TenderMetric Intelligence Team · Last Reviewed: April 2026 · Sources: TED Europa · EU Publications Office · European Commission
◆ EU Procurement Intelligence — Key Facts
  • The EU public procurement market is worth €2 trillion+ annually — approximately 14% of EU GDP
  • TED Europa publishes 700,000+ contract notices per year across all 27 EU member states
  • EU procurement thresholds in 2026: €143,000 (supplies/services, central) · €5.538M (works)
  • Open procedures account for ~67% of all above-threshold EU contracts — the most accessible route for new bidders
  • All above-threshold contracts must be published in the Official Journal of the EU (OJEU) under Directive 2014/24/EU
Market Intelligence TM-INS-048 // MARCH 2026

EU Cybersecurity Tenders 2026: NIS2, ENISA, and Digital Security Procurement

Summary

EU cybersecurity procurement is growing faster than any other public sector technology category in 2026. The NIS2 Directive — which expanded mandatory cybersecurity requirements to 18 critical sectors and tens of thousands of entities when it entered into force in October 2024 — is generating a multi-billion-euro compliance procurement wave. Simultaneously, the EU Cyber Resilience Act (CRA), the European Cybersecurity Certification Scheme (EUCS) for cloud services, and the AI Act's security requirements are creating new mandatory procurement categories. ENISA (EU Agency for Cybersecurity) operates framework contracts worth hundreds of millions and coordinates EU-wide procurement exercises. Public sector cybersecurity spending across the EU is projected to exceed €12 billion annually by 2026. This guide covers the regulatory drivers, key contracting authorities, CPV codes, and strategic guidance for winning cybersecurity tenders in the EU public market.

NIS2: The Compliance Procurement Driver

Directive (EU) 2022/2555 (NIS2), which entered into force October 18, 2024, is the primary driver of mandatory cybersecurity procurement across the EU public and regulated-private sector. NIS2 expands the original NIS Directive's scope dramatically:

  • 18 critical sectors: Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal services, waste management, manufacture of critical products, food, chemicals, digital providers, and research.
  • Size threshold reduction: All medium and large entities in these sectors (50+ employees or €10M+ turnover) are in scope — estimated 160,000+ entities across the EU, up from ~5,000 under NIS1.
  • Mandatory measures: Risk management policies, incident response, business continuity, supply chain security, encryption, access control, vulnerability disclosure, multi-factor authentication — all require procurement of tools, services, and expertise.
  • Sanctions: Essential entities face fines up to €10M or 2% of global turnover; important entities face up to €7M or 1.4% of turnover — creating board-level urgency for compliance procurement.

For public sector suppliers, NIS2 means that every government ministry, agency, hospital network, utility, and transport operator across 27 member states must now demonstrate NIS2-compliant security measures — most of which require external procurement of services (penetration testing, SIEM/SOC, incident response retainers, awareness training) and technology (PAM, network monitoring, endpoint protection).

ENISA Framework Contracts

ENISA (the EU Agency for Cybersecurity, based in Athens and Heraklion) directly procures cybersecurity services and technology and also coordinates EU-wide joint procurement exercises. ENISA's annual procurement budget is approximately €30–40M, but its joint procurement exercises involve much larger volumes pooled across EU institutions and member states.

  • ENISA framework contracts: Cover cybersecurity assessments, threat intelligence, penetration testing, security awareness training, incident response support, and policy advisory services. Notices published on TED under ENISA's contracting authority code.
  • EU-CERT and CSIRT Network: ENISA coordinates the EU network of computer security incident response teams (CSIRTs) — member state CSIRTs regularly procure threat intelligence and incident response tools through coordinated exercises.
  • EU Cybersecurity Certification Scheme (EUCS): ENISA is developing the EUCS for cloud services — once finalised, public sector bodies procuring cloud will increasingly require EUCS-certified providers, creating a significant compliance market.
  • Contract notices: Monitor TED with ENISA as contracting authority; ENISA also publishes procurement notices on its website (enisa.europa.eu/publications/procurement).

EU Institutions: DIGIT and OIB Framework Contracts

The European Commission's Directorate-General for Informatics (DIGIT) manages the largest EU institution cybersecurity framework contracts, covering hundreds of millions in security services, software, and infrastructure across EU institutions, bodies, and agencies.

  • DIGIT major frameworks: DIGIT-TM-2021 (IT services including cybersecurity), DIGIT-COR (infrastructure), and forthcoming DIGIT security-specific frameworks — being on these frameworks opens access to call-off contracts across 50+ EU institutions and agencies.
  • CERT-EU: The EU Institutions' cybersecurity service procures penetration testing, threat intelligence, and security tooling; notices published via TED under OIB (Office for Infrastructure and Logistics in Brussels) contracting authority.
  • EDA (European Defence Agency): Procures cybersecurity for defence-related activities under Directive 2009/81/EC; security clearance requirements apply.

