Call for tenders: EU seeks cyber security expertise
The EU cyber security authority ENISA is looking for private service providers for the EU and member states. They are to strengthen IT security.
The EU's cyber security is also to be strengthened with the help of private companies. The EU is currently seeking support from the private sector as part of a tender for all 27 member states and the European Network Security Agency ENISA. A total of 28 million euros is available.
How can cyber security in the European Union be strengthened? This is impossible with government measures alone - which is why the EU now wants to purchase support services for all individual member states and ENISA, the EU authority responsible for network and information security, in a total of 28 lots.
Three-year planning horizon
The tender is intended to ensure services for three years. The text of the contracts to be awarded clearly states what the bidders for the contract are to provide: The framework contracts are to provide support services for the member states and ENISA for a total of four areas. This starts with training material and training courses and competitions in accordance with the European Cybersecurity Framework (ECSF), i.e. classic capture-the-flag competitions. However, two other tasks are likely to be much more important: The private service providers are to help detect security vulnerabilities, assist in testing cybersecurity capabilities and collaborate on suggestions for improvement.
The service providers are expected to cover almost the entire range of the digital attack surface: whether Scada systems, Internet-of-Things end devices, IT or industrial control systems, anyone who wants to play a part in the ENISA project must be able to do everything or compete together with allies as a bidding consortium. Risk monitoring and threat assessment services are also to be provided by the private sector. And in the event of specific incidents, external services should also be available if required: In the case of incident management tasks, for example, forensic evidence gathering or incident management by the external companies should be possible.
Companies applying for the "German Lot" number 11 must have the appropriate security clearances for incident response and pentesting - alternatively EU or NATO security clearances. A special feature of the EU tender is that ENISA is named as the contracting authority and responsible body for the entire process - national supervisory authorities such as the German Federal Office for Information Security (BSI) do not formally play a role.
The exclusion criteria are a special feature of the tenders: Companies bidding for the contracts must be "EU-controlled". In other words, ownership must lie within the European Union and actual economic control must be exercised from within the EU. To ensure this, there are three cumulative criteria- anyone who does not meet all of them and provide evidence that they are not under foreign control is automatically excluded. Normally, the principle of cost-effectiveness applies above all to EU tenders: the provider with the largest scope of services within the scope of the funds made available would be awarded the contract. Interested companies have until September 23 to submit their bids and documents individually or jointly via the Ausschreibungsportal of the EU.
(olb)