Joint Procurement: IT infrastructure penetration testing / Supply of IT Security Assessment Services: Penetration Testing / IT Security Assessment Services according to the TIBER-EU framework

CPV: 72820000 Computer testing services
Place of execution:
Joint Procurement: IT infrastructure penetration testing / Supply of IT Security Assessment Services: Penetration Testing / IT Security Assessment Services according to the TIBER-EU framework
Awarding body:
Banca Nationala a Romaniei
Award number:
361684_2021_M10

1. Buyer

1.1 Buyer

Official name : Banca Nationala a Romaniei

2. Procedure

2.1 Procedure

Title : Joint Procurement: IT infrastructure penetration testing / Supply of IT Security Assessment Services: Penetration Testing / IT Security Assessment Services according to the TIBER-EU framework
Description : The contract implies a joint procurement. The contracting authority is also purchasing on behalf of other contracting authorities. The participating institutions are:
• Banca d'Italia, Via Nazionale 91, Roma, IT 00184, Italy
• Banco de España, Calle Alcalá, 48, 28014, Spain
• Banque centrale du Luxembourg, 2, boulevard Royal, L-2983 Luxembourg
• Central Bank of Cyprus, 80 Kennedy Avenue, Nicosia, CY-1076, CYPRUS
• Central Bank of Ireland, New Wapping Street, North Wall Quay, Dublin 1, Ireland
• Central Bank of Malta, Castille Place, Valletta, VLT1060, Malta
• European Central Bank, Sonnemannstrasse 20, Frankfurt am Main, 60314, Germany
• Oesterreichische Nationalbank, Otto-Wagner-Platz 3, Wien, 1090, Austria
• Malta Financial Services Authority, Triq l-Imdina, Zone 1, Central Business District, Birkirkara, Malta

Other institutions that have the right to participate in EPCO's activities (according to Decision ECB/2008/17 as amended) and that did not express an interest in this procedure before the publication of the contract notice in the OJEU will also be able to join the Framework Agreements, if they so wish, before their expiry. The identity of EPCO members may be consulted on EPCO's website: https://epco.lu/.

The objective of the current joint tender procedure is to contract the services for identifying the cybersecurity risks and for guidance on taking appropriate technical and organizational measures to minimize those risks within current and future EPCO members of the ESCB. To cover a wider scope, according to the testing methodology, the National Bank of Romania identified three lots for the joint tender procedure:
• Lot no. 1 - IT Security Assessment Services in line with the latest Regular Penetration Testing Execution Standards;
IT Security Assessment Services according to the TIBER-EU framework:
• Lot no. 2 - Targeted Threat Intelligence Services;
• Lot no. 3 - Red team IT Security Services.

Each lot will result in a framework agreement with the following characteristics: multi-supplier framework agreement (max 5), with reopening of the competition. For all Participating Institutions except NBR, this Framework Agreement shall be non-exclusive, meaning that these Participating Institutions will have no obligation to award assignments to the Contractor under this Framework Agreement for the purchase of IT Security Assessment Services. For NBR, this Framework Agreement shall be exclusive, meaning that during the term of this Framework Agreement NBR will have the obligation to fulfill its needs for IT Security Assessment Services through this Framework Agreement by concluding Further Agreements with the Contractors.

All current and future EPCO member central banks are together potential beneficiaries of the Framework Agreements, which the Participating Institutions will implement via reopening of the competition (mini-competition) among the Contractors. Each Participating Institution shall be entitled to describe its specific needs regarding the IT Security Assessment Services (the IT infrastructure that needs to be tested), and to apply its own offer evaluation methodology and quality/price weighting within the terms of the Framework Agreement to assign the Further Agreements.

Deadline for requesting clarifications to the award documentation: 16 days before the deadline for submission of offers
Date of response to all requests for clarification: 11 days before the deadline for submission of offers
Procedure identifier : 2fc94a6a-ac84-4c12-847e-69f6ecf10ee1
Internal identifier : 361684_2021_M10

2.1.1 Purpose

Nature of the contract : Services
Main classification ( cpv ): 72820000 Computer testing services

2.1.4 General information

Legal basis :
Directive 2014/24/EU

5. Lot

5.1 Technical identifier for the lot : LOT-0001

Title : IT Security Assessment Services in line with the latest Regular Penetration Testing Execution Standards
Description : The IT infrastructure of the NBR (as well as that of the other participating institutions), as implemented at the time of the tests and available to both internal and external customers, is within the scope of these tests. The IT infrastructure contains the components required to operate and manage the IT environments. These components include hardware, software, networking components, an operating system (OS), and data storage, all of which are used to deliver IT services and solutions.

