CFT-1747 - IT Security Hardware and Software

CFT-1747 is a European Investment Bank open tender to award a multiple-operator framework agreement (minimum 2, maximum 5 providers) for the supply and renewal of IT security hardware and software and associated services, with an estimated maximum envelope of €35,000,000 over a 4-year term plus two optional 1-year extensions. The award will be based on the most economically advantageous tender using a 30% quality / 70% price weighting and requires unconditional acceptance of the Service Level Requirements. Eligible tenderers must be established in an EU Member State, EEA country or specified Stabilisation and Association Agreement countries and meet selection criteria including relevant contract references and minimum turnover thresholds; submission is electronic via the EU eSubmission system. Key dates include the tender submission deadline of 15 June 2026 at 17:00 CET and publication of clarifications on the EU Funding & Tenders Portal.

What it funds

A Framework Agreement (up to 5 providers) for supply and renewals of IT security hardware and software (third-party vendor products) and associated services (installation, maintenance, license management, deliveries) for the European Investment Bank Group.

Who can apply

Economic operators established in an EU Member State, the EEA or in a country covered by the EU Stabilisation and Association Agreements. Consortia and subcontracting are permitted; bidders must meet exclusion, selection and experience requirements described in the Terms of Reference.

Funding / Contract value:Estimated total value €35,000,000 (over the full framework duration, renewals included). No guaranteed minimum call-off volume.

1. 1Procedure type: Open procedure to award a multiple-operator framework agreement with re-opening of competition.
2. 2Number of providers to be awarded: minimum 2, maximum 5 (subject to admissible tenders).
3. 3Framework duration: 4 years + two optional 1-year extensions (4+1+1).
4. 4Main place of performance: EIB headquarters, Luxembourg.

Key eligibility and selection highlights:minimum of 2 relevant contracts in the last 3 years (each with IT security product supply and invoiced value >= €1,500,000), annual overall turnover >= €10,000,000 for each of the last three audited financial years, and registration to carry out the professional activity under national law; full documentation required in tenders (administrative forms, technical proposal and pricing form).

How award is made:Award method: Best price-quality ratio. Quality weighting 30% (technical/operational model, on-time delivery approach, administration/license/document management) and Price weighting 70% (evaluated on a Total Financial Scenario using the provided Pricing Form).

Submission:Electronic via the EU eSubmission system (EU Login required). Tenderers must accept mandatory Service Level Requirements and complete Annexes (Terms of Reference, Annex A to J, Pricing Form, Administrative Forms, Model Framework Agreement and General Terms).

Opportunity summary

Procurement type:Open call for tenders (Call for Tenders reference EIB/2024/OP/0001 / TED reference 81/2026 286898-2026) issued by the European Investment Bank (EIB). Objective: award a multiple-operator Framework Agreement (maximum of 5 providers) for the supply of specific IT security hardware and software products (including renewals) manufactured/published by third-party vendors, and the provision of associated services. Estimated total value: €35,000,000 over the complete duration (including renewals). Framework duration: 4 years with two optional 1-year renewals (4 + 1 + 1 years). Main place of performance: EIB headquarters, Luxembourg.

Procedure type and award method:Open procedure. Framework agreement with reopening of competition (parallel call-off). Award method: best price-quality ratio (Quality weighting 30%, Price weighting 70%).

Key dates:TED publication date: 27/04/2026. Deadline for clarifications (as published): 07/05/2026 17:00 CET. Deadline for receipt of tenders: 15/06/2026 17:00 Europe/Luxembourg (CET). Public opening (non-public session): 16/06/2026 11:00 Europe/Luxembourg. Contract signature expected Q4 2026.

What is being procured (scope and technical overview)

Scope:supply and renewals of IT security hardware and software and related services for the EIB Group's IT security domain. The Framework Agreement covers procurement of products and associated services used in EIBG's IT security infrastructure and managed via a re-opening of competition mechanism for call-offs (Assignments / AToRs). The Agreement is multiple-operator (min 2, up to 5 providers) and does not guarantee minimum volumes; call-offs will be issued to the framework providers as needs arise.

1. 1Product categories in scope include (non-exhaustive): Web proxies, Email gateways, Firewalls, Remote access gateways, Privileged Access Management, Web Application Firewalls, IDS/IDP, Endpoint Security, Routers, Strong authentication, SIEM, Vulnerability management scanners, Cloud Access Security Broker, Antivirus, PKI management, Secret management, DNS security, Zero trust network access.
2. 2Typical vendors listed in the documentation include (random order): Cisco, Checkpoint, Palo Alto, F5, Wallix, Tenable, SentinelOne, Tufin, VENAFI, Netskope, HashiCorp, etc.
3. 3Associated services include: extended warranty, preloading OS/firmware/configuration, automated device enrolment (MDM), recycling, equipment tagging, maintenance/support contracts and license management tasks.

Procurement, contracting and award process details

Contracting modality:Framework Agreement with reopening of competition. Procedure for award of Assignments: EIB issues Assignment Terms of Reference (AToR) to all Framework Members; Members submit proposals; award based on set award criteria and weightings indicated in each AToR (price typically 60–80% and technical merit 20–40%). Contracts may be formalised as a Contract Template or as unilateral Purchase Order (Appendix B and E).

Estimated financial envelope:Estimated total value: €35,000,000 over the Framework Agreement term (renewals included). There is no guaranteed minimum spend or minimum number of call-offs.

