CFT-1748 - IT Security Operations and Testing, Business Continuity, Information Protection and Access Control Consultancy Services

The European Investment Bank has issued a call for tenders, designated as EIB/2024/OP/0002, aimed at acquiring IT Security Operations, Business Continuity, Information Protection and Identity and Access Management, and IT Security Testing consultancy services. The estimated total value of the tender is 56,355,128 EUR. This procurement is split into four distinct lots with various services and financial scopes.

Lot 1 focuses on IT Security Operations consultancy, which includes security engineering and security monitoring support. The estimated value for this lot is 38,758,276 EUR. Lot 2 is dedicated to Business Continuity consultancy services, helping to manage and structure the EIB's business continuity and disaster recovery framework, with an estimated value of 7,110,682 EUR. Lot 3 centers on Information Protection and Identity and Access Management consultancy, facilitating effective user access and information management systems, estimated at 5,859,675 EUR. Lot 4 addresses IT Security Testing services, covering areas such as penetration testing and compliance support, with an estimated value of 4,626,495 EUR.

The tender is structured as a framework agreement and is open to large enterprises and specialized IT security consultancy firms, not specifically designed for small to medium enterprises. Each lot allows single applicants to submit bids, with a maximum of five successful tenderers per lot. The EIB aims to establish long-term relationships with these providers over a maximum duration of 72 months.

The geographic eligibility primarily focuses on EU entities. Interested applicants must electronically submit their proposals by December 10, 2025, and are advised to register for a Personal Identification Code, which is mandatory for participation. All submissions will be evaluated based on the best price-quality ratio, ensuring that only qualified bidders can win the contracts. The documents detailing the tender's technical specifications, pricing forms, and model agreements are available for download.

Overall, this procurement opportunity represents a significant investment in cybersecurity consultancy by a major financial institution, aimed at enhancing its operational cybersecurity capabilities through expert service provision.

The European Investment Bank (EIB) has issued a call for tenders, EIB/2024/OP/0002, for IT Security Operations and Testing, Business Continuity, Information Protection and Access Control Consultancy Services. The TED reference for this tender is 175/2025 597248-2025. The estimated total value of this procurement is 56,355,128 EUR. The publication date was 12/09/2025.

The purpose of this Call for Tenders is to award Framework Agreements to up to 5 successful Tenderers per each lot for the provision of information security Services to support the Cybersecurity Division of the European Investment Bank Group.

The tender is divided into four lots:

Lot 1: Provision of IT Security Operations consultancy services. The services in scope include Security Engineering support, i.e. support regarding the incorporation and maintenance of security controls into the information system so that they become an integral part of the system’s operational capabilities and Security Monitoring support, i.e. assistance with regards to collecting and analysing indicators of potential security threats and triaging these threats with appropriate actions. The nature of the contract is for services. The maximum contract duration is 72 months. The award method is best price-quality ratio. The estimated value is 38,758,276 EUR. This is a framework agreement without reopening of competition. The main CPV code is 72000000 - IT services: consulting, software development, Internet and support. Additional CPV codes include 72212732 - Data security software development services, 72220000 - Systems and technical consultancy services, 72225000 - System quality assurance assessment and review services, 72253200 - Systems support services, 72800000 - Computer audit and testing services, 72820000 - Computer testing services and 72254100 - Systems testing services.

Lot 2: Provision of Business Continuity consultancy services. The services in scope include Business Continuity support, i.e. support in planning, building, running and managing EIB’s enterprise-wide Business Continuity Management Operational Framework and ICT Disaster Recovery support, i.e. assistance in designing and implementing EIB’s enterprise-wide ICT resilience and Disaster Recovery Management programmes. The nature of the contract is for services. The maximum contract duration is 72 months. The award method is best price-quality ratio. The estimated value is 7,110,682 EUR. This is a framework agreement without reopening of competition. The main CPV code is 72000000 - IT services: consulting, software development, Internet and support. Additional CPV codes include 72212732 - Data security software development services, 72220000 - Systems and technical consultancy services, 72225000 - System quality assurance assessment and review services, 72253200 - Systems support services, 72820000 - Computer testing services, 72800000 - Computer audit and testing services and 72254100 - Systems testing services.

Lot 3: Provision of Information Protection and Identity and Access Management consultancy services. The services in scope include Identity and Access Management support, i.e. assistance in the handling of end-users and technical teams’ requests related to access management, authentication management, recertification process, contribution to architectural design, optimization of operational processes, contribution to risk assessments and Information Protection Analyst support, i.e. assistance in conducting/defining feasibility studies, gap analysis, architectural design, governance and operational models in the different domains of the Information Protection such as information classification, data leakage prevention, information management, etc. The nature of the contract is for services. The maximum contract duration is 72 months. The award method is best price-quality ratio. The estimated value is 5,859,675 EUR. This is a framework agreement without reopening of competition. The main CPV code is 72000000 - IT services: consulting, software development, Internet and support. Additional CPV codes include 72212732 - Data security software development services, 72220000 - Systems and technical consultancy services, 72225000 - System quality assurance assessment and review services, 72253200 - Systems support services, 72254100 - Systems testing services, 72800000 - Computer audit and testing services and 72820000 - Computer testing services.