The main objective is to identify the Participating Institution's cybersecurity risks and to take appropriate technical and organizational measures to minimize/mitigate those risks. More granular objectives are defined as follows:
- Identify the external exposure in terms of attack surface and determine whether the implemented security controls ensure appropriate protection against malicious actors;
- Measure the level of responsiveness and the capability to identify and react to a cyber-attack targeted at the weak points;
- Determine whether the security policy and controls implemented within the internal IT infrastructure are strong enough to identify an ongoing cyber-attack and to take measures to stop it;
- Measure the effectiveness of the security awareness program by testing the user’s reaction to a social engineering cyber-attack;
- Determine whether the sensitive data is well protected against bad actors;
- Comply with the regulatory requirements by ensuring that the IT infrastructure offers a certain level of security protection.

Penetration tests are usually performed by following the stages defined below:
• Pre-engagement Interactions;
• Intelligence Gathering and Threat Modelling;
• Vulnerability Identification and Analysis;
• Exploitation;
• Post Exploitation;
• Reporting.
Internal identifier : 1

5.1.1 Purpose

Nature of the contract : Services
Main classification ( cpv ): 72820000 Computer testing services

5.1.2 Place of performance

Country subdivision (NUTS) : Bucureşti ( RO321 )
Country : Romania
Additional information : NBR Headquarters, the headquarters of the participating institutions

5.1.6 General information

Procurement project not financed with EU funds
Additional information : Regarding the estimated volume for the participating institutions, EPCO members, the following information will be taken into account:
• Institutions interested in using the framework agreements from the beginning: Banco de Espana, Banque Centrale du Luxembourg, Central Bank of Cyprus, Central Bank of Ireland, Central Bank of Malta, Oesterreichische Nationalbank, European Central Bank, Banca d'Italia, Malta Financial Services Authority.
• The total estimated volume based on the information provided by the institutions listed above, for all three lots, for a period of 4 years: 2,975,636 EURO
• The total real value of the subsequent contracts could increase considerably, considering that any other participating EPCO institution (the complete list is accessible on the website https://epco.lu/) has the right to access the framework agreements that will result from this joint acquisition.

The framework agreements will be optional for the participating central banks and any other institution entitled to participate in the activities of the EPCO in accordance with Decision ECB / 2008/17 (as subsequently amended), so that they will have the option but not the obligation to order the services from one of the contractors, based on the result of the resumption of the competition. The framework agreements do not confer any exclusive right on the contractors to provide the Services. However, the NBR is obliged to provide for its needs through these framework agreements.

5.1.16 Further information, mediation and review

Review organisation : Consiliul National de Solutionare a Contestatiilor
Organisation providing additional information about the procurement procedure : Banca Nationala a Romaniei
TED eSender : Operator SEAP

5.1 Technical identifier for the lot : LOT-0002

Title : Targeted Threat Intelligence Services
Description : The IT infrastructure of the NBR (as well as that of the other participating institutions), as implemented at the time of the tests and available to both internal and external customers, is within the scope of these tests. The IT infrastructure contains the components required to operate and manage the IT environments. These components include hardware, software, networking components, an operating system (OS), and data storage, all of which are used to deliver IT services and solutions.

The main objective is to identify the Participating Institution's cybersecurity risks and to take appropriate technical and organizational measures to minimize/mitigate those risks. More granular objectives are defined as follows:
- Identify the external exposure in terms of attack surface and determine whether the implemented security controls ensure appropriate protection against malicious actors;
- Measure the level of responsiveness and the capability to identify and react to a cyber-attack targeted at the weak points;
- Determine whether the security policy and controls implemented within the internal IT infrastructure are strong enough to identify an ongoing cyber-attack and to take measures to stop it;
- Measure the effectiveness of the security awareness program by testing the user’s reaction to a social engineering cyber-attack;
- Determine whether the sensitive data is well protected against bad actors;
- Comply with the regulatory requirements by ensuring that the IT infrastructure offers a certain level of security protection.

From the point of view of the TIBER-EU methodology: the tests will provide an overview of the existing vulnerabilities in employees, business processes and associated technology (applications and infrastructure), and will provide a detailed threat assessment that can be used to raise awareness of the current situation and of the measures to be taken to address it, improve the situation and reduce the associated risks.

