Summary
Cybersecurity training and awareness has become one of the highest-volume, lowest-barrier-to-entry segments of EU public-sector cybersecurity procurement. NIS2 Article 20 explicitly mandates that management bodies of covered entities receive cybersecurity training and that organisations ensure their staff have adequate security awareness. This legal obligation is generating hundreds of training contracts annually across EU public bodies, from e-learning platform licences at €15,000 per year for small municipalities to multi-year managed awareness programmes at €500,000+ for national government departments.
Why Cybersecurity Training Is Now a Mandatory Procurement
NIS2 Article 20 (Governance) is the most directly procurement-driving provision of the directive. It requires that management bodies of essential and important entities — which includes the boards and senior leadership of public administration bodies — approve cybersecurity risk management measures, oversee their implementation, and receive training to identify and assess cybersecurity risks and management practices. This provision does not apply only to IT departments: it applies to the chief executive, the board, the minister — whoever constitutes the management body of a covered entity.
This is not a soft recommendation. Under NIS2, management bodies can be held personally liable for cybersecurity failures, with maximum fines of €10 million or 2% of global turnover for essential entities. That personal liability creates a powerful incentive for senior officials to ensure training is procured, documented, and completed — and that it is credible enough to demonstrate due diligence to a national regulator during an audit.
Beyond leadership, Article 21(2)(g) requires covered entities to implement "basic cyber hygiene practices and cybersecurity training" for all staff. For public authorities with hundreds or thousands of employees, this cannot be delivered through informal internal sessions — it requires a contracted training provider with a scalable platform and documented completion tracking. The combination of the Article 20 board-level mandate and Article 21 all-staff requirement means most covered entities need two separate procurement vehicles: an executive programme and a mass-participation awareness platform.
Named buyers active in this space include EU-OSHA (Bilbao) for health and safety awareness training that increasingly incorporates cybersecurity modules, ENISA (Athens/Heraklion) for technical training development and certification of training content, and NATO CCDCOE (Tallinn) for advanced technical exercises used by national defence and cybersecurity agencies. National CERTs — including BSI (Germany), ANSSI (France), NCSC-NL (Netherlands), and CERT-PL (Poland) — regularly procure national awareness campaign delivery and exercise facilitation services.
Types of Training Procured by Government — with Contract Value Ranges
The training market for public sector cybersecurity breaks into five distinct procurement types, each with its own CPV code pattern, qualification bar, and typical value range. Understanding which type you are competing for matters — the evaluation criteria, qualification thresholds, and likely competitors differ substantially:
- E-learning platform licences: Annual licences for platforms (KnowBe4, Proofpoint Security Awareness, Mimecast, and EU-hosted alternatives with GDPR-compliant data residency) delivering modular online training to all staff with completion tracking. Typical contract value: €15,000–€150,000 per year depending on headcount. Tendered under CPV 80533100-0 or 48731000-7.
- Phishing simulation and awareness campaigns: Often bundled with the platform — simulated phishing campaigns with click-rate reporting, targeted remedial training for staff who fail, and a measurable susceptibility trend line for regulators. Typical value: €20,000–€80,000. The measurable KPI element is what makes this attractive to procurement evaluators.
- Tabletop and crisis simulation exercises: Facilitated scenarios where leadership teams and incident response personnel walk through a simulated cyberattack — ransomware, data breach, or DDoS — testing decision-making, communication, and response procedures. Typical value: €10,000–€50,000 per exercise. NATO CCDCOE runs the most advanced version of these for national agencies; private providers compete on national and regional authority contracts.
- CISO and board-level development programmes: Specialist programmes covering cyber risk quantification, NIS2 personal liability, and crisis communication — often delivered as half-day or full-day workshops by senior consultants with hands-on sector experience. Typical value: €50,000–€200,000 for a multi-session programme.
