Software Development Tenders EU 2026: Bidding on Custom Software and Web Development Contracts

CPV Codes for Software Development Tenders

Software development procurement sits primarily within the CPV 72000000 (IT services) family, but you want the programming and development sub-branches specifically — otherwise you'll be drowning in managed services and helpdesk contracts that have nothing to do with custom builds. The codes to monitor:

• 72200000-7 — Software programming and consultancy services (primary umbrella code)
• 72210000-0 — Programming services of packaged software products
• 72212000-4 — Application software programming services
• 72212100-0 — Industry specific software development (e.g., sector-specific public sector applications)
• 72212480-5 — Sales, inventory and delivery software development services
• 72220000-3 — Systems and technical consultancy services (often used for architecture and design phases)
• 72230000-6 — Custom software development services (the most precisely applicable code)
• 72240000-9 — Systems analysis and programming services
• 72250000-2 — System and support services (maintenance and enhancement contracts post-development)
• 72310000-1 — Data processing services (for data engineering and backend processing projects)
• 72415000-2 — Internet site exploitation services (web hosting — often bundled with development)
• 72416000-9 — Application service providers (cloud-delivered applications)

Web development specifically often appears under 72413000-8 (World Wide Web (WWW) site design services). Mobile application development is frequently captured under 72212000-4 with keyword qualifiers. Always run keyword searches alongside CPV monitoring — contracting authorities are often imprecise in code selection, and some genuinely interesting contracts get filed in odd places.

Key Contracting Authorities

European Commission — DG DIGIT is one of the highest-value software development buyers in the EU. The Commission's digital directorate runs large multi-year framework agreements for custom application development, platform modernisation, and digital workplace tools. The DIGIT frameworks cover thousands of person-days of development annually across all Commission directorates. These are competitive, well-resourced tenders — and worth tracking even if you're not ready to bid on them yet, because the patterns you see there tend to filter down to national agencies within 18–24 months.

National digital transformation agencies are the other major category. Every EU member state has established a digital government body — France's DINUM, Germany's ITZBund, Italy's AGID, Estonia's RIA, Spain's SEDIA, the Netherlands' ICTU — and they all procure substantial custom software development through their own frameworks and direct tenders. The volumes vary significantly by country. Estonia punches well above its weight. Germany is large but slow-moving. Italy has improved considerably since AGID got its mandate sharpened.

Don't overlook tax and revenue authorities. Tax administration systems are among the most complex and highest-value software development contracts in Europe — the Irish Revenue Commissioners, French DGFiP, and German BMF all procure substantial custom development for tax processing and compliance systems. These contracts are technically demanding and highly political. Digital sovereignty concerns are acute here, which cuts both ways: it raises barriers, but it also means non-EU hyperscalers have limited leverage, and domestic developers with the right capabilities have a genuine edge.

Healthcare and social security systems generate some of the most varied development work on the market — electronic health records, patient portal development, prescription management, benefits administration platforms. The EU's European Health Data Space (EHDS) regulation is creating new cross-border interoperability software requirements that will drive procurement activity through 2026–2028. If you have any existing healthcare IT experience, now is the time to sharpen those credentials.

At the smaller end, local governments and municipalities are consistently active in the €200,000–€3 million range for smart city applications, citizen self-service portals, planning and building control systems, and back-office integration. This is where SMEs are most competitive. The volumes per contract are manageable, the technical scope is usually well-defined, and local relationships genuinely matter.

Contract Structures: Agile vs. Waterfall

The most significant structural shift in EU software development procurement over the past five years has been the move away from traditional waterfall contracting toward agile delivery frameworks. This isn't just a methodological preference — it changes your bid strategy, your team composition requirements, and your commercial model.

Under agile delivery frameworks, contracting authorities procure teams — Scrum teams, product squads — on a time-and-materials or capped-time-and-materials basis for defined discovery, alpha, beta, and live phases. Scope is managed through a product backlog owned jointly by the authority and the supplier. This approach dominates in progressive authorities, particularly in the Netherlands, Estonia, Ireland, and Denmark. The Government Digital Service model out of the UK — while post-Brexit — remains enormously influential as a benchmark across EU digital agencies.

Fixed-price milestones with agile delivery is a hybrid that's increasingly common in central and southern Europe, where political accountability requires fixed budgets but procurement officers have learned — sometimes the hard way — that purely waterfall specification doesn't work for software. Fixed prices are set per phase with defined outputs; delivery within phases is agile. This model shares risk. It's also the model that generates the most disputes, because scope definitions at phase boundaries are never as clean as they look in the contract.

Large software development framework agreements for capacity — particularly those run by national digital agencies — admit multiple suppliers and allocate work through mini-competitions or direct placements based on team availability, rate cards, and skill matching. Honest assessment: these are often staff augmentation frameworks dressed as development contracts. That's not necessarily bad for suppliers — predictable revenue, lower bid cost per engagement — but don't bid expecting to own the product vision.

For genuinely novel digital challenges, Article 31 of Directive 2014/24/EU allows Innovation Partnership procedures, combining R&D and commercial procurement in a structured phased approach. Still rare, but growing in areas like AI-powered public services. Worth watching if you're in that space.

Qualification Requirements

Most suppliers get this wrong: they think qualification for a software development tender is about having a list of certifications. It isn't. Certifications support your case. The actual differentiator is evidence.

