Open Tenders
Tenders/IT services: consulting, software development, Internet and support/ENISA
Open for submissionIT services: consulting, software development, Internet and support

Supporting ENISA for the provision of the EU Cybersecurity Reserve services to European Union Member States

Official description

The subject of this call is the conclusion of framework service contracts under 9 Lots with economic operators capable to support ENISA in the delivery of cybersecurity services in EU Member State

Plain-language summaryAI

Place of performance

See the official notice for the place of performance.

Who can apply
Selection · Criterion

I'll search for all the selection criteria comprehensively across all lots and criteria types.Now let me search for the remaining lot-specific criteria (T14–T19 for Lots 2–4) and T7.Now I have all the data needed. Let me compile the complete JSON output for all 9 lots. ```json [ { "lot": "Lot 1 - Austria", "criteria": [ { "criteria_title": "3.2.1 Legal and Regulatory Capacity - Criterion L1", "description": "Tenderers must prove that they have the legal capacity to perform the contract and the regulatory capacity to pursue the professional activity necessary to carry out the work subject to this call for tenders.", "basis_for_assessment": "This criterion applies to each entity (sole tenderer, member of the group in the case of a joint tender or subcontractor) for the tasks of their competence.", "evidence": "Proof of enrolment in a relevant trade or professional register.", "minimum_level_of_capacity": "Enrolment in a relevant trade or professional register." }, { "criteria_title": "3.2.2 Economic and Financial Capacity - Criterion F1", "description": "Tenderers must comply with the following selection criteria in order to prove that they have the necessary economic and financial capacity to perform the contract.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. a consolidated assessment of the combined capacities of all involved entities will be carried out.", "evidence": "· Copy of the profit and loss accounts and balance sheets for the last three years for which accounts have been closed from each concerned involved entity, or, failing that, appropriate statements from banks. The most recent year must have been closed within the last two financial years. · Complete the attached Annex 7 'Simplified Financial Statement' within the last three financial years.", "minimum_level_of_capacity": "Average yearly turnover of the last three financial years above EUR 500.000." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T1", "description": "The tenderer must prove to have a team of persons capable and available of carrying out the tasks and delivering the results as described and within the time frame in the Technical Specifications.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A list of educational and professional qualifications, submitted in the form of a Curriculum Vitae (CV), is required for each team member. The preferred format for the CV is the Europass format. The CVs must indicate the educational background (according to the European Qualifications Framework (EQF)), language proficiency in English (as per the Common European Framework of Reference for Languages (CEFR)), professional experience, and technical expertise. Additionally, the CVs must clearly indicate the exact start and end dates for each position held. The contracting authority reserves the right to conduct telephone interviews or use any other appropriate methods (such as online desk research) to verify the accuracy of the information provided in the CVs and to assess compliance with the specific requirements outlined in this tender. The precise contractual link with the tenderer must be specified.", "minimum_level_of_capacity": "The team must consist of the following minimum members by level of experience: · One (1) Contract/Project Manager · Three (3) Senior Expert (Incident Management) · Two (2) Intermediate Expert (Incident Management) · Three (3) Senior Expert (Preparedness support services) · Two (2) Intermediate Expert (Preparedness support services) · Two (2) Senior Expert (Exercises\\Trainings) · One (1) Intermediate Expert (Exercises\\Trainings)." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T2", "description": "The tenderer must prove experience in the field of Adversarial Tactics and Techniques Simulation (i.e., penetration testing) or similar Cybersecurity Posture Evaluation services as outlined in section 2.2 'Required Services' of the technical specifications using industry best practices as well as having proven service provision processes in place.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided. In case of projects still ongoing, only the portion completed during the reference period will be taken into consideration. As supporting documents for each project reference, the contracting authority may request statements issued by the clients and take contact with them.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 35.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T3", "description": "The tenderer must prove experience in the field of supporting Incident Response and Crisis Management Plan Development or similar Cyber Readiness services such as Threat Landscape analysis and Maturity & Capabilities assessments as outlined in par. 2.2 'Required Services' of the Technical specifications (except the Organisational Cybersecurity Risk Assessment service which is covered in Criterion T6) in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided. In case of projects still ongoing, only the portion completed during the reference period will be taken into consideration. As supporting documents for each project reference, the contracting authority may request statements issued by the clients and take contact with them.