Lot 4: Provision of IT Security Testing services. The services in scope include IT Security Penetration Testing Services covering, but not limited to, EIB’s applications penetration testing, web and mobile applications, network penetration testing, social engineering including physical intrusion, Red and Purple Teaming support, i.e. assistance in designing and running structured and comprehensive scenario-based cyber incident testing on live systems using recognized frameworks (e.g., MITRE ATT@CK, CBEST...) and IT Security Audit and Compliance support, i.e. assistance in testing the effectiveness of security controls and risk mitigations plans based on EIB’s Internal Control Framework (ICF). The nature of the contract is for services. The maximum contract duration is 72 months. The award method is best price-quality ratio. The estimated value is 4,626,495 EUR. This is a framework agreement with reopening of competition. The main CPV code is 72000000 - IT services: consulting, software development, Internet and support. Additional CPV codes include 72212732 - Data security software development services, 72220000 - Systems and technical consultancy services, 72225000 - System quality assurance assessment and review services, 72253200 - Systems support services, 72254100 - Systems testing services, 72800000 - Computer audit and testing services and 72820000 - Computer testing services.

Key milestones for all lots:

TED publication date: 12/09/2025
Date and time of public opening: 11/12/2025 11:00 Europe/Luxembourg
Deadline for receipt of tenders: 10/12/2025 15:00 Europe/Luxembourg
Contracting authority is not bound to reply to questions submitted after: 26/11/2025 07:00 Europe/Luxembourg

The following documents are available for download:

Terms of Reference (Published on 12/09/2025, Version 1, No translations available, applies to All lots)
Annex A - Technical Specifications (Published on 12/09/2025, Version 1, No translations available, applies to All lots)
Annex B - Technical Proposal Form (Published on 12/09/2025, Version 1, No translations available, applies to All lots)
Annex C.1 - Pricing Form Lot 1 (Published on 12/09/2025, Version 1, No translations available, applies to Lot 1)
Annex C.2 - Pricing Form Lot 2 (Published on 12/09/2025, Version 1, No translations available, applies to Lot 2)
Annex C.3 - Pricing Form Lot 3 (Published on 12/09/2025, Version 1, No translations available, applies to Lot 3)
Annex C.4 - Pricing Form Lot 4 (Published on 12/09/2025, Version 1, No translations available, applies to Lot 4)
Annex D.1.1 Model Framework Agreement (Lots 1 - 3) (Published on 12/09/2025, Version 1, No translations available, applies to Lot 1, Lot 2, Lot 3)
Annex D.1.2 Model Framework Agreement (Lot 4) (Published on 12/09/2025, Version 1, No translations available, applies to Lot 4)
Annex D.2 - General Terms & Conditions for ICT services for Framework Agreements (Published on 12/09/2025, Version 1, No translations available, applies to All lots)

Submissions must be sent exclusively via electronic submission.

Some frequently asked questions (FAQ) regarding the eSubmission system:

How to proceed if the system is slow or doesn’t work while uploading/downloading documents? Make sure to use the latest versions of Google Chrome or Mozilla Firefox. If the issue persists, clear the cache and cookies on the Internet browser.
Which Internet browsers does eSubmission support? Use the latest versions of Google Chrome or Mozilla Firefox. For the most up-to-date technical recommendations, click on the link System Requirements.
Is it possible to view the details of the submission after the deadline? No, the content of the submission is not accessible after submitting the tender as the system encrypts all attachments upon upload.
Where can I find my submissions in Manage My Area, in the Funding & Tenders portal? Depending on the type or step of procedure, submissions can be found in ‘My Submission(s)’: tenders in response to open calls for tenders, requests to participate in restricted calls, and ESPD requests.
Which size should attachments have? eSubmission accepts files that are less than 50 MB in size.
How should I name attachments in eSubmission? Name the attachments for the tender draft following the System Requirements. Attachment names must adhere to specific conditions.
Can I submit a video in eSubmission? Check the System Requirements of eSubmission.
I received an invitation from the F&T Portal but cannot view the procurement documents. Invited candidates can only see the procurement documents after having selected an organisation. Go to F&T Portal, “My Invitations”. Click on “Select Organisation” from the “Action” column.
Do I need to validate my PIC in order to submit a tender in eSubmission? The Personal Identification Code (PIC) is mandatory to participate in a call for tenders as a sole candidate/tenderer or as a member of a group (consortium).
I have an issue uploading a file in eSubmission and it’s giving me an error. What do I do? Make sure it follows the technical requirements of the system.
How many attachments can I upload per submission? The maximum number of documents the system will allow you to upload per tender is 200 files.
Why do tenderers need a PIC? It is mandatory to register for a PIC if you intend to submit a tender or a request to participate.
How do I register my organisation and get a Participant Identification Code (PIC)? First, check if the organisation is already registered using the Search PIC tool under 'How to Participate' > Participant Register.
How many languages does the system support? The system is multilingual and supports all 24 official EU languages.
Which is the character set encoding in the system? The character set encoding is UTF-8.
Does the system use encryption to ensure the integrity and the confidentiality of the information? Yes, the system encrypts all uploaded documents, using an asymmetric key as an encryption mechanism.
Which file types does the system support? The supported file types depend on the type of submission you want to make. The allowed file types are specified within the system requirements linked to the procedure in question.
Can I view and edit my draft submission? Until the deadline for the submission has been reached, submissions in the draft status can be edited, viewed and deleted.
In the submission report, under the name of our entity, "Legal form: UNKNOWN" is displayed while in the system, our legal form was correctly displayed. Is this a problem for the submission? No, it is just a display issue. This is not blocking for you: you can submit.
I sent my submission on time and a few days later, I received an automatic email informing me that the deadline for the reception of submissions had been reached. Does this mean that my submission was not correctly sent? No, this is an auto-generated notification sent when the time limit of receipt defined for the call for tenders has been reached. Until then, you had the possibility of withdrawing your submission.

