The purpose of this call is to obtain the following services:
— ICT coordination services;
— occasional support services on the topics of cyber and information security, necessary to secure conformance with Regulations including EU 2019/881 and ENISA tools, any upcoming rules in the area of EU regulation, and conformance with SESAR 3 JU security, information management and documentation policies (including compliance with Regulation (EU) 2018/1725 (EUDPR)); and
— quality management services, covering quality and information management activities, suitable to maintain and evolve SESAR 3 JU’s established Quality Management System (QMS) compliant with its quality policy and best industry practice standards (ISO 9001 etc.), and to provide administrator support for an existing information management system (IDMS) hosted on SharePoint with its distributed site manager configuration.
Lot 1 will result in an award of a direct service contract.
Services to be provided to SESAR 3 JU shall be performed in English and include, but not be limited to:
(a) technical expertise: documenting, for approval, an evolving technology and information strategy by identifying the technical solutions to put in place; understanding and challenging the services of the ICT suppliers/service providers and their proposed solutions in the context of meeting agreed user needs, system configuration constraints, alignment with Eurocontrol ICT system configuration where possible, and data protection and security obligations, by intervention at architecture, system design and implementation levels as well as support (first and second line);
(b) governance and communication: implementing SESAR 3 JU governance rules by preparing and actively participating in the QICT Committee, monitoring ICT infrastructure and service delivery performance and reporting on it to the QICT Committee, and, where needed, preparing user communication and training activities;
(c) supplier management: coordinating the ICT activities between SESAR 3 JU, representing its users, and the external ICT suppliers/service providers who deliver the operational services;
(d) service configuration/delivery management: preparing service agreements, independently validating and measuring the services delivered by the external SESAR 3 JU ICT suppliers/service providers and liaising with and communicating to SESAR 3 JU management and users;
(e) contract management: under the supervision of SESAR 3 JU, acting as technical expert to monitor SESAR 3 JU ICT contracts and participating in the procurement activities;
(f) project management: acting as technical expert of SESAR 3 JU ICT project activities, whether the projects are led by external ICT suppliers/service providers or result from internal corporate initiatives requiring the involvement of SESAR 3 JU ICT;
(g) ICT financial management: proposing the yearly SESAR 3 JU ICT budget in the context of the Biannual Work Plan preparation and monitoring its consumption by participating in the financial workflows as a technical expert of SESAR 3 JU and in the follow-up meetings with the external ICT suppliers/service providers;
(h) ICT asset management: maintaining the list and configuration of assets owned/rented by SESAR 3 JU and the lifecycle management of the owned and rented assets;
(i) process documentation/implementation, continuous improvement: advising SESAR 3 JU on service improvement activities, including process documentation;
(j) compliance with Data Protection Regulation 2018/1725 (EU DPR): acting in full compliance with Data Protection rules applicable to SESAR 3 JU, including preparation of necessary data protection records on ICT related processing activities and small-scale data protection impact assessments (DPIAs) or steering the preparation for large-scale data protection impact assessments when support from contracted external providers is necessary. Further, the DPO should be considered as a stakeholder of all IT projects and shall be involved to facilitate the protection of any personal data processed by the respective IT system. Data protection requirements shall be maintained and reviewed throughout the lifecycle of each IT project and the successful tenderer shall consult the DPO for a comprehensive overview of data protection requirements. All life cycle phases (inception, elaboration, design, construction, deployment and maintenance) of an IT system shall comply with the provisions of the EUDPR.
Lot 2 will result in an award of a framework service contract.
Services to be provided to SESAR 3 JU shall be performed in English and may include, but not be limited to:
(a) cyber and information security expertise: developing an understanding of SESAR 3 JU ICT and information configuration and the associated security requirements (data protection, security obligations and organisational needs) in order to create and maintain a SESAR 3 JU Cybersecurity strategy and plan, and then systematically monitoring and assessing the preparedness for threats, ensuring that mitigations are in place, that suitable recovery scenarios are available and that SESAR 3 JU staff and contractors are appropriately trained;
(b) data protection expertise: in order to show compliance with the regulations applicable to SESAR 3 JU (EUDPR), the contractor shall contribute substantially to the performance of large Data Protection Impact Assessments (DPIAs) that could not be performed with the limited resources available in SESAR 3 JU (e.g. transition of SESAR 3 JU’s existing on-premise SharePoint implementation to SharePoint in the cloud, integrated with MS Teams). These assessments shall analyse, identify and minimise the data protection risks resulting from proposed evolution/changes in the ICT and information management of SESAR 3 JU;
(c) ICT business continuity: linked closely with the cyber and information security management services above is the need to ensure that the ICT part of the SESAR 3 JU business continuity management plan is kept up to date. Specifically, the plan must contain an appropriate set of assessed scenarios (involving ICT), the consequences and actions to be taken by the organisation, and clear instructions for all persons working at or with SESAR 3 JU should the plan need to be made live. SESAR 3 JU already has such a plan dating from 2016; the responsibility of the selected contractor is to begin with a review, propose updates and provide content to SESAR 3 JU that will refresh the plan, including providing related SESAR 3 JU staff training, as appropriate. Linked to the cyber security point above, the future contractor may also be invited to perform penetration tests in support of testing the cyber and business continuity arrangements.
Lot 3 will result in an award of a direct service contract.
The services to be provided to SESAR 3 JU shall be performed in English and include:
(a) quality management: this service is to be delivered in accordance with best practices and standards, including ISO 9001. This includes responsibility for performing the role of quality manager for SESAR 3 JU, specifically advocating a quality culture across SESAR 3 JU, maintaining the quality management system (QMS) in accordance with the SESAR 3 JU quality policy and quality manual, and training staff from awareness to competence in process creation and management;
(b) information and document management: this service is responsible, as administrator and document manager, for maintaining SESAR 3 JU’s information structure and for providing support and functional and technical advice for the maintenance and evolution of its information and document management system (IDMS) and the introduction of the European Commission’s HAN (Hermes, ARES, NomCom) capability.