These tests, performed on the basis of the "Red / Blue / White Team" concept, are an extended form of the classic concept of penetration testing, which usually provides a detailed and useful assessment of technical and configuration vulnerabilities. In the end, the tests will follow a complete scenario for a targeted attack against the entire entity.
Internal identifier : 2

5.1.1 Purpose

Nature of the contract : Services
Main classification ( cpv ): 72820000 Computer testing services

5.1.2 Place of performance

Country subdivision (NUTS) : Bucureşti ( RO321 )
Country : Romania
Additional information : NBR Headquarters, the headquarters of the participating institutions

5.1.6 General information

Procurement project not financed with EU funds
Additional information : Regarding the estimated volume for the participating institutions, EPCO members, the following information will be taken into account:
• Institutions interested in using the framework agreements from the beginning: Banco de Espana, Banque Centrale du Luxembourg, Central Bank of Cyprus, Central Bank of Ireland, Central Bank of Malta, Oesterreichische Nationalbank, European Central Bank, Banca d'Italia, Malta Financial Services Authority.
• The total estimated volume based on the information provided by the institutions listed above, for all three lots, for a period of 4 years: 2,975,636 EURO
• The total real value of the further agreements could increase considerably, considering that any other participating EPCO institution (the complete list is accessible on the website https://epco.lu/) has the right to access the framework agreements that will result from this joint acquisition.

The framework agreements will be optional for the participating central banks and any other institution entitled to participate in the activities of the EPCO in accordance with Decision ECB / 2008/17 (as subsequently amended), so that they will have the option but not the obligation to order the services from one of the contractors, based on the result of the resumption of the competition. The framework agreements do not confer any exclusive right on the contractors to provide the Services. However, the NBR is obliged to provide for its needs through these framework agreements.

5.1.16 Further information, mediation and review

Review organisation : Consiliul National de Solutionare a Contestatiilor
Organisation providing additional information about the procurement procedure : Banca Nationala a Romaniei
TED eSender : Operator SEAP

5.1 Technical identifier for the lot : LOT-0003

Title : Red team IT Security Services
Description : The IT infrastructure of the NBR (as well as that of the other participating institutions), as implemented at the time of the tests and available to both internal and external customers, is within the scope of these tests. The IT infrastructure contains the components required to operate and manage the IT environments. These components include hardware, software, networking components, an operating system (OS), and data storage, all of which are used to deliver IT services and solutions.

The main objective is to identify the Participating Institution's cybersecurity risks and to take appropriate technical and organizational measures to minimize/mitigate those risks. More granular objectives are defined as follows:
- Identify the external exposure in terms of attack surface and determine whether the implemented security controls ensure appropriate protection against malicious actors;
- Measure the level of responsiveness and the capability to identify and react to a cyber-attack targeted at the weak points;
- Determine whether the security policy and controls implemented within the internal IT infrastructure are strong enough to identify an ongoing cyber-attack and to take measures to stop it;
- Measure the effectiveness of the security awareness program by testing the user’s reaction to a social engineering cyber-attack;
- Determine whether the sensitive data is well protected against bad actors;
- Comply with the regulatory requirements by ensuring that the IT infrastructure offers a certain level of security protection.

From the point of view of the TIBER-EU methodology: the tests will provide an overview of the existing vulnerabilities in employees, business processes and associated technology (applications and infrastructure), and will provide a detailed threat assessment that can be used to raise awareness of the current situation and of the measures to be taken to address it, improve the situation and reduce the associated risks.

These tests, performed on the basis of the "Red / Blue / White Team" concept, are an extended form of the classic concept of penetration testing, which usually provides a detailed and useful assessment of technical and configuration vulnerabilities. In the end, the tests will follow a complete scenario for a targeted attack against the entire entity.
Internal identifier : 3

5.1.1 Purpose

Nature of the contract : Services
Main classification ( cpv ): 72820000 Computer testing services

5.1.2 Place of performance

Country subdivision (NUTS) : Bucureşti ( RO321 )
Country : Romania
Additional information : NBR Headquarters, the headquarters of the participating institutions

5.1.6 General information

Procurement project not financed with EU funds
Additional information : Regarding the estimated volume for the participating institutions, EPCO members, the following information will be taken into account:
• Institutions interested in using the framework agreements from the beginning: Banco de Espana, Banque Centrale du Luxembourg, Central Bank of Cyprus, Central Bank of Ireland, Central Bank of Malta, Oesterreichische Nationalbank, European Central Bank, Banca d'Italia, Malta Financial Services Authority.
• The total estimated volume based on the information provided by the institutions listed above, for all three lots, for a period of 4 years: 2,975,636 EURO
• The total real value of the further agreements could increase considerably, considering that any other participating EPCO institution (the complete list is accessible on the website https://epco.lu/) has the right to access the framework agreements that will result from this joint acquisition.

