Purchasing Cybersecurity Goods and Services

29.10.2020

Cybersecurity is becoming increasingly important. In the wake of cyberattacks on the German parliament, the foreign office, and on prominent public figures, there is now greater awareness of the need for the State and companies to protect the integrity of their existing IT systems. The following article will provide an overview of some of the particularities that arise in the procurement of cybersecurity goods and services. Another article explains how a public contracting entity can achieve a higher standard of cybersecurity in its procurement procedures.

Many companies already offer a wide range of effective products and services that increase cybersecurity standards. These vary from simple, standardised software solutions such as firewalls and virus protection, to highly secured server rooms, and advice on the creation of coherent cybersecurity structures. It even extends to specialist software for security agencies carrying out investigations designed to access third party computer systems.

When acquiring cybersecurity goods or services there is significant tension between, on the one hand, compliance with relevant public procurement law regarding non-discriminatory and transparent competition and, on the other hand, the public contracting authority’s need for tailored solutions. National security and confidentiality concerns also play an important role. Embedded industry interests in building and developing German and European expertise in this particular field create further complexity. How this tension is resolved in each case largely depends on which public procurement procedure is appropriate and available:

  • The negotiated procedure without a call for competition is predestined for the acquisition of a particular product or service provided by a specific company. As it hinders competition, the procedure is available only in very specific circumstances and subject to strict requirements. In general, it is permissible in cases in which only one available product or supplier meets the required minimum standard regarding IT security. The procedure might also be employed if migration of sensitive data to a new system or incompatibility between different systems used by the public authorities would lead to serious security risks. Lastly, it is also regularly permissible in cases in which certain proprietary rights restrict the tender to only one possible supplier. This occurs, for example, when the public contracting authority seeks to obtain updates for existing software, software maintenance services or additional licences for particular IT security products that are already in use.

  • If the public authority’s choice is not limited to one product or one supplier, then the negotiated procedure with a call for competition is preferable for complex projects. In this procedure, companies present their solutions based on the requirements set out by the public authority and the parties can negotiate specific terms. The public authority may then select the best product or services from those offered. This process enables the public authority to modify and refine the terms of the contract and to thereby purchase innovative solutions and state-of-the-art technology. In the past, this procedure has been used to acquire goods and services aimed at analysing vulnerabilities and weaknesses in IT infrastructure, for big-scale projects aimed at increasing employee awareness of cybersecurity topics, and for the creation of contingency plans to be used in the case of successful cyberattacks.

  • To build or expand on state-of-the-art technology a public authority may use an Innovation Partnership. This type of tender offers the possibility of developing new products and services that are not available on the market yet in collaboration with one or several selected companies. While this procedure has not yet gained significant relevance in practice, it could help to minimise dependence on non-EU products or systems in the IT security sector and strengthen the German and European presence on the cybersecurity market. These innovation partnerships could be suitable for large-scale projects in the field of IT, such as the development of complex spy software or defence systems.

  • Tenders for standardised goods and services without security implications can also be dealt with in an open procedure. This procedure is suitable for tenders for basic employee training on IT security or regular, general analyses of the current cyber threat level (“threat assessments”).

  • In the very limited cases set out in Article 346 of the Treaty on the Functioning of the European Union, the public authority is permitted to acquire a specific product or service without calling for a tender at all. This only applies if the “essential interests of [a member state’s] security” are affected. According to the newly introduced Section 107 Paragraph 2 Sentence 2 of the German Act against Restraints of Competition (GWB), this is also the case where the public contract concerns key defence or security technologies. These key technologies also include security-relevant IT and communication systems, such as cyber defence systems, and solutions using artificial intelligence (AI).

The coming years will show how contracting authorities can best resolve the tension between competition and security concerns and which types of procedures will prevail in the procurement of goods and services in the area of cybersecurity.

BLOMSTEIN will continue to monitor and report on these developments. If you have questions about the potential impact of cybersecurity in your company or sector, Roland M. Stein and Christopher Wolters are happy to provide assistance.