- Technical skills training: Hands-on training for IT and security teams — ethical hacking, secure coding, cloud security, incident response. Often certified programmes (CISSP, CISM, CEH, CompTIA Security+) with per-seat costs at €2,000–€5,000. Typical contract value: €30,000–€150,000. Accreditation through bodies like CompTIA, ISACA, (ISC)², EC-Council, or CREST membership for technical penetration testing training is usually a mandatory qualification requirement.
- Role-specific awareness modules: Targeted content for high-risk roles — HR staff handling personal data, finance staff exposed to payment fraud, procurement officers managing supply chain risks. Usually procured as an add-on to an existing awareness platform contract or as a standalone call-off under a framework.
Key CPV Codes
- 80533100 — Computer training services (primary code for cybersecurity awareness and technical training)
- 80000000 — Education and training services (broad code sometimes used)
- 80510000 — Specialist training services
- 80531000 — Technical and vocational training services
- 48731000 — Security management software package (for phishing simulation platforms)
- 72222300 — Information technology services (sometimes used for e-learning platform provision)
Training contracts are among the easiest to find via keyword search: "security awareness", "cybersecurity training", "phishing simulation", "sensibilisation cybersécurité", "Cybersicherheitsschulung" across European procurement portals.
Framework Agreements: The Primary Route to Repeat Business
Security awareness training frequently appears in framework agreements run by central purchasing bodies, allowing individual public bodies to call off training services without running a full tender. Most large public bodies — national ministries, major agencies, NHS bodies in the UK, federal entities in Germany — run 4-year training frameworks with multiple providers per lot. This multi-supplier structure is standard precisely because training needs vary by audience and no single provider dominates. For suppliers, getting onto a national framework is a high-value investment — once listed, individual call-off contracts are issued without competitive tender, often with minimal formality for contracts below national simplified threshold values.
Pan-government IT services frameworks (which typically include a training lot alongside software and support) are the most common vehicle. Dedicated e-learning or digital skills frameworks are less common but growing. Suppliers should treat framework bids as a primary market entry strategy rather than pursuing individual tenders in isolation — a single framework position can generate multiple years of call-off revenue without re-tendering.
Language requirements are a material qualification factor at the call-off stage. Most member states specify that training delivery must be in the national language — even if the underlying content platform is English, the facilitation, customisation, localised phishing simulation templates, and support must be in the local language. Suppliers without in-country delivery capability either need a local partner or must limit themselves to countries where English-medium delivery is accepted (primarily the Nordic countries, Netherlands, and Ireland for EU institutions).
Qualification Requirements and How to Win
Qualification requirements for training contracts are lighter than those for technical cybersecurity service contracts, which makes this segment genuinely accessible to smaller and specialist providers. The standard qualification bar across European public procurement includes:
- Demonstrated experience delivering cybersecurity training to public sector organisations — typically references from 2–3 comparable clients within the last 3 years, specifying audience size and contract value
- Accreditation through recognised bodies: CompTIA, ISACA, (ISC)², EC-Council partnerships for awareness and certification programmes; CREST membership for technical penetration testing training; ISO 29993 (Learning services outside formal education) certification is increasingly requested as a general quality indicator for training organisations
- GDPR-compliant platform with EU data residency — user completion data, phishing test results, and assessment scores for EU public authority employees cannot be processed outside EU jurisdiction. This is a disqualifying criterion for non-EU cloud platforms that cannot demonstrate an EU data residency option.
- Evidence of training effectiveness — completion rates, pre/post knowledge assessment scores, phishing susceptibility improvement statistics. Evaluators increasingly request outcome metrics rather than input descriptions.
- Customisation capability — the ability to adapt scenario content, branding, and simulated phishing templates to the authority's specific sector, systems, and threat environment
The differentiation in evaluation comes down to outcomes evidence. Evaluators at public bodies — who are increasingly familiar with security awareness as a regulated obligation — score bids that demonstrate measurable behaviour change substantially higher than bids describing content features. A provider that can show, with anonymised case study data, that a comparable public sector client reduced phishing click rates from 24% to 7% over 18 months is proposing a measurably different service from one that lists module topics.