Procurement for development of open source cybersecurity attestation programmes in line with the Cyber Resilience Act

739ff375-1855-4b81-93e2-e45aee7a8dfc-EXA | Forthcoming | Tender | 3 months ago | May 16th, 2025

Overview

This announcement pertains to a planned call for tenders by the European Commission's Directorate-General for Connectivity, Content and Technology (DG CNECT) related to developing open-source cybersecurity attestation programs as part of the Cyber Resilience Act. The objective is to establish voluntary security attestation programs allowing developers and users of free and open-source software (FOSS) to confirm compliance with cybersecurity requirements mandated by the Act.

The contractor will take on the task of researching and drafting a comprehensive study to outline the operational effectiveness of these attestation programs. The total estimated contract value is €80,000, with a duration of 9 months. This will be a negotiated procedure classified as a middle/low-value contract.

Key details include:
- The expression of interest period starts on May 16, 2025, and runs through May 31, 2025.
- The indicative date for launching the negotiated procedure is June 2, 2025.
- Interested parties must submit their expressions of interest electronically.

Eligible applicants could include research institutes, consulting firms, universities, and other stakeholders with expertise in cybersecurity and software development. The opportunity targets organizations within the EU, given its alignment with European Commission directives.

The procurement is aimed at enhancing the compliance and security of software components that might not traditionally fall under stringent cybersecurity regulations, thereby bolstering the integrity of FOSS.

This publication is a pre-announcement, not a direct call for tenders, so no applications are currently being accepted. The process for the actual tender will be formally outlined when the call for tenders is published.

Detail

This is a publication announcing the contracting authority’s intention to publish a future negotiated low or middle value procedure, not a call for tenders.

The procedure identifier is EC-CNECT/2025/MVP/0044-EXA.

The description is as follows: Article 25 of Regulation (EU) 2024/2847 (the Cyber Resilience Act) empowers the European Commission to adopt delegated acts establishing voluntary security attestation programmes allowing the developers or users of free and open-source software (FOSS) as well as other third parties to attest the conformity of such software with all or certain essential cybersecurity requirements or other obligations laid down in the CRA. The objective of these attestation programmes is to support and facilitate the due diligence of manufacturers that integrate FOSS components that are not subject to the essential cybersecurity requirements, as such manufacturers need to ensure the compliance of their product as a whole, including vulnerability handling requirements, as well as to contribute to strengthening the security of FOSS that falls outside the scope of the CRA. The contractor will be responsible for researching and drafting a comprehensive study that outlines how the attestation programmes could function effectively.

The maximum value is 80,000 EUR. The duration is 9 months. The procedure type is a planned negotiated procedure for middle/low value contract. The estimated total value is 80,000 EUR. The lead contracting authority is the European Commission, DG CNECT Communications Networks, Content and Technology. The main classification (CPV) is 72212980 Programming languages and tools development services. The nature of the contract is services. The maximum contract duration is 9 months. There is no framework agreement.

Milestones:
Start date for expression of interest: 2025-05-16 Europe/Brussels
Deadline for expression of interest: 31/05/2025 04:59 Europe/Brussels
Indicative date of launch of the negotiated procedure: 2025-06-02 Europe/Brussels

Expression of interest:
Submissions must be sent exclusively at the address for submission given below.
Method of expression of interest: Electronic
Address for expression of interest: Express interest

A frequently asked question is: Where can I find the procurement documents for calls for tenders with ‘ExA’ in the reference? The answer is: References that feature an ‘ExA’ are not calls for tenders. They are a publication announcing the contracting authority’s intent to launch in the future a low or middle negotiated procedure. This was published on 03/10/2024 16:32.

In summary, this is a pre-announcement for a future negotiated procedure related to the Cyber Resilience Act (CRA) and the development of security attestation programs for free and open-source software (FOSS). The European Commission, DG CNECT, intends to contract a study to outline how these attestation programs can function effectively. The maximum value of the contract is 80,000 EUR, and the duration is expected to be 9 months. Companies interested in participating in this future negotiated procedure should express their interest electronically. The expression of interest period starts on May 16, 2025, and ends on May 31, 2025. The indicative date for launching the negotiated procedure is June 2, 2025. It is important to note that this announcement is not a call for tenders, and references with "ExA" are related to planned, not current, tender opportunities.

