sometimes used for e-learning platform provision)
Training contracts are among the easiest to find via keyword search: "security awareness", "cybersecurity training", "phishing simulation", "sensibilisation cybersécurité", "Cybersicherheitsschulung" across European procurement portals.
Contract Structures and Framework Agreements
Security awareness training frequently appears in framework agreements run by central purchasing bodies, allowing individual public bodies to call off training services without running a full tender. Relevant national frameworks include pan-government IT services frameworks (which often include a training lot) and dedicated e-learning frameworks. For suppliers, getting onto a national framework is a high-value investment – once listed, individual call-off contracts can be issued without competitive tender, often with minimal formality for contracts below national simplified threshold values.
Qualification and Competing Successfully
Training contract qualification requirements are lighter than technical cybersecurity service contracts, making them accessible to smaller providers:
- Demonstrated experience delivering cybersecurity training to public sector organisations (references from 2–3 comparable clients)
- GDPR-compliant platform with EU data residency (user data from EU public authority employees must not leave EU jurisdiction)
- Evidence of training effectiveness – completion rates, pre/post knowledge assessments, phishing susceptibility trending
- Qualifications of training facilitators for instructor-led elements
- Customisation capability – ability to adapt content to the authority's specific environment, branding, and threats
Winning training tenders hinges on demonstrating genuine behaviour change rather than compliance tick-boxing. Evaluators increasingly ask for evidence of measurable outcomes, so vendors with strong metrics and case studies showing reductions in phishing susceptibility or security incident rates have a significant advantage. Multilingual content capability is particularly valued in multinational EU institution contracts.