ENISA Procurement Guide: Bidding for EU Cybersecurity Agency Contracts

What ENISA Procures

ENISA's mandate has expanded significantly under the EU Cybersecurity Act (Regulation 2019/881), which made the agency permanent and gave it new responsibilities around cybersecurity certification and the European Cybersecurity Reserve. This expanded mandate translates into a broader and larger procurement portfolio:

• Research and threat intelligence studies: ENISA's flagship publications — including the annual Threat Landscape Report, reports on specific threat actors, sector-specific threat analyses, and technical guidelines — are mostly produced by contracted research firms and consultancies. Contract values: €50,000–€300,000 per study.
• Cybersecurity certification support: The EU Cybersecurity Act authorises ENISA to develop European Cybersecurity Certification Schemes (EUCS for cloud, EUCC for ICT products, EU5G for 5G). Developing these schemes requires external expert support for technical writing, stakeholder consultation, and standard-setting. High-value specialist contracts for experienced technical experts.
• Training programme development: ENISA develops and delivers training through the ENISA Academy — cybersecurity training for EU institutions, member state authorities, and national CSIRTs. Contracts for curriculum development, e-learning platform maintenance, and training delivery.
• Exercise support: ENISA runs Cyber Europe (the largest EU cyber exercise) and supports CSIRT capacity building. Exercise scenario design, facilitation, and evaluation require specialist external support.
• Event management: ENISA organises multiple major events annually including the European Cyber Security Month (ECSM), the ENISA conference series, and stakeholder workshops. Event management, logistics, translation, and communication services are regularly tendered.
• IT systems and data management: ENISA's internal IT infrastructure, knowledge management systems, and threat intelligence platforms are maintained through service contracts.
• Communication and publications: Design, printing, and digital publication services for ENISA's extensive publication library.

Tender Volumes and Contract Values

ENISA publishes procurement notices through three channels: TED (for contracts above EU thresholds), ENISA's own procurement page (enisa.europa.eu/about-enisa/procurement), and specific calls within framework contracts. Annual procurement spend is estimated at €15–25 million, distributed across 30–60 individual contract notices. The majority of contracts fall in the €20,000–€200,000 range — accessible to specialist SMEs and boutique consultancies — with a smaller number of larger framework agreements for ongoing services.

How to Find ENISA Tenders on TED

On TED, ENISA tenders can be found by:

• Contracting authority search: Filter by "European Union Agency for Cybersecurity" or "ENISA" in the buyer name field
• CPV code monitoring: ENISA research and advisory services typically use 73000000 (Research and development services), 72220000 (IT consultancy), and 80000000 (Training) codes
• Direct procurement page: enisa.europa.eu/about-enisa/procurement publishes open calls and results — bookmark this page for direct monitoring

Prior Information Notices (PINs) from ENISA are particularly valuable — they announce planned procurements 3–12 months in advance, giving you time to prepare a strong application or identify consortium partners.

Qualification Requirements for EU Institution Contracts

Bidding for ENISA contracts involves EU institution-specific procurement rules under the EU Financial Regulation (2018/1046). Key differences from national procurement:

• Exclusion grounds: Companies must declare they are not subject to exclusion grounds (bankruptcy, fraud convictions, tax irregularities) via a solemn declaration. The EU maintains the Early Warning System and Central Exclusion Database.
• Financial capacity: For contracts above €60,000, companies must demonstrate financial stability — typically via audited accounts for the last 2 years showing average annual turnover at least 1.5× the contract value.
• Technical capacity: Demonstrated via references (similar contracts completed in the last 3 years), CVs of key personnel, and relevant certifications.
• Language requirements: ENISA tenders are in English; bid documentation must be submitted in English.

Past Awards and Market Intelligence

ENISA publishes contract award notices on TED, and reviewing past awards is the most efficient way to understand the market. Major recipients of ENISA contracts include large cybersecurity consultancies (KPMG, Deloitte, PwC in the EU), specialist research firms, and smaller boutique cybersecurity research companies. ENISA actively works to increase SME contract wins — the agency's procurement team is receptive to questions at pre-tender stage (market consultations) and explicitly encourages subcontracting arrangements that enable SMEs to participate in larger contracts.

Tips for SMEs Bidding for ENISA Contracts

ENISA contracts are achievable for well-prepared small firms. Practical success factors: specialise — ENISA is more likely to award a niche research contract to a specialist boutique than a generalist. Build a publication record in your target area before bidding for research contracts — ENISA evaluates technical quality heavily and published research credentials signal genuine expertise. Consider consortium bids for larger contracts, partnering with a company with existing EU institution experience to demonstrate procedural competence. Engage at the consultation stage when ENISA publishes prior information notices — your input at this stage can influence the eventual specification in your favour. Finally, invest in high-quality bid writing: ENISA evaluators are sophisticated, and bids that are technically strong but poorly structured or written consistently underperform against expectation.