Agency launches tender for cybersecurity consultancy services
A central agency seeks support for threat monitoring and incident response as regulation-driven cybersecurity obligations tighten across the public sector.
A central agency seeks support for threat monitoring and incident response as regulation-driven cybersecurity obligations tighten across the public sector.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.
Public bodies across Europe are rethinking how they buy cybersecurity, as the European Union Agency for Cybersecurity (ENISA) seeks external support for monitoring, threat hunting and incident response across its own systems through a new Cybersecurity Consultancy Services contract.
On 28th May 2026, ENISA published a contract notice seeking support “for the implementation of cybersecurity regulations through monitoring, analysis, threat hunting, and incident response consultancy services for IT systems managed by ENISA.”
For an agency best known for shaping policy and issuing guidance, this is a clear signal that regulation is now being translated into concrete, operational requirements. The work is closely tied to the NIS 2 Directive, which has increased cybersecurity obligations for public-sector organisations and operators of essential and important services. ENISA is looking for a partner that can help it live up to the standards it promotes across the Union.
The scope suggests a blend of managed security and expert advisory support. The services focus on four main activities:
The notice does not disclose details such as contract value, duration or service levels. But the emphasis on both continuous monitoring and on-demand incident response indicates that the chosen supplier is likely to become a core part of ENISA’s defensive posture, not just an occasional adviser.
Framing the requirement as “implementation of cybersecurity regulations” also sets a strong expectation: the contractor will need to be fluent not only in technical detection and response, but also in how those activities demonstrate compliance with NIS 2 and related frameworks.
ENISA’s move sits within a visible surge in managed security and security operations centre (SOC) contracts across the European public sector.
On 14th January 2026, the European Investment Bank launched a contract notice for IT Security Managed Services, seeking an off-site Security Operations Center to provide 24/7 security monitoring and incident response for the EIB Group’s IT security infrastructure. This is a textbook example of a large institution turning to an external SOC rather than building everything in-house.
On 27th February 2026, shared ICT provider IKT Agder IKS issued a notice for Security Monitoring and Response, covering the establishment and maintenance of security monitoring for its environment. The focus there, as with ENISA, is on continuous visibility backed by incident response capability.
Transport is following a similar path. On 26th May 2026, the Helsinki Region Transport Authority advertised a Cybersecurity Management Service covering management and monitoring, with a fixed-term contract that may be extended indefinitely. A day later, on 27th May 2026, Prague’s public transport operator sought Cybersecurity Consulting Services to improve protection and resilience for its IT and OT infrastructure.
Municipal government is not far behind. On 19th May 2026, the City Council of Majadahonda launched a contract for Cybersecurity Operations Center Services, covering the establishment or continuation of an SOC and compliance with national cybersecurity standards.
Critical infrastructure operators are taking a similar route. On 17th March 2026, Enedis SA went to market for Cybersecurity Services to ensure protection, detection, incident response and regulatory compliance of its information systems, combining cyber defence activities with threat intelligence reporting.
Even law enforcement is looking for outside help. On 19th March 2026, the Swedish Prison and Probation Service, Kriminalvården, published a tender for IT Security Consulting Services, including specialists in information security, IT security auditing, threat intelligence and incident response, with an optional incident response retainer.
Seen together, these notices show that ENISA is not an outlier. A broad range of institutions are now buying cybersecurity as an ongoing, operational service, often packaged with advisory and compliance support.
The wording of ENISA’s notice – supporting the “implementation of cybersecurity regulations” – underlines how compliance has become a direct driver of procurement. NIS 2 has raised expectations on governance, incident handling and reporting, and many of the recent tenders are framed in those terms.
On 22nd December 2025, state railway company Compania Nationala de Cai Ferate "CFR" - SA sought Cybersecurity Audit Services to comply with a new framework for the cybersecurity of essential service networks and information systems in sectors including energy, transport and health. Audit findings there are intended to demonstrate adherence to regulatory requirements, not just to improve security in isolation.
Healthcare is feeling similar pressure. On 11th May 2026, Wojewódzki Szpital Dziecięcy in Bydgoszcz issued a tender for Patient Registration and Cybersecurity Services. Alongside an automated voice service and a central IT events monitoring system, the contract includes an audit for NIS 2 compliance, updates to information security management system documentation and cybersecurity training.
Central government bodies are also turning to external expertise. On 24th April 2026, a department responsible for housing, local government and heritage published a tender for Cyber Security Support Services, seeking expert ICT security consultants to provide managed support including policy development, security consulting, testing, incident management and compliance assistance.
