SOC and SIEM Tenders EU: Security Operations Centre Procurement Guide

SOC-as-a-Service Procurement Growth

The fundamental driver of SOC procurement is a staffing crisis: EU public sector organisations face severe shortages of qualified security operations analysts. The EU Cybersecurity Skills Framework estimates a shortage of over 300,000 cybersecurity professionals across the EU, with the public sector disproportionately affected due to salary constraints relative to private sector competitors.

This shortage makes SOC-as-a-Service the pragmatic option for the majority of public bodies with NIS2 detection and monitoring obligations. Rather than building and staffing an internal SOC — requiring multiple analysts per shift for genuine 24/7 coverage, plus SIEM infrastructure, threat intelligence feeds, and incident response capability — organisations procure this as a managed service.

Key procurement categories within SOC services:

• Fully managed SOC: Complete outsourcing of security monitoring. The provider supplies platform, analysts, processes, and reporting. Contract values €200K–€5M+ per year for significant public bodies.
• SOC co-management: Provider operates SIEM and tier-1/2 analysis; client retains tier-3 and incident response. Hybrid model increasingly favoured by authorities wanting to build internal capability over time.
• MDR (Managed Detection and Response): Endpoint-focused variant combining EDR tooling with analyst oversight. Often procured separately from network SOC services.
• CSIRT/CERT services: Computer Security Incident Response Team support — particularly relevant for national-level procurement under the Cyber Solidarity Act.

SIEM Platform Contracts

Many public bodies procure the SIEM platform itself separately from managed services, through software licensing contracts. The dominant platforms appearing in EU public procurement:

• Microsoft Sentinel: Gaining rapidly due to deep integration with the Microsoft 365 environments already prevalent in government. Azure-native, consumption-based pricing. Often included in broader Microsoft enterprise agreements.
• Splunk Enterprise/Cloud: Long the incumbent in large government environments. High capability, high cost. Cisco acquisition has raised data sovereignty concerns in some EU member states.
• IBM QRadar: Strong in defence-adjacent and intelligence-community-adjacent procurement. On-premise deployment option maintains appeal for air-gapped environments.
• Elastic SIEM / OpenSearch: Open-source options appearing in cost-sensitive procurement, particularly in smaller member states and local government.
• EU-origin platforms: Data sovereignty concerns are driving some member states to prefer European-headquartered SIEM vendors, creating an opening for vendors like LogPoint (Denmark) and others.

24/7 Monitoring Requirements

NIS2 Article 21 requires significant entities to be capable of detecting and responding to incidents continuously. Contracts for SOC services therefore typically specify:

• 24/7/365 monitoring with defined response SLAs (e.g., acknowledge critical alerts within 15 minutes)
• Minimum analyst staffing levels per shift
• Escalation procedures and named incident response contacts
• Integration with national CSIRT/CERT for incident reporting under NIS2 Article 23 (24-hour early warning, 72-hour full notification)
• Threat intelligence feeds and regular threat landscape reporting
• Monthly KPI reporting covering alert volumes, detection rates, mean-time-to-detect, and mean-time-to-respond

Key CPV Codes

• 72700000 — Computer network services (primary code for managed network security and SOC)
• 72212730 — Security software development services
• 48730000 — Security software package (SIEM platform licensing)
• 72222300 — Information technology services
• 72250000 — System and support services (managed service operations)
• 72315000 — Data network management and support services

Qualification Requirements

SOC and SIEM contracts carry the highest qualification bars in cybersecurity procurement, reflecting the sensitive nature of the access involved:

• ISO 27001 certification — mandatory for virtually all SOC service contracts
• ISO 27035 (Incident Management) — increasingly specified alongside 27001
• SOC 2 Type II report — for cloud-delivered SOC services, particularly in contracts with data residency requirements
• National CSIRT accreditation — in several member states, operating a CSIRT/CERT requires formal accreditation by the national authority
• Data residency documentation — proof that all monitoring data remains within EU jurisdiction; US Cloud Act exposure is a disqualifying factor in some tenders
• Demonstrable 24/7 operational capability — staffing schedules, analyst CVs, escalation matrices

Outcome-Based SLAs: The New Standard

SOC contract structures are shifting from MSSP (Managed Security Service Provider) retainer models toward outcome-based contracts. Contracting authorities in Germany, France, the Netherlands, and Belgium are now routinely specifying measurable detection and response metrics as binding SLA requirements. The benchmarks that appear most frequently in 2025–2026 award notices:

• Mean Time to Detect (MTTD): <4 hours for critical and high-severity incidents
• Mean Time to Respond (MTTR): <1 hour for critical incidents (initial containment action)
• Alert false positive rate: <5% for tier-1 escalations in some specifications

Bidders who cannot demonstrate these metrics from existing operational contracts — backed by case studies with actual figures — are increasingly excluded at the technical evaluation stage. Generic claims of "industry-leading detection capability" without supporting data are scored at or near zero in MEAT evaluations with structured scoring matrices.

What Wins SOC Tenders

SOC tenders are highly competitive and evaluated on quality scores of 70% or more in most specifications. The factors that separate winning bids from credible also-rans: demonstrated knowledge of the specific threat landscape facing the contracting authority's sector; existing integrations with the platforms already deployed in the client environment; a proven track record presented with actual MTTD/MTTR figures from comparable engagements; a clear knowledge transfer plan for clients who want to build internal capability over time; and EU data residency commitments backed by legal documentation rather than general assurances. Providers that can demonstrate alignment with national CSIRT frameworks and offer documented NIS2 Article 23 incident reporting workflows will consistently score higher than providers offering equivalent technical capability without this regulatory alignment.