Eligibility and participation

Market access limitation (pass/fail):participation limited to economic operators established in a Member State of the European Union (EU) or the European Economic Area (EEA), and to operators established in countries subject to Stabilisation and Association Agreements currently listed (Albania, North Macedonia, Montenegro, Serbia, Bosnia and Herzegovina, Kosovo). This limitation applies to the tenderer and, in case of a joint tender, to each consortium member; it does not apply to subcontractors. Consortia (joint tenders) and subcontracting are permitted in compliance with the General Administrative and Submission Clauses and Terms of Reference.

Eligible applicant types:Eligible applicants: SMEs and large enterprises, system integrators, authorized resellers, value-added distributors, managed service providers, IT hardware vendors, software publishers, professional services firms, consortiums and public-private consortia that meet the market access limitation. Universities/research institutes may participate if they meet the market access rules and can supply the products/services (but this is principally a supplier/procurement opportunity rather than a research grant).

Selection and exclusion criteria (summary)

Tenders will be evaluated on exclusion, selection and award criteria. Exclusion:standard grounds listed in Form 5 (criminal convictions, bribery, fraud, money laundering, tax/social security non‑payment, insolvency, etc.). Selection criteria include technical/professional capacity, economic/financial capacity and legal capacity.

1. 1Technical and professional capacity (T1): Tenderer must demonstrate at least two (2) relevant contracts in the last 3 years, each of minimum 1-year duration, each with product supply value invoiced of at least €1,500,000, and covering one or more of the product categories listed in Annex A. References must be submitted using Annex D (Contract Reference Form); EIB may contact reference clients to verify.
2. 2Economic and financial capacity (F1): For each of the last three financial years, the tenderer must have an annual overall turnover of at least €10,000,000. Proof: financial statements and Form 6 (Economic and Financial Capacity). Alternative auditor statement may be accepted in exceptional cases.
3. 3Legal capacity: certificate of registration in trade or professional register in country of establishment (or equivalent proof) is required.

Mandatory requirements and award criteria

Tenders must first pass mandatory technical/compliance requirements (pass/fail). Key Mandatories: explicit and unconditional acceptance of the Service Level Requirements (SLRs) as specified in Appendix 1 and compliance with technical specifications in Annex A. Only tenders that pass these mandatories proceed to quality and financial scoring.

Award scoring and ranking:Quality (technical) score: max 100 points across three sub-criteria: (1) organisational and operational model (40 points, minimum 20), (2) proposal to ensure on-time delivery (30 points, minimum 15), (3) approach/methodology for administration, licensing and document management (30 points, minimum 15). A minimum overall technical score of 60 points and minimum per-criterion thresholds must be met or tender is rejected. Financial scoring: lowest Total Financial Scenario receives 100 points; other bids scaled inversely (Fs = 100 * Fm / F). Final score = Q x 30% + Fs x 70%. Top ranking up to 5 tenders (subject to sufficient admissible tenders) will be awarded the Framework Agreement.

Contract and commercial terms

Framework agreement is multiple-operator with reopening of competition. Call-offs are limited in cost and duration as defined in each AToR. Prices in the Tender are firm for first two years (Fixed-Pricing Period). After 2 years, annual indexation may apply following request within 3 months before end of fixed period; indexation formula is based on HICP Luxembourg (or stated index in contract). EIB is VAT-exempt (Article 21 Protocol No 7). Maximum aggregate value across all framework members: €35,000,000 (excluding VAT). No guaranteed volume.

Ordering, delivery and acceptance:Call-offs follow reopening of competition procedures. Typical lifecycle: EIB issues AToR to Framework Members; members reply with proposals; EIB awards; contract/PO is signed; Service Provider delivers products and services complying with delivery requirements (Annex A §4.3). Products accepted after written acknowledgement by EIB or 10 business days after delivery to EIB premises, whichever occurs first. Service Providers must supply all vendor entitlement documents, licenses, support level documentation and transfer them to EIB.

Service Levels, reporting and administration

Service Level Requirements (SLRs) are defined at Framework level in Appendix 1. SLRs cover contract management, ordering and delivery processes, monthly delivery reporting, SLA measurement and penalties. Service Providers must implement processes to measure and report SLA compliance. Monthly Delivery Reports are mandatory (Annex J template) and must be submitted by the 10th calendar day of the following month to it-contracts@eib.org. Asset and Contract Management reports (quarterly) and an annual renewals report are required. The Service Provider shall maintain an online central repository and ordering portal for EIB with shopping basket, history, export capability and contract/license database.

Penalties and quality monitoring:SLR monitoring: SLR targets are mapped to measurable KPIs (see Appendix 1). Penalties apply where performance falls below targets: no penalties if performance >= 95%; penalties of 5% of assignment value for performance between 80% and <95%; penalties of 10% of assignment value for performance <80%. The maximum cap on penalties for any assignment is 10% of that assignment value. Progress and quality meetings occur every six months.

Procurement documentation and submission

Procurement Documents (in order of priority):Contract Notice; General Administrative and Submission Clauses (GASC); Model Framework Agreement (and appendices including Bank General Terms and Conditions for ICT Services); Terms of Reference and Annexes (Annex A Technical Specifications, Annex B Technical Proposal Form, Annex C Pricing Form, Annex D Contract Reference Form, Annex E Model Framework Agreement, Annex F General Terms & Conditions for ICT, Annex G Contract template, Annex H GASC, Annex I Administrative Forms, Annex J Monthly Delivery Report Template). Tenderers must upload required administrative forms (Forms 1–6), the technical proposal (per Annex B) and the financial proposal (Annex C Pricing Form) via the eSubmission system (use eSubmission link in the call). Submission is electronic only for this procedure. EU Login account required and two-factor authentication will be mandatory for EU Login from mid/late 2026 — tenderers should ensure EU Login 2FA is available for submission.

