Monitoring, analysis, threat hunting and incident response consultancy services

ENISA has published open tender ENISA/2026/OP/0010 for monitoring, analysis, threat hunting and incident response consultancy services for ENISA-owned IT systems. The contract is a framework agreement (initial 12 months, renewable up to 3 times, total potential 48 months) with an estimated total value of €1,200,000. Submissions are electronic via the EU Funding & Tenders Portal with a deadline of 9 June 2026 10:00:59 (Europe/Athens); bidders must meet selection, exclusion and technical capacity requirements and comply with ENISA supplier security measures. Awarding is based on quality (70%) and price (30%) and the procurement documents, templates and draft contract are available on the portal.

What it funds

Scope summary

Framework contract to procure managed security services to support ENISA in implementing Regulation (EU) 2023/2841. Services include continuous monitoring, security analysis, threat hunting and incident response for IT systems and tools for which ENISA is the risk owner.

Who can apply:Established managed security service providers and cybersecurity consultancies (open tender; consortiums and subcontracting allowed). The call is managed by ENISA and follows standard EU procurement rules.

1. 1Core services: monitoring, analysis, threat hunting, incident response
2. 2Contract type: framework agreement (initial 12 months, renewable up to 3 times)
3. 3Planned duration: 48 months total (procurement documents specify renewals)

Submission is electronic via the EU Funding & Tenders Portal. Evaluation weighting:quality 70 and price 30 (see procurement documents). Additional procurement documents, technical specifications and draft contract are published with the tender notice Tender details. ¹

Footnotes

1. 1Full invitation to tender, annexes, financial offer form and draft contract available on the portal link above (publication date 2026-05-11).

Opportunity summary

This is an EU procurement tender led by the European Union Agency for Cybersecurity (ENISA) to identify trusted managed security service providers to support ENISA in the implementation of Regulation (EU) 2023/2841. The contract(s) will cover monitoring, analysis, threat hunting and incident response consultancy services for IT systems and tools where ENISA is the risk owner. The procurement is published on the EU Funding & Tenders Portal and uses electronic submission.

Call identifier:ENISA/2026/OP/0010

Procuring authority:European Union Agency for Cybersecurity (ENISA) ENISA website ¹

Procedure type and contract nature:Open procurement tender (electronic submission required via the Funding & Tenders Portal). Nature: service contract for cybersecurity managed services and consultancy; framework agreement with initial duration 12 months renewable up to 3 times (planned total period 48 months).

1. 1Main CPV code: 72000000 (research and development services and related consultancy services).
2. 2Estimated overall contract amount: €1,200,000 (currency EUR).
3. 3Planned period/duration: 48 months (as per procurement record); framework contract initially 12 months renewable 3 times.
4. 4Tender submission method: eSubmission via Funding & Tenders Portal (ESUBMISSION).
5. 5Open tender event / opening: scheduled 10 June 2026 (see procurement documents).
6. 6Key outputs required: continuous monitoring services, analysis of security events, proactive threat hunting, and incident response consultancy for ENISA-owned IT systems and tools.

Deadlines and key dates

Who can apply and eligible applicant types

This is a public procurement open to economic operators who meet the selection, exclusion and technical capacity requirements specified in the tender documents. Based on the tender documentation and typical ENISA procurement rules, eligible applicant types include private sector managed security service providers, consultancies, cybersecurity SMEs and large enterprises, public-private partnerships and consortia of these entities. Research institutes or universities can participate if they meet the selection and capacity criteria and are established as eligible economic operators. Nonprofits and NGOs could participate if they operate as economic operators and meet the procurement requirements. Individuals are not the typical contracting counterparty for this type of service unless organised as an eligible economic operator.

Explicitly supported applicant/legal arrangements:The procurement documents include templates and annexes for: commitment letters by identified subcontractors, commitment by entities whose capacities are relied upon, ownership and control declarations, simplified financial statement, project reference list, declaration on honour and power of attorney. These indicate that single bidders, consortia and bidders using subcontractors or relying on third-party capacities are foreseen and allowed under conditions set in the selection criteria.