EU Cyber Resilience Act (CRA) Procurement Impact

The EU Cyber Resilience Act, applying from 2027 (with some provisions from 2026), will require that all "products with digital elements" sold in the EU market meet mandatory cybersecurity requirements throughout their lifecycle. For public procurement, this creates significant implications:

  • Technical specifications: Contracting authorities will require CRA compliance documentation in tender technical specifications for any ICT product procurement from 2026 onwards.
  • Supply chain security: Contracting authorities are increasingly requiring Software Bills of Materials (SBOMs) and supplier security attestations — following NIS2 supply chain security obligations.
  • Market opportunity: CRA compliance verification, gap assessment, and security certification services are a growing procurement category — particularly for national cybersecurity agencies conducting market surveillance.

CPV Codes for Cybersecurity Procurement

Monitoring the right CPV codes is essential for finding cybersecurity tenders efficiently:

  • 72200000: Software programming and consultancy services (broad category including security software)
  • 72212517: IT security software development
  • 72222300: Information technology services (including security audits)
  • 72225000: Computer network support and management
  • 72315100: Data network management
  • 79417000: Safety consultancy services (risk assessment)
  • 48730000: Security software packages (includes firewalls, intrusion detection)
  • 35120000: Surveillance and security systems

Many cybersecurity contracts are also published under broader IT service codes (72000000–72920000). Keyword searches for "cybersecurity," "information security," "penetration testing," "SIEM," and "SOC" in TED's full-text search supplement CPV-based monitoring.

Win Strategy for Cybersecurity Tenders

  • Certifications as selection criteria: ISO 27001 certification is increasingly a mandatory selection requirement rather than a differentiator at the award stage. SOC 2, ISO 27017 (cloud), and ISAE 3402 certifications add weight. Ensure certifications are current before bidding.
  • NIS2 compliance expertise: Demonstrate specific NIS2 implementation experience in your methodology — contracting authorities (particularly public sector bodies and utilities) want vendors who understand the regulatory context of their procurement.
  • Security clearances: Some national government cybersecurity contracts require security-cleared personnel — typically national (EU SECRET equivalent) or higher. This is a significant market access barrier worth planning for.
  • Data residency: Public sector clients increasingly specify that data processed under cybersecurity contracts must remain within the EU (sometimes within the specific member state). Cloud-based SOC or SIEM solutions must demonstrate EU data residency.
  • Framework vs. direct award: Getting on national cybersecurity framework agreements (e.g., Crown Commercial Service (CCS) in the UK, UGAP in France, CLUSIF-affiliated in Belgium) enables direct call-offs without full tendering. Pursue framework membership proactively.
Analysis compiled from TED Europa (Official Journal of the EU), European Commission procurement data, and CPV code classifications. TenderMetric tracks 10,000+ active EU procurement notices across all 27 member states, updated daily from the TED open data feed.
◆ EU Contract Value Distribution (above-threshold)
Works contracts (construction, infrastructure) ~52%
Services contracts (IT, consulting, healthcare) ~35%
Supplies contracts (equipment, goods) ~13%
SME award rate (% of contracts to SMEs) ~45%
Source: European Commission Public Procurement Statistics — approximate figures based on TED Europa data.
◆ EU Procurement Lifecycle (Open Procedure)
  • Day 1: Contract Notice Published (TED)
  • Day 1–35: Tender Preparation & Submission
  • Day 35–70: Evaluation & Clarifications
  • Day 70–85: Standstill Period (10 days)
  • Day 85: Contract Award Decision
  • Day 90+: Contract Signature & Start
Timeline is indicative. Open procedure minimum: 35 days from publication to submission deadline (Directive 2014/24/EU).
◆ Common Questions About EU Procurement
What is TED Europa and where do EU tenders come from?
TED (Tenders Electronic Daily) is the online version of the Supplement to the Official Journal of the EU, published by the EU Publications Office. It publishes procurement notices above EU thresholds from all 27 member states, EU institutions, and affiliated bodies — approximately 700,000+ notices per year. TenderMetric aggregates and enriches this data daily.
What are the EU procurement thresholds in 2026?
For 2026–2027, the EU procurement thresholds are: €143,000 for supplies and services by central government authorities; €221,000 for supplies and services by sub-central authorities; €5,538,000 for works contracts. Utilities and defence sectors have separate thresholds. Contracts above these values must be published on TED.
Can non-EU companies bid on EU public tenders?
Third-country participation depends on international agreements. Countries covered by the WTO Government Procurement Agreement (GPA) — including the US, UK, Canada, Japan, and others — generally have access to EU tenders above GPA thresholds. Countries without GPA coverage may be excluded from specific lots. Always check the contract notice for nationality restrictions.
What is an ESPD and is it required?
The European Single Procurement Document (ESPD) is a self-declaration form used across the EU as preliminary evidence of a bidder's suitability. It replaces multiple national certificates at the tender stage — you only need to submit the actual certificates if you win. The ESPD is mandatory for all above-threshold EU procurements and can be completed via the eESPD online service.
How can SMEs compete for EU public contracts?
SMEs win approximately 45% of EU public contracts by value. Key strategies: focus on lots (contracting authorities must divide large contracts into lots where feasible); form consortia with complementary firms; target sub-central authorities (municipalities, regions) where competition is lower; use framework agreements as a stepping stone to larger contracts. The ESPD simplifies the qualification process specifically to reduce SME burden.