Public sector opens wave of SOC and cyber incident management procurements
A Walloon procurement for incident management services reflects how European public bodies are investing in SOC capabilities to meet tighter cyber rules.
A Walloon procurement for incident management services reflects how European public bodies are investing in SOC capabilities to meet tighter cyber rules.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.
Service public de Wallonie is seeking a provider to build a new, centralised cybersecurity incident management structure for its IT services, underlining how tighter European cyber rules such as the NIS 2 Directive are pushing public bodies towards Security Operations Centre models.
On 26th December 2025, Service public de Wallonie published a contract notice for Cybersecurity Incident Management Services. The administration is looking for a service provider to establish a cybersecurity structure covering prevention, detection, management and coordination of responses to incidents affecting the IT services of the Walloon Public Service.
The wording points to more than a technology upgrade. Rather than buying isolated tools, the buyer wants an end-to-end incident management capability. The selected provider will need to spot attacks, orchestrate how they are handled and ensure that lessons feed back into stronger prevention and detection across the organisation.
The brief aligns with the Security Operations Centre (SOC) model that many public bodies are now adopting. Although the notice does not use the term SOC, the emphasis on systematic detection, structured incident handling and coordinated response reflects the approach encouraged by the EU’s NIS 2 Directive, which is raising expectations for cyber-resilience in public-sector organisations.
At its core, the Walloon administration is asking for a single structure that can:
The notice is brief and leaves some operational details open, such as the precise service levels or whether the provider will combine on-site and remote support. But the direction of travel is clear: incident response is becoming a specialised, centralised service rather than an ad-hoc task scattered across different IT teams.
The Walloon move sits within a wider wave of SOC-focused procurements across Europe. On 14th November 2025, the Scottish Prison Service issued a prior information notice for SOC services for cyber resilience, seeking a Security Operations Centre service to enhance cyber-threat monitoring and management across its networks. That notice explicitly ties the project to the Scottish Government's Public Sector Action Plan on Cyber Resilience, showing how policy initiatives are translating into concrete SOC requirements.
In July 2025, Vlaamse Landmaatschappij launched a framework agreement to outsource SIEM/SOC services. Its requirements combine 24/7 monitoring and first-line support for ICT cybersecurity incidents with monthly reporting and close collaboration on incident response, reflecting a desire for both constant cover and ongoing analytical insight. On 21st October 2025, Région Grand Est followed a similar path, seeking to enhance and maintain an outsourced security operations centre backed by a managed EDR/EPP solution and centralised log management for its digital directorate.
Spanish public authorities are moving in the same direction. On 3rd December 2025, the Government of La Rioja published a contract to establish a Cybersecurity Operations Center to improve monitoring, detection, analysis and response to cyber threats. In November 2025, the City Council of Granada launched its own tender for cybersecurity operations centre services, calling for managed 24x7 SOC support to protect municipal information and services, with a strong focus on prevention, detection and response.
Operators of essential services are also turning to managed SOC models. On 20th November 2025, Vlaamse Maatschappij voor Watervoorziening cvba (De Watergroep) sought a partner to deliver 24/7 cybersecurity monitoring for the IT and OT infrastructure of The Water Company. Earlier, on 14th August 2025, Service Coordination Achats announced that the National Railway Company of Luxembourg would outsource incident detection and response capabilities for both IT and OT environments, as set out in its cybersecurity SOC services tender.
The shift towards off-site and shared services is even more evident in multi-client arrangements. On 3rd November 2025, the European Investment Bank opened a procurement for IT security managed services centred on an off-site SOC, providing continuous security monitoring and incident response for the EIB Group's IT infrastructure. And on 22nd December 2025, govdigital eG sought cooperative SOC services that would offer hybrid and fully managed SOC models for itself and its clients, with an emphasis on security monitoring, detection and reporting.
Alongside central administrations and infrastructure operators, universities and healthcare institutions are building out SOC capabilities. On 7th August 2025, the University of Gdańsk tendered for the implementation and provision of a SOC service to improve cybersecurity and resilience against cyberattacks. Earlier in August 2025, Wojewódzki Szpital Zespolony im. L. Rydygiera w Toruniu sought comprehensive services for a monitoring system covering teleinformation and network infrastructure, combining SOC functionality with delivery, implementation, configuration, maintenance and employee training.
Capacity-building is a recurring theme. On 12th December 2025, Slovenská technická univerzita v Bratislave advertised a project to build a comprehensive training platform for various cybersecurity roles, including a SOC platform, a GRC platform and the necessary hardware and software infrastructure. On 22nd December 2025, sihtasutus Tartu Ülikooli Kliinikum sought a framework agreement for cybersecurity centre services alongside information security management services, indicating a longer-term effort to combine operational security monitoring with information security management rather than focusing solely on tools.
National-level bodies are structuring their SOC environments more formally too. On 27th October 2025, Lietuvos Respublikos aplinkos ministerija went to market for the implementation and maintenance of recommended SOC tools for institutions under the ministry, as part of a national SOC/CSIRT modular system. Two days later, on 29th October 2025, SID - Slovenska izvozna in razvojna banka, d.d., Ljubljana sought a wide-ranging SOC package including SOC support, SIEM software licences, cyber-threat response automation, threat hunting and training delivered at the bank's location.
Across these procurements, a common baseline is emerging: continuous monitoring, integration of multiple environments and clear expectations around incident response and staff capability. The Walloon contract aligns with that baseline by asking its chosen provider to take responsibility for prevention, detection, management and coordinated response across the IT services of the Walloon Public Service.
The Walloon notice offers only limited detail at this stage, and it does not spell out how the new structure will interact with any national or sector-wide arrangements. What it does make clear is that incident prevention, detection and coordination are being treated as core services in their own right, rather than secondary tasks for overstretched IT teams.
As more public bodies follow similar paths—whether through shared SOCs, off-site managed services or in-house centres backed by external expertise—the market for incident management in the public sector is clearly expanding, as the 2025 pipeline of SOC-related procurements shows. Upcoming awards and future notices will indicate how far buyers prioritise shared platforms and cooperative models, and how strongly NIS 2-driven requirements continue to shape public-sector cybersecurity contracts.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.