Mandatory submission formats and templates:Tenderers must use Annex B (Technical Proposal Form) structure; Annex C Pricing Form must be completed without alterations (cells in red must be filled). Annex D (Contract Reference Form) used for references (2–5 references). Administrative Forms (I) Forms 1–6 must be completed and signed. Electronic copies must match paper originals in case originals are requested after award. For eSubmission, signed scanned originals of required signed forms must be uploaded where requested and originals sent by post on the first working day after electronic submission if the procedure requests.

Evaluation process, standstill and contracting

Evaluation follows:formal opening (administrative check), exclusion check, selection criteria verification, mandatory requirements check, technical and financial scoring. Up to five highest-ranking admissible tenders will be awarded the Framework Agreement subject to sufficient admissible tenders. After award decision, EIB notifies tenderers and applies a standstill period (15 calendar days for paper notifications or 10 days for electronic notifications) before contract signature. The successful tenderer must produce original supporting documents for exclusion/selection checks (e.g., certificates, audited accounts) within the timeframe set by EIB prior to signature. Additional contractual administration documents (Vendor Information Form, bank account statement, registration extract) will be required before contracting and for payment set-up.

Commercial & legal templates and obligations

Model documents provided:Model Framework Agreement (Annex E) and Contract template (Annex G), Bank General Terms and Conditions for ICT Services (Appendix C), General Administrative and Submission Clauses (Annex H). The Framework Agreement includes standard clauses on IP, warranties, penalties, suspension, termination (including for insolvency and exclusion events), confidentiality (Annex III confidentiality undertaking), data protection (Appendix C Annex II), audit and reporting rights. Service Providers must agree to EIB’s contractual terms and cannot submit own general conditions. Joint tenders must accept joint and several liability and may be required to form a legal entity for contract signature if requested by EIB.

Practical and operational requirements

Delivery to EIB premises in Luxembourg requires advance notification by email (it-contracts@eib.org) at least one working day prior to delivery and specific delivery information (PO/contract number, carrier, license plate for dedicated transport, unloading time, parcel dimensions and contents). EIB accepts deliveries by regular courier to reception or by dedicated transport to the ramp. Each delivery must be accompanied by delivery note/waybill and vendor entitlement documentation. Monthly Delivery Report template (Annex J) must be used. The Service Provider will manage entitlement registrations, create a contracts database, maintain a repository with access for designated EIB staff, monitor renewals and provide an ordering portal with shopping cart and purchase history.

Questions specific to categorisation and structured data

The sections below interpret the opportunity to extract structured fields requested by procurement users and tender preparers. Each answer reproduces the information published in the Procurement Documents (Terms of Reference and Annexes).

Eligible Applicant Types:Eligible applicant types include: SMEs and large enterprises, system integrators, authorized resellers, distributors, managed service providers, software publishers, hardware vendors, professional services firms, joint venture/consortia (consortium members must each meet market access limitation), and subcontractors (subcontractors are not subject to the market access limitation). Public entities established in the EU/EEA or Stabilisation and Association Agreement countries are eligible to tender where they meet participation criteria.

Funding Type:This is a public procurement (tender) for a framework agreement. The financial mechanism is a procurement framework agreement with call-off contracts (supply and services) funded by the EIB operating budget and purchase orders; not a grant, loan or equity instrument.

Consortium Requirement:Consortium/joint tender is permitted but not mandatory. Tenderers may submit as sole tenderer or in a consortium. If a consortium wins, joint and several liability applies; EIB may require a legal form to be adopted for contracting. Consortium members must each meet market access limitation.

Beneficiary Scope (Geographic Eligibility):Eligible tenderers must be established in EU Member States or EEA countries or in countries subject to Stabilisation and Association Agreements (explicitly listed in the Terms of Reference: Albania, North Macedonia, Montenegro, Serbia, Bosnia and Herzegovina, Kosovo). Subcontractors may be from other countries but cannot be used to circumvent the market access limitation.

Target Sector:Target sectors: Information and Communication Technology (ICT), specifically IT security / cybersecurity hardware and software (firewalls, proxies, email gateways, PAM, IDS/IDP, endpoint security, vulnerability management, SIEM, WAF, PKI, etc.).

Mentioned Countries:Mentioned country: Luxembourg (main place of performance and EIB headquarters). Market access eligible countries explicitly mentioned: Albania, North Macedonia, Montenegro, Serbia, Bosnia and Herzegovina, Kosovo. Contracting authority: European Investment Bank (Luxembourg).

Project Stage:Procurement is for deployment/operational stage: supply, renewal and maintenance of production-grade IT security hardware and software and related services. Assignments will include procurement, installation, configuration, license/entitlement management, maintenance and warranty services.

Funding Amount:Estimated total value: €35,000,000 over the Framework Agreement duration (renewals included). This is an estimated ceiling, not a guaranteed amount; no minimum guaranteed expenditure.

Application Type:Open call (public tender). Submission method: electronic submission via the EU eSubmission application (access via the Funding & Tenders Portal link provided in the call). Use of eSubmission is mandatory for this procurement.

Nature of Support:This is a commercial supply and services contract: the service provider will receive monetary payments for delivered products and services under call-off contracts. Non-financial outputs include licence and entitlement transfers, documentation, and administrative services. Benefits are monetary (procurement payments) and service delivery (products, support).

Application Stages:The selection and award process comprises these stages: 1) eSubmission receipt (formal/administrative check and opening); 2) exclusion and selection checks (pass/fail on market access, exclusion, capacity); 3) mandatory compliance checks (e.g., SLR acceptance); 4) technical evaluation (quality scoring); 5) financial evaluation and combined scoring; 6) award decision and standstill; 7) pre-contract checks and contract signature. Total stages: 7 (including post-award pre-contract checks).

