Public sector targets hybrid SOC for 24/7 detection and forensics

UK procurement explores a hybrid outsourced SOC with 24/7 MDR, forensics and threat intel, mirroring wider shifts linked to NIS 2 and rising resilience needs.

Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.

A UK financial services body is preparing the ground for a hybrid, outsourced Security Operations Centre that runs around the clock. The plan calls for managed detection and response, digital forensics, incident response and threat intelligence, integrated with existing systems. It signals how regulatory pressure, including the push embodied in NIS 2, is reshaping how public authorities resource cyber defence.

What is being sought

In October 2025, the Financial Services Compensation Scheme published a prior information notice for a Managed Security Operation Centre. The model is described as hybrid and outsourced, implying a coordinated set‑up alongside in‑house capability.

  • 24/7 managed detection and response
  • Digital forensics
  • Incident response
  • Cyber threat intelligence
  • Integration with existing systems

Beyond these core elements, the notice does not state tooling, contract value or timelines. But the emphasis on integration hints at a broad, multi‑source monitoring footprint.

Why a hybrid SOC, and why now

The move aligns with the push for stronger, continuous security operations seen across the public sector and reflected in NIS 2. Capacity and skills are perennial constraints. In May 2022, the Netherlands’ Ministry of Finance used a market consultation to explore how to improve its SOC “despite the scarcity” of expertise, underscoring the resourcing challenge (link).

Hybrid or co‑managed models are increasingly common. In November 2023, National Grid ESO sought input on an interim managed cyber SOC and a strategic SIEM, alongside support to build and transition to an in‑house centre—an explicit hybrid trajectory (link). And in October 2025, HMRC opened a market discussion on enhancing its SOC with advanced technology and expertise aimed at long‑term collaboration (link).

How peers are shaping the market

The financial services and wider public sectors offer clear markers for scope and operating models.

In November 2023, the Financial Ombudsman Service moved to procure a fully managed SOC to operate 24/7/365, handle incident triage and response, tune SIEM and SOAR, hunt threats, deliver digital forensics and drive process improvement—with additional cyber resources available on demand (link).

Courts and regulators are following a similar path. The Courts Service sought co‑managed 24/7 monitoring and threat detection in December 2024 (link). In December 2023, the European Investment Bank signalled plans for a 24/7 off‑site SOC plus on‑ and off‑site incident response, explicitly geared to containing and recovering from possible data breaches (link).

National competition authorities have also invested. In December 2023, the Netherlands’ ACM went to market for SOC services delivered as an MDR solution to modernise threat detection and response, with the notice citing €4.5 million (excl. VAT) (link).

Critical infrastructure operators are broadening the brief. In May 2023, Belgium’s Sibelga chose to avoid building an internal SOC and instead pursue a cloud‑based MDR service (hybrid if needed) covering IT and OT, including EDR, NDR, industrial‑protocol NIDS, SOAR, CSIRT, threat intelligence and threat hunting—with an option to extend to XDR (link).

Scope and integration: lessons from earlier requirements

The scheme’s emphasis on integration is significant. In March 2023, it outlined a comprehensive SOC requirement spanning SIEM, threat intelligence, vulnerability scanning, reporting and service tuning. That notice set out log ingestion across on‑premises and Azure—covering firewalls, routers and switches; virtual and physical servers and endpoints; Microsoft 365; Azure services such as DDoS, WAF, Application Gateway, NSG, Key Vaults and Log Analytics; HSMs; websites and applications; authentication and authorisation services; endpoint protection; Microsoft Defender for Cloud; third‑party applications; and more. It also called for dashboards, onboarding support, account and service management, and tuning to reduce false positives (link).

While the current prior information notice is higher‑level, the integration requirement suggests the selected provider will need to work with a diverse estate and coexist with existing tooling and processes. That aligns with the hybrid models seen elsewhere, where providers tune SIEM/SOAR stacks, deliver MDR and forensics, and collaborate closely with internal teams.

Outlook

This is an early market signal rather than a full specification. Key points to watch include how the scope balances provider‑run functions (24/7 MDR, incident response, forensics and threat intelligence) with internal oversight, and how integration with existing systems is structured. The notice gives no indication of budget, contract length or specific technologies.

Across the UK and Europe, recent procurements show an appetite for continuous monitoring, SIEM/SOAR optimisation, proactive threat hunting and access to incident response and forensics on demand. The hybrid SOC described here sits squarely within that trend.