MVM Paks Nuclear Power Plant tenders 2026–2029 cyber defence ops


MVM Paks seeks multi-year operational cyber defence support across nuclear process-control and IT systems, underscoring the sector’s focus on resilient critical infrastructure.



Hungary’s MVM Paks Nuclear Power Plant is seeking professional support to run its cyber defence operations through 2026–2029. The four-year framework covers assessments, incident response and control-task support across process-control and information systems. The scope reaches core plant systems, signalling a determined push to harden critical infrastructure. See the full scope in Cyber Defense Operational Support.

What MVM Paks is buying

The buyer plans a framework for professional services to underpin the operational management of cyber defence. It bundles vulnerability assessment, risk analysis, incident management and expert engineering support for technological process-control and management systems.

Two task streams define the work:

  • Operational defence and incident management – detection, development of countermeasures, resolution management, evidence collection and evaluation, SOC workspace support, and recovery and reinforcement planning. Reinforcement plans must cover technological digital systems that the Nuclear Safety Division classifies as safety classes 3 and 4.
  • Control-task support – general professional management, defence preparation, professional licensing, performance evaluation, consulting and consultation. This includes document and plan preparation, analyses and technical background tasks, plus continuous on-site support at Paks.

The contractor must work with the plant’s technology stack, including Microsoft operating systems, VMware virtualisation, Schneider Electric Wonderware System Platform and Cisco networking devices.

Systems in scope and response expectations

Supported systems are grouped by role and protection level in the Cyber Defence Authority Zone:

  • Type A – programmable Technological Digital Systems whose primary task relates to nuclear process planning, data evaluation or decision support. These also include systems that support internal professional processes and rely on Expert Network defence services.
  • Type B – professional target systems, where confidentiality, integrity and availability of managed data are indirectly linked to technological processes or the IT systems that serve them (diagnostic, measuring and analytical systems).

Type A includes a wide set of plant and support platforms, such as the Technology IT Network (TSZH), block computer system, radiation protection monitoring (SER), performance monitoring (TER2), reactor protection (RVR), regulation and security protection (SZBVR), reactor performance regulator (RTSZ), diesel and turbine control and diagnostic systems, severe accident data capture (SBK), fire alarm supervision, earthquake monitoring, the unified digital radio system, and several reactor-physics computation systems including a full-scale block simulator. Waste management, climate monitoring and other auxiliary control systems also sit in scope.

Response requirements are tightly defined for Type A:

  • Working days, office hours: urgent cases – telephone assistance within two hours, on-site the same day; normal cases – telephone assistance within three hours, on-site the next working day.
  • Outside office hours: urgent – on-site the next working day; normal – on-site the second working day after notification.

Type B response expectations are not separately specified in the summary provided. Operational support in a SOC workspace is part of the remit, pointing to continuous coordination between detection, triage, response and lessons learned.

Commercial structure and resourcing

The buyer plans a framework contract valued at 471,000,000 HUF + VAT and undertakes to draw 70% of this amount. The framework covers the full 2026–2029 period with prescribed availability for incident and event management. Alongside the on-call response, the buyer has set annual planned quantities for control-task support:

  • Consulting, preparation, licensing, performance assessment and management support: 624 hours per year (2026–2029).
  • On-site professional resources (two persons): 440 working days in 2026, then 480 working days per year from 2027 to 2029.

The requirement for continuous on-site presence and a fixed annual hours envelope suggests a hybrid model: embedded engineering on the plant floor and a drawdown of specialist expertise for planning, documentation and assurance work.

Why this matters: nuclear-grade OT cyber operations

Published in October 2025, this procurement codifies a robust operational tempo for cyber defence across operational technology and supporting IT in a nuclear environment. Many of the listed systems sit close to safety, protection and reactor-physics functions, underscoring why incident handling, evidence-led remediation and reinforcement planning are central to the scope.

The emphasis on safety-class systems, simulators and diagnostic platforms shows the breadth of protection required: from the core reactor protection chain to training and analytical systems whose integrity shapes reliable operations. Aligning incident response and governance tasks (licensing, performance evaluation) in one contract can help tighten feedback loops from events into policy and engineering practice.

How it compares across Europe

This move aligns with a wider public-sector and critical-infrastructure shift towards sustained operational cyber support:

  • In July 2024, the Nuclear Regulatory Authority of the Slovak Republic sought broad support to manage IT infrastructure and information systems, including incident resolution and consultations, for its oversight role. The multi-service brief at the regulator level mirrors Paks’ need for steady incident handling and advisory capacity. See Support & Maintenance Services for UJD SR.
  • In March 2025, Hungary’s electricity transmission system operator MAVIR sought support for operating network and network security infrastructure, with continuous availability and troubleshooting governed over a fixed period. This parallels the focus on round-the-clock resilience for national energy assets. See Network Operations Support.
  • In October 2025, Enedis in France called for expertise to develop a new generation of control-command systems, covering virtualisation, specification, testing and hardware integration—an OT modernisation thrust that speaks to the same industrial control landscape. See PCCV Project Management Services.
  • In June 2022, Toulouse Metropole set up a framework for consulting, expertise and assistance in cybersecurity for both management IT and industrial information systems—explicitly bridging IT and OT security missions across an urban infrastructure. See Systems and technical consultancy services.
  • In May 2025, the MÁV-Volán Group in Hungary moved to expand core security capabilities—vulnerability management, Privileged Access Management, SIEM extension and Continuous Threat Exposure Management—illustrating a cross-sector uplift of operational security controls. See IT Security Systems Development.

There are also echoes in the healthcare sector’s operational support: in December 2024, the University Hospital in Brno sought cybersecurity support for VMware and enterprise backup stacks to sustain secure operations—technologies that also appear in Paks’ environment. See IT Infrastructure Cybersecurity Support.

What to watch

Key points to follow include how the chosen supplier meets the response-time demands for Type A systems, integrates with the plant’s SOC workspace, and delivers reinforcement plans for safety-classified systems. The framework’s fixed annual hours and on-site presence will test supplier capacity planning across four years. The buyer commits to draw 70% of the framework value, so monitoring actual call-offs against the plan will indicate the tempo of activity. The work schedule is referenced in the procedural documents; further operational detail sits in the technical specification attached to the participation invitation.

Across Europe, comparable procurements suggest continued investment in sustained, OT-aware cyber operations. Paks’ framework brings that trend into sharp focus at a nuclear facility, marrying incident response, engineering support and governance into one operational package.