Success Rates:Success rate depends on number of admissible tenders; up to 5 Framework Agreements will be awarded, provided sufficient admissible tenders are received. EIB does not publish a definitive success rate; applicants should assume competitive selection with only top scoring candidates (max 5) awarded.

Co-funding Requirement:No co-funding from the tenderer is required. This is a procurement for supplies and services, not a grant.

Application templates and structure (how the forms look and how to prepare)

Mandatory forms and templates are provided in the Procurement Documents and must be used without modification. Key forms and templates included in the call documents:

1. 1Annex B - Technical Proposal Form: structured document that tenderers must follow; responses should address the three qualitative award criteria and follow word/page limits where indicated.
2. 2Annex C - Pricing Form: Excel workbook with Fixed product list, Discounts/Markups and Instructions worksheets. Tenderers must not add rows or change the structure. Cells highlighted in red are mandatory and failure to fill them leads to rejection. Prices firm for first 2 years and maximum unit prices quoted are binding for call-offs (subject to indexation conditions in contract).
3. 3Annex D - Contract Reference Form: used to present 2–5 references for Criterion T1 (Relevant experience). Each reference must provide contract details, client information and description of scope.
4. 4Annex I - Administrative forms (Forms 1–6): Tenderer Contact Form (Form 1); Deed of Undertaking (Form 2); Consortium member declaration (Form 3); Subcontractor declaration (Form 4); Declaration on honour (Form 5 - exclusion/conflict); Form 6 Economic and Financial Capacity (turnover figures and supporting financial statements).
5. 5Annex J - Monthly Delivery Report Template: required monthly delivery reporting format; Service Providers must submit reports by the 10th calendar day of the following month to it-contracts@eib.org.
6. 6Model Framework Agreement, ICT General Terms & Conditions and Contract Template (Annexes E, F, G): define contractual obligations, liability, IP, data protection, audit rights, SLAs, termination and service levels.

Preparation guidance:complete Forms 1–6 (administrative), prepare the Technical Proposal following Annex B structure (organisation/operational model; delivery/ logistics; administration/license/document management approach and tools), complete the Annex C Pricing Form without structural changes, supply 2–5 valid contract references in Annex D, and ensure all mandatory technical SLRs are accepted. Upload all required scanned signed originals where requested. Use eSubmission and ensure EU Login with 2-factor authentication is active for account access and submission.

How to apply (practical steps)

1) Create / ensure EU Login account and enable two-factor authentication. 2) Prepare and complete Forms 1–6 and supporting documentation (financial statements, registration extracts, certificates, references). 3) Prepare Technical Proposal (Annex B) and Financial Proposal (Annex C Excel pricing form filled according to instructions, signed). 4) Use the eSubmission link from the Funding & Tenders Portal opportunity page to upload the tender before the stated deadline. 5) Keep originals of signed administrative forms to submit if requested after award notification. 6) Monitor procurement Q&A page on the EU Funding & Tenders Portal and adhere to deadlines for clarifications (last date: 27/05/2026 is noted in documents as final date to submit questions to contracting authority in some places).

Risks, important notes and tips

1. 1Market access limitation is an immediate pass/fail requirement: tenderers must be established in EU/EEA or specified SAA countries (consortium members individually must meet it).
2. 2Complete all mandatory cells in the Pricing Form and Annexes exactly as required: missing mandatory cells or unpermitted changes to the forms will lead to rejection.
3. 3Accepting the SLRs without reservation is mandatory. Tenders that do not explicitly accept them will be rejected.
4. 4Provide 2 eligible, verifiable contract references meeting the scope/value/duration requirements—EIB may contact clients for validation and will invalidate unverifiable references.
5. 5Use the eSubmission system and ensure EU Login 2FA is set up ahead of time; system technical requirements and browser guidance are provided in public eSubmission documentation.
6. 6No guarantees of volume—Framework does not imply minimum call-off volumes; treat the estimated €35M as ceiling only.
7. 7Review and accept the Model Framework Agreement (Annex E), Appendix C (ICT General Terms and Conditions) and contractual clauses including IP, data protection, audit, and termination clauses before bidding—EIB requires unconditional acceptance.
8. 8Sustainability and environmental requirements: EIB requests sustainability plans and may request Paris Alignment Strategy and CSR reports within 12 months after contract start; annual sustainability reviews are required.

Documents available to download (high priority)

• Terms of Reference (CFT-1747) (Annex A Technical Specifications included).
• Annex A - Technical Specifications (Detailed scope, delivery, SLRs, environmental and administrative requirements).
• Annex B - Technical Proposal Form.
• Annex C - Pricing Form (Excel workbook).
• Annex D - Contract Reference Form.
• Annex E - Model Framework Agreement (Framework Agreement template).
• Annex F - General Terms & Conditions for ICT Services (Appendix C in Agreement).
• Annex G - Contract template (Call-off contract template).
• Annex H - General Administrative and Submission Clauses (GASC).
• Annex I - Administrative forms (Forms 1–6).
• Annex J - Monthly Delivery Report Template.
• TED notice and contract notice on the EU Tenders Electronic Daily (TED) platform.

Contact, support and Q&A

All questions on procurement process and clarifications must be submitted via the Funding & Tenders Portal Q&A functionality or as instructed in the Terms of Reference (eSubmission Q&A). Contact for procurement administrative matters: corporate-procurement@eib.org. For eSubmission technical issues consult the EU eSubmission help and IT helpdesk guidance linked in the call. Public Q&A is made available on the call page; EIB is not bound to reply to questions submitted after the stated deadline in the GASC/Terms of Reference.

