· Bryan Collins · Sector Guides · 8 min read
IT Services Tenders Ireland: A Supplier Guide for Public Sector ICT Bidders
A working guide for Irish IT consultancies, MSPs, software vendors and systems integrators on OGP ICT frameworks, Cyber Security Baseline Standards, NIS2, data residency and how to compete for public sector ICT contracts.
IT services tenders in Ireland are public contracts for software, cloud, cybersecurity, systems integration and managed services, procured under S.I. 284/2016 by bodies such as the OGP, HSE, Revenue, local authorities and universities, most above-threshold work is awarded through multi-supplier OGP ICT frameworks.
This guide is for Irish SME and mid-market IT consultancies, MSPs, software vendors and systems integrators who need the execution detail. For higher-level context, see the IT tenders market overview. Browse live IT services notices on TenderWatch.
Who Buys IT in the Irish Public Sector
Office of Government Procurement (OGP): Runs the central ICT frameworks, consultancy, software licensing, cloud, cybersecurity, hardware. Framework membership is the route to scale.
Office of the Government Chief Information Officer (OGCIO): Inside the Department of Public Expenditure, NDP Delivery and Reform. Runs the Build to Share programme, common applications (eDocs, eFOI, eSubmissions, ePQ) used by more than 50 departments on the Microsoft stack, plus the Government Cloud and Managed Desktop.
HSE: Electronic health records, patient administration, clinical systems, health-sector cybersecurity. Restricted procedures and competitive dialogues dominate larger transformations.
Revenue, Department of Social Protection (Digital Services), Courts Service, Central Bank of Ireland: Enterprise systems, identity, payments infrastructure, case management. Expect strict security clauses.
Local authorities and universities: The 31 local authorities plus TCD, UCD, UCC, University of Galway, Maynooth and the Technological Universities. HEAnet runs shared-services frameworks for higher education.
State agencies and semi-states: IDA, Enterprise Ireland, ESB, SEAI and others run their own IT procurements under the same rules.
Relevant CPV Codes
Set eTenders alerts on the codes that map to your services, tracking only “IT” misses most of the market.
| Code | Description |
|---|---|
| 48000000 | Software packages and information systems |
| 48611000 | Database software package |
| 72000000 | IT services, consulting, development, internet, support |
| 72222000 | Systems/technology strategic review and planning |
| 72230000 | Custom software development services |
| 72250000 | System and support services |
| 72400000 | Internet services |
| 72600000 | Computer support and consultancy services |
| 72700000 | Computer network services |
Get deadline alerts when new tenders match these codes: sign up for TenderWatch daily alerts.
OGP ICT Frameworks, How the Competition Works
Most above-threshold ICT spend runs through OGP frameworks, not individual open tenders. Understanding the call-off mechanics is the highest-use thing a bidding team can learn.
OGP runs a full competitive procedure to establish a multi-supplier framework, often lotted by technology stack, service type or SME-specific lots. Winning bidders are admitted for 2–4 years with extension options.
Contracts are then awarded by one of two routes:
- Direct drawdown: the buyer selects a framework member under pre-agreed rules. Used for commoditised services.
- Mini-competition: a second-stage competition among framework members. The common route for IT services, typically 2–4 weeks from issue to award.
Quality weightings of 60–70% are typical, with the remainder on price. Case studies, named delivery personnel with CVs and a worked methodology win mini-competitions.
The Business and Management and ICT Consultancy Services multi-supplier framework (expiring 9 August 2026) is one of the larger active vehicles, a renewal competition is a near-term pipeline event. Cloud, cybersecurity and systems-integration frameworks run on their own refresh cycles. Check Framework Watch for live status.
Thresholds From 1 January 2026
The EU thresholds were revised effective 1 January 2026. Verify against procurement.ie before quoting a figure in a bid.
| Threshold (ex-VAT) | From 1 Jan 2026 | Applies to |
|---|---|---|
| EU, services, central gov | €140,000 | Government departments |
| EU, services, sub-central | €216,000 | Local authorities, HSE, universities, public bodies |
| EU, works | €5,404,000 | All contracting authorities |
| National, services | €50,000 | Below this, quotation process may apply |
Above the EU threshold, contracts must be advertised on TED in addition to eTenders.
SME lotting for ICT. OGP guidance encourages lotting of larger ICT requirements so SMEs can bid for subsets. Circular 05/2023 tightened expectations, if a large ICT contract is not lotted, the authority must explain why in the award documentation.
Security, Data and Compliance
Three regulatory threads sit across almost every Irish public-sector ICT tender this year. Address all three explicitly or evaluators will mark you down.
1. Cyber Security Baseline Standards (NCSC). Published by the National Cyber Security Centre and the Department of the Environment, Climate and Communications (Revision 1, November 2022). Aligned to the NIST Cybersecurity Framework, they cover identity and access management, staff training, incident response, disaster recovery and supply-chain security. Map your controls to the Baseline domains in your response.
2. NIS2 transposition. The National Cyber Security Bill 2024 will transpose NIS2 and is expected to progress through the Oireachtas during 2026, with a self-registration scheme tentatively launching mid-year. Scope expands from around 450 NIS1 operators to an estimated 4,500–6,000 entities. Public buyers already include forward-looking NIS2 clauses on incident reporting, supply-chain risk and executive accountability.
