ESS IT Security Assurance: Re-certification, cycle 3 (2026-2028)

The European Commission, specifically DG ESTAT Eurostat, has released a call for tenders titled "ESS IT Security Assurance: Re-certification, cycle 3 (2026-2028)." This opportunity involves establishing a central certification service to manage the third cycle of the ESS IT Security Assurance Mechanism from 2026 to 2028. The selected contractor will act as a liaison with National Statistical Institutes and Other National Authorities in ESS Member States, confirming their compliance with the ESS IT Security Framework.

The contract is for services, with an estimated total value of €350,000 and a duration of 30 months. The procurement procedure is open and requires electronic submission of tenders. The deadline for submission is November 5, 2025, and public opening is scheduled for November 7, 2025.

Eligible applicants must have the technical and professional capacity for IT security assurance, ideally holding ISO 27006 accreditation, particularly for those involved in related tasks. The main focus areas for this tender are IT services, consulting, and cybersecurity.

The tender documents, including invitation letters and specifications, are available for download. Interested parties must adhere to established submission protocols and ensure their qualifications meet specified criteria. The procurement emphasizes both quality and cost, aiming for a balanced evaluation in awarding the contract.

Overall, this tender focuses on the operational management of an established certification process within the European Statistical System, geared towards ensuring compliance and security assurance for statistical bodies across member states.

The European Commission, DG ESTAT Eurostat, has published a call for tenders with procedure identifier EC-ESTAT/2025/OP/0030. The call, titled "ESS IT Security Assurance: Re-certification, cycle 3 (2026-2028)", is an open procedure with electronic submission. The TED reference is 173/2025 589923-2025.

The objective of this tender specification is to award a contract to manage and run the third cycle of the ESS IT Security Assurance Mechanism from 2026 to 2028. This involves establishing a central certification service to liaise with National Statistical Institutes (NSI) / Other National Authorities (ONA) of ESS Member States (bodies). The contractor will carry out all necessary activities to prepare, assess, and confirm the continuous compliance of these bodies with the ESS IT Security Framework control set (version 2) within the specified timeframe. The expected result is the written confirmation of compliance of up to 30 bodies, with one spare.

The estimated total value of the contract is 350,000 EUR. The nature of the contract is for services, with a maximum duration of 30 months. The award method will be based on the best price-quality ratio. No framework agreement is mentioned.

Key milestones include a TED publication date of 10/09/2025. The date and time of the public opening is 07/11/2025 at 10:00 Europe/Luxembourg time. The deadline for receipt of tenders is 05/11/2025 at 16:00 Europe/Luxembourg time. The contracting authority is not bound to reply to questions submitted after 28/10/2025 at 07:00 Europe/Luxembourg time.

The main Classification (CPV) code is 72000000 IT services: consulting, software development, Internet and support.

The following documents are available for download:
EN2025OP0030 Invitation to tender OPInvitation letter, published on 10/09/2025, Version 1, no translations available.
EN2025OP0030 Tender SpecificationsTender specifications, published on 10/09/2025, Version 1, no translations available.
EN2025OP0030 Annex 6 Financial TenderFinancial offer form, published on 10/09/2025, Version 1, no translations available.
EN2025OP0030 Service contractDraft contract, published on 10/09/2025, Version 1, no translations available.

Submissions must be sent exclusively via electronic submission at the address provided.

Based on technical and professional capacity (Criterion T2), the tenderer must be ISO 27006 accredited. Each tenderer involved in task 3 must be ISO 27006 accredited and provide evidence of accreditation. This is a selection criterion.

In summary, this tender is for managing and executing the third cycle of the ESS IT Security Assurance Mechanism. The selected contractor will be responsible for certifying the compliance of ESS Member States' bodies with the ESS IT Security Framework. This involves liaising with NSIs/ONAs, conducting assessments, and providing written confirmation of compliance. The tender is open to organizations with the necessary IT security expertise and ISO 27006 accreditation, particularly for those involved in task 3. The contract is valued at 350,000 EUR and will run for 30 months. The submission deadline is November 5, 2025.

Eligible Applicant Types: The eligible applicant types are not explicitly stated, but based on the nature of the tender, it is likely targeted towards organizations or companies with the technical and professional capacity to provide IT security assurance services, including those accredited with ISO 27006. This could include IT service providers, consulting firms, or certification bodies.

Funding Type: The funding type is a service contract, as indicated by the "Nature of the contract: services" and the presence of a "Service contract Draft contract" document. This implies a procurement process where the selected tenderer will be paid for delivering the specified services.

Consortium Requirement: The tender documentation does not explicitly state whether a consortium is required or if a single applicant is sufficient. However, the mention of "each tenderer who will be involved in task 3 must be ISO 27006 accredited" suggests that multiple entities might be involved, potentially as part of a consortium or as subcontractors. Therefore, either a single applicant or a consortium could be eligible.

Beneficiary Scope (Geographic Eligibility): The geographic eligibility is not explicitly stated, but the project involves liaising with NSI/ONA of ESS Member States. This suggests that the tender is open to entities located in EU Member States, and potentially also to entities in countries participating in the European Statistical System (ESS).

Target Sector: The target sector is IT security assurance, specifically within the context of the European Statistical System (ESS). This includes IT services, consulting, software development, and support related to ensuring the security and compliance of ESS Member States' IT systems.

Mentioned Countries: No specific countries are mentioned, but the tender refers to "ESS Member States," implying that the project is relevant to the member states of the European Statistical System.

Project Stage: The project stage is focused on the operational phase of running and managing the third cycle of the ESS IT Security Assurance Mechanism. This involves assessing and confirming the continuous compliance of bodies with the ESS IT Security Framework, indicating a stage of validation and demonstration of existing security frameworks.

Funding Amount: The estimated total value of the contract is 350,000 EUR.

Application Type: The application type is an open call for tenders, as indicated by the "Procedure type: Open procedure" designation.

Nature of Support: The beneficiaries will receive money in exchange for services rendered, as this is a service contract.

Application Stages: The number of application stages is not explicitly stated, but it is implied that there is at least one stage involving the submission of a tender, followed by an evaluation process based on the best price-quality ratio. The mention of selection criteria, such as ISO 27006 accreditation, suggests that there may be a pre-selection stage.

Success Rates: The success rates are not mentioned in the provided text.

Co-funding Requirement: The tender documentation does not explicitly mention any co-funding requirement.

Summary: This is a call for tenders issued by the European Commission, DG ESTAT Eurostat, for the third cycle of the ESS IT Security Assurance Mechanism. The objective is to award a service contract to an organization that can manage and run this mechanism from 2026 to 2028. This involves establishing a central certification service to liaise with National Statistical Institutes (NSI) or Other National Authorities (ONA) of ESS Member States. The selected contractor will be responsible for preparing, assessing, and confirming the compliance of these bodies with the ESS IT Security Framework. The estimated value of the contract is 350,000 EUR, and the contract duration is 30 months. The tender is open to organizations with the necessary technical and professional capacity, including ISO 27006 accreditation for those involved in task 3. The submission method is electronic, and the deadline for receipt of tenders is November 5, 2025. The award method will be based on the best price-quality ratio. The successful tenderer will provide written confirmation of compliance for up to 30 bodies.