Summary — What is this opportunity about and how to explain it?

CFT-1747 is an EIB open procurement to create a multi-provider Framework Agreement for IT security hardware and software products and associated services used by the EIB Group. Up to five suppliers will be selected following an open and competitive evaluation (technical + financial), then EIB will issue call-offs (re-opening of competition) to obtain specific products, updates, renewals and associated services when required. The procurement requires suppliers to be established in the EU/EEA or specified Stabilisation and Association Agreement countries, to submit mandatory administrative forms, to demonstrate relevant experience (2 references >= €1.5M each, 1+ year duration) and financial capacity (annual turnover >= €10M), to accept EIB’s Service Level Requirements and contractual terms without reservation, and to deliver products/services to EIB’s headquarters in Luxembourg under EIB’s delivery and reporting rules. Tenderers must submit a structured technical proposal and a completed pricing form via the eSubmission system by the deadline. The procurement is primarily targeted at ICT hardware/software vendors, authorized resellers, integrators and service providers operating in cybersecurity and enterprise IT security domains. The Framework Agreement provides flexibility for EIB to procure on-demand, with ordering via competitive call-offs and contractual protections for EIB including SLAs, reporting, auditing and sustainability commitments.

Opportunity Overview

CFT-1747 is a European Investment Bank framework agreement tender for the supply of IT security hardware and software products and associated services. This is a procurement opportunity, not a grant or funding programme. The EIB seeks to establish relationships with up to five service providers to supply security products and services on a call-off basis over a multi-year period.

Contracting Authority:European Investment Bank (EIB), headquartered in Luxembourg. The EIB is the financing institution of the European Union and operates under its own legal framework.

Key Opportunity Details

Estimated Total Value:€35,000,000 over the complete duration of the framework agreement including all renewals. This represents the maximum potential expenditure; there is no guaranteed minimum spend, no obligation to award any specific volume, and no guarantee the maximum will be reached.

Contract Duration:Initial term of 4 years, renewable by two additional periods of 1 year each, for a potential total of 6 years. Expected start date is Q4 2026.

Number of Service Providers:A minimum of 2 and maximum of 5 service providers will be selected, provided sufficient admissible tenders are received. This is a multiple-operator framework with reopening of competition for individual assignments.

Estimated Call-Off Contracts:Approximately 75 individual call-off contracts are anticipated over the framework period.

Scope of Services

Service providers must supply specific IT security hardware and software products manufactured or published by various third-party vendors, along with associated services. The scope includes new hardware purchases, upgrades, maintenance services, software licenses, support services, and ancillary services such as extended warranty, equipment recycling, and device enrolment for Mobile Device Management.

Product categories in scope include web proxies, email gateways, firewalls, remote access gateways, privileged access management, web application firewalls, intrusion detection and prevention systems, endpoint security, routers, strong authentication systems, security information and event management, vulnerability management scanners, cloud access security brokers, antivirus solutions, PKI management, secret management, DNS security, and zero trust network access solutions.

Common manufacturers and vendors currently in the EIB infrastructure include Cisco, Checkpoint, Palo Alto, F5, Wallix, Tenable, and numerous others. The EIB emphasizes standardization while supporting diversity among hardware manufacturers where possible.

Eligibility and Participation Criteria

Geographic Eligibility:Participation is limited to economic operators established in a Member State of the European Union or the European Economic Area, as well as operators in countries subject to Stabilisation and Association Agreements (currently Albania, North Macedonia, Montenegro, Serbia, Bosnia and Herzegovina, and Kosovo). This restriction applies to the tenderer or each consortium member but not to subcontractors. Subcontracting may not be used to circumvent this market access limitation.

Submission Method:Electronic submission via the eSubmission system is mandatory. Tenders submitted by postal service, email, or other means will be rejected.

Consortium and Subcontracting:Joint tenders by consortia are permitted. Subcontracting is permitted but the tenderer retains full liability. All consortium members are jointly and severally liable for contract performance.

Selection Criteria

Technical and Professional Capacity:Tenderers must demonstrate experience of at least 2 contracts, each with similar scope, scale and complexity, completed or ongoing within the last 3 years before the submission deadline. Each reference contract must demonstrate experience in supplying IT security hardware and software products from one or more of the specified categories, have a minimum duration of 1 year, show a minimum value of €1,500,000 in IT security products already supplied and invoiced in the last 3 years, and be with one of the following client types: national public sector organisations, EU institutions or bodies, international public organisations, multilateral development banks, financial services institutions subject to ECB/EBA/ESMA/EIOPA supervision, or private companies with at least 2,000 employees. Between 2 and 5 contract references may be submitted using the Contract Reference Form.

Economic and Financial Capacity:Tenderers must have an annual overall turnover of at least €10,000,000 for each of the past three financial years for which accounts have been closed and final audited figures are available. Financial statements or equivalent documentation proving stable financial position must be provided, along with completed Form 6 of the Administrative Forms for EIB Tenders.

Legal Capacity:Tenderers must prove registration to pursue the professional activity under national law, evidenced by a certificate of registration in relevant trade or professional registers, or equivalent documentation such as VAT registration if formal registration is not required.

Exclusion Criteria

Tenderers and consortium members must not be in any of the exclusion situations specified in EU Directive 2014/24/EU, including criminal convictions for participation in criminal organisations, corruption, fraud, terrorist offences, money laundering or terrorist financing, child labour or human trafficking, breaches of tax or social security obligations, bankruptcy or insolvency, breaches of environmental or labour law, grave professional misconduct, early termination of prior contracts due to deficiencies, serious misrepresentation, undue influence, or being subject to EIB exclusion decisions or sanctions. A signed Declaration on Honour on exclusion criteria and selection criteria and on absence of conflict of interest (Form 5) must be provided.

