New healthcare procurement seeks a subscription-based cyber threat detection and response platform, reflecting tighter security duties under evolving EU rules.
Follow Tenderlake on LinkedIn for concise insights on public-sector tenders and emerging procurement signals.
Portugal's Unidade Local de Saúde de Santo António, EPE is seeking a subscription-based integrated cyber threat detection and response platform, underlining how healthcare providers across the EU are moving towards continuous, managed security capabilities as new regulatory obligations on cyber resilience take hold.
On 9th February 2026, Unidade Local de Saúde de Santo António, EPE published a contract notice for the acquisition of a subscription to an integrated cyber threat detection and response platform. The tender points to a service that can both identify malicious activity and support action against it, rather than a set of isolated tools.
The brief description highlights a subscription model and an integrated platform, and these two elements are revealing. A subscription typically provides ongoing access to security tooling and updates, while an integrated detection-and-response approach brings monitoring, alerting and remediation into a single environment.
The buyer is a local health unit, and its move mirrors a broader pattern. Public hospitals and regulators are appearing more often in cyber security tenders, treating threat detection and response as core infrastructure rather than an optional add-on.
Although the notice does not spell out the exact tools or service structure, the emphasis on an integrated platform and ongoing subscription places this procurement firmly in the same family as a growing number of Security Operations Centre and threat-intelligence contracts elsewhere in the EU.
Across Europe, public buyers are moving from buying discrete security products towards commissioning managed detection and response services built around Security Operations Centres (SOC).
Recent contract notices underline the trend:
Tooling for centralised monitoring is also being upgraded. In December 2025, Slovenia’s air traffic control company KONTROLA ZRAČNEGA PROMETA SLOVENIJE, d.o.o. published a cybersecurity software solution tender split into two lots: one for a SIEM solution with licences and support, and another for upgrading and supporting its existing ArcSight SIEM.
At the start of 2026, Slovakia’s Generálna prokuratúra SR launched its Cybersecurity Management II project to deploy tools for security monitoring and to strengthen ICT infrastructure security.
Taken together, these procurements point to a clear direction of travel: continuous monitoring and centralised incident handling, often delivered as managed services, are becoming standard expectations for public bodies handling sensitive or essential functions.
Healthcare organisations appear repeatedly in this procurement wave. Alongside the Santo António local health unit’s move towards an integrated detection-and-response subscription, other hospitals and regulators are raising their security baseline.
In December 2025, the Czech maternity and child care institute Ústav pro péči o matku a dítě issued a cybersecurity IT solutions supply notice covering hardware and software to enhance cyber security, including high-speed network infrastructure and next-generation firewall solutions.
In February 2026, Portugal’s health regulator Entidade Reguladora da Saúde announced a contract for the acquisition of a cybersecurity infrastructure solution, showing that oversight bodies as well as providers are investing directly in dedicated security infrastructure.
Beyond health, other essential service sectors are under similar pressure. In October 2025, the Ministry of Agriculture, Forestry and Water Economy of the Republic of North Macedonia went to market for IT solutions for cyber protection aimed at preventing and protecting against cyber attacks.
In December 2025, Croatia’s Ministry of Sea, Transport and Infrastructure published a tender for a cyber attack recognition system capable of monitoring at least 2,500 IP addresses and using deep learning to detect threats, coupled with advanced defence functions.
Even where the focus is on assurance rather than new tools, regulatory demands are evident. In December 2025, Romanian rail infrastructure company Compania Nationala de Cai Ferate "CFR" - SA issued a cybersecurity audit services tender explicitly to comply with a new framework for the cybersecurity of essential service networks and information systems in sectors including energy, transport and health.
Against this backdrop, the Santo António health unit’s planned platform subscription aligns with broader EU requirements, including the strengthened obligations introduced under the NIS 2 Directive, that organisations providing essential services or other key public functions demonstrate robust cyber security arrangements.
Alongside tools and managed services, many public buyers are investing in the skills, training and orchestration needed to run modern security operations.
In August 2025, Romania’s Universitatea Tehnica Gheorghe Asachi din Iasi launched a cybersecurity software and services procurement to acquire software packages and provide operationalisation and training services for a Cybersecurity Center as part of a digital transformation project.
In December 2025, Slovenská technická univerzita v Bratislave published a notice for the construction of a cybersecurity training centre, including a SOC platform, a GRC platform and the necessary hardware and software infrastructure to support training for different cybersecurity roles.
Public authorities are also targeting everyday staff behaviour. In October 2025, the Malta Information Technology Agency sought a cloud-based information security training platform that includes a phishing simulation tool and security awareness content.
Research institutions are experimenting with advanced orchestration. In November 2025, Romania’s Institutul National de Cercetare Dezvoltare pentru Fizica si Inginerie Nucleara "Horia Hulubei" launched a cybersecurity software platform project to deliver adaptive and autonomous orchestration of cybersecurity elements. The platform is intended to support safe experimental, operational and administrative activities, with a focus on automation, contextual enrichment, AI-assisted investigation and compliance with relevant regulations.
These projects show that buying an integrated detection-and-response platform, as in the Santo António tender, is only one part of the shift. Public bodies are also funding the people, processes and orchestration layers needed to run such platforms effectively.
Several other recent procurements highlight how specific security functions are being sourced through targeted contracts, complementing broader platforms and SOC services.
In October 2025, Poland’s Ministry of Digital Affairs issued a notice to secure access to a Cyber Threat Intelligence platform at strategic level for entities within the national cybersecurity system.
That same month, the Czech Ministry of the Interior tendered for a forensic software subscription aimed at combatting cybercrime, while in December 2025 the Área Metropolitana de Barcelona sought a subscription to licences for products of the Sophos cybersecurity platform.
For suppliers, this diversity suggests demand both for broad, integrated offerings like the platform being procured by the Santo António health unit, and for highly focused services such as threat intelligence feeds, forensic tools, SIEM upgrades, licence subscriptions and specialist audit work.
The Santo António contract notice is concise, but its timing and design make it part of a wider shift. As EU cybersecurity obligations, including those under the NIS 2 Directive, tighten for operators of essential services and other critical activities, more public bodies are looking for subscription-based, integrated ways to detect and respond to threats.
With SOC services, national monitoring frameworks, training centres and orchestration platforms already moving through the procurement pipeline, cyber security looks set to remain a recurring theme in health and other essential services tenders over the coming years.