Eligibility and geographic scope

The tender is published by an EU agency and is open to economic operators in accordance with EU procurement rules as implemented in the tender paperwork. While the portal listing does not list an explicit country-by-country eligibility table in the scraped text, the presence of an annex on exclusion criteria for non-EU controlled entities indicates specific rules apply for entities outside the EU and that EU/EEA applicants are the primary eligible participants. Bidders should refer to Annex 10 and the administrative specifications for precise rules on nationality, establishment, and ownership/control exclusions and restrictions.

Mentioned countries / territories

No individual Member States are explicitly named in the scraped text. The tender is managed by ENISA (an EU agency) and therefore principally targets entities eligible under EU procurement rules (EU and typically EEA). The procurement documentation contains an explanatory note on exclusion criteria related to non-EU controlled entities, signalling specific treatment of entities outside the EU.

Services required and technical scope

ENISA requests managed security service providers to deliver monitoring, analysis, threat hunting and incident response consultancy services for IT systems and tools for which ENISA is the risk owner. The technical specifications are provided as Annex I Part 2 (document: 03. Annex I Part 2 Technical specifications F-EDO-26-T08_V1.pdf) and should be consulted in full. High-level service components inferred from the tender title and summary include:

1. 124/7 or defined hours security monitoring of ENISA IT systems and tools (log collection and SIEM-related monitoring implied).
2. 2Security event analysis, triage and escalation procedures.
3. 3Threat hunting services: proactive detection of hidden or advanced threats in ENISA environments.
4. 4Incident response consultancy: advisory, coordination, containment, eradication and recovery support, including post-incident analysis and lessons learned.
5. 5Integration with ENISA risk management and reporting processes for incidents affecting ENISA-owned assets.
6. 6Compliance with ENISA suppliers security measures and any ENISA-specific security controls (Annex 13).

Technical and security requirements (documents to consult)

Bidders must consult and comply with the full set of procurement documents attached to the tender. Relevant documents published with the call include administrative and technical tender specifications, draft contract, supplier security measures, and several administrative forms and templates. Key documents: Annex I Part 1 Admin specifications, Annex I Part 2 Technical specifications, Draft Contract (Annex II), Annex 13 ENISA suppliers security measures, Annex 10 explanatory note on exclusion criteria and the financial offer form.

Contract value, duration and award criteria

Estimated total procedure value:€1,200,000 (estimated overall contract amount as recorded on the portal).

Planned duration and contract model:Framework agreement / framework contract with initial 12-month duration and the possibility to renew three times. The procurement record lists a planned total period of 48 months.

Awarding criteria and weighting:Award is based on a quality versus price split. The procurement record shows weightings: quality 70 and price 30. Bidders must consult the procurement documents for the detailed sub-criteria defining quality elements and scoring rules.

Application process, stages and required submission materials

Submission is electronic only via the Funding & Tenders Portal (eSubmission). Bidders must register on the portal, download the invitation to tender and annexes, fill in the administrative forms and financial offer form, and upload all requested evidence before the closing date. The procurement documents include editable templates for multiple annexes to be completed by the bidder.

1. 1Submission method: ESUBMISSION on the Funding & Tenders Portal (required).
2. 2Key templates provided: Annex 02 Declaration of Honour, Annex 06 Financial Offer form, Annex 07 Simplified Financial Statement, Annex 08 Project References List, Annex 09 Administrative ID and Declaration form, Annex 11 Ownership control declaration, Annex 04 List of identified subcontractors, Annex 05.1 and 05.2 Commitment letters for subcontractors / third-party capacities, Editable documents package of annexes.
3. 3Other procurement documents: Invitation to tender, Administrative specifications (Annex I Part 1), Technical specifications (Annex I Part 2), Draft contract (Annex II), ENISA suppliers security measures (Annex 13), Explanatory note on exclusion criteria (Annex 10).

Suggested structure of the bid (based on provided templates and procurement usual practice):1) Administrative package: completed Annex 09 Administrative ID and Declaration, Declaration of Honour (Annex 02), ownership/control declaration (Annex 11), simplified financial statement (Annex 07). 2) Technical offer: response to Annex I Part 2 Technical specifications describing proposed service model, staffing and roles, methodologies for monitoring, threat hunting and incident response, SLAs, tools and integration approaches, security measures compliance and incident reporting. 3) Project references: Annex 08 Project References List with previous relevant projects demonstrating capability. 4) CVs and roles: profiles of key proposed personnel and evidence of experience. 5) Subcontracting and reliance: Annex 04 List of subcontractors and Annex 05.1/05.2 commitment letters where subcontracting or reliance on third-party capacities is planned. 6) Financial offer: completed Annex 06 Financial Offer form with priced rates, total estimated value and any break-down requested in the specification. 7) Any requested certificates or supporting documentation per administrative specifications.