3. GDPR and Data Processing Agreements. Any ICT contract touching personal data requires a DPA under Article 28 GDPR. EU data residency is the de-facto expectation, sensitive data must stay within the EEA absent an explicit transfer mechanism. Non-EU processing submissions must evidence Standard Contractual Clauses and a Transfer Impact Assessment under the post-Schrems II regime.
Data Hosting Residency, EU vs Outside-EU
Data residency is where a material share of IT bids are won or lost. Irish public buyers typically specify EU-only hosting; for health, financial and justice data the default is Ireland or EU with documented safeguards.
- EU-region hosting. Default for most workloads. Name the specific region (AWS Dublin, Azure North Europe, Google Cloud Dublin) in your response.
- Outside-EU processing. Permitted only with an adequate transfer mechanism and a Transfer Impact Assessment. US processing submissions must address CLOUD Act exposure head-on.
- Sovereign / Government Cloud. For certain workloads the OGCIO Government Cloud is the designated home. Build to Share integrations deploy into government infrastructure.
Use the Jargon Decoder to translate data-residency clauses in any ITT.
Qualification Thresholds for ICT Tenders
- Turnover: 1.5–2× annual contract value in each of the last 2–3 years.
- Financial standing: filed CRO accounts; audited only where the ITT requires them.
- Insurance: professional indemnity €1m–€6.5m, public liability €6.5m, employer’s liability €13m. Cyber liability increasingly specified for managed services.
- Experience: 2–3 reference contracts of comparable scale in the past 3–5 years.
- Certifications: ISO 27001 is effectively table stakes for security, data or hosting work. ISO 9001 for quality. SOC 2 Type II and NIST-aligned assurance letters help.
- Tax clearance: current Revenue tax clearance number.
- GDPR posture: named DPO, documented DPIA methodology, draft DPA.
Practical Tips, How to Win ICT Mini-Competitions
- Win the framework first, then build a mini-competition engine. A framework place is a licence to compete, not revenue. Budget capacity for three to five mini-competitions per quarter.
- Write to the Baseline, not the spec alone. Reference the NCSC Cyber Security Baseline Standards in your security section and map your controls to its domains. Evaluators score responses that align to recognised frameworks.
- Lead with data residency and DPA stance. Name the EU region and DPA position in the first 200 words of the technical response.
- Use public-sector case studies where you have them. A €400k HSE systems-integration reference is worth more than a €4m private-sector one. If you have none, target a smaller below-threshold contract first.
- Name the delivery team with CVs and availability. Generic “experienced team” language is penalised. Name the architect, delivery lead and key engineers; note Garda vetting where relevant.
- Design for Build to Share where the buyer runs it. Propose an integration path rather than a parallel system if the department is on the common-applications suite.
- Submit 24 hours early. eTenders platform issues at deadline are your risk. Late is disqualified without exception.
Run a quick bid-readiness check against any ICT tender before committing bid/no-bid capacity.
Where to Find Current IT Services Tenders
- TenderWatch IT Services: live open tenders updated daily with CPV filtering.
- Tender Matcher: score open IT tenders against your capability statement.
- Framework Watch: active and upcoming OGP frameworks with renewal dates.
- eTenders.gov.ie: register and set alerts on 48xxx and 72xxx codes.
- Fit Score: test a specific tender against your strengths before writing.
Frequently Asked Questions
What is the EU threshold for IT services tenders in Ireland in 2026?
From 1 January 2026, the EU services threshold is €140,000 for central government and €216,000 for local authorities, HSE, universities and other public bodies. Above these values, contracts must be advertised on TED in addition to eTenders.
Do I need ISO 27001 to bid on Irish public-sector IT contracts?
Not on every contract, but effectively required for hosting, managed services, cybersecurity or personal-data work. SOC 2 Type II and NIST-aligned assurance letters may be accepted; the NCSC Cyber Security Baseline Standards are the common reference point.
How do OGP ICT framework mini-competitions work?
Contracts are awarded by mini-competition among admitted suppliers. The buyer issues a request to the framework or a relevant lot; suppliers respond with a technical and commercial proposal. Scoring is typically 60–70% quality, 30–40% price. Timelines run 2–4 weeks.
Where does NIS2 leave Irish IT suppliers in 2026?
The National Cyber Security Bill 2024 is the transposition vehicle and is expected to progress through 2026, with self-registration tentatively launching mid-year. Scope expands from around 450 NIS1 operators to 4,500–6,000 entities. Public buyers already expect NIS2-ready clauses.
Can SMEs win Irish public IT tenders?
Yes. Circular 05/2023 requires buyers to divide contracts into lots where practical and justify any decision not to. SMEs win regularly in cybersecurity, UX, data analytics and bespoke development.
Tools and Further Reading
- Bid Readiness, assess a specific IT tender before committing
- Tender Matcher, score open IT tenders against your profile
- Jargon Decoder, translate procurement and security clauses
- IT Services live tenders, current open opportunities
- Framework Watch, upcoming OGP ICT framework renewals
- IT tenders market overview, higher-level sector context
- Irish procurement thresholds 2026, EU and national detail
Track every new IT services tender as it publishes, sign up for TenderWatch daily alerts or browse IT services.