In summary, this is a call for tenders by the European Investment Bank seeking consultancy services to bolster its cybersecurity division. The tender is structured into four distinct lots, each focusing on a specific area of IT security: IT Security Operations, Business Continuity, Information Protection and Identity and Access Management, and IT Security Testing. Companies can bid on one or more lots, and the EIB intends to award framework agreements to up to five successful tenderers per lot. The total estimated value of the tender is significant, and the contracts are set for a duration of 72 months. The submission process is electronic, and the documentation provides detailed technical specifications, pricing forms, and draft contract agreements. The FAQ section addresses common technical queries related to the eSubmission system, ensuring a smooth application process for interested parties. This opportunity is aimed at specialized IT security firms capable of providing expert consultancy and support services to a major European financial institution.

Eligible Applicant Types: The opportunity is open to tenderers capable of providing the specified information security services. The specific types of organizations that can apply are not explicitly mentioned, but it is implied that they should be consulting firms or service providers specializing in IT security.

Funding Type: The funding type is procurement, specifically awarding framework agreements for services.

Consortium Requirement: The opportunity does not explicitly state whether a single applicant or a consortium is required. However, the possibility of awarding framework agreements to up to 5 successful tenderers per lot suggests that both single applicants and consortia could be eligible.

Beneficiary Scope (Geographic Eligibility): The geographic eligibility is not explicitly stated, but given that it is a European Investment Bank tender, it is likely open to entities within the EU and potentially the EEA.

Target Sector: The target sector is ICT, specifically information security and cybersecurity.

Mentioned Countries: Luxembourg is mentioned as the location for the public opening of tenders.

Project Stage: The project stage is for the provision of services, indicating a need for established and operational service providers rather than projects in early stages of research or development.

Funding Amount: The estimated total value of the tender is 56,355,128 EUR. The estimated values for each lot are: Lot 1: 38,758,276 EUR, Lot 4: 4,626,495 EUR, Lot 3: 5,859,675 EUR, Lot 2: 7,110,682 EUR.

Application Type: The application type is an open call for tenders, with electronic submission.

Nature of Support: The beneficiaries will receive service contracts for providing IT security consultancy services.

Application Stages: The application process involves submitting a tender, which will then be evaluated based on the best price-quality ratio. The exact number of stages is not explicitly mentioned, but it involves at least one stage of submission and evaluation.

Success Rates: The success rates are not explicitly mentioned, but the fact that up to 5 tenderers per lot can be awarded framework agreements suggests a potentially higher success rate compared to opportunities where only one applicant is selected.

Co-funding Requirement: There is no mention of a co-funding requirement.

Summary:

This is a call for tenders issued by the European Investment Bank (EIB) to establish framework agreements with up to five service providers per lot for the provision of information security services. The tender is divided into four lots: IT Security Operations consultancy, Business Continuity consultancy, Information Protection and Identity and Access Management consultancy, and IT Security Testing services. The total estimated value of the tender is 56,355,128 EUR. The deadline for submitting tenders is December 10, 2025. The submission method is electronic. The tender aims to support the Cybersecurity Division of the European Investment Bank Group by securing expert services in various areas of information security. The award method is based on the best price-quality ratio. Companies specializing in IT security consulting and services are encouraged to apply for one or more of the lots, depending on their expertise. A Personal Identification Code (PIC) is mandatory to participate in this call for tenders. The maximum number of documents allowed per tender is 200 files, and the maximum file size is 50 MB. The system supports all 24 official EU languages and uses UTF-8 character set encoding. The system encrypts all uploaded documents using an asymmetric key as an encryption mechanism.