The framework agreements will be optional for the participating central banks and any other institution entitled to participate in the activities of the EPCO in accordance with Decision ECB / 2008/17 (as subsequently amended), so that they will have the option but not the obligation to order the services from one of the contractors, based on the result of the resumption of the competition. The framework agreements do not confer any exclusive right on the contractors to provide the Services. However, the NBR is obliged to provide for its needs through these framework agreements.

5.1.16 Further information, mediation and review

Review organisation : Consiliul National de Solutionare a Contestatiilor
Organisation providing additional information about the procurement procedure : Banca Nationala a Romaniei
TED eSender : Operator SEAP

6. Results

Value of all contracts awarded in this notice : 200 000 Euro

6.1 Results: lot identifier : LOT-0002

6.1.2 Information about winners

Winner :
Official name : S.C. DELOITTE CONSULTANTA S.R.L.
Tender :
Tender identifier : REF_OF: CAN1068262/LOT-0002/CIF: RO 2626460
Identifier of lot or group of lots : LOT-0002
Value of the tender : 4 050 Euro
The tender was ranked : yes
Rank in the list of winners : 2
Subcontracting : No
Contract information :
Identifier of the contract : 1
Date of the conclusion of the contract : 15/11/2023
Winner :
Official name : S.C. DELOITTE CONSULTANTA S.R.L.
Tender :
Tender identifier : REF_OF: CAN1068262/LOT-0002/CIF: RO 2626460
Identifier of lot or group of lots : LOT-0002
Value of the tender : 4 050 Euro
The tender was ranked : yes
Rank in the list of winners : 2
Subcontracting : No
Contract information :
Identifier of the contract : 4/P/2022
Date of the conclusion of the contract : 11/02/2022
Winner :
Official name : Security Alliance B.V.
Tender :
Tender identifier : REF_OF: CAN1068262/LOT-0002/CIF: RSIN 860566912
Identifier of lot or group of lots : LOT-0002
Value of the tender : 1 200 Euro
The tender was ranked : yes
Rank in the list of winners : 1
Subcontracting : No
Contract information :
Identifier of the contract : 4/P/2022
Date of the conclusion of the contract : 11/02/2022

6.1 Results: lot identifier : LOT-0003

6.1.2 Information about winners

Winner :
Official name : Atos Convergence Creators SRL
Tender :
Tender identifier : REF_OF: CAN1068262/LOT-0003/CIF: RO13783400
Identifier of lot or group of lots : LOT-0003
Value of the tender : 3 870 Euro
The tender was ranked : yes
Rank in the list of winners : 1
Subcontracting : No
Contract information :
Identifier of the contract : 5/P/2022
Date of the conclusion of the contract : 18/02/2022
Winner :
Official name : Clarified Security OÜ
Tender :
Tender identifier : REF_OF: CAN1068262/LOT-0003/CIF: EE101483225
Identifier of lot or group of lots : LOT-0003
Value of the tender : 6 000 Euro
The tender was ranked : yes
Rank in the list of winners : 2
Subcontracting : No
Contract information :
Identifier of the contract : 5/P/2022
Date of the conclusion of the contract : 18/02/2022

6.1 Results: lot identifier : LOT-0001

6.1.2 Information about winners

Winner :
Official name : Atos Convergence Creators SRL
Tender :
Tender identifier : REF_OF: CAN1068262/LOT-0001/CIF: RO13783400
Identifier of lot or group of lots : LOT-0001
Value of the tender : 4 470 Euro
The tender was ranked : yes
Rank in the list of winners : 1
Subcontracting : No
Contract information :
Identifier of the contract : 217/P/2021
Date of the conclusion of the contract : 06/12/2021
Winner :
Official name : S.C. DELOITTE CONSULTANTA S.R.L.
Tender :
Tender identifier : REF_OF: CAN1068262/LOT-0001/CIF: RO 2626460
Identifier of lot or group of lots : LOT-0001
Value of the tender : 4 050 Euro
The tender was ranked : yes
Rank in the list of winners : 2
Subcontracting : No
Contract information :
Identifier of the contract : 217/P/2021
Date of the conclusion of the contract : 06/12/2021

