Essential services want cyber audits under new EU rules

A new rail-sector cybersecurity audit tender highlights how evolving EU rules are pushing critical services to invest in independent checks and governance.


Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.

Europe’s new cybersecurity regime for essential services is starting to reshape public-sector buying. A national rail company’s move to commission independent cyber audits shows how operators of critical infrastructure are now expected to evidence compliance across their networks and information systems. Similar tenders in water, health, justice and local government point to a broad shift from ad-hoc IT spending towards structured security audits, frameworks and skills programmes.

Rail and transport feel the first impact

In December 2025, Compania Nationala de Cai Ferate "CFR" - SA issued a contract notice for the acquisition of cybersecurity audit services. The tender explains that the work is required “to comply with the new framework for the cybersecurity of essential service networks and information systems in various sectors, including energy, transport, and health”. For a national rail company, that language signals a move from informal risk assessments to formal, external audits tied directly to legal obligations.

Transport infrastructure features repeatedly in this first wave of compliance-driven procurement. In September 2025, UM 0929 Bucuresti launched a contract to purchase an integrated information system for security and transit at national civil airports, designed to adhere to specified technical requirements. Then in December 2025, České dráhy, a.s. published a contract notice seeking an independent audit of the cybersecurity measures protecting its Safe Perimeter Information System, explicitly to ensure compliance with defined cybersecurity regulations.

Taken together, these rail and aviation projects show how operators of essential transport services are turning to independent auditors to validate their controls. Rather than focusing only on buying new hardware or software, the emphasis in these notices is on testing existing measures, mapping critical systems and producing documentation that can stand up to scrutiny under the European Union’s updated network and information security rules, including the NIS 2 Directive.

Water and health audit their defences

The same logic is visible in other regulated sectors. In July 2025, Northern Ireland Water Ltd invited qualified cybersecurity audit firms to submit proposals for a comprehensive audit of its compliance with NIS Regulations and the Cyber Assessment Framework. The notice places regulatory language front and centre: the task is not just to probe systems, but to assess and evidence how far the organisation meets formal NIS requirements.

Health providers across the EU are following suit. In August 2025, Fakultní nemocnice Hradec Králové issued a contract notice for advisory and consulting services covering the analysis and implementation of a cybersecurity management system in compliance with relevant cybersecurity legislation. By December 2025, sihtasutus Tartu Ülikooli Kliinikum was moving towards a framework agreement for cybersecurity centre services and information security management.

Although a Portuguese notice from Unidade Local de Saúde de Gaia/Espinho, E. P. E. in August 2025 describes its requirement simply as an “Acquisition of Cybersecurity Services”, it sits in the same pattern. The procurement shows hospitals and health organisations turning to external expertise to assess their exposure, design or refine management systems, and demonstrate that they treat cybersecurity as a core component of patient safety and service continuity.

Justice, elections and local government build frameworks

Beyond utilities and health, justice systems are strengthening their digital foundations. In July 2025, Ministerul Justitiei advertised an acquisition that bundles security subscriptions, updates, signatures and video conferencing with configuration, installation, commissioning, functional testing, personnel training and ongoing technical support. By combining technology, implementation and training in a single contract, the ministry is signalling that secure, fully supported communication tools are now basic infrastructure for the justice sector.

That same month, FOD Binnenlandse Zaken focused on the integrity of democratic processes. Its contract notice aims to establish a framework agreement for consultancy services related to testing, monitoring, cybersecurity and crisis-management preparation for federal elections.

Local and regional authorities are also pooling their needs through multi-year frameworks. In December 2025, SM Manche Numérique launched a framework agreement for information security services.

Outlook: audits now, remediation next

Viewed together, these notices show how the NIS 2 Directive and associated national rules are being translated into procurement requirements.