On the regulatory side, sector-specific standards add further weight. Also on 24th April 2026, Berufsgenossenschaft Rohstoffe und chemische Industrie went to market for Consulting Services for Information Security, seeking extensive professional support to safeguard information security according to BSI Basic Protection.
Some buyers are structuring their needs across governance, audits and training from the outset. On 23rd February 2026, A.S.T.R.I.D. NV launched a multi-lot contract for Cybersecurity Services, with one lot focused on security governance consultancy and the other on security audits and training, to be awarded to different suppliers.
Even state-owned enterprises outside traditional critical sectors are being drawn in. On 20th January 2026, Valstybės įmonė Valstybinių miškų urėdija issued a prior information notice for Cyber Threat Management Services, covering threat monitoring, incident management, reporting and training with a focus on national security compliance.
Against this backdrop, ENISA’s own requirement looks less like a one-off purchase and more like part of a broader realignment, where compliance and operational resilience are procured together.
The repeated use of the word “consultancy” in ENISA’s notice is telling. Many public bodies lack the in-house capacity to interpret regulations, tune security tools and lead complex incident responses. They are buying not just tools and monitoring, but expertise.
National authorities are trying to address the skills gap at scale. On 9th December 2025, Directoratul National de Securitate Cibernetica published a contract notice for a Cybersecurity Skills Enhancement Project, aiming to analyse and document cybersecurity skill needs and their impact on key economic and public administration actors, and to create a toolkit to improve their cybersecurity maturity.
On 18th December 2025, the Malta Information Technology Agency followed with a tender for Cyber Security Training Programmes, explicitly aimed at enhancing knowledge and skills to address the cybersecurity skills gap.
Local administrations are also leaning on external consultants. On 10th December 2025, Norrköpings kommun sought a framework for IT and Information Security Consulting to support increasing digitalisation, with flexible staffing for various assignments primarily on-site.
Healthcare purchasers are experimenting with “CISO as a service” and specialist support. On 18th March 2026, the National Treatment Purchase Fund advertised ICT Security Support Services, focused on Chief Information Security Officer services and expert cyber security support. The housing and local government department’s April 2026 tender for managed cybersecurity support reinforces the same model.
Smaller agencies are outsourcing more broadly. On 21st May 2026, safefood went to market for ICT Managed Services Provision, including service desk support, endpoint management, monitoring, maintenance, patch management, identity and Microsoft environment support, backup and recovery and professional engineering services. On 8th May 2026, Stichting Halt issued a similar call for ICT Managed Services, covering workplace management, service desk support, Microsoft 365 and network management, plus ICT improvement projects.
Other buyers are investing in advanced detection. On 20th February 2026, a Ministry of Health launched a contract for a Cyber Threat Intelligence Solution to provide a comprehensive platform for real-time threat detection and analysis in the healthcare sector, including sensors and warranty support. On 9th March 2026, Spain’s INCIBE sought a Cybersecurity Solution Implementation to enhance prevention, detection, protection and response for its services.
Hospitals are embedding cybersecurity requirements into broader IT contracts. Also on 9th March 2026, Oblastní nemocnice Trutnov a.s. issued a tender for IT Infrastructure Maintenance Services, explicitly requiring adherence to specific cybersecurity regulations and ISO standards.
Within this landscape, ENISA’s new consultancy contract occupies a strategic position. It blends SOC-style functions (monitoring, threat hunting, incident response support) with the regulatory insight of a high-level cybersecurity authority.
The ENISA notice is short on commercial and technical detail, giving no indication of contract value, duration or the precise delivery model. Yet the combination of continuous monitoring, proactive threat hunting and incident response consultancy points to a long-term, embedded relationship with whichever supplier emerges.
Observers will be watching how far the agency chooses to centralise these capabilities with a single contractor, and how the eventual solution reflects the balance between off-site SOC services and in-house response teams. The way ENISA structures this work may influence how other EU institutions interpret and operationalise their own regulatory obligations.
Across the notices published from December 2025 through May 2026 – from SOC contracts and cyber audits to training programmes and skills initiatives – cybersecurity has become a routine, multi-year procurement concern rather than a series of occasional projects. ENISA’s contract is another sign that, under NIS 2 and related frameworks, regulation, operations and skills are converging into a single, sustained demand for specialised cybersecurity services.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.