Source: European Parliament
The Commission confirms that ‘data security’ can be used in public procurement as a technical specifications requirement or as part of the awarding criteria.
It is up to the public buyers to define the procurement solution that meets their specific needs and to reflect it adequately in the tender documents.
The evaluation of the EU public procurement framework is ongoing. Security aspects, including data security, are discussed in this context.
Once the evaluation is concluded, its outcome will be taken into account in the impact assessment of the forthcoming revision. As a principle, public procurement law regulates only the process of purchasing. Public buyers already have various ways to include security aspects in their tenders.
From the general cybersecurity perspective, the Commission is monitoring the current transposition of the Network and Information Security (NIS2) Directive[1], which requires entities from 18 critical sectors to take technical, operational and organisational cybersecurity risk-management measures to protect their network and information systems, including the digital data stored, processed, retrieved or transmitted by those systems.
The Commission is also monitoring and supporting the implementation of the Cyber Resilience Act[2], which, among other things, requires cybersecurity by design (including protection of processed data) for products with digital elements placed on the EU market; its essential cybersecurity requirements apply as of 11 December 2027.
- [1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance).
- [2] Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act), consolidated text: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02024R2847-20241120.