Award Criteria and Evaluation

Award Method:The most economically advantageous tender based on best price-quality ratio, with quality weighted at 30 percent and price weighted at 70 percent.

Mandatory Requirements:Tenderers must accept without reservation and explicitly commit to comply with the Service Level Requirements as described in Appendix 1 of the Technical Specifications. Failure to comply results in tender rejection.

Qualitative Award Criteria:A maximum of 100 points awarded based on three criteria: (1) quality of the proposed organizational and operational model to supply products and services (40 points maximum, 20 points minimum required); (2) quality of the proposal to ensure on-time delivery of products and services (30 points maximum, 15 points minimum required); and (3) quality of the proposed approach, methodology and tools for administration, assignment, license and document management tasks (30 points maximum, 15 points minimum required). Tenders not meeting 50 percent of the minimum score per criterion and 60 percent of total points are rejected.

Financial Award Criterion:The tender with the lowest Total Financial Scenario receives 100 points. Other tenders receive scores in inverse proportion to their Total Financial Scenario according to the formula: Fs = 100 x Fm / F, where Fs is the financial score, Fm is the lowest tender's total, and F is the tender's total.

Final Score Calculation:Final Score = (Qualitative Score x 30 percent) + (Financial Score x 70 percent). The top 5 ranking tenders with the highest final scores will be awarded the framework agreement, provided a sufficient number of admissible tenders are received. In case of a tie, the tenderer with the highest price score is deemed most economically advantageous.

Key Deadlines and Milestones

The EIB is not bound to reply to clarification requests submitted less than 5 working days before the tender deadline. All clarifications and amendments to procurement documents will be published on the EU Funding and Tenders Portal at least 6 calendar days before the submission deadline.

Tender Structure and Documentation Requirements

Tenders must be submitted in three parts:Part I (Administrative Information and Exclusion and Selection Criteria), Part II (Technical Proposal), and Part III (Financial Proposal). All tenderers must complete the Administrative Forms for EIB Tenders (Forms 1-6), including the Tenderer Contact Form, Deed of Undertaking, Consortium Member Declaration (if applicable), Subcontractor Declaration (if applicable), Declaration on Honour on exclusion and selection criteria, and Economic and Financial Capacity form.

Technical Proposal Requirements:The technical proposal must strictly adhere to the award criteria and address: (1) the proposed organizational and operational model for supplying products and services, including evaluation of acquisition channels and processes to remediate underperformance; (2) the proposed process for requesting products, responding to requests, approving purchase orders, and ordering products, including delivery processes and compliance with delivery requirements; and (3) the proposed approach, methodology and tools for administration, assignment, license and document management tasks, including acquisition channel administration, assignment and license management, and hardware maintenance.

Financial Proposal Requirements:The financial proposal must be based on the Pricing Form provided in Annex C. Tenderers must fill in all cells highlighted in red in the Fixed Product List and Discounts/Markups worksheets. Prices must be quoted inclusive of all costs and expenses directly and indirectly connected with delivery and service performance. Prices must be in Euro and exclude VAT (as the EIB is exempt). Prices shall be firm for the first 2 years; annual indexation may apply thereafter using the Harmonised Index of Consumer Prices for Luxembourg. The maximum unit prices quoted represent the maximum the service provider will charge when responding to call-off requests; lower prices may be quoted but not higher ones.

Service Level Requirements and Performance

Service providers must accept and comply with Service Level Requirements covering delivery times, quality of products, and performance standards. The EIB will establish a multi-year relationship based on mutual understanding, trust, and achievement of agreed quality measures. Service Level Agreements are detailed in Appendix 1 of the Technical Specifications and define minimum service requirements, metrics, measurement methods, and penalties for underperformance.

Penalties for Non-Performance:Penalties apply when service providers fail to meet Service Level Targets. The maximum cap on penalties for failure to meet any or all Service Level Targets is 10 percent of the assignment value. Penalties are calculated per assignment and reflected on invoices.

Reporting and Monitoring:Service providers must provide mandatory monthly delivery reports to the EIB detailing compliance with agreement terms, including items delivered, items pending delivery, delivery status, and Service Level Agreement compliance. Reports must be submitted by the 10th day of the following calendar month. Quarterly Asset and Contract Management Status Reports are also required. Progress and quality meetings occur every 6 months via video conference to discuss product and service quality, logistics, technical performance, and Service Level Agreement indicators.

Product Quality and Delivery Requirements

Product Quality Standards:All IT security hardware, software, spare parts, and accessories must be original, brand new, and authorized for distribution on the EU market. In exceptional circumstances (such as global chip shortages), certified refurbished products with warranty may be proposed. Refurbished products must have at least 12 months warranty and be tested for functionality and defects.

Delivery Requirements:Products must be delivered to EIB headquarters in Luxembourg by the agreed delivery date. Service providers assume all risk of loss and costs for repair, replacement, or refurbishment caused by accident, misuse, abuse, or failure to deliver in accordance with the contract. Delivery must be reported to it-contracts@eib.org at least one working day in advance, specifying contract number, purchase order number, planned delivery date and time, delivery company name, license plate (for dedicated transport), estimated unloading time, number and dimensions of parcels, and parcel contents. Each parcel must be clearly marked with contract and purchase order numbers, contracting authority name and address, service provider name, parcel contents, and EIB contact person.

Product Acceptance:Products are inspected for conformity upon delivery to EIB premises. Products are deemed accepted after either written acknowledgement by the EIB or 10 business days after delivery, whichever comes first. The service provider retains risk and title to products until delivery and acceptance, upon which risk and title transfer to the EIB. Service providers must provide all relevant entitlement certificates, vendor support level descriptions, and related documentation with product delivery.

