
TC Programme for Cybersecurity Resilience



TCRS Number:


Business sector:


Notice type:




PSD disclosed: 11 Aug 2023

Project Description

Accelerating the digital transition is one of the three cross-cutting themes of the EBRD’s Strategic and Capital Framework (SCF) 2021-25. The new digital approach approved in November 2021 is implemented by the Digital Hub, a dedicated unit established in January 2022. To accelerate the digital transition, the Bank is establishing the foundations for digital transformation, promoting adaptation among enterprises and governments, and supporting innovation and new market entrants.

As cyber threats pose considerable risks to the achievement of these goals, the Digital Approach committed to the following: (1) the Bank’s external policy and investment promotional activities take into account cyber issues; (2) the Bank undertakes an appropriate level of cyber due diligence to ensure the compliance of investee companies, where necessary. Cyber threats are relevant to the great majority of the Bank’s investments in all sectors and all regions, to corporations.

This TC Programme of the Digital Hub is a complete framework to address cyber risks and will support ICA, SIG and FI investment projects.

The TC programme will facilitate four functions:

A. Preliminary assessment of existing EBRD clients, prospective clients or groups of such clients, to raise awareness of the risk and help formulate a strategic course of action, in the context of a generic project or at the exploratory phase of a designated cybersecurity project.

B. In-depth assessment of clients during the Due Diligence phase to develop a specific technical mitigation plan for the cyber risk to the resiliency of the organization, the specific project and/or the client’s ICT offering, in the context of a generic project or as part of a designated cybersecurity project.

C. Supporting the client in implementing a technical cybersecurity mitigation plan.

D. Cybersecurity RoSI (Return on Security Investment) consultancy.

The project pipeline should be large: although not all projects have substantial cyber risks, dozens of EBRD projects with considerable cyber risks are approved each year. Additionally, demand from clients and prospective clients to receive support to enhance their cybersecurity resiliency, not in the context of a specific project, is also considerable. This demand is not confined to a specific region or sector; however, the Digital Hub will prioritize engaging critical infrastructure operators and clients who are going through considerable digital transformation that exposes them to significant cyber and privacy risks.

The Digital Hub will fundraise either on an ad hoc basis for specific investment projects, or for a larger pot of money to be used against specific regions or sectors of specific importance. Funding will be sought initially from Israel and Taipei China.

These TC programmes have the same standardised scope of work, budget methodology and ranges; EBRD clients will be the main beneficiary of the services, as follows:

Standardised Activity 1: Cybersecurity Preliminary assessment

  • Assessing enterprise cybersecurity posture using open source information 
  • Assessing enterprise cybersecurity posture using questionnaires
  • Aligning assessments with Digital Hub Cyber Framework

Standardised Activity 2: Cybersecurity Organizational Due Diligence

  • Review information security management system
  • Review and validate mitigation plan and controls
  • Analyse and formulate mitigation plan

Standardised Activity 3: Implementation Support

  • Create specific security plans and architectures
  • Create security-based business models
  • Formulate policy and processes
  • Support on-boarding of tools and services
  • Staff training

Standardised Activity 4: Cybersecurity RoSI consultancy: Return on Security Investment, expected market conditions and appropriateness of business plan in light of relevant market trends.

Market analysis

  • Assessment of competitive positioning
  • Assessment of cyber risks impact on Company's business plan (positive and negative)
  • Assessment of Company's & competitors' product offerings
  • The purpose of activity 4 is to develop with the client a rationale for investing in its cybersecurity posture beyond resiliency (mainly competitiveness)

Understanding Transition

Further information regarding the EBRD’s approach to measuring transition impact is available here.

Business opportunities

For business opportunities or procurement, contact the client company.

For business opportunities with EBRD (not related to procurement) contact:

Tel: +44 20 7338 7168

For state-sector projects, visit EBRD Procurement:

Tel: +44 20 7338 6794

Any competitive selections for business opportunities relating to this project will be published on the EBRD's website: Consultancy Procurement Opportunities.

General enquiries

EBRD project enquiries not related to procurement:
Tel: +44 20 7338 7168

Access to Information Policy (AIP)

The AIP sets out how the EBRD discloses information and consults with its stakeholders so as to promote better awareness and understanding of its strategies, policies and operations following its entry into force on 1 January 2020. Please visit the Access to Information Policy page to find out what information is available from the EBRD website.

Specific requests for information can be made using the EBRD Enquiries form.

Independent Project Accountability Mechanism (IPAM)

If efforts to address environmental, social or public disclosure concerns with the Client or the Bank are unsuccessful (e.g. through the Client’s Project-level grievance mechanism or through direct engagement with Bank management), individuals and organisations may seek to address their concerns through the EBRD’s Independent Project Accountability Mechanism (IPAM).

IPAM independently reviews Project issues that are believed to have caused (or to be likely to cause) harm. The purpose of the Mechanism is: to support dialogue between Project stakeholders to resolve environmental, social and public disclosure issues; to determine whether the Bank has complied with its Environmental and Social Policy or Project-specific provisions of its Access to Information Policy; and where applicable, to address any existing non-compliance with these policies, while preventing future non-compliance by the Bank.

Please visit the Independent Project Accountability Mechanism webpage to find out more about IPAM and its mandate; how to submit a Request for review; or contact IPAM via email to get guidance and more information on IPAM and how to submit a request.