7. Modification

Identifier of the previous contract award notice : 715536-2023
Reason for modification : Modifications based on review clauses or options.
Description : Modifications resulting from the direct application of the contract provisions - review clauses (adjustments, measurements, regularity). They were provided for in the initial procurement documents in the form of clear review clauses or options, which may also include price review clauses. Need to extend the duration of supply or service contracts of a regular nature, concluded in the previous year, whose normal performance period expires on 31 December

7.1 Modification

Section identifier : CON-0003
Description of modifications : Change of duration according to addendum no. 1 to Further Agreement no. 1/15.11.2023 ( Framework Agreement no. 4/P/2022)

8. Organisations

8.1 ORG-0004

Official name : Banca Nationala a Romaniei
Registration number : R 361684
Postal address : Strada: Doamnei, nr. 8
Town : Bucuresti
Postcode : 030051
Country subdivision (NUTS) : Bucureşti ( RO321 )
Country : Romania
Contact point : Petre Tudor
Telephone : +40 311323245
Fax : +40 213070503
Internet address : https://www.bnr.ro
Roles of this organisation :
Buyer
Organisation providing additional information about the procurement procedure

8.1 ORG-0002

Official name : Consiliul National de Solutionare a Contestatiilor
Registration number : 20329980
Postal address : Str. Stavropoleos nr. 6, sector 3
Town : București
Postcode : 030084
Country subdivision (NUTS) : Bucureşti ( RO321 )
Country : Romania
Telephone : +40 213104641
Fax : +40 213104642
Internet address : http://www.cnsc.ro
Roles of this organisation :
Review organisation

8.1 ORG-0001

Official name : Operator SEAP
Registration number : RO42283735
Postal address : Strada: Italiană, nr. 22, Sector: -, Judet: Bucuresti, Localitate: Bucuresti, Cod postal: 020976
Town : Bucuresti
Postcode : 020976
Country subdivision (NUTS) : Bucureşti ( RO321 )
Country : Romania
Contact point : Roxana Popescu
Telephone : +40 3032997
Fax : +40 3052889
Internet address : https://www.adr.gov.ro/
Roles of this organisation :
TED eSender

8.1 ORG-9000

Official name : Clarified Security OÜ
Registration number : EE101483225
Postal address : Strada Lõõtsa, Nr. 12
Town : Tallinn
Postcode : 11415
Country subdivision (NUTS) : Lääne-Eesti ( EE004 )
Country : Estonia
Contact point : Mehis Hakkaja
Telephone : +372 6036644
Roles of this organisation :
Tenderer
Winner of these lots : LOT-0003

8.1 ORG-9001

Official name : Atos Convergence Creators SRL
Registration number : RO13783400
Postal address : Strada Kogălniceanu Mihail, Nr. 21
Town : Brasov
Postcode : 500090
Country subdivision (NUTS) : Braşov ( RO122 )
Country : Romania
Telephone : +40 268409470
Fax : +40 268409103
Roles of this organisation :
Tenderer
Winner of these lots : LOT-0003 LOT-0001

8.1 ORG-9002

Official name : S.C. DELOITTE CONSULTANTA S.R.L.
Registration number : 2626460
Postal address : Strada: Nicolae Titulescu, nr. 4-8, Sector: -, Judet: Bucuresti, Localitate: Bucuresti, Cod postal: 011141
Town : Bucuresti
Postcode : 010735
Country subdivision (NUTS) : Bucureşti ( RO321 )
Country : Romania
Telephone : +40 212221661
Fax : +40 212221660
Roles of this organisation :
Tenderer
Winner of these lots : LOT-0001 LOT-0002

8.1 ORG-9003

Official name : Security Alliance B.V.
Registration number : RSIN 860566912
Postal address : Strada Overschiestraat, Nr. 59
Town : Amsterdam
Postcode : 1062 XD
Country subdivision (NUTS) : Groot-Amsterdam ( NL329 )
Country : Netherlands
Telephone : +44 2071487475
Internet address : https://www.secalliance.com
Roles of this organisation :
Tenderer
Winner of these lots : LOT-0002

11. Notice information

11.1 Notice information

Notice identifier/version : 9e3c603c-53b0-4cc7-9453-13df0f31d705 - 01
Form type : Contract modification
Notice type : Contract modification notice
Notice dispatch date : 21/10/2024 14:54 +03:00
Notice dispatch date eSender : 21/10/2024 12:18 +03:00
Languages in which this notice is officially available : Romanian

11.2 Publication information

Notice publication number : 00638266-2024
OJ S issue number : 206/2024
Publication date : 22/10/2024