The contract consists of two lots that will be awarded to different suppliers.

Lot 1 “Security Governance”
Comment: The following services must be considered for this lot:

- Consultancy services regarding strategy and policy drafting;
- Consultancy services in the context of new projects;
- Cybersecurity context, global trends and technological monitoring.

For the activities of lot 1 (security governance), ASTRID expects a consultant (or a team of consultants, depending on the available skills within the service provider organization) to provide services for a maximum of 110 days per year, spread throughout the year. Activities will be carried out based on a mutually agreed work plan, resulting from the need to develop new security frameworks/policies, revise existing policies, or address specific security-related issues.

Lot 2 “Security Audits, Advanced Threat Readiness, Cyber Training and Awareness”
Comment: The following services must be considered for this lot:

- Security audit: ethical hacking - penetration tests;
- Application security audit;
- Forensics analysis: gathering evidence after an attack;
- Training and staff awareness, notably by organizing phishing campaigns.

The procedure takes place in successive phases to gradually reduce the number of offers to negotiate.

The contracting authority reserves the right to award the contract based on the initial offers without conducting negotiations.