Consortium, subcontracting and reliance on third parties

The procurement clearly contemplates the use of subcontractors and capacity reliance:templates for commitment letters by identified subcontractors and by entities on whose capacities a bidder relies are provided. This indicates the contracting authority accepts consortia, joint bids or single entities relying on third-party capacities, subject to the tender's selection and exclusion criteria and documentation requirements.

Evaluation process and stages

The portal record indicates an electronic submission followed by evaluation against qualitative and price criteria. The award criteria weighting is quality 70 and price 30. The tendering process includes a public opening event and an appeals receiver ID is listed for administrative appeals. The procurement uses standard selection/exclusion checks and qualification requirements as set out in the administrative specifications.

Application stages (summary):1) Preparation and eSubmission of full tender dossier (administrative, technical and financial documents); 2) Administrative and exclusion checks; 3) Technical evaluation (quality scoring); 4) Price evaluation and combined scoring; 5) Award decision and signature of draft contract. In practice this is a multi-stage evaluation but the formal submission is single-stage with subsequent evaluation phases leading to award.

Funding type, payments and co-funding

This is a procurement contract (tender) resulting in a paid services contract:the successful bidder(s) will receive monetary payments under the framework contract for services delivered. It is not a grant, loan or equity instrument. There is no requirement for co-funding by the bidder (price is the bid price and the contract value is paid by ENISA subject to contract terms); bidders must cover their own costs in preparing the bid.

Success rates and competition

The public tender listing does not provide explicit historical success rates. As a competitive EU agency procurement for a specialist cybersecurity service, bidders should expect multiple competitive offers and rigorous evaluation. No numeric success probability is specified in the call documentation.

Documents provided with the tender (key annexes and templates)

Co-funding, contractual and security obligations

No co-funding by the contracting authority is required beyond the contract price. Bidders are expected to comply with ENISA suppliers security measures (Annex 13) and any confidentiality, data protection and EU security-related clauses in the draft contract. The explanatory note on exclusion criteria (Annex 10) addresses restrictions for non-EU-controlled entities; bidders must review to ensure compliance with ownership and control rules.

Practical recommendations for bidders

1. 1Carefully download and read all annexes and the draft contract; technical specifications are detailed in Annex I Part 2 and must be followed closely.
2. 2Prepare the administrative package early: Declaration of Honour, Ownership declarations, Simplified Financial Statement, and Administrative ID form are mandatory.
3. 3If subcontracting or relying on third-party capacities, include the commitment letters (Annex 05.1/05.2) and a clear breakdown of subcontracted proportions (Annex 04).
4. 4Demonstrate strong, directly relevant project references in Annex 08 and provide CVs of key personnel with concrete experience in monitoring, threat hunting and incident response for public-sector clients if possible.
5. 5Structure the technical offer to address award sub-criteria (quality) which account for 70% of the evaluation—clarify methodology, SLAs, staffing, tools, incident escalation and reporting processes.
6. 6Price competitively but realistically; price accounts for 30% of the evaluation.
7. 7Respect the eSubmission deadline and validate portal submissions early to avoid technical issues.

Project maturity and expected project stage

The opportunity is for operational delivery of security monitoring, threat hunting and incident response services. The expected project maturity is mature service delivery and operational/managed services rather than research or development. Bidders should be able to provide immediate or near-term operational capacity, and documented prior experience in providing similar services.