Administration, License and Document Management

At no additional cost, service providers must perform administration, assignment, license and document management tasks related to vendors' contractual and technical documentation delivered with products. These tasks include registering EIB entitlements with product vendors, maintaining an up-to-date entitlements database, managing a central database of all product-related contracts in a secure online location with full access for designated EIB staff, maintaining a repository of all contractual and technical documents with full access for designated staff, monitoring contract expiration and renewal periods and notifying the EIB at least 60 business days before expiration, monitoring license management and reporting requirements and notifying the EIB at least 60 business days in advance, and maintaining an ordering portal with shopping basket, purchase history, data export, and list prices.

Service providers must deliver quarterly Asset and Contract Management Status Reports and annual reports listing all software, license, and maintenance renewals expiring by year-end. Upon termination or cancellation of the agreement, service providers must transfer all contracts databases, repositories, and related knowledge to the EIB as part of exit assistance services.

Environmental and Sustainability Requirements

The EIB is committed to Green, Circular and Sustainable Procurement aligned with the European Green Deal. Service providers must comply with Green, Circular and Sustainability criteria and conditions set out in the specifications. The EIB Group has set an absolute carbon emission reduction target of 12.4 percent in 2025 compared to base year 2018 and aims to achieve Paris alignment by 2025.

Sustainability Plans:Awarded service providers must provide, within 12 months after contract start, a Paris Alignment Strategy and, if applicable, a Corporate Sustainability Report. If a service provider does not have a Paris Alignment Strategy, the EIB will offer guidance to support its development. Service providers must provide annual updates and progress reports on carbon reduction targets and corporate sustainability performance. An annual Sustainability review meeting will discuss progress on decarbonization targets, sustainability plan actions and results, calculation methodology, and relevant changes in the annual Corporate Sustainability Report.

EMAS Compliance:Service providers are highly encouraged to implement all requirements of the EMAS regulation and/or ISO 14001:2015 or equivalent in service delivery. Service providers should endeavour to take all measures necessary to ensure compliance with the EIB Group EMAS Environmental Policy.

Contract Terms and Conditions

Framework Agreement Structure:The framework agreement establishes the terms under which the EIB may award individual assignments to service providers through a call-off mechanism with reopening of competition. The framework agreement does not obligate the EIB to order any minimum volume of products or services, nor does it guarantee any specific volume will be awarded or that the maximum value will be reached.

Call-Off Procedure:When the EIB determines a need for services, it will send an Assignment Terms of Reference to all framework members including the scope of services, quantities, delivery time, place of delivery, delivery requirements, associated services description, other relevant conditions, award criteria and weightings, closing date for proposals, pricing mechanism, and required information. Framework members submit proposals in response. The EIB awards each assignment according to the award criteria set out in the Assignment Terms of Reference, with award criteria typically being total price including discounts and delivery (60-80 percent) and technical merit (20-40 percent). All framework members that submit proposals are notified of the award results.

Pricing and Payment Terms:Prices quoted in the tender are fixed and non-revisable for the first 2 years of the framework agreement. Following the fixed-pricing period, annual indexation may apply if either party requests it in writing within 3 months before the end of the fixed-pricing period. Indexation uses the Harmonised Index of Consumer Prices for Luxembourg according to the formula: Ri = Ro x (Ii / Io), where Ro is the current price, Ri is the new price, Io is the HICP index of the month of the tender or last indexation, and Ii is the HICP index of the month in which the revision application was made. Unless otherwise instructed, service providers issue invoices at the beginning of each calendar month covering services provided during the preceding month. Invoices must reference the corresponding purchase order and contract reference numbers and contain required information. The EIB makes payment within 30 days of receipt of a correct invoice. Compensation is exempt from VAT under Article 21 of Protocol 7 on Privileges and Immunities of the European Union.

Intellectual Property Rights:Unless otherwise provided in a contract, service providers grant the EIB a worldwide, irrevocable right to use delivered outcomes and software for ordinary business purposes for the contract duration. The license is non-exclusive unless agreed otherwise and covers all forms of use known at contract conclusion. The license includes rights to use, modify, further develop, and dispose of work protected by intellectual property rights. Upon contract termination or expiration, the license automatically terminates and the EIB must de-install and permanently delete all software including copies within 10 business days.

Warranties:Service providers warrant that deliverables will be compatible with the EIB's IT system and environment and will not contain computer code designed to disrupt operations or any harmful, malicious, or hidden procedures. Deliverables must conform to specifications for 6 months after acceptance (the Warranty Period). If the EIB receives updates or upgrades during the Warranty Period, a new warranty period equal to the original period applies from the update or upgrade date. Service providers must promptly remedy any non-conformity at no additional cost during the contract duration and warranty period. Service providers indemnify the EIB against claims, losses, or expenses arising from warranty breaches.

Liability and Indemnification:Service providers are liable to the EIB for any direct and foreseeable damages arising from performance or non-performance of the contract, including acts and omissions of service provider personnel, failure to submit deliverables in accordance with specifications, and failure to meet agreed service levels. Direct damages include costs of reconstructing or reloading data, implementing work-arounds for service failures, replacing lost or damaged goods, procuring replacement services from alternate sources, overtime and related expenses, regulatory penalties for non-compliance, and loss or damage to data. Where the service provider is a joint venture or consortium, liability applies jointly and severally to all entities comprising the service provider.

