A transport agency has opened market dialogue on cybersecurity and data protection expertise, signalling how public buyers are gearing up for tighter EU rules.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.
Finland’s transport authorities are opening a market dialogue on specialist cybersecurity and data protection support, signalling how operators of critical networks are preparing for tighter EU-wide requirements. A prior information notice from Väylävirasto for a market dialogue for cybersecurity and data protection expert services sets out plans to source expert advice and security evaluation services for the Finnish Transport and Communications Agency, with the aim of strengthening information management and cyber resilience across key systems.
Published on 19th November 2025, the notice confirms that Väylävirasto is preparing a procurement focused on expert services in cybersecurity and data protection, alongside assessment services provided by security evaluation institutions. These services are being sought for the Finnish Transport and Communications Agency, indicating a coordinated effort across Finland’s transport and communications governance structure.
The text is brief but clear about its direction. It points to three core elements:
All three are framed as contributions to broader information management and cybersecurity initiatives. That combination suggests the authority is looking not only at technical protection of systems, but also at how data is governed and how security controls are validated in a formal, repeatable way.
Although the notice does not yet set out detailed service descriptions, volumes or contract models, it signals an intention to bring together advisory capability and structured security assessment. For suppliers, this points to a likely focus on capabilities that span both cybersecurity and data protection, and on demonstrable experience of working within formal evaluation or certification frameworks.
The initiative sits squarely in the context of the EU’s NIS 2 Directive, which has introduced new cybersecurity obligations and raised requirements for relevant organisations across the Union. Väylävirasto’s move to strengthen the capabilities of the Finnish Transport and Communications Agency aligns with this tightening framework, particularly in a sector that combines transport infrastructure with complex communications systems.
The notice’s emphasis on expert services and on security evaluation institutions reflects a shift in the way public bodies approach cyber risk. Instead of treating security as an add‑on to IT projects, it is being separated out as a distinct area of professional advice and independent assessment, to be procured in its own right. That aligns with the broader drive under new EU rules to make cybersecurity and data protection core governance issues rather than purely technical concerns.
For procurement teams, this means that future contracts linked to this dialogue are likely to be judged as much on their contribution to organisational resilience and compliance as on price. While the notice does not spell out evaluation criteria, the very decision to run a dedicated market dialogue on cybersecurity and data protection shows that these issues are moving up the list of strategic priorities.
The format of the notice is also significant. As a prior information notice framed around market dialogue, it follows a pattern that has become common across Finland and the wider Nordic public sector: structured pre‑procurement engagement to test ideas with suppliers before a full tender is drafted.
Security and resilience are a recurring theme in these dialogues. In September 2025, IT service provider 2M‑IT Oy issued a prior information notice for a cyber security solution, seeking information from providers on vulnerability management, automation tools and centralised log management for social and healthcare ICT. That notice, like Väylävirasto’s, uses market dialogue to map out what specialist cyber capabilities are available before locking in a procurement strategy.
Physical and operational security are receiving similar attention. In July 2025, Danish system operator Energinet launched a market dialogue on security solutions for physical security and surveillance products, asking suppliers about capabilities, geographical coverage, pricing factors and market developments. A month later, in August 2025, Finland’s Criminal Sanctions Agency opened discussions on security technical systems and related services for all its prisons, again using market dialogue as the starting point.
Transport infrastructure managers are doing the same for their control systems. On 7th November 2025, Banedanmark issued a request for information and market dialogue on a solution to monitor and diagnose railway telecommunications and signalling systems, explicitly to ensure that the upcoming tender aligns with what the market can deliver. Earlier, in June 2025, Helsinki’s metro operator Pääkaupunkiseudun Kaupunkiliikenne Oy sought supplier input on track reservation software for the metro to improve coordination of track work and build a long‑term partnership with a software supplier.
Digital oversight tools are part of the same picture. In June 2025, Liikenne‑ ja viestintävirasto, the Finnish Transport and Communications Agency Traficom, invited service providers to a market dialogue on an accessibility monitoring tool, with the explicit goal of preparing a new procurement by 2026. And in June 2025, Norway’s mapping authority Kartverket began a market dialogue on development competence and capacity for product‑based digital development.
Beyond security and ICT, Finnish authorities are using similar dialogues across routine services and supplies. In June 2025, the City of Savonlinna issued a market dialogue on cleaning agents, kitchen products, soft papers and waste bags, while in September 2025 the City of Tampere invited suppliers to discuss an upcoming procurement of corporate gifts and distribution products. In Sastamala, a September 2025 market dialogue on school transport followed the same pattern.
Seen against this backdrop, Väylävirasto’s cybersecurity‑focused dialogue looks less like an isolated technical exercise and more like part of a wider shift: using early engagement to shape how public bodies buy in the expertise and systems they need to meet rising expectations on security, resilience and service quality.
At this stage, the notice from Väylävirasto is about opening a conversation rather than launching a competition. It does not yet define contract structure, duration or commercial terms. Instead, it signals that the authority wants to understand how the market can provide specialist cybersecurity and data protection expertise, and how security evaluation institutions can support its information management and cybersecurity initiatives.
For potential suppliers, the message is that expertise spanning both cybersecurity and data protection will be central, and that the ability to support formal security assessments will matter. For policymakers and procurement practitioners, the notice will be one to track as NIS 2‑driven obligations continue to filter into day‑to‑day contracting. The eventual tender documents will show how far this early dialogue translates into detailed, enforceable requirements – and how public buyers in the transport and communications space choose to embed cybersecurity into their long‑term procurement plans.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.