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 20.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T4", "description": "The tenderer must prove experience in supporting Cybersecurity Exercises and Trainings, as outlined in par. 2.2 'Required Services' of the Technical specifications, in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided. In case of projects still ongoing, only the portion completed during the reference period will be taken into consideration. As supporting documents for each project reference, the contracting authority may request statements issued by the clients and take contact with them.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T5", "description": "The tenderer must prove experience in Cybersecurity Incident Management/Response services, as outlined in par. 2.2 'Required Services' of the Technical specifications, in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided, · official registration document of the HQ, subsidiary or (regional) office in the MS (if applicable). In case of projects still ongoing, only the portion completed during the reference period will be taken into consideration. As supporting documents for each project reference, the contracting authority may request statements issued by the clients and take contact with them. and/or Documentation that indicates the HQ, subsidiary or (regional) registered office address in the respective EU Member State (if applicable).", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 35.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project. At least one of the aforementioned projects must be delivered in the respective EU Member State or Have its HQ, subsidiary or (regional) office officially registered in the respective EU Member State." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T6", "description": "The tenderer must prove experience in Organisational Cybersecurity Risk Assessment services in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided. In case of projects still ongoing, only the portion completed during the reference period will be taken into consideration. As supporting documents for each project reference, the contracting authority may request statements issued by the clients and take contact with them.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T7", "description": "The tenderer must prove experience in the cybersecurity subscription services to provide Risk Monitoring services, as outlined in par. 2.2 'Required Services' of the Technical specifications, either as an in-house or as a third-party product, covering areas such as attack surface monitoring, risk monitoring for assets of a particular entity, sector or in the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided. In case of projects still ongoing, only the portion completed during the reference period will be taken into consideration. As supporting documents for each project reference, the contracting authority may request statements issued by the clients and take contact with them.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,00." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T8", "description": "The tenderer must prove experience in ensuring the highest degree of professional integrity, independence, responsibility and ensures the permanence and continuity of expertise as well as the required technical resources.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Code of Conduct and Ethics, or equivalent evidence.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T9", "description": "The tenderer must comply with applicable rules on the protection of classified information and must have in place appropriate measures, between any relevant subsidiaries and sub-contractors to protect confidential information relating to the service, and in particular evidence, findings and reports.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Policy on handling sensitive/classified information (EUCI), agreements with other parties, etc.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T10", "description": "The tenderer must prove that its governing structure is transparent, not likely to compromise its impartiality and the quality of its services or to cause conflicts of interest.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Documentation on the governance structure related to service delivery and the process used to identify and declare conflict of interest.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T11", "description": "The tenderer must ensure security of their IT systems and any hardware and software used for the delivery of the services, including keeping the systems up to date and with no active exploited vulnerabilities.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Security management policies and procedures describing how the tenderer ensures the security of their IT systems including any hardware and software used during the delivery of the services.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T12 (AT1) - Lot 1 Specific", "description": "The tenderer must be able to provide services in the Member State's official language.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "The CVs for the profiles identified must indicate the language proficiency of the Member State's official language as per the CEFR.", "minimum_level_of_capacity": "At least one team member proposed for each of the 3 Expert Profiles (Incident Management, Preparedness support services and Trainings & Exercises) must be able to deliver services in the Member State's official language at least at level C1 according to the CEFR." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T13 (AT2) - Lot 1 Specific", "description": "The tenderer must prove experience in drafting deliverables for projects in the Member State's official language.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided. In case of projects still ongoing, only the portion completed during the reference period will be taken into consideration. As supporting documents for each project reference, the contracting authority may request statements issued by the clients and take contact with them.", "minimum_level_of_capacity": "At least two (in total) of the project references provided to satisfy criteria T2 - T7 must include deliverables delivered in the Member State's official language." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T14 (AT3) - Lot 1 Specific", "description": "The tenderer must ensure that all backend systems, platforms, and infrastructure components used for the delivery of Incident Management/Response services - including any systems to which deployed agents or tools connect - are hosted and operated exclusively within the European Economic Area (EEA), either in the tenderer's own infrastructure or in a European-based data centre or cloud environment. Cloud services used to process any kind of beneficiary's data, are only permitted from European headquarter-based companies. In general, it has to be ensured that no operational data, service communications, or processing activities are routed through or dependent on infrastructure hosted by non-European cloud service providers or subject to non-EU/EEA legal jurisdiction, that may conflict with EU data protection, confidentiality, or security requirements.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Security management policies, infrastructure architecture documentation, hosting declarations, contractual evidence, cloud provider agreements or equivalent procedures describing: · the hosting location of systems and services used during service delivery; · the cloud or infrastructure providers used; · the measures implemented to ensure that operational and security-related data remain hosted and processed within the EU/EEA and are not dependent on non-European cloud provider infrastructure; and · the controls in place to mitigate risks related to non-EU jurisdictional access or transfer of sensitive data.", "minimum_level_of_capacity": "At least 1 document demonstrating that the tenderer's hosting and data residency practices comply with the above requirement, issued or implemented by the tenderer or a relevant sub-contractor/platform provider." } ] }, { "lot": "Lot 2 - Belgium", "criteria": [ { "criteria_title": "3.2.1 Legal and Regulatory Capacity - Criterion L1", "description": "Tenderers must prove that they have the legal capacity to perform the contract and the regulatory capacity to pursue the professional activity necessary to carry out the work subject to this call for tenders.", "basis_for_assessment": "This criterion applies to each entity (sole tenderer, member of the group in the case of a joint tender or subcontractor) for the tasks of their competence.", "evidence": "Proof of enrolment in a relevant trade or professional register.", "minimum_level_of_capacity": "Enrolment in a relevant trade or professional register." }, { "criteria_title": "3.2.2 Economic and Financial Capacity - Criterion F1", "description": "Tenderers must comply with the following selection criteria in order to prove that they have the necessary economic and financial capacity to perform the contract.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. a consolidated assessment of the combined capacities of all involved entities will be carried out.", "evidence": "· Copy of the profit and loss accounts and balance sheets for the last three years for which accounts have been closed from each concerned involved entity, or, failing that, appropriate statements from banks. The most recent year must have been closed within the last two financial years. · Complete the attached Annex 7 'Simplified Financial Statement' within the last three financial years.", "minimum_level_of_capacity": "Average yearly turnover of the last three financial years above EUR 500.000." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T1", "description": "The tenderer must prove to have a team of persons capable and available of carrying out the tasks and delivering the results as described and within the time frame in the Technical Specifications.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A list of educational and professional qualifications, submitted in the form of a Curriculum Vitae (CV), is required for each team member. The preferred format for the CV is the Europass format. The CVs must indicate the educational background (according to the EQF), language proficiency in English (as per the CEFR), professional experience, and technical expertise. Additionally, the CVs must clearly indicate the exact start and end dates for each position held. The precise contractual link with the tenderer must be specified.", "minimum_level_of_capacity": "The team must consist of the following minimum members: · One (1) Contract/Project Manager · Three (3) Senior Expert (Incident Management) · Two (2) Intermediate Expert (Incident Management) · Three (3) Senior Expert (Preparedness support services) · Two (2) Intermediate Expert (Preparedness support services) · Two (2) Senior Expert (Exercises\\Trainings) · One (1) Intermediate Expert (Exercises\\Trainings)." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T2", "description": "The tenderer must prove experience in the field of Adversarial Tactics and Techniques Simulation (i.e., penetration testing) or similar Cybersecurity Posture Evaluation services as outlined in section 2.2 'Required Services' of the technical specifications using industry best practices as well as having proven service provision processes in place.