The contract implies a joint procurement.
The contracting authority is purchasing also on behalf of other contracting authorities.
The participating institutions are:
Banca d'Italia, Via Nazionale 91, Roma, IT 00184, Italy
Banco de España, Calle Alcalá, 48, 28014, Spain
Banque centrale du Luxembourg, 2, boulevard Royal, L-2983 Luxembourg
Central Bank of Cyprus, 80 Kennedy Avenue, Nicosia, CY-1076, CYPRUS
Central Bank of Ireland, New Wapping Street, North Wall Quay, Dublin 1, Ireland
Central Bank of Malta, Castille Place, Valletta, VLT1060, Malta
European Central Bank, Sonnemannstrasse 20, Frankfurt am Main,60314, Germany
Oesterreichische Nationalbank, Otto-Wagner-Platz 3, Wien, 1090, Austria
Malta Financial Services Authority, Triq l-Imdina, Zone 1, Central Business District, Birkirkara, Malta
Other institutions, having the right to participate in EPCO’s activities (according to Decision ECB/2008/17 as amended), which did not express an interest in this procedure before the publication of the contract notice in the OJEU will also have the possibility to join the Framework Agreements - if they wish so - before its expiry. The identity of EPCO members may be consulted on EPCO's website: https://epco.lu/.
The objective of the current joint tender procedure is to contract the services for identifying the cybersecurity risks and for guidance to take appropriate technical and organizational measures to minimize those risks within current and future EPCO members of the ESCB.
To cover a wider scope, according to the testing methodology, the National Bank of Romania identified three lots for the joint tender procedure:
• Lot no. 1 - IT Security Assessment Services in line with the latest Regular Penetration Testing Execution Standards;
IT Security Assessment Services according to the TIBER-EU framework:
• Lot no. 2 - Targeted Threat Intelligence Services;
• Lot no. 3 - Red team IT Security Services.
Each lot will result in a framework agreement with the following characteristics: multi-supplier framework agreement (max 5), with reopening the competition. For all Participating Institutions, except NBR, this Framework Agreement shall be non-exclusive, meaning that these Participating Institutions will not have obligation to award assignments to the Contractor according to this Framework Agreement for the purchase of IT Security Assessment Services with the Contractor. For NBR this Framework Agreement shall be exclusive, meaning that during the term of this Framework Agreement NBR will have the obligation to fulfill its needs for IT Security Assessment Services through this Framework Agreement by concluding Further Agreements with the Contractors.
All current and future EPCO member central banks are together potential beneficiaries of the Framework Agreements, which the Participating Institutions will implement via reopening of the competition (mini-competition) among the Contractors. Each Participating Institution shall be entitled to describe its specific needs regarding the IT Security Assessment Services (the IT infrastructure that needs to be tested), apply its own offers evaluation methodology, and quality/price weighting within the terms of the Framework Agreement to assign the Further Agreements.
Deadline for requesting clarifications to the award documentation: 16 days before the deadline for submission of offers
Date of response to all requests for clarification: 11 days before the deadline for submission of offers