โ—† TenderMetric Intelligence Team ยท Last Reviewed: April 2026 ยท Sources: TED Europa ยท EU Publications Office ยท European Commission
โ—† EU Procurement Intelligence โ€” Key Facts
  • โœ“ The EU public procurement market is worth โ‚ฌ2 trillion+ annually โ€” approximately 14% of EU GDP
  • โœ“ TED Europa publishes 700,000+ contract notices per year across all 27 EU member states
  • โœ“ EU procurement thresholds in 2026: โ‚ฌ143,000 (supplies/services, central) ยท โ‚ฌ5.538M (works)
  • โœ“ Open procedures account for ~67% of all above-threshold EU contracts โ€” the most accessible route for new bidders
  • โœ“ All above-threshold contracts must be published in the Official Journal of the EU (OJEU) under Directive 2014/24/EU
โ† Back to Insights
Sector Guide TM-INS-073 // MARCH 2026

SOC and SIEM Tenders EU: Security Operations Centre Procurement Guide

Summary

Security Operations Centre (SOC) services and SIEM platform procurement represent some of the largest and highest-value cybersecurity contracts in European public procurement. The EU Cyber Solidarity Act has directly funded national SOC establishment, while NIS2 compliance is driving demand for managed detection and response among thousands of public bodies that cannot sustain in-house 24/7 security monitoring. SIEM contracts for Splunk, Microsoft Sentinel, IBM QRadar, and competing platforms โ€” plus the managed services to operate them โ€” are among the fastest-growing segments on TED. This guide explains the market, what is being bought, and how to position for it.

SOC-as-a-Service Procurement Growth

The fundamental driver of SOC procurement is a staffing crisis: EU public sector organisations face severe shortages of qualified security operations analysts. The EU Cybersecurity Skills Framework estimates a shortage of over 300,000 cybersecurity professionals across the EU, with the public sector disproportionately affected due to salary constraints relative to private sector competitors.

This shortage makes SOC-as-a-Service the pragmatic option for the majority of public bodies with NIS2 detection and monitoring obligations. Rather than building and staffing an internal SOC โ€” requiring multiple analysts per shift for genuine 24/7 coverage, plus SIEM infrastructure, threat intelligence feeds, and incident response capability โ€” organisations procure this as a managed service.

Key procurement categories within SOC services:

  • Fully managed SOC: Complete outsourcing of security monitoring. The provider supplies platform, analysts, processes, and reporting. Contract values โ‚ฌ200Kโ€“โ‚ฌ5M+ per year for significant public bodies.
  • SOC co-management: Provider operates SIEM and tier-1/2 analysis; client retains tier-3 and incident response. Hybrid model increasingly favoured by authorities wanting to build internal capability over time.
  • MDR (Managed Detection and Response): Endpoint-focused variant combining EDR tooling with analyst oversight. Often procured separately from network SOC services.
  • CSIRT/CERT services: Computer Security Incident Response Team support โ€” particularly relevant for national-level procurement under the Cyber Solidarity Act.

SIEM Platform Contracts

Many public bodies procure the SIEM platform itself separately from managed services, through software licensing contracts. The dominant platforms appearing in EU public procurement:

  • Microsoft Sentinel: Gaining rapidly due to deep integration with the Microsoft 365 environments already prevalent in government. Azure-native, consumption-based pricing. Often included in broader Microsoft enterprise agreements.
  • Splunk Enterprise/Cloud: Long the incumbent in large government environments. High capability, high cost. Cisco acquisition has raised data sovereignty concerns in some EU member states.
  • IBM QRadar: Strong in defence-adjacent and intelligence-community-adjacent procurement. On-premise deployment option maintains appeal for air-gapped environments.
  • Elastic SIEM / OpenSearch: Open-source options appearing in cost-sensitive procurement, particularly in smaller member states and local government.
  • EU-origin platforms: Data sovereignty concerns are driving some member states to prefer European-headquartered SIEM vendors, creating an opening for vendors like LogPoint (Denmark) and others.

24/7 Monitoring Requirements

NIS2 Article 21 requires significant entities to be capable of detecting and responding to incidents continuously. Contracts for SOC services therefore typically specify:

  • 24/7/365 monitoring with defined response SLAs (e.g., acknowledge critical alerts within 15 minutes)
  • Minimum analyst staffing levels per shift
  • Escalation procedures and named incident response contacts
  • Integration with national CSIRT/CERT for incident reporting under NIS2 Article 23 (24-hour early warning, 72-hour full notification)
  • Threat intelligence feeds and regular threat landscape reporting
  • Monthly KPI reporting covering alert volumes, detection rates, mean-time-to-detect, and mean-time-to-respond

Key CPV Codes

  • 72700000 โ€” Computer network services (primary code for managed network security and SOC)
  • 72212730 โ€” Security software development services
  • 48730000 โ€” Security software package (SIEM platform licensing)
  • 72222300 โ€” Information technology services
  • 72250000 โ€” System and support services (managed service operations)
  • 72315000 โ€” Data network management and support services

Qualification Requirements

SOC and SIEM contracts carry the highest qualification bars in cybersecurity procurement, reflecting the sensitive nature of the access involved:

  • ISO 27001 certification โ€” mandatory for virtually all SOC service contracts
  • ISO 27035 (Incident Management) โ€” increasingly specified alongside 27001
  • SOC 2 Type II report โ€” for cloud-delivered SOC services, particularly in contracts with data residency requirements
  • National CSIRT accreditation โ€” in several member states, operating a CSIRT/CERT requires formal accreditation by the national authority
  • Data residency documentation โ€” proof that all monitoring data remains within EU jurisdiction; US Cloud Act exposure is a disqualifying factor in some tenders
  • Demonstrable 24/7 operational capability โ€” staffing schedules, analyst CVs, escalation matrices

Key Differentiators When Bidding

SOC tenders are highly competitive and often evaluated on quality scores of 70% or more. Winning differentiators include: demonstrated knowledge of the specific threat landscape facing the contracting authority's sector; existing integrations with the platforms already deployed in the client environment; a proven track record of detecting and responding to incidents (case studies, metrics, references); a clear knowledge transfer plan if the client wants to build internal capability; and EU data residency commitments backed by legal guarantees. Providers that can demonstrate alignment with national CSIRT frameworks and offer seamless NIS2 incident reporting support will score significantly higher than those offering generic SOC services.

End of Briefing // TenderMetric Intelligence Systems โ€” TM-INS-073

Related Articles

Sector Guide
EU Cybersecurity Tenders 2026: How to Win Government Security Contracts
Regulations
NIS2 Directive Procurement: Security Contracts Driven by EU Regulation
Regulations
EU Framework Agreements Explained
โ—†
TenderMetric Intelligence Team
EU Procurement Research & Analysis ยท Last updated April 2026
Analysis compiled from TED Europa (Official Journal of the EU), European Commission procurement data, and CPV code classifications. TenderMetric tracks 10,000+ active EU procurement notices across all 27 member states, updated daily from the TED open data feed.
Get Weekly EU Tender Alerts
New tenders from TED Europa across all 27 EU member states โ€” every Monday. Free forever.
โ—† EU Procurement Intelligence at a Glance
10K+
Active tenders tracked
27
EU member states
โ‚ฌ2T+
Annual market value
Daily
Data refresh from TED
โ—† EU Contract Value Distribution (above-threshold)
Works contracts (construction, infrastructure) ~52%
Services contracts (IT, consulting, healthcare) ~35%
Supplies contracts (equipment, goods) ~13%
SME award rate (% of contracts to SMEs) ~45%
Source: European Commission Public Procurement Statistics โ€” approximate figures based on TED Europa data.
โ—† EU Procurement Lifecycle (Open Procedure)
Day 1
Contract Notice Published (TED)
Day 1โ€“35
Tender Preparation & Submission
Day 35โ€“70
Evaluation & Clarifications
Day 70โ€“85
Standstill Period (10 days)
Day 85
Contract Award Decision
Day 90+
Contract Signature & Start
Timeline is indicative. Open procedure minimum: 35 days from publication to submission deadline (Directive 2014/24/EU).
โ—†
About the Author
TenderMetric Research Team
EU Procurement Intelligence Specialists ยท tendermetric.com
Our analysts monitor 10,000+ EU procurement notices daily across construction, IT, healthcare, defense, and energy sectors. All data sourced from TED Europa and the EU Publications Office.
๐Ÿ“‹ 10K+ tenders tracked ๐Ÿ‡ช๐Ÿ‡บ 27 member states ๐Ÿ”„ Updated: April 2026
โ—† Common Questions About EU Procurement
What is TED Europa and where do EU tenders come from? +
TED (Tenders Electronic Daily) is the online version of the Supplement to the Official Journal of the EU, published by the EU Publications Office. It publishes procurement notices above EU thresholds from all 27 member states, EU institutions, and affiliated bodies โ€” approximately 700,000+ notices per year. TenderMetric aggregates and enriches this data daily.
What are the EU procurement thresholds in 2026? +
For 2026โ€“2027, the EU procurement thresholds are: โ‚ฌ143,000 for supplies and services by central government authorities; โ‚ฌ221,000 for supplies and services by sub-central authorities; โ‚ฌ5,538,000 for works contracts. Utilities and defence sectors have separate thresholds. Contracts above these values must be published on TED.
Can non-EU companies bid on EU public tenders? +
Third-country participation depends on international agreements. Countries covered by the WTO Government Procurement Agreement (GPA) โ€” including the US, UK, Canada, Japan, and others โ€” generally have access to EU tenders above GPA thresholds. Countries without GPA coverage may be excluded from specific lots. Always check the contract notice for nationality restrictions.
What is an ESPD and is it required? +
The European Single Procurement Document (ESPD) is a self-declaration form used across the EU as preliminary evidence of a bidder's suitability. It replaces multiple national certificates at the tender stage โ€” you only need to submit the actual certificates if you win. The ESPD is mandatory for all above-threshold EU procurements and can be completed via the eESPD online service.
How can SMEs compete for EU public contracts? +
SMEs win approximately 45% of EU public contracts by value. Key strategies: focus on lots (contracting authorities must divide large contracts into lots where feasible); form consortia with complementary firms; target sub-central authorities (municipalities, regions) where competition is lower; use framework agreements as a stepping stone to larger contracts. The ESPD simplifies the qualification process specifically to reduce SME burden.
Browse Active EU Tenders
By Sector: Construction IT Services Healthcare Engineering Energy Environment Education Defense Software Transport R&D Finance
By Country: Germany France Italy Spain Poland Netherlands Belgium Sweden Austria Greece Portugal Czech Republic