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 35.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T3", "description": "The tenderer must prove experience in the field of supporting Incident Response and Crisis Management Plan Development or similar Cyber Readiness services such as Threat Landscape analysis and Maturity & Capabilities assessments as outlined in par. 2.2 'Required Services' of the Technical specifications (except the Organisational Cybersecurity Risk Assessment service which is covered in Criterion T6) in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 20.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T4", "description": "The tenderer must prove experience in supporting Cybersecurity Exercises and Trainings, as outlined in par. 2.2 'Required Services' of the Technical specifications, in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T5", "description": "The tenderer must prove experience in Cybersecurity Incident Management/Response services, as outlined in par. 2.2 'Required Services' of the Technical specifications, in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided, · official registration document of the HQ, subsidiary or (regional) office in the MS (if applicable).", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 35.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project. At least one of the aforementioned projects must be delivered in the respective EU Member State or Have its HQ, subsidiary or (regional) office officially registered in the respective EU Member State." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T6", "description": "The tenderer must prove experience in Organisational Cybersecurity Risk Assessment services in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T7", "description": "The tenderer must prove experience in the cybersecurity subscription services to provide Risk Monitoring services, as outlined in par. 2.2 'Required Services' of the Technical specifications, either as an in-house or as a third-party product, covering areas such as attack surface monitoring, risk monitoring for assets of a particular entity, sector or in the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,00." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T8", "description": "The tenderer must prove experience in ensuring the highest degree of professional integrity, independence, responsibility and ensures the permanence and continuity of expertise as well as the required technical resources.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Code of Conduct and Ethics, or equivalent evidence.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T9", "description": "The tenderer must comply with applicable rules on the protection of classified information and must have in place appropriate measures, between any relevant subsidiaries and sub-contractors to protect confidential information relating to the service, and in particular evidence, findings and reports.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Policy on handling sensitive/classified information (EUCI), agreements with other parties, etc.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T10", "description": "The tenderer must prove that its governing structure is transparent, not likely to compromise its impartiality and the quality of its services or to cause conflicts of interest.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Documentation on the governance structure related to service delivery and the process used to identify and declare conflict of interest.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T11", "description": "The tenderer must ensure security of their IT systems and any hardware and software used for the delivery of the services, including keeping the systems up to date and with no active exploited vulnerabilities.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Security management policies and procedures describing how the tenderer ensures the security of their IT systems including any hardware and software used during the delivery of the services.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T15 (BE1) - Lot 2 Specific", "description": "The tenderer must prove experience in delivering services in the Member State's 3 official languages (Dutch, French and German).", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "The CVs for the profiles identified must indicate the language proficiency of the Member State's 3 official languages as per the CEFR.", "minimum_level_of_capacity": "The Contract Manager must be able to deliver services in Dutch and French at least at level B2 according to the CEFR. The team members proposed for the Expert Profiles for Incident Management and Preparedness support services must be able to deliver services in the Member State's 3 official languages collectively for each of the 2 aforementioned categories of services at least at level C1 according to the CEFR." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T16 (BE2) - Lot 2 Specific", "description": "The tenderer must prove experience in drafting deliverables in all the Member State's 3 official languages (Dutch, French and German).", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided. In case of projects still ongoing, only the portion completed during the reference period will be taken into consideration. As supporting documents for each project reference, the contracting authority may request statements issued by the clients and take contact with them.", "minimum_level_of_capacity": "At least three of the project references submitted to meet criteria T2-T7 must include deliverables in the Member State's 3 official languages. Across these references, at least one deliverable must be provided in each of the 3 languages." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T17 (BE3) - Lot 2 Specific", "description": "Specific Team members of Criterion T1 engaged in service delivery for Incident Response services or Cyber security Posture Evaluation services must possess security clearance.", "basis_for_assessment": "This criterion will be checked against the sole tenderer or group members in case of a joint tender and subcontractors entrusted with Incident Response and Cybersecurity Posture Evaluation services indicated in par. 2.2.1 of 'Part 2 Technical Specifications'.", "evidence": "A declaration/statement by the tenderer confirming that the aforementioned personnel meet the minimum required security clearance level.", "minimum_level_of_capacity": "One senior expert profile in Incident Management and one senior expert profile in Preparedness support services must have at least National or EU CONFIDENTIAL security clearance or NATO equivalent." } ] }, { "lot": "Lot 3 - Czech Republic", "criteria": [ { "criteria_title": "3.2.1 Legal and Regulatory Capacity - Criterion L1", "description": "Tenderers must prove that they have the legal capacity to perform the contract and the regulatory capacity to pursue the professional activity necessary to carry out the work subject to this call for tenders.", "basis_for_assessment": "This criterion applies to each entity (sole tenderer, member of the group in the case of a joint tender or subcontractor) for the tasks of their competence.", "evidence": "Proof of enrolment in a relevant trade or professional register.", "minimum_level_of_capacity": "Enrolment in a relevant trade or professional register." }, { "criteria_title": "3.2.2 Economic and Financial Capacity - Criterion F1", "description": "Tenderers must comply with the following selection criteria in order to prove that they have the necessary economic and financial capacity to perform the contract.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. a consolidated assessment of the combined capacities of all involved entities will be carried out.", "evidence": "· Copy of the profit and loss accounts and balance sheets for the last three years for which accounts have been closed from each concerned involved entity, or, failing that, appropriate statements from banks. The most recent year must have been closed within the last two financial years. · Complete the attached Annex 7 'Simplified Financial Statement' within the last three financial years.", "minimum_level_of_capacity": "Average yearly turnover of the last three financial years above EUR 500.000." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T1", "description": "The tenderer must prove to have a team of persons capable and available of carrying out the tasks and delivering the results as described and within the time frame in the Technical Specifications.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A list of educational and professional qualifications, submitted in the form of a Curriculum Vitae (CV), is required for each team member. The preferred format for the CV is the Europass format. The CVs must indicate the educational background (according to the EQF), language proficiency in English (as per the CEFR), professional experience, and technical expertise. The precise contractual link with the tenderer must be specified.", "minimum_level_of_capacity": "The team must consist of the following minimum members: · One (1) Contract/Project Manager · Three (3) Senior Expert (Incident Management) · Two (2) Intermediate Expert (Incident Management) · Three (3) Senior Expert (Preparedness support services) · Two (2) Intermediate Expert (Preparedness support services) · Two (2) Senior Expert (Exercises\\Trainings) · One (1) Intermediate Expert (Exercises\\Trainings)." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T2", "description": "The tenderer must prove experience in the field of Adversarial Tactics and Techniques Simulation (i.e., penetration testing) or similar Cybersecurity Posture Evaluation services as outlined in section 2.2 'Required Services' of the technical specifications using industry best practices as well as having proven service provision processes in place.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 35.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T3", "description": "The tenderer must prove experience in the field of supporting Incident Response and Crisis Management Plan Development or similar Cyber Readiness services such as Threat Landscape analysis and Maturity & Capabilities assessments as outlined in par. 2.2 'Required Services' of the Technical specifications (except the Organisational Cybersecurity Risk Assessment service which is covered in Criterion T6) in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 20.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T4", "description": "The tenderer must prove experience in supporting Cybersecurity Exercises and Trainings, as outlined in par. 2.2 'Required Services' of the Technical specifications, in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T5", "description": "The tenderer must prove experience in Cybersecurity Incident Management/Response services, as outlined in par. 2.2 'Required Services' of the Technical specifications, in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity, including official registration document of the HQ, subsidiary or (regional) office in the MS (if applicable).", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 35.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project. At least one of the aforementioned projects must be delivered in the respective EU Member State or Have its HQ, subsidiary or (regional) office officially registered in the respective EU Member State." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T6", "description": "The tenderer must prove experience in Organisational Cybersecurity Risk Assessment services in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T7", "description": "The tenderer must prove experience in the cybersecurity subscription services to provide Risk Monitoring services, as outlined in par. 2.2 'Required Services' of the Technical specifications, either as an in-house or as a third-party product, covering areas such as attack surface monitoring, risk monitoring for assets of a particular entity, sector or in the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,00." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T8", "description": "The tenderer must prove experience in ensuring the highest degree of professional integrity, independence, responsibility and ensures the permanence and continuity of expertise as well as the required technical resources.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Code of Conduct and Ethics, or equivalent evidence.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T9", "description": "The tenderer must comply with applicable rules on the protection of classified information and must have in place appropriate measures, between any relevant subsidiaries and sub-contractors to protect confidential information relating to the service, and in particular evidence, findings and reports.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Policy on handling sensitive/classified information (EUCI), agreements with other parties, etc.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T10", "description": "The tenderer must prove that its governing structure is transparent, not likely to compromise its impartiality and the quality of its services or to cause conflicts of interest.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Documentation on the governance structure related to service delivery and the process used to identify and declare conflict of interest.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T11", "description": "The tenderer must ensure security of their IT systems and any hardware and software used for the delivery of the services, including keeping the systems up to date and with no active exploited vulnerabilities.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Security management policies and procedures describing how the tenderer ensures the security of their IT systems including any hardware and software used during the delivery of the services.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T18 (CZ1) - Lot 3 Specific", "description": "The tenderer must be able to provide services in the Member State's official language.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "The CVs for the profiles identified must indicate the language proficiency of the Member State's official language as per the CEFR.", "minimum_level_of_capacity": "At least one team member proposed for each of the 3 Expert Profiles (Incident Management, Preparedness support services and Trainings & Exercises) must be able to deliver services in the Member State's official language at least at level C1 according to the CEFR." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T19 (CZ2) - Lot 3 Specific", "description": "The tenderer must prove experience in drafting deliverables in the Member State's official language.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity. The list shall include details of: · customer, contact name, telephone number and address, · start and end date · amount and brief description of services provided. In case of projects still ongoing, only the portion completed during the reference period will be taken into consideration. As supporting documents for each project reference, the contracting authority may request statements issued by the clients and take contact with them.", "minimum_level_of_capacity": "At least two (in total) of the project references provided to satisfy criteria T2 - T7 must include deliverables delivered in the Member State's official language." } ] }, { "lot": "Lot 4 - Denmark", "criteria": [ { "criteria_title": "3.2.1 Legal and Regulatory Capacity - Criterion L1", "description": "Tenderers must prove that they have the legal capacity to perform the contract and the regulatory capacity to pursue the professional activity necessary to carry out the work subject to this call for tenders.", "basis_for_assessment": "This criterion applies to each entity (sole tenderer, member of the group in the case of a joint tender or subcontractor) for the tasks of their competence.", "evidence": "Proof of enrolment in a relevant trade or professional register.", "minimum_level_of_capacity": "Enrolment in a relevant trade or professional register." }, { "criteria_title": "3.2.2 Economic and Financial Capacity - Criterion F1", "description": "Tenderers must comply with the following selection criteria in order to prove that they have the necessary economic and financial capacity to perform the contract.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. a consolidated assessment of the combined capacities of all involved entities will be carried out.", "evidence": "· Copy of the profit and loss accounts and balance sheets for the last three years for which accounts have been closed from each concerned involved entity, or, failing that, appropriate statements from banks. The most recent year must have been closed within the last two financial years. · Complete the attached Annex 7 'Simplified Financial Statement' within the last three financial years.", "minimum_level_of_capacity": "Average yearly turnover of the last three financial years above EUR 500.000." