Certifications and public tenders: what the public sector actually asks

AgID, qualifications, ISO 27001 / 27017 / 27018: the updated 2026 map of what is needed to bid in Italian public tenders.

TL;DR

For Italian public tenders in 2026, the standard required certifications are ISO 9001 + ISO 27001:2022 + ISO 27017 + ISO 27018 for cloud/IT suppliers. AgID maintains a list of qualified providers. Without certifications you are excluded a priori.

Required certifications

Always

  • ISO 9001:2015 — quality management system.
  • ISO/IEC 27001:2022 — information security.

For cloud services

  • ISO/IEC 27017:2015 — cloud security.
  • ISO/IEC 27018:2019 — cloud privacy.

For datacentre and hosting

  • ISO/IEC 27036 — supply chain.
  • ISO 22301 — business continuity (substitutable with 27001:2022 A.5.30).

AgID's role

AgID manages the Qualifications Marketplace: a public list of suppliers qualified for public-sector services. To be listed, a supplier needs:

  • updated company registration;
  • valid ISO certifications (not expired);
  • registration with CONSIP / MePA;
  • in some cases, specific AgID qualification.

Timeline and budget to qualify

  • ISO 9001 + 27001 from zero: 8-12 months;
  • adding 27017 + 27018: 3-6 months;
  • AgID and CONSIP registration: 1-2 months;
  • realistic total: 12-18 months.

Budget: €25-50k year one.

What changes in 2026 with NIS2

NIS2 has raised the bar: tenders with NIS2-essential entities ask, beyond the ISO certifications, for:

  • NIS2 Article 21 compliance attestation;
  • cyber lead registered with ACN;
  • documented incident notification procedure.

In short: the "AgID qualification" is gaining NIS2 requirements.

Common tender mistakes

  • certifications expired at submission: immediate exclusion.
  • certification scope inconsistent with the tender: immediate exclusion.
  • missing sector references: penalises technical scoring.

Sefthy in tenders

Sefthy is certified on all three cloud ISOs. MSPs using Sefthy can declare compliance for their DR stack.

FAQ

Is ISO 9001 enough?

For cloud services, no: at least 27001 is needed. For non-cloud services (e.g. consulting), often yes.

Do supplier certifications count for the prime contractor?

Partially. The prime contractor must have its own 27001, regardless of suppliers.

Is CONSIP mandatory?

No, but it is the fastest path for medium-value tenders.


For the differences between the ISO standards, see "ISO 27001 vs 27017 vs 27018". For ISO certification of MSPs, see "ISO 27001 for MSPs".
