A major EU financial institution is tendering wide-ranging IT security consultancy, signalling growing demand for services that meet tougher cyber rules.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.
A new round of framework agreements for information security services at the European Investment Bank Group points to how EU institutions are reorganising cyber defence, business continuity and testing to keep pace with tougher regulatory expectations such as the NIS 2 Directive.
Published on 5th December 2025, the contract notice confirms that the European Investment Bank Group plans to award framework agreements for information security services to support its Cybersecurity Division. The work spans four core areas: IT security operations, business continuity, information protection and IT security testing.
The move, set out in the framework for information security services, underlines that the Bank is treating cybersecurity not as an isolated technical problem but as a combination of day-to-day operations, data protection and organisational resilience.
The NIS 2 Directive aims to raise cybersecurity standards across many sectors. Although the notice is concise, the decision to structure the work as framework agreements suggests the Bank expects recurring and varied needs as it strengthens defences under a more demanding regulatory regime.
The notice highlights four service domains:
Bringing these domains under one procurement allows the Cybersecurity Division to coordinate advisory, operational and testing support, rather than sourcing each piece in isolation. It also reflects a broader European trend: cyber resilience is now framed as an end-to-end objective, not just a matter of firewalls or occasional audits.
The Bank’s plans land in a year where public bodies across Europe have leaned heavily on framework agreements to secure cyber expertise.
In September 2025, BlueLight Commercial Limited launched a cyber security services framework for UK police forces and other agencies. That multi-supplier open framework is set to cover penetration testing, incident response, audits and training, mirroring the mix of strategic and operational support now in demand.
In June 2025, Czech public broadcaster Česká televize went to market for cybersecurity services covering penetration testing, IT consulting and audit work. Here too, the emphasis is on regular assurance and expert advice rather than ad hoc testing.
The Republic of Austria, together with Bundesbeschaffung GmbH and other contracting authorities, issued an IT services framework agreement in June 2025 that explicitly includes NIS auditing, NIS consulting and identity management, alongside digital design, DevOps engineering and business and data analysis. Security is treated as a standard component of large-scale IT services, not a separate niche.
Shared IT providers and local authorities are following a similar path. In July 2025, French inter-municipal body SICTIAM opened a consultation for cybersecurity solutions and services, combining hardware, software, managed security services, and audit and consulting assignments to enhance information systems security for its beneficiaries.
In September 2025, Manche Numérique launched a framework agreement for IT security services that spans support, audits, maintenance and incident response for the organisation and its members. The scope closely echoes the EIB Group’s focus on operations, assurance and response.
Financial regulators are also strengthening their consulting rosters. In November 2025, France’s financial markets authority, Autorité des marchés financiers, advertised a framework for information systems security consulting covering four areas: risk analysis, audit services, technical assistance for projects and incident response.
At the same time, the European Central Bank has sought candidates for consultancy services in financial market infrastructure and payments, with lots dedicated to innovation, testing, project management and information security. And in July 2025, Deutsche Bundesbank launched a digital euro consulting framework in which cyber security sits alongside DevOps and quality management support.
Municipal buyers are no exception. In November 2025, Norrköpings kommun in Sweden issued a framework for IT and information security consulting to support its digitisation work, asking for flexible staffing for a range of assignments, primarily on site.
Taken together, these notices show a common pattern. Public buyers in finance, broadcasting, policing and local administration now treat cyber security, testing and business continuity as standing needs that require sustained external support, not one-off projects.
Another trend visible in 2025 is the way security and identity management are being woven into wider IT consultancy frameworks.
MD-IT GmbH, for instance, is seeking to conclude framework agreements for IT consulting services that cover technical support for development projects, IT operations, project management, digitalisation organisation and information security, with a substantial volume of person-days.
German housing company STADT UND LAND Wohnbauten-Gesellschaft mbH has gone to market for IT service contracts that bundle SAP and Microsoft support with network security and identity management. And the National Bank of Belgium has issued an IT consultancy framework agreement that includes identity and access management and security among a list of specialist domains.
Against this backdrop, the European Investment Bank Group’s decision to frame IT security operations, business continuity, information protection and security testing within a dedicated set of frameworks looks like a deliberate choice to give cyber resilience its own structured, long-term sourcing channel, while still allowing it to interface with broader IT work.
The Bank’s notice offers only a high-level description of the planned framework agreements, with no detail yet on volumes, specific work packages or how the four service areas will be organised in practice.
As the NIS 2 Directive’s ambitions continue to influence public bodies, the balance between dedicated cyber frameworks like this one and multi-purpose IT agreements that incorporate security will be worth tracking. For suppliers, the message is clear: expertise in operations, testing, business continuity and information protection is no longer optional at the margins of public-sector IT — it is moving to the centre of how major institutions plan and buy their digital defences.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.