Summary and final explanation

This tender is an ENISA-led procurement to contract managed security service providers able to deliver monitoring, analysis, proactive threat hunting and incident response consultancy for ENISA-owned IT systems and tools. It is structured as a framework contract with a declared estimated maximum procedure value of €1,200,000 over the planned period. The award will be made following electronic submission and evaluation against a quality (70) / price (30) split. The procurement documents provide full administrative and technical specifications, a draft contract and numerous templates (financial offer, declarations, commitment letters) that bidders must complete. The tender accepts single bidders, consortia and bidders relying on subcontractors or third-party capacities, provided all selection, exclusion and capacity evidence is supplied. All proposals must be submitted electronically via the Funding & Tenders Portal by the stated closing date and conform to ENISA's security and contractual requirements. Review Annex I Part 2 Technical specifications and Annex 13 ENISA suppliers security measures in detail before preparing the technical and administrative offer.

Reference and access:full tender documents and submission are available on the EU Funding & Tenders Portal entry for this procurement: ec.europa.eu ¹

Footnotes

1. 1Tender and procurement documentation published on the Funding & Tenders Portal and ENISA website contain the authoritative and full technical/administrative specifications. Bidders must read and follow the invitation to tender and annexes available at the portal listing: ec.europa.eu

Opportunity Overview

This is an open tender procedure (Call Identifier:ENISA/2026/OP/0010) issued by the European Union Agency for Cybersecurity (ENISA). The purpose is to select trusted managed security service providers to support ENISA in implementing Regulation (EU) 2023/2841 on measures for a high common level of cybersecurity at EU institutions, bodies, offices, and agencies. Successful contractor(s) will provide monitoring, analysis, threat hunting, and incident response consultancy services for ENISA-owned IT systems and tools, whether hosted on-premises or outsourced. The tender covers LOT-0001 with an estimated overall contract value of €1,200,000 over 48 months.

Key Dates and Deadlines

• Publication Date: 11 May 2026
• Deadline for Tender Submission: 9 June 2026 at 10:00:59 (Athens time, Europe/Athens timezone)
• Additional Information Requests Deadline: 1 June 2026
• Tender Validity Period: 6 months

Eligibility and Who Can Apply

Open to economic operators capable of providing the required services. Tenderers must meet selection criteria, including economic and financial standing, technical and professional capacity, and exclusion criteria. Specific requirements are detailed in the procurement documents, including declarations on honour, administrative ID forms, and explanatory notes on exclusion criteria for non-EU controlled entities ¹. ENISA emphasizes security measures for suppliers (Annex 13). Subcontracting is allowed with required forms for identified subcontractors and entities relied upon for capacities.

Contract Structure and Budget

Estimated Value:€1,200,000 (total for the procedure).

Duration:Framework contract for an initial period of 12 months, renewable up to 3 times (total potential 48 months).

Contract Type:Framework agreement without reopening of competition (fa-wo-rc). Electronic orders and payments will be used.

Award Criteria

Detailed evaluation methodology is outlined in the procurement documents. Tenderers must submit project references, financial offers, and simplified financial statements.

Scope of Services

Services target ENISA IT assets including VMs, Dockers, web applications, infrastructure (firewalls, DNS servers, proxies), Windows and Linux systems. Logs are collected on on-premises Splunk servers. This tender aligns with prior ENISA procurements for similar services, such as LOT 2 in earlier calls with budgets around €1.1 million over 4 years ².

Application Process

1. 1Register and submit via the EU Funding & Tenders Portal eSubmission system (mandatory).
2. 2Download all documents from the portal, including Invitation to Tender, Administrative and Technical Specifications (Annex I Parts 1 and 2), Draft Contract (Annex II), and various annexes (e.g., financial offer form, declarations).
3. 3Use editable documents ZIP for Annexes 2,3,4,5.1,5.2,6,7,8,9,11.
4. 4Questions for clarification must be submitted via the portal's Q&A section.
5. 5Primary portal: EU Funding & Tenders Portal
6. 6ENISA website for context: ENISA Procurement

Additional Considerations

Tenderers should review guidance on participation in the Digital Europe Programme (Annex 12) and ownership control declaration (Annex 11). Compliance with ENISA supplier security measures is mandatory. This opportunity is not SME-specific (smeSuitableIndicator: false) but open to qualified providers including consulting firms.

Footnotes

1. 1See Annex 10: Explanatory Note on Exclusion Criteria on non-EU controlled entities and Annex 02: Declaration of Honour for full details.
2. 2Historical context from prior ENISA tenders; current tender has updated reference ENISA/2026/OP/0010 and value of €1.2 million.