Municipal authority to procure SOC services as NIS2 expands

A Portuguese municipality is procuring Security Operations Center services, underscoring how public bodies are gearing up for stricter NIS 2 cybersecurity duties.



Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.

A Portuguese municipality has moved to buy Security Operation Center (SOC) services to strengthen cyber defences. The plan reflects expanding obligations under the NIS 2 Directive and the broader public-sector shift towards outsourced security operations.

What is being bought and why now

In May 2025, Município de Almada published a contract notice for the acquisition of SOC services to enhance cybersecurity operations. The notice, titled Security Operation Center Services, signals a decision to bolster cyber operations through specialist external support.

The notice is concise. It does not set out technical requirements or tooling, but the intent is clear: raise capability by procuring SOC services rather than building everything in-house. The timing matters. Public bodies across the EU are translating NIS 2 into concrete procurement steps, often opting for managed SOC models to meet monitoring and response expectations without lengthy internal build programmes.

What a SOC buy can include

Recent tenders show the scope of SOC projects varies, but they often combine design, monitoring and response with tooling and upskilling. Examples include:

  • Monitoring and operations: In May 2024, a Portuguese employment agency sought “cybersecurity services for security monitoring and operations” over a defined period (May 2024).
  • Design and implementation with licences: The University of Cyprus specified SOC design, implementation and software licences, with renewal options (January 2025).
  • SIEM/SOAR tooling: Lisbon’s metropolitan transport body combined SOC services with SIEM–SOAR software acquisition (July 2025).
  • Threat hunting and training: Slovenia’s development bank specified SIEM licences, cyber‑threat automation, threat hunting and training on site (October 2025).

Depending on the organisation, SOC procurements may emphasise 24/7 coverage. For instance, a Swedish municipal IT consortium sought an “ongoing 24/7 monitoring service” (October 2025).

Portugal’s public sector is moving

Almada’s step sits within a growing domestic pattern. In September 2023, Município de Sintra sought SOC services for at least 1,200 machines over 36 months (September 2023). In May 2024, a national employment agency launched a one‑year monitoring and operations buy, indicating a phased approach (May 2024). Lisbon’s metropolitan transport authority looked to pair services with SIEM–SOAR in July 2025 (July 2025), and the central digital modernisation agency published its own SOC services notice in November 2025 (November 2025).

Together, these procurements show a spectrum of needs and timelines. Some bodies opt for shorter monitoring contracts to establish coverage and test service models; others commit to multi‑year, device‑based scope with explicit licensing and integration requirements.

A wider European pattern

Beyond Portugal, public bodies across Europe continue to commission SOC capabilities:

  • In Germany, Dortmunder Stadtwerke AG sought SOC services in April 2025 (April 2025).
  • In Slovenia, the national bank moved to establish and implement a SOC in January 2025 (January 2025).
  • In Croatia, the national water‑management body sought SOC services in February 2025 (February 2025).
  • In Lithuania, VĮ Registrų centras commissioned 24‑month SOC services in July 2023 (July 2023), and Via Lietuva followed with a SOC services buy in June 2024 (June 2024).
  • In Sweden, Trollhättans kommun procured the establishment of a SOC in June 2025 (June 2025).

Contract structures vary, too. In France, Agglo‑Pays‑Dreux set out a composite arrangement in June 2023 combining a fixed‑price element with a call‑off framework, and split managed SOC and licensing from broader cybersecurity services, with firm and optional tranches (June 2023).

Timelines and scope: what recent notices suggest

Almada’s notice does not state a duration or device count. Elsewhere, terms and scope differ widely:

  • 12 months: Monitoring and operations for a year were sought by a Portuguese employment agency (May 2024).
  • 24 months: Lithuania’s VĮ Registrų centras specified a two‑year SOC term (July 2023).
  • 36 months: Município de Sintra set a three‑year term for at least 1,200 machines (September 2023).

These examples point to a pragmatic mix: some buyers start with short cycles to establish baseline capability; others move directly to multi‑year coverage tied to clear asset counts and licence packages.

Outlook

Watch for technical detail when Município de Almada moves from notice to award: the chosen mix of monitoring hours, tooling and any training commitments will show how the municipality balances risk, cost and speed of implementation. Further tender activity is likely through 2025, with additional SOC procurements already visible across the region — from public administration in Portugal (November 2025) to municipal and sectoral buys in Sweden and elsewhere (October 2025). For buyers, the pattern is clear: align with NIS 2, decide what to manage internally, and use the market to fill the gaps.
