EU Cybersecurity Tenders 2026: NIS2, ENISA, and Digital Security Procurement

NIS2: The Compliance Procurement Driver

Directive (EU) 2022/2555 (NIS2), which entered into force October 18, 2024, is the primary driver of mandatory cybersecurity procurement across the EU public and regulated-private sector. NIS2 expands the original NIS Directive's scope dramatically:

• 18 critical sectors: Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal services, waste management, manufacture of critical products, food, chemicals, digital providers, and research.
• Size threshold reduction: All medium and large entities in these sectors (50+ employees or €10M+ turnover) are in scope — estimated 160,000+ entities across the EU, up from ~5,000 under NIS1.
• Mandatory measures: Risk management policies, incident response, business continuity, supply chain security, encryption, access control, vulnerability disclosure, multi-factor authentication — all require procurement of tools, services, and expertise.
• Sanctions: Essential entities face fines up to €10M or 2% of global turnover; important entities face up to €7M or 1.4% of turnover — creating board-level urgency for compliance procurement.

For public sector suppliers, NIS2 means that every government ministry, agency, hospital network, utility, and transport operator across 27 member states must now demonstrate NIS2-compliant security measures — most of which require external procurement of services (penetration testing, SIEM/SOC, incident response retainers, awareness training) and technology (PAM, network monitoring, endpoint protection).

ENISA Framework Contracts

ENISA (the EU Agency for Cybersecurity, based in Athens and Heraklion) directly procures cybersecurity services and technology and also coordinates EU-wide joint procurement exercises. ENISA's annual procurement budget is approximately €30–40M, but its joint procurement exercises involve much larger volumes pooled across EU institutions and member states.

• ENISA framework contracts: Cover cybersecurity assessments, threat intelligence, penetration testing, security awareness training, incident response support, and policy advisory services. Notices published on TED under ENISA's contracting authority code.
• EU-CERT and CSIRT Network: ENISA coordinates the EU network of computer security incident response teams (CSIRTs) — member state CSIRTs regularly procure threat intelligence and incident response tools through coordinated exercises.
• EU Cybersecurity Certification Scheme (EUCS): ENISA is developing the EUCS for cloud services — once finalised, public sector bodies procuring cloud will increasingly require EUCS-certified providers, creating a significant compliance market.
• Contract notices: Monitor TED with ENISA as contracting authority; ENISA also publishes procurement notices on its website (enisa.europa.eu/publications/procurement).

EU Institutions: DIGIT and OIB Framework Contracts

The European Commission's Directorate-General for Informatics (DIGIT) manages the largest EU institution cybersecurity framework contracts, covering hundreds of millions in security services, software, and infrastructure across EU institutions, bodies, and agencies.

• DIGIT major frameworks: DIGIT-TM-2021 (IT services including cybersecurity), DIGIT-COR (infrastructure), and forthcoming DIGIT security-specific frameworks — being on these frameworks opens access to call-off contracts across 50+ EU institutions and agencies.
• CERT-EU: The EU Institutions' cybersecurity service procures penetration testing, threat intelligence, and security tooling; notices published via TED under OIB (Office for Infrastructure and Logistics in Brussels) contracting authority.
• EDA (European Defence Agency): Procures cybersecurity for defence-related activities under Directive 2009/81/EC; security clearance requirements apply.

Cyber Solidarity Act: A New Procurement Category

The EU Cyber Solidarity Act, adopted in 2024, establishes an EU Cybersecurity Reserve — a mutual assistance mechanism allowing member states to draw on pre-contracted standby incident response capacity during major cross-border cyber incidents. The Reserve is funded at EU level and procured centrally by ENISA or designated bodies. Expected contract values for reserve capacity providers exceed €100 million in aggregate, covering 24/7 on-call incident response teams, forensic investigation capacity, and recovery support services. This creates a new, structurally funded procurement category — separate from NIS2 compliance spending — that will run as a recurring contract cycle. Suppliers targeting this market must demonstrate rapid deployment capability across multiple member states and hold relevant security clearances.

EU Cyber Resilience Act (CRA) Procurement Impact

The EU Cyber Resilience Act, applying from 2027 (with some provisions from 2026), will require that all "products with digital elements" sold in the EU market meet mandatory cybersecurity requirements throughout their lifecycle. For public procurement, this creates significant implications:

• Technical specifications: Contracting authorities will require CRA compliance documentation in tender technical specifications for any ICT product procurement from 2026 onwards.
• Supply chain security: Contracting authorities are increasingly requiring Software Bills of Materials (SBOMs) and supplier security attestations — following NIS2 supply chain security obligations.
• Market opportunity: CRA compliance verification, gap assessment, and security certification services are a growing procurement category — particularly for national cybersecurity agencies conducting market surveillance.

CPV Codes for Cybersecurity Procurement

Monitoring the right CPV codes is essential for finding cybersecurity tenders efficiently:

• 72200000: Software programming and consultancy services (broad category including security software)
• 72212517: IT security software development
• 72222300: Information technology services (including security audits)
• 72225000: Computer network support and management
• 72315100: Data network management
• 79417000: Safety consultancy services (risk assessment)
• 48730000: Security software packages (includes firewalls, intrusion detection)
• 35120000: Surveillance and security systems

Many cybersecurity contracts are also published under broader IT service codes (72000000–72920000). Keyword searches for "cybersecurity," "information security," "penetration testing," "SIEM," and "SOC" in TED's full-text search supplement CPV-based monitoring.

Win Strategy for Cybersecurity Tenders

• Certifications as selection criteria: ISO 27001 certification is increasingly a mandatory selection requirement rather than award criterion differentiator. SOC 2, ISO 27017 (cloud), and ISAE 3402 certifications add weight. Ensure certifications are current before bidding.
• NIS2 compliance expertise: Demonstrate specific NIS2 implementation experience in your methodology — contracting authorities (particularly public sector bodies and utilities) want vendors who understand the regulatory context of their procurement.
• Security clearances: Some national government cybersecurity contracts require security-cleared personnel — typically national (EU SECRET equivalent) or higher. This is a significant market access barrier worth planning for.
• Data residency: Public sector clients increasingly specify that data processed under cybersecurity contracts must remain within the EU (sometimes within the specific member state). Cloud-based SOC or SIEM solutions must demonstrate EU data residency.
• Framework vs. direct award: Getting on national cybersecurity framework agreements (e.g., Crown Commercial Service CCS in UK, UGAP in France, CLUSIF-affiliated in Belgium) enables direct call-offs without full tendering. Pursue framework membership proactively.