Termination Rights:The EIB may terminate the framework agreement at any time by giving the service provider 1 month's written notice. The EIB may terminate immediately if the service provider is in material breach of obligations, engages in conduct bringing the EIB into disrepute, is in a conflict of interest situation, ceases or resolves to cease substantial business operations, is subject to insolvency proceedings, breaches data protection obligations, fails to comply with applicable laws, engages in prohibited conduct, was in an exclusion situation at contract award, had a serious infringement of EU obligations declared by the Court of Justice, has material changes affecting the contract not remedied within a reasonable notice period, or has weaknesses in managing confidential or sensitive data. Service providers may terminate by giving 3 months' written notice unless otherwise provided in the contract.

Compliance and Governance Requirements

Data Protection and Confidentiality:Service providers must treat all information acquired from the EIB as confidential and comply with banking secrecy and legal confidentiality duties. Where service providers keep or control EIB data or access to systems containing such data, they must assure accessibility, authenticity, availability, integrity, privacy and safety. Service providers must specify locations where services are provided and data is processed and notify the EIB in advance of any location changes. Service providers must ensure EIB data and systems can be accessed, recovered and returned in easily accessible format in case of insolvency, resolution, discontinuation of business, or contract termination. Service providers must comply with appropriate security standards and any data and system security procedures, measures, tools and policies notified by the EIB. The EIB has the right to conduct security penetration testing including threat-level penetration testing to assess cyber and ICT security measures. Service providers must ensure access to EIB data and systems is granted on a strict need-to-know and least privilege basis. In case of material breach or potential material breach of security or confidentiality obligations, service providers must notify the EIB as soon as reasonably practicable and perform an investigation and take appropriate remedial measures.

Sanctions and Compliance:Service providers undertake not to breach or cause the EIB to breach any sanctions or restrictive measures imposed by competent bodies. Service providers must inform the EIB in writing as soon as possible of any Sanction Event where the service provider, its personnel, or any entity that owns, controls, or directs the service provider breaches or becomes the target of a sanction, or where a country or territory in which such entities are located becomes the target of a sanction. Service providers must maintain appropriate internal controls and safeguards to prevent sanction violations. These undertakings are only sought and given to the extent permissible under applicable anti-boycott rules such as EU Regulation 2271/96.

Audit and Inspection Rights:Service providers must cooperate with the EIB, its internal auditors, and any EU institution or body with authority to audit EIB activities, including the European Data Protection Supervisor. Service providers must maintain accurate records and supporting documentation for service performance, current service levels, and all amounts chargeable to the EIB. The EIB, its internal auditors, designated representatives, and any EU institution or body with audit authority have guaranteed and periodic access to accounts, records, and other information relating to contract performance. Access implies the right to verify relevant data and perform on-site inspections. If services relate to an outsourced function, EIB internal control functions must have access to any documentation relating to outsourced functions at any time without difficulty. Service providers can be requested such access during the contract duration and for 5 years following contract expiry or termination. The EIB receives reasonable advance notice prior to on-site visits unless impossible due to emergency, crisis, regulatory reasons, or if notice would make the audit ineffective. Where service providers rely on third-party certifications and audit reports, the EIB has the right to request expansion of certification or audit scope to other relevant systems and controls, provided requests are reasonable and legitimate from a risk management perspective, and retains the right to perform individual audits at its discretion.

Insurance Requirements:Service providers must maintain throughout the contract duration, at their own expense and to the EIB's satisfaction, insurance covering work activity and comprehensive general liability insurance including professional liability coverage. Upon request, service providers must promptly provide evidence to the EIB showing such insurance has been taken out.

Important Applicant Information

Language Requirements:Tenders must be submitted in English or French, as both are working languages of the EIB. Any third-party certificates or documents whose original language is not English or French must be submitted in the original language together with an English or French translation.

Tender Validity Period:Tenders must remain valid for at least 6 months following the tender submission deadline. The successful tenderer must maintain its offer for a further 4 months from the date of written notification of the EIB's intention to award the contract.

Standstill Period:The EIB will not conclude the contract with the successful tenderer until a standstill period of 10 calendar days (for electronic notification) has elapsed, running from the day after simultaneous dispatch of notifications to successful and unsuccessful tenderers.

Post-Award Documentation:The successful tenderer must provide original certificates and documents listed in the Declaration on Honour within a time limit defined by the EIB and preceding contract signature. The successful tenderer must also complete the EIB's Vendor Information Form with supporting documents including a recent bank account identification statement and an extract of corporate registration. Contract signature is conditional upon provision of these original certificates and documents.

Costs and Compensation:The EIB will not be responsible for or pay for expenses or losses incurred by tenderers in preparing tenders or during the tender evaluation period. Tenderers participate in EIB procurement procedures on the understanding that they would not be entitled to any form of compensation, particularly should the EIB decide to discontinue the procedure before contract signature.

Contact and Support Information

For further information on this call for tenders or related matters, contact the European Investment Bank, Financial Controls, Procurement and Purchasing Division, 98-100 boulevard Konrad Adenauer, L-2950 Luxembourg, or email corporate-procurement@eib.org. Requests for clarification must be submitted via the eTendering platform at the link indicated in the contract notice. The EIB will publish replies at least 6 calendar days before the tender submission deadline. In case of maladministration, complaints may be lodged to the EIB Group Complaints Mechanism within one year from the date when the alleged action, decision or omission could reasonably be known by the complainant. Complainants unhappy with the EIB's reply may seek review by the European Ombudsman. The European Court of Justice is responsible for hearing appeal procedures.

Footnotes

1. 1This analysis is based on the official EU Funding and Tenders Portal documentation for CFT-1747 as of April 2026. Applicants should verify all information directly with the official procurement documents and portal, as requirements and deadlines may be subject to updates or amendments published on the EU Funding and Tenders Portal.