Development, Consultancy and Support for an Age Verification Solution
Buyer: European Commission, DG CNECT – Communications Networks, Content and Technology, Brussels
Duration: 24 Months
Estimated value excluding VAT: €4.000.000
Deadline for receipt of tenders: 18/11
Description: This procurement will enable users of online web services to prove their age through the presentation of an electronic attestation through a dedicated application (mobile app) in a privacy preserving manner in order to access age restricted content. This mobile app will directly contribute to the implementation of the provisions on protection of minors of the Digital Services Act (DSA). The application will be built in compliance with the emerging technical specifications of the European Digital Identity Wallet (European Digital Identity · GitHub) and integrated into the common specifications of the European Digital Identity Wallet to be provided by Member States further to Regulation (EU) 1183/2024.
Requirements:
1) Average yearly turnover of the last two financial years above €2.500.000
2) The tenderer must prove experience in the field of Information systems development, Information systems support, and Information systems consultancy:
At least 3 projects in the field of Information systems development, support, and/or consultancy having been performed during a minimum period of 6 months in the last three years preceding the tender submission deadline, each with a minimum value of EUR 1 000 000.
Each of the elements below must be covered by at least one of the three contracts:
a. Project including the provision of an information system to over 1000 registered users;
b. Project using an agile project methodology, e.g. Scrum, SAFe or similar;
c. Broad international geographical coverage providing professional services in at least 3 different EU Member States;
d. Project ensured compliance of IT software and personal data processing with data protection law (i.e. GDPR/EUDPR);
e. Project developed under an Open Source Licence.
3) The tenderer must prove experience in the field of electronic identity management and mobile apps:
At least 3 projects in the field of identity management and mobile apps with different clients completed in the last five years preceding the tender submission deadline, each with a minimum value of €1.000.000 and having been performed during a minimum period of 6 months.
Each of the elements below must be covered by at least one of the three contracts:
* implementing digital identity schemes;
* developing or operating the necessary technology for the provision of identity means to citizens or businesses;
* implementing selective disclosure of information, zero-knowledge proofs or similar privacy preserving techniques;
* involving cryptographic verification of information;
* relying upon and implementing FIPS-140-2 or 3 L2 and/or EAL4+ certified devices;
* using secure execution and storage (Trusted Execution Environment/ Secure Enclave);
* involving the application of international identity or trust-services related standards or industry specifications (SAML, CTAP, EACv2, OID4VP, OID4VCI, OAuth, OpenID Connect, DIDComm, W3C DID, ISO18013 – mDL, AnonCreds, W3C Verifiable Credentials);
* developing one or more mobile applications with users in at least three EU Member States;
* developing one or more white label apps;
* involved in the eIDAS ecosystem supporting relying parties or eID schemes integrating to the eIDAS nodes or the development of an eIDAS node;
* involved in creating self-sovereign identity systems;
4) The tenderer must prove experience in the field of cryptography and particularly with zero knowledge proofs:
A) At least 3 published articles or research papers concerning zero knowledge proofs, written by a consortium member, subcontractor, or other entity to be relied on (such as a research institute, academic institution or not for profit organization) published within the past 2 years
OR
B) 1 research project in the field of cryptography and involving zero knowledge proofs having been performed during a minimum period of 6 months, and started in the 2 years preceding the tender submission deadline
OR
C) at least 1 IT development project in the field of cryptography and involving zero knowledge proofs, having been performed during a minimum period of 6 months, and started in the 2 years preceding the tender submission deadline
5) The tenderer must prove to have worked professionally with national or federal authorities in the EU Member States:
Projects having been performed during a minimum period of 6 months in the last five years preceding the tender submission deadline, where
EITHER:
At least 1 project included the provision of digital services to a national authority or public sector body in at least three EU Member States
OR At least 3 projects:
• included the provision of digital services to a national authority or public sector body in at least one EU Member State;
6) The Service quality of the tenderer must be certified according to industry standards:
The tenderer must have a valid SEI/CMMI level 3 certification or ISO 9001:2015 certification.
7) Certification of the information security management system:
The tenderer must have an ISO 27001:2013 certification for information security management system.
8) The tenderer must have at its disposal an adequate number of appropriate human resources (e.g. relevant qualifications for key staff) to perform the services requested
9) The tenderer must demonstrate professional experience in European Data Protection Law, as well as in data protection engineering:
The team must include at least one member who is a lawyer with a minimum of 7 years of professional experience, at least 3 years of which shall be in the field of data protection, IT software compliance with data protection law (i.e. GDPR/EUDPR). This member must have experience in drafting data protection compliance documentation, including, but not limited to, Data Protection Impact Assessments (DPIAs), Data Protection Risk Assessments, records, etc., and ensuring IT solutions comply with data protection by design and by default.
Additionally, the team must also include at least one software engineer or computer scientist with a minimum of 5 years of experience in ensuring compliance with data protection engineering principles in software development to fulfil specific data protection principles (e.g. data minimisation, purpose limitation, data quality, etc.). This team member should have experience in collaborating with Data Protection Officers or legal professionals to ensure compliance of IT solutions with data protection by design and by default.
10) The tenderer must prove its capacity to effectively manage projects relevant to this tender:
Project Manager: At least three years of experience in project management, including overseeing project delivery, quality control of delivered service, client orientation and conflict resolution experience in projects of similar size (at least EUR 1 000 000) and coverage, and with experience in management of a team of at least 5 people.
We are currently looking for a consortium partner, so if you are interested, write to me: horejsi.tomas@gmail.com