Breakdown

Eligible Applicant Types: The opportunity does not explicitly define eligible applicant types. However, given the nature of the contract (services related to cybersecurity attestation programs), it is likely that eligible applicants could include organizations with expertise in cybersecurity, software development, legal studies, and standardization, such as research institutes, consulting firms, universities, and potentially specialized SMEs or large enterprises.

Funding Type: Procurement. This is a planned call for tenders, indicating a procurement process where the contracting authority (European Commission, DG CNECT) intends to purchase services.

Consortium Requirement: The opportunity does not specify whether a single applicant or a consortium is required. This detail will likely be clarified when the actual call for tenders is published.

Beneficiary Scope (Geographic Eligibility): The opportunity does not explicitly state geographic eligibility. However, since it is issued by the European Commission, it is highly probable that the eligibility will be centered around EU member states, potentially extending to EEA countries or other countries associated with EU programs.

Target Sector: Cybersecurity, ICT, Software Services, Innovation, Legal. The program targets the development of open-source cybersecurity attestation programs, aligning with the Cyber Resilience Act. It involves programming languages and tools development services, and touches upon legal aspects related to the implementation of the Act.

Mentioned Countries: No specific countries are mentioned. The contracting authority is the European Commission, implying a focus on the European Union.

Project Stage: Research, Development. The contractor will be responsible for researching and drafting a comprehensive study, suggesting that the project is in the early stages of research and development.

Funding Amount: Under €50k to €200k. The estimated total value of the contract is 80,000 EUR.

Application Type: Planned negotiated procedure. This is not an open call but a planned negotiated procedure for a middle/low value contract. An expression of interest is required initially.

Nature of Support: Non-monetary services. The selected contractor will receive money for providing services, specifically for researching and drafting a study.

Application Stages: At least 2. The process involves an expression of interest, followed by a negotiated procedure. The exact number of stages will be clearer when the full call for tenders is released.

Success Rates: The success rates cannot be determined at this stage, as this is merely an announcement of a future call for tenders. Success rates will depend on the number of applicants and the evaluation criteria, which will be detailed in the actual call.

Co-funding Requirement: The opportunity does not mention any co-funding requirements.

Summary:

This is an announcement from the European Commission, DG CNECT, regarding a planned call for tenders related to the development of open-source cybersecurity attestation programs. This initiative is in line with Article 25 of the Cyber Resilience Act (Regulation (EU) 2024/2847). The main objective is to create voluntary security attestation programs that allow developers and users of free and open-source software (FOSS), as well as other third parties, to attest the conformity of their software with the cybersecurity requirements outlined in the CRA. The attestation programs aim to support manufacturers integrating FOSS components and to strengthen the security of FOSS.

The selected contractor will be responsible for conducting research and drafting a comprehensive study detailing how these attestation programs can function effectively. The estimated total value of the contract is 80,000 EUR, with a duration of 9 months. This is a planned negotiated procedure for a middle/low value contract.

The process begins with an expression of interest, with a start date of May 16, 2025, and a deadline of May 31, 2025. The indicative date for the launch of the negotiated procedure is June 2, 2025. Interested parties must submit their expression of interest electronically via the provided address. This announcement is not a call for tenders itself, but rather a notification of the contracting authority's intention to publish a future negotiated procedure.

Short Summary

Impact: The funding aims to develop open-source cybersecurity attestation programs to enhance the security of free and open-source software (FOSS) under the Cyber Resilience Act.

Applicant: Applicants should have expertise in cybersecurity, software development, and legal studies related to the Cyber Resilience Act.

Developments: The activities will focus on researching and drafting a comprehensive study on the implementation of cybersecurity attestation programs.

Applicant Type: Specialized entities such as research institutes or contractors with expertise in cybersecurity.

Consortium: A single applicant is required for this procurement.

Funding Amount: €50,000–€200,000, with a maximum contract value of €80,000.

Countries: The funding is relevant for EU member states as it is issued by the European Commission.

Industry: Cybersecurity under the Cyber Resilience Act.