Agile and Scrum methodology evidence is what evaluators are really after. Not a SAFe certificate, not a Scrum.org PSM badge — though those help — but case study demonstration of sprint delivery, retrospective processes, and product owner collaboration in a real delivery context. If you've done the work, document it specifically. If you can't point to a real project, the certification alone won't save you.

Prior government software delivery is weighted heavily, and for understandable reasons. Public sector software delivery is genuinely different from commercial work — procurement constraints, governance requirements, accessibility mandates, security vetting of staff, change management in large organisations, and political complexity all create friction that experienced teams navigate and inexperienced teams don't. Evaluators typically require 2–3 comparable contracts delivered in the past five years. "Comparable" means similar value, similar technology stack, similar scope. A €3 million e-commerce build does not make you qualified for a €3 million government case management system.

ISO 27001 is effectively mandatory for any development contract involving personal data, government systems, or sensitive information. Beyond the certificate, contracting authorities are assessing secure coding practices (OWASP Top 10 awareness, code review procedures, vulnerability management), penetration testing capability, and supply chain security for third-party components. The certificate is the entry ticket. What you say about how you actually work is what scores.

Named key personnel — senior architect, lead developer, project manager or scrum master, QA lead — are standard request items. CVs proposed at bid stage are often contractually committed. Substitutions require written authority approval. This creates talent retention risk for winning firms, so think carefully before naming someone you're not confident you can retain for the contract duration.

Open Source, Interoperability, and Data Sovereignty

Three policy frameworks increasingly shape what you can actually build and how you can deploy it in a public sector software contract. Getting these right at architecture stage is infinitely easier than retrofitting them.

On EU Open Source Software Policy: the Commission's Open Source Software Strategy and the Joinup platform reflect a strong preference — not yet a legal mandate — for open source delivery. Many national digital agencies now specify that custom software developed with public funds must be published under an open source licence, typically EUPL — European Union Public Licence or Apache 2.0, and made available for reuse by other public bodies. The practical implication is that you cannot rely on proprietary lock-in as a client retention strategy in this market. If that's your business model, you'll need to rethink it before bidding on contracts that have open source delivery requirements.

The EU Interoperability Framework (EIF) mandates that public sector digital services be designed for interoperability — open standards, no proprietary interfaces, data portability. Software development contracts increasingly specify EIF compliance and conformance with national interoperability architectures: Italian eGov framework, German XÖV standards, and their equivalents. This isn't boilerplate — evaluators do actually check whether your proposed architecture meets these requirements.

On data residency and cloud: contracting authorities increasingly require data to remain within the EU/EEA, compliance with the EU Cloud Code of Conduct, and in sensitive sectors — health, finance, defence — national territory-only processing. Using a US hyperscaler's EU-region data centre may or may not satisfy this, depending on the authority's assessment of extraterritorial legal risk under US law. That's a real question you need to answer before committing a deployment architecture, not an afterthought.

Accessibility: EN 301 549 and WCAG 2.1 AA

The Web Accessibility Directive (2016/2102/EU) requires all public sector digital services to meet the EN 301 549 standard, which harmonises with WCAG 2.1 Level AA at the web layer and extends to desktop and mobile applications. This isn't optional, and "we'll address accessibility after go-live" is not an answer that will land well with evaluators who've seen that film before.

In practice, this means:

• Accessibility must be designed in from the discovery phase — retrofitting is expensive and often inadequate
• Your technical proposal should explicitly address accessibility in the architecture and UI/UX approach
• An independent accessibility audit (VPAT/ACR or equivalent) is typically required as a delivery milestone before go-live
• Accessibility statements must be published for public-facing services, documenting compliance status and remediation plans
• Some contracting authorities require assistive technology testing — screen readers including NVDA, JAWS, VoiceOver; keyboard-only navigation; zoom to 400% — as part of acceptance testing

If you're bidding on a public sector digital contract and you don't have in-house accessibility expertise, you either need to build it or bring in a specialist. Evaluators probe this in technical proposals, and "we'll follow WCAG guidelines" without specifics is a red flag, not a reassurance.

SME Opportunities

Software development is one of the more SME-accessible sectors in EU public procurement. The capital requirements are low compared to most sectors. Specialist expertise is the primary differentiator. And many contracts are deliberately sized for small, focused teams — which is where you often get the best quality work anyway.

Lot structure for SMEs: large development frameworks are typically divided by technical specialism — front-end/UX, back-end/API, data engineering, mobile, security review — and by maximum team size. This allows a 5-person boutique to bid meaningfully for a 2–4 person team lot rather than being squeezed out by enterprise players. Look for these lot structures before deciding whether a framework is worth pursuing.

Some national authorities have gone further. Estonia's RIA, Ireland's DPER, and the Netherlands' Rijksoverheid have explicitly designed procurement procedures to be accessible to innovative startups — using Competitive Dialogue, Innovation Partnership, and Prior Market Consultation to bring new market entrants into the process. These are worth monitoring specifically if you're a smaller firm with a strong capability in an emerging area.

Finally, rate card frameworks — time-and-materials panels published by national agencies, analogous to the UK's G-Cloud — allow SMEs to list services without bespoke bid effort for each opportunity. The initial admission bid is the investment; after that, individual assignments come through at much lower cost to bid. If you're operating in a market where these frameworks exist, getting on them should be a strategic priority.