Regional authority tenders end-to-end CSIRT support services
A Basque regional agency is tendering extensive CSIRT support as public bodies across Europe invest in monitoring, threat intel and incident response.
A Basque regional agency is tendering extensive CSIRT support as public bodies across Europe invest in monitoring, threat intel and incident response.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.
Basque cybersecurity authorities are seeking extensive external support to expand and professionalise their central incident response team, underlining how public bodies are reshaping cyber defences in line with tougher EU cybersecurity rules.
On 15th December 2025, Agencia Vasca de Ciberseguridad (Cyberzaintza) published a contract notice for cybersecurity services for its CSIRT. The authority wants a provider to cover the full life cycle of its incident response function: planning, deployment, day-to-day execution and ongoing monitoring.
The brief goes beyond staffing an incident team. It calls for support to the tools and processes that sit around it: intelligence platforms, threat intelligence services, proactive attack surface management, incident response capabilities, phishing campaigns and help with managing initiatives led by the Operations Department. Together, these elements point to a multi-lot contract designed to strengthen both the technical core of the CSIRT and its wider operating environment.
Planning and deployment services suggest the provider will help shape how the CSIRT is organised and how its services are rolled out across Cyberzaintza’s stakeholders. Execution and monitoring of CSIRT services then anchor the operational side: handling incidents, tracking activity and ensuring that detection and response processes function as intended.
Support for “intelligence tools” and “threat intelligence” indicates a focus on understanding the threat landscape, not just reacting when systems raise alerts. Proactive attack surface management points to continuous mapping and testing of exposed systems, so weaknesses can be found and addressed before they are exploited. The inclusion of phishing campaigns brings the human factor into scope, with simulated attacks and awareness work to test and improve user behaviour.
Finally, the reference to managing Operations Department initiatives shows that Cyberzaintza is looking for help to coordinate and drive its internal cybersecurity projects. This is less about a single technology and more about governance: making sure cyber initiatives are prioritised, tracked and delivered in a consistent way.
The combination of services Cyberzaintza is procuring reflects a clear shift from purely reactive security to a more active defence model. Continuous monitoring of CSIRT services, coupled with threat intelligence and attack surface management, creates a loop in which information about threats feeds directly into detection rules, testing and operational practice.
This approach mirrors the emphasis of the NIS 2 Directive on stronger incident response and monitoring capabilities. NIS 2 places more weight on organisations having clear processes to detect, manage and learn from incidents, supported by better use of threat information. By bundling threat intelligence, tooling support and incident response capabilities into a single package, Cyberzaintza is aligning its incident function with these expectations.
The phishing component is notable. Many public-sector cyber tenders focus on infrastructure, but this specification explicitly calls for phishing campaigns. That signals a recognition that users remain a common entry point for attackers, and that testing and training them is as important as tuning firewalls or log collectors.
Put together, the work envisaged by Cyberzaintza spans several workstreams:
For suppliers, that mix favours teams that can combine incident-handling experience with tooling expertise, threat analysis and programme management. For other public buyers, it offers a template for how to bundle services that together meet the new regulatory baseline.
The Basque CSIRT tender sits within a clear pattern. Across Europe in 2025, public bodies have been commissioning similar combinations of monitoring, threat intelligence, incident response and operations-centre capabilities.
In June 2025, Portuguese healthcare provider Unidade Local de Saúde de Gaia/Espinho, E. P. E. launched a Cybersecurity Services Acquisition, signalling a similar reliance on external expertise to secure critical health infrastructure.
In July 2025, Lithuania’s Valstybinė ligonių kasa prie Sveikatos apsaugos ministerijos issued a notice for Cyber Threat Monitoring Services. That contract focuses on collecting log records from information systems and monitoring them for threats and incidents, underlining how central log management and analysis have become in meeting monitoring requirements.
Later, in October 2025, Lithuania’s Ministry of Environment followed with a tender for SOC Systems Configuration and Maintenance. This centres on implementing and maintaining Security Operations Center tools for institutions under the ministry, as part of a national SOC/CSIRT modular system. It illustrates how some Member States are building shared platforms to serve multiple agencies.
At the European level, the Council of Europe Development Bank moved in a similar direction. In August 2025 it sought Cyber Threat Intelligence and Response Services, combining proactive monitoring of cyber threats with a retained incident response capability for major events. The pairing of intelligence and response mirrors Cyberzaintza’s focus on intelligence tools and incident response capabilities.
Regional administrations are also building out their own operations centres. On 3rd December 2025, the Government of La Rioja published a notice for a Cybersecurity Operations Center for La Rioja, aimed at improving monitoring, detection, analysis and response to cyber threats for the regional government.
Beyond the EU’s current Member States, the trend extends into candidate countries. On 6th November 2025, the Ministry of Digital Transformation of North Macedonia issued a tender for a Cyber-Incident Analysis Platform to support its government CSIRT, again blending tooling, analysis and response.
Policy work is reinforcing these operational investments. In November 2025, the European Union Agency for Cybersecurity (ENISA) advertised a contract for Cybersecurity Studies and Market Analyses, covering large-scale studies, market analysis, capacity building and tool-based professional services. That work will help shape how EU institutions and Member States understand the market for exactly the kind of services Cyberzaintza is now buying.
Taken together, these procurements show a converging agenda: investment in CSIRTs and SOCs, better log and threat monitoring, integrated threat intelligence and response, and more structured management of cyber initiatives. The Basque CSIRT contract is one piece of this broader European build-out.
The NIS 2 Directive is driving much of this activity by setting higher expectations for how organisations prepare for and manage cyber incidents. It stresses enhanced incident response, better monitoring of information systems and greater use of threat intelligence to anticipate and mitigate attacks.
Cyberzaintza’s specification tracks these themes closely. By asking for planning, deployment, execution and monitoring of CSIRT services, it addresses the need for coherent incident processes rather than ad hoc reactions. By including support for intelligence tools, threat intelligence and proactive attack surface management, it emphasises foresight as well as reaction. And by mandating phishing campaigns, it brings user behaviour into the scope of compliance and resilience.
For suppliers, this kind of tender signals demand for integrated offerings that can cover operations, tooling and advisory work in a single framework. For other public-sector buyers, it provides a reference on how to stitch together multiple service elements into one contract that speaks directly to regulatory obligations.
The outcome of Cyberzaintza’s CSIRT procurement will show how far regional authorities choose to rely on external partners for core incident-response capacity versus specialist support services. It will also highlight which combinations of threat intelligence, monitoring and phishing capabilities public buyers now see as baseline rather than optional.
More broadly, as further notices of this kind appear alongside those from La Rioja, Lithuania, North Macedonia and EU bodies, the picture of what “good” public-sector cyber resilience looks like under NIS 2 will become clearer – and tenders like Cyberzaintza’s will be key reference points for that emerging standard.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.