The purpose of this call is to obtain the following services:
— ICT coordination services;
— occasional support services on the topics of cyber and information security, necessary to secure conformance with Regulations including EU 2019/881 and ENISA tools, any upcoming rules in the area EU regulation and conformance with SESAR 3 JU Security, information management and documentation policies, (including compliance with Regulation (EU) 2018/1725 (EUDPR); and
— quality management services, covering quality and information management activities, suitable to maintain and evolve SESAR 3 JU’s established quality management system (QMS) compliant with its quality policy and best industry practice standards (ISO 9001 etc.), and to provide the administrator support for an existing information management system (IDMS) hosted on SharePoint with its distributed site manager configuration.
Lot 1 will result in an award of a direct service contract.
Services to be provided to SESAR 3 JU shall be performed in English and include, but not be limited to:
a) technical expertise: documenting for approval, an evolving technology and information strategy by identifying the technical solutions to put in place; understanding and challenging the services of the ICT suppliers/service providers and their proposed solutions in the context of meeting agreed user needs, system configuration constraints, alignment with Eurocontrol ICT system configuration where possible, data protection and security obligations by intervention at architecture, system design and implementation levels as well as support (1
b) governance and communication: implementing SESAR 3 JU governance rules by preparing and actively participating in the QICT Committee, monitoring ICT infrastructure and service delivery performance and reporting on it to the QICT Committee. Where needed preparing user communication and training activities;
c) supplier management: coordinating the ICT activities between SESAR 3 JU, representing its users, and the external ICT suppliers/service providers who deliver the operational services;
d) service configuration/delivery management: preparing service agreements, independently validating and measuring the services delivered by the external SESAR 3 JU ICT suppliers/service providers and liaising with and communicating to SESAR 3 JU management and users;
e) contract management: under the supervision of SESAR 3 JU, act as technical expert to monitor SESAR 3 JU ICT contracts and to participate in the procurement activities;
f) project management: acting as technical expert of SESAR 3 JU ICT project activities, whether the projects are led by external ICT suppliers/service providers or result from internal corporate initiatives requiring the involvement of SESAR 3 JU ICT;
g) ICT financial management: proposing the yearly SESAR 3 JU ICT budget in the context of the biannual work plan preparation and monitoring its consumption by participating in the financial workflows as a technical expert of SESAR 3 JU and in the follow-up meetings with the external ICT suppliers/service providers;
h) ICT asset management: maintaining the list and configuration of assets owned/rented by SESAR 3 JU and the lifecycle management of the owned and rented assets;
i) process documentation/implementation, continuous improvement: advising SESAR 3 JU on service improvement activities, including process documentation;
j) compliance with Data Protection Regulation 2018/1725 (EU DPR): acting in full compliance with Data Protection rules applicable to SESAR 3 JU, including preparation of necessary data protection records on ICT related processing activities and small-scale data protection impact assessments (DPIAs) or steering the preparation for large-scale data protection impact assessments when support from contracted external providers is necessary. Further, the DPO should be considered as a stakeholder of all IT projects and shall be involved to facilitate the protection of any personal data processed by the respective IT system. Data protection requirements shall be maintained and reviewed throughout the lifecycle of each IT project and the successful tenderer shall consult the DPO for a comprehensive overview of data protection requirements. All life cycle phases (inception, elaboration, design, construction, deployment and maintenance) of an IT system shall comply with the provisions of the EUDPR.