A new multi-layer cyber procurement brings together testing, governance, identity and backup tools, illustrating how regulation is reshaping digital security.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.
A new procurement from CIVIS for a full suite of cybersecurity tools and services signals how tightening regulation, including the NIS 2 Directive, is pushing public bodies towards more integrated and resilient digital defences.
Published on 7th November 2025, the procurement from CIVIS sets out a broad ambition: to bring most of the organisation's core cybersecurity needs under one contract. The notice covers protective solutions, penetration testing services, governance software, identity management, security awareness programmes, immutable backups and archiving for the organisation's information systems.
That mix spans prevention, detection, governance and recovery. Protective solutions and penetration testing point to a focus on identifying and closing technical vulnerabilities. Governance software and identity management suggest a drive to tighten access control and document how decisions are made. Awareness programmes bring staff into scope, recognising that behaviour is as important as technology. Immutable backups and archiving, meanwhile, emphasise that critical data must remain available and trustworthy even after an incident.
The timing and breadth of the CIVIS competition mirror a wider 2025 shift in European and UK public procurement, where cybersecurity tenders increasingly refer to compliance and regulatory pressure. In May 2025, the Czech city of Svitavy launched a Cybersecurity Tools Procurement that bundles network security, next generation firewalls, backup and archiving, endpoint protection and log management, explicitly framed as being in compliance with cybersecurity regulations.
On 25th August 2025, Dutch organisations VNG Realisatie and Bizob issued a joint Cyber Resilience Procurement for products and services that help bodies manage cyber risks and comply with regulations. The tender offers a structured portfolio divided into lots, designed to match differing maturity levels and to encourage participation from a wide range of suppliers.
Similar language appears in the Czech capital. The municipal district of Prague 14, in an October 2025 Cybersecurity Enhancement Services notice, seeks hardware and software to improve cybersecurity while ensuring compliance with relevant legal and regulatory standards. At hospital level, Klaudián Hospital in Mladá Boleslav is procuring Cybersecurity Software Tools that promise two-factor authentication, privileged account management and data loss prevention to bolster security preparedness and compliance.
Against that backdrop, CIVIS's emphasis on governance software, identity management and awareness programmes sits squarely within a compliance-led agenda. Rather than focusing purely on technical controls, the organisation is signalling that processes, documentation and user behaviour must all stand up to scrutiny under newer cybersecurity rules, including the NIS 2 Directive.
The CIVIS competition also reflects a move away from one-off purchases towards ongoing cybersecurity services. The notice speaks of "various cybersecurity services and tools", combining technology with activities such as penetration testing and awareness training that need to be delivered and refreshed over time.
Elsewhere in Europe, that trend is even more explicit. In August 2025, German health insurer BARMER published a Managed Security Services tender to implement a modern security and network architecture with centralised security event management, built around Managed SOC and Managed Connectivity Security. Sweden's Inera AB followed in October 2025 with a Cybersecurity Services competition, seeking a comprehensive range of services for both proactive protection and reactive remediation.
France's SICTIAM is taking a similar path. Its July 2025 Cybersecurity Solutions and Services consultation combines hardware, software and managed security services with audit and consulting work to strengthen the information systems security of its beneficiaries. In Estonia, the national development cooperation centre launched an Information and Cybersecurity Services framework in November 2025 covering consulting, software development and infrastructure components.
Even in the UK, where different legislative drivers apply, BlueLight Commercial is assembling a multi-supplier Cyber Security Services Framework for police forces and other agencies. Published in September 2025, it spans penetration testing, incident response, audits and training, giving forces the option to draw on external expertise rather than build all capabilities in-house. Together, these examples suggest that public buyers now see managed services and frameworks as central to sustaining cyber resilience.
The inclusion of immutable backups and archiving in the CIVIS scope underlines a further shift: cyber resilience is no longer limited to perimeter defence. By specifying that backups should be immutable, the organisation is prioritising data that cannot be altered or deleted once written, strengthening its ability to restore systems after an incident.
Resilience features prominently in other 2025 procurements. On 10th November 2025, transport operator RegioJet issued a Cybersecurity and Resilience Tools tender for a disaster recovery solution and backup infrastructure, including a virtualisation disaster recovery cluster, software for virtual server replication, backup solutions, a data vault and data centre services. The Czech town of Veselí nad Moravou is investing in Cybersecurity Tools for City Hall, pairing privileged user access management and enhanced authentication with backup and virtualisation servers, log analysis, network traffic analysis and vulnerability management.
Other municipalities are going deeper into infrastructure-level defence. The town of Orlová, for example, is procuring Cybersecurity Systems Delivery that covers IP address management, network access control, vulnerability testing, honeypot systems, privileged account management and threat detection. While each of these projects has its own emphasis, they share a common recognition that recovery, monitoring and access control are now as important as traditional firewalls or antivirus tools.
Public-sector investment in cybersecurity during 2025 stretches far beyond central administrations and city halls. Universities are installing labs and platforms to train the next generation of specialists. In May 2025, Universitatea Ovidius Constanța launched a Software Packages for Laboratories tender to equip testing and cybersecurity laboratories, including delivery, installation, configuration, commissioning and personnel training. In August 2025, Universitatea Tehnică Gheorghe Asachi din Iași went to market for Cybersecurity Software and Services Procurement to support a new Cybersecurity Center as part of its digital transformation project.
At Univerzita Mateja Bela v Banskej Bystrici, a July 2025 Cyber Security Enhancement for UMB notice seeks a comprehensive solution to improve the security of the university's metropolitan network and electronic services, with data storage, firewalls, monitoring tools, implementation services and operator training. Healthcare institutions are following suit: Ústav pro péči o matku a dítě is buying Cybersecurity IT Solutions that range from network infrastructure and endpoint protection to a ServiceDesk tool, a next-generation firewall and mobile device management.
Critical and specialist agencies are also upgrading. Romania's Serviciul de Telecomunicații Speciale is acquiring Cybersecurity Software for Emergency Services to strengthen protection of the 112 emergency service, with tools for vulnerability management, data flow monitoring, web application assessment and secure remote access. Finland's border guard, Rajavartiolaitos, is procuring Cyber Surveillance Solutions spanning servers, firewalls, encryptors, device cabinets, workstations and software licences. In North Macedonia, the Ministry of agriculture, forestry and water economy is seeking IT Solutions for Cyber Protection aimed squarely at preventing and protecting against cyber attacks.
The CIVIS Cybersecurity Solutions Procurement is short on technical detail, but its breadth is striking. By combining protective tools, penetration testing, governance software, identity management, awareness programmes and immutable backups, the organisation is moving towards a more integrated model of cybersecurity.
For suppliers, the pattern across 2025 tenders points to several themes to watch: multi-year frameworks that bundle hardware, software and services; growing demand for managed security operations; and a stronger link between security investment, regulatory compliance and staff training. As new rules such as the NIS 2 Directive take hold, public buyers are likely to continue consolidating their cyber requirements into wider, more strategic procurements of the kind now being pursued by CIVIS.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.