System for Intrusion Detection (SzA) in Dessau Roßlau with a basic duration of 36 months (from 01.2026 to 12.2028; option until 12.2030)

LOT-0001
System for Intrusion Detection (SzA) in Dessau Roßlau.
The Dessau Supply and Transport Company mbH [DVV] is the central service provider for energy supply, mobility, and urban infrastructure in Dessau-Roßlau. As a municipal enterprise, DVV operates the Dessau municipal services and is responsible for the secure supply of electricity, gas, heating, and water to the citizens. In addition, DVV operates public transportation (ÖPNV) and is committed to the expansion and modernization of urban traffic and supply infrastructure.

The DVV-Dessau, as a particularly important institution in the sense of the NIS2 directive (EU) 2022/2555 and as an operator of critical facilities, is subject to increased requirements for cybersecurity and resilience. Given the increasing number and professionalism of cyber attacks on municipal companies and suppliers, as well as the requirements of the legislator, DVV-Dessau has decided to significantly enhance the protection of office systems and adjacent OT systems through an externally operated Security Operations Center (SOC) with integrated components for intrusion detection and response.

As part of this procurement, an external SOC consisting of EDR-/XDR technologies (Endpoint Detection & Response / Extended Detection & Response) as well as a SIEM solution (Security Information and Event Management) is to be introduced by the external contractor. The service will be supplemented by an incident response and forensic performance. This overall system will hereby be referred to as the "System for Intrusion Detection (SzA)".

The planned concept consists of two central service components as well as two technical solutions:

Service components by the contractor:
1. 24/7 Managed Security Operations Center (MSOC):
2. 24/7 Incident Response (IR):

Technical solutions by the contractor:
1. Security Information and Event Management (SIEM):
2. Endpoint Detection and Response (EDR) / Extended Detection and Response (XDR):

A detailed description of the service points can be found in Annex C
Service description including Annex C 1 DVV system landscape.

To receive this confidential information (=detailed service description as Annex C including Annex C 1 DVV system landscape), it is necessary to submit the confidentiality declaration attached as Annex A via bidder message to the contracting authority. Only after the submission of this signed declaration will the applicant receive the complete tender documents by sending the detailed service description via a simple bidder message. The confidentiality declaration should be submitted by 15.08.2025!

The following minimum requirements are mandatory for the execution of the services according to Annex C Service Description Point 3.5:

- All correspondence related to the fulfillment of the contract is conducted both orally and in writing exclusively in the German language (at least C2 level).

- The contractor must provide the client with continuous access to the management interface of the EDR-/XDR solution as well as the SIEM solution. The acquisition, control, implementation, and maintenance of the SIEM solution as well as the EDR-/XDR solution are fully the responsibility of the contractor.

- The response time of the MSOC to alarms of priority P1 (critical) and P2 (high) is a maximum of 1 hour. This timeframe begins with the automatically generated alarm from the SIEM or EDR-XDR solution or a ticket from the client. It includes a qualified assessment of the incident by the MSOC analyst or the monitoring solution as well as the initiation of a response jointly agreed upon with the client in advance, including the corresponding information to the client.

- The contractor ensures compliance with the client's data storage requirements by ensuring a log retention of 6 months in the SIEM system (Hot Storage). Overall, data access must be guaranteed for a period of 12 months.

- The SIEM system must be capable of processing a daily log volume of 80-110 GB. Processing at least 100 GB per day and all log sources from the client's system landscape must be included in the price. An adjustment of the log volume by the client leads to a proportional adjustment of the license costs for the technical SIEM solution and the MSOC service.

- The technical SIEM and EDR/XDR solution as well as the MSOC service must be operational in the client's infrastructure according to the tender information. An overview of the system landscape is attached to the tender documents as file DVV System Landscape (Annex C1 of the tender documents).

- All services, functions, data storage, and processing related to the contract will be conducted in compliance with data protection regulations according to GDPR within the EU or the EEA. The physical Managed Security Operations Center of the contractor as well as the SOC staff of the contractor are based in the European Economic Area (EEA). (Annex B4)

- The technical solution includes a reporting and user interface as well as a clearly structured dashboard.

- The contractor assumes the development and maintenance of specific SIEM use cases for the client and adapts them individually and in consultation with the client's requirements.

The basis for the contract for the services will be an EBV-IT contract provided and tailored to the facts.

The EBV-IT contract, including annexes, is included in the tender documents completed. The EBV-IT contract, including annexes, forms the basis of the contractual relationship between the client and the contractor and must be accepted by the contractor.