Do you need a cybersecurity incident simulation service (SIC)?

Name of the grant line

Framework Agreement for the provision of cybersecurity incident simulation services within the framework of the Recovery, Transformation and Resilience Plan – Funded by the European Union – NextGenerationEU.

Objective, brief description

The purpose of this Framework Agreement is to select companies specializing in cybersecurity to provide cybersecurity incident simulation services for SPRI-Basque Business Development Agency (hereinafter, “SPRI”), for the duration of the agreement.

Deadline for submitting bids or requests to participate: 11/18/2024, 10:00 AM

Beneficiary entities

Award procedure: Open

Natural or legal persons, Spanish or foreign, who have full legal capacity, are not subject to a prohibition on contracting, are not in a situation of conflict of interest, and who meet the solvency requirements or, where applicable, are classified, may participate in the procurement procedure. They must also possess the qualifications established, where applicable, in clause 21.4 of the specific clauses of the contract (if said clause indicates that the time by which the qualification(s) must be obtained is the “final date for submission of bids”).

Several people who meet the requirements indicated in the previous paragraph may also participate, grouped into a UTE in accordance with the legally established conditions.

Only legal entities that comply with the provisions of Article 66.1 of the LCSP, as well as economic operators from the Community or signatory states of the Agreement on the European Economic Area, and non-Community economic operators that comply with the provisions of Articles 67 and 68.1 of the LCSP, respectively, are eligible to participate.

Economic operators must have the following solvency:

• Economic and financial. Requirement(s): The tenderer’s annual turnover, for the best financial year of the last three completed years, is equal to or greater than 175,000 euros.

• Technical or professional. Requirement(s): Only companies that can prove they have performed, over the last three years, work of the same or similar nature to that which constitutes the subject of the competition, with an annual cumulative value in the year of greatest performance equal to or greater than 122,500 euros, may participate in the competition.

Eligible projects

The tasks assigned to the successful bidders will be all those necessary for the management and execution of cybersecurity incident simulations.

Understand the objectives of each service, identify their needs, and define the type of simulation that best suits their needs.

• Collaborate with SPRI in defining the typology of cybersecurity incident simulations.

• Manage and execute cybersecurity incident simulations organized by SPRI through an open call to companies in the Basque Country at the facilities that SPRI makes available for this purpose.

• Manage and execute cybersecurity incident drills in companies that individually request them from SPRI, either in-house or at facilities that SPRI enables for this purpose within the CAE.

• Prepare a report on the results of the drills conducted, as well as proposals for actions to be taken by the drills to reduce their vulnerabilities.

• Preparation of reports for SPRI on the results of the drills conducted.

• Conduct the requested cybersecurity simulation types. The type will be defined and designed by SPRI. For each simulation, the maximum number of hours to be allocated will be established for each of the two professional profiles required in the Framework Agreement. The time commitment will not exceed 7 hours per consultant, up to a maximum of two people per simulation.

  • By way of example, and without prejudice to the necessary updating and adjustment to the needs of SPRI in each case, the drills may be of the following types:

  • Ransomware

  • Critical infrastructure

  • Targeted attacks

  • Others

• Drill types will be tailored to the size of the companies and their sectors of activity, with special attention paid to designing drills aimed at small and medium-sized enterprises, especially those in the industrial and advanced services sectors, as well as those in the energy sector.

• Carry out actions to disseminate the service for SPRI.

• Companies awarded the framework agreement must adhere to the methodology established by SPRI for each type of drill. For example, the following aspects will be taken into account:

  • Design specific drills for management teams, always involving the ICT department teams.

  • Drills should be targeted at crisis committee teams and focused on decision-making.

  • Possibility of benchmarking and seeking synergies with actions carried out by entities such as INCIBE or ZIUR.

  • Review actions also aimed at technical profiles, role play, etc.

  • Design drills with different formats: simulate an incident in a production plant using narrative role-playing (storytelling), drills for different profiles, in formats with dedicated time in one or more sessions.

• Collaboration with SPRI in the establishment and management of service dashboards.

• Collaboration with the Clusters within the scope of this contract when requested by SPRI.

% of financing

The total base tender budget for the contract is €3,500,000, plus €735,000 in 21% VAT, and is allocated to the following annual payments:

• Year 2025: 3,000,000 euros plus VAT.

• Year 2026: 500,000 euros plus VAT.

More information