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T1", "description": "The tenderer must prove to have a team of persons capable and available of carrying out the tasks and delivering the results as described and within the time frame in the Technical Specifications.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A list of educational and professional qualifications, submitted in the form of a Curriculum Vitae (CV), is required for each team member. The preferred format for the CV is the Europass format. The CVs must indicate the educational background (according to the EQF), language proficiency in English (as per the CEFR), professional experience, and technical expertise. The precise contractual link with the tenderer must be specified.", "minimum_level_of_capacity": "The team must consist of the following minimum members: · One (1) Contract/Project Manager · Three (3) Senior Expert (Incident Management) · Two (2) Intermediate Expert (Incident Management) · Three (3) Senior Expert (Preparedness support services) · Two (2) Intermediate Expert (Preparedness support services) · Two (2) Senior Expert (Exercises\\Trainings) · One (1) Intermediate Expert (Exercises\\Trainings)." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T2", "description": "The tenderer must prove experience in the field of Adversarial Tactics and Techniques Simulation (i.e., penetration testing) or similar Cybersecurity Posture Evaluation services as outlined in section 2.2 'Required Services' of the technical specifications using industry best practices as well as having proven service provision processes in place.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 35.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T3", "description": "The tenderer must prove experience in the field of supporting Incident Response and Crisis Management Plan Development or similar Cyber Readiness services such as Threat Landscape analysis and Maturity & Capabilities assessments as outlined in par. 2.2 'Required Services' of the Technical specifications (except the Organisational Cybersecurity Risk Assessment service which is covered in Criterion T6) in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 20.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T4", "description": "The tenderer must prove experience in supporting Cybersecurity Exercises and Trainings, as outlined in par. 2.2 'Required Services' of the Technical specifications, in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T5", "description": "The tenderer must prove experience in Cybersecurity Incident Management/Response services, as outlined in par. 2.2 'Required Services' of the Technical specifications, in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity, including official registration document of the HQ, subsidiary or (regional) office in the MS (if applicable).", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 35.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project. At least one of the aforementioned projects must be delivered in the respective EU Member State or Have its HQ, subsidiary or (regional) office officially registered in the respective EU Member State." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T6", "description": "The tenderer must prove experience in Organisational Cybersecurity Risk Assessment services in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T7", "description": "The tenderer must prove experience in the cybersecurity subscription services to provide Risk Monitoring services, as outlined in par. 2.2 'Required Services' of the Technical specifications, either as an in-house or as a third-party product, covering areas such as attack surface monitoring, risk monitoring for assets of a particular entity, sector or in the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,00." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T8", "description": "The tenderer must prove experience in ensuring the highest degree of professional integrity, independence, responsibility and ensures the permanence and continuity of expertise as well as the required technical resources.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Code of Conduct and Ethics, or equivalent evidence.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T9", "description": "The tenderer must comply with applicable rules on the protection of classified information and must have in place appropriate measures, between any relevant subsidiaries and sub-contractors to protect confidential information relating to the service, and in particular evidence, findings and reports.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Policy on handling sensitive/classified information (EUCI), agreements with other parties, etc.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T10", "description": "The tenderer must prove that its governing structure is transparent, not likely to compromise its impartiality and the quality of its services or to cause conflicts of interest.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Documentation on the governance structure related to service delivery and the process used to identify and declare conflict of interest.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T11", "description": "The tenderer must ensure security of their IT systems and any hardware and software used for the delivery of the services, including keeping the systems up to date and with no active exploited vulnerabilities.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "Security management policies and procedures describing how the tenderer ensures the security of their IT systems including any hardware and software used during the delivery of the services.", "minimum_level_of_capacity": "At least 1 document that has been issued or implemented by the tenderer." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - No Additional Lot-Specific Criteria - Lot 4 (Denmark)", "description": "No additional country-specific selection criteria are specified for Lot 4 - Denmark beyond the common criteria T1-T11.", "basis_for_assessment": "Not provided", "evidence": "Not provided", "minimum_level_of_capacity": "Not provided" } ] }, { "lot": "Lot 5 - Estonia", "criteria": [ { "criteria_title": "3.2.1 Legal and Regulatory Capacity - Criterion L1", "description": "Tenderers must prove that they have the legal capacity to perform the contract and the regulatory capacity to pursue the professional activity necessary to carry out the work subject to this call for tenders.", "basis_for_assessment": "This criterion applies to each entity (sole tenderer, member of the group in the case of a joint tender or subcontractor) for the tasks of their competence.", "evidence": "Proof of enrolment in a relevant trade or professional register.", "minimum_level_of_capacity": "Enrolment in a relevant trade or professional register." }, { "criteria_title": "3.2.2 Economic and Financial Capacity - Criterion F1", "description": "Tenderers must comply with the following selection criteria in order to prove that they have the necessary economic and financial capacity to perform the contract.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. a consolidated assessment of the combined capacities of all involved entities will be carried out.", "evidence": "· Copy of the profit and loss accounts and balance sheets for the last three years for which accounts have been closed from each concerned involved entity, or, failing that, appropriate statements from banks. The most recent year must have been closed within the last two financial years. · Complete the attached Annex 7 'Simplified Financial Statement' within the last three financial years.", "minimum_level_of_capacity": "Average yearly turnover of the last three financial years above EUR 500.000." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T1", "description": "The tenderer must prove to have a team of persons capable and available of carrying out the tasks and delivering the results as described and within the time frame in the Technical Specifications.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A list of educational and professional qualifications, submitted in the form of a Curriculum Vitae (CV), is required for each team member. The preferred format for the CV is the Europass format. The CVs must indicate the educational background (according to the EQF), language proficiency in English (as per the CEFR), professional experience, and technical expertise. The precise contractual link with the tenderer must be specified.", "minimum_level_of_capacity": "The team must consist of the following minimum members: · One (1) Contract/Project Manager · Three (3) Senior Expert (Incident Management) · Two (2) Intermediate Expert (Incident Management) · Three (3) Senior Expert (Preparedness support services) · Two (2) Intermediate Expert (Preparedness support services) · Two (2) Senior Expert (Exercises\\Trainings) · One (1) Intermediate Expert (Exercises\\Trainings)." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T2", "description": "The tenderer must prove experience in the field of Adversarial Tactics and Techniques Simulation (i.e., penetration testing) or similar Cybersecurity Posture Evaluation services as outlined in section 2.2 'Required Services' of the technical specifications using industry best practices as well as having proven service provision processes in place.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 35.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T3", "description": "The tenderer must prove experience in the field of supporting Incident Response and Crisis Management Plan Development or similar Cyber Readiness services such as Threat Landscape analysis and Maturity & Capabilities assessments as outlined in par. 2.2 'Required Services' of the Technical specifications (except the Organisational Cybersecurity Risk Assessment service which is covered in Criterion T6) in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 20.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T4", "description": "The tenderer must prove experience in supporting Cybersecurity Exercises and Trainings, as outlined in par. 2.2 'Required Services' of the Technical specifications, in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity.", "minimum_level_of_capacity": "At least 3 similar (in scope and complexity) projects completed in the last three years preceding the deadline for submission of tenders, with a minimum value for each of them € 15.000,0

Selection · Criterion

0. The tenderer's share must be at least 50% of each reference project." }, { "criteria_title": "3.2.3 Technical and Professional Capacity - Criterion T5", "description": "The tenderer must prove experience in Cybersecurity Incident Management/Response services, as outlined in par. 2.2 'Required Services' of the Technical specifications, in at least one of the 27 EU Member States.", "basis_for_assessment": "This criterion applies to the tenderer as a whole, i.e. the consolidated assessment of combined capacities of all involved entities will be carried out.", "evidence": "A Project References List as Annex 8 meeting the minimum level of capacity, including official registration document of the HQ

Contract value
€18,000,000
Deadline7 Jul 2026
Time left-1 days left
BuyerENISA - European Union Agency for Cybersecurity
ProcedureOpen procedure

Published 21 May 2026 · rebuilt nightly from the official notice.