NIS2 Directive Procurement: Security Contracts Driven by EU Regulation

NIS2 Scope: Who Is Affected

NIS2 dramatically expands the scope of the original NIS Directive. It applies to medium and large enterprises (50+ employees or €10M+ turnover) operating in critical sectors, plus all public administration bodies at national and regional level regardless of size.

Essential entities (subject to the strictest obligations and supervision):

• Energy (electricity, oil, gas, hydrogen, district heating)
• Transport (air, rail, water, road)
• Banking and financial market infrastructure
• Health (hospitals, laboratories, pharmaceutical manufacturers)
• Drinking water and wastewater
• Digital infrastructure (DNS, TLDs, cloud, data centres, CDNs, trust services, telecoms)
• ICT service management (B2B managed services)
• Public administration at central and regional level
• Space

Important entities (subject to oversight and significant obligations):

• Postal and courier services
• Waste management
• Chemicals manufacture and distribution
• Food production, processing, and distribution
• Manufacturing (medical devices, electronics, machinery, motor vehicles)
• Digital providers (online marketplaces, search engines, social networks)
• Research organisations

What NIS2 Entities Must Procure

Article 21 of NIS2 specifies the minimum security measures that covered entities must implement. For entities without mature in-house security functions — which includes most public authorities and many regulated organisations — these requirements translate directly into service procurement:

• Penetration testing and vulnerability assessments — to identify and remediate weaknesses before mandatory reporting obligations kick in
• Incident detection and response — 24/7 monitoring and the ability to respond to and report significant incidents within 24 hours (early warning) and 72 hours (full notification)
• SIEM platforms — Security Information and Event Management tools to collect, correlate, and analyse security event logs across the organisation
• Security awareness training — mandatory programmes for staff and board-level executives, including simulation exercises
• Supply chain security assessments — audits and risk assessments of third-party ICT vendors and managed service providers
• Cryptography and key management — implementation of encryption across communications and data at rest
• Multi-factor authentication — MFA deployment across all critical systems and privileged access
• Business continuity and disaster recovery — tested backup systems, crisis management plans, and recovery procedures

Procurement Timeline and Urgency

The NIS2 transposition deadline was October 17, 2024. However, implementation across member states has been uneven — several countries transposed late, and enforcement is still ramping up. This creates a procurement urgency window throughout 2025 and 2026 as:

• National supervisory authorities begin active compliance monitoring and inspections
• The first significant fines for non-compliance are issued (essential entities face fines up to €10M or 2% of global turnover)
• Boards and senior management face personal liability for cybersecurity failures, creating top-down pressure to procure compliance services quickly
• Insurance companies begin conditioning cyber coverage on demonstrable NIS2 compliance

This urgency means many NIS2-driven contracts are being tendered on accelerated timescales, sometimes using negotiated procedures with short response windows. Monitor TED daily for notices in relevant sectors.

Key CPV Codes for NIS2-Driven Contracts

• 72220000 — Systems and technical consultancy (NIS2 gap assessments, compliance consulting)
• 72212730 — Security software development services
• 72212517 — IT security application development
• 79212000 — Auditing services (compliance audits, supply chain audits)
• 80533100 — Computer training services (security awareness)
• 72700000 — Computer network services (network monitoring, SOC)
• 48730000 — Security software package (SIEM, endpoint protection)

Opportunity Size and Market Dynamics

ENISA estimates that NIS2 will require affected entities to increase cybersecurity budgets by an average of 22% — and for many previously unregulated organisations moving from zero to compliant, the real increase is far higher. Applied across the estimated 160,000 covered entities in the EU, the incremental procurement generated by NIS2 compliance is estimated at €5–8 billion over the 2024–2027 implementation window.

Public bodies are particularly significant buyers because they must use formal procurement processes for most services above national thresholds (typically €140K for services). Unlike private sector NIS2 entities that can contract informally, public authority cybersecurity spending flows through TED and national procurement portals — making it visible and systematically targetable by vendors with the right market intelligence tools.

Positioning Your Firm for NIS2 Contracts

Firms that win NIS2-related contracts consistently do two things well. First, they explicitly frame their services in NIS2 language — referencing specific articles, obligations, and compliance timelines in their bid documents. Evaluators who are scrambling to achieve compliance respond far better to a vendor that speaks their regulatory language than one presenting generic security services.

Second, they offer packaged compliance pathways rather than point solutions. A tender for "NIS2 gap assessment and remediation roadmap" is more valuable to a contracting authority than separate tenders for a gap assessment, a penetration test, and a training programme. If your firm can offer a credible end-to-end NIS2 compliance service — even through subcontracting partnerships — you will win more work and at higher contract values.