General background
The EU Anti-Corruption Initiative in Ukraine (EUACI) is the European Union’s technical support program in the area of anti-corruption in Ukraine, co-funded and implemented by the Ministry of Foreign Affairs in Denmark. The overall objective of the EUACI is to achieve significant progress in preventing and countering corruption, ensuring the coherence and systemic anti-corruption activities of state and local self-government bodies, and to empower civil society and citizens to contribute to the combatting of corruption, as well as the proper process of Ukraine’s post-war recovery. The program runs till April 2027.
The Specialized Anti-Corruption Prosecutor’s Office (SAPO) is one of the key EUACI’s partner and an independent legal entity separated from the Prosecutor General’s Office (PGO). As part of this separation, SAPO is establishing an independent IT infrastructure no longer hosted or supported by the PGO.
With the EUACI support, SAPO has completed a major upgrade of its core IT infrastructure, including structured cabling, network and server environments, and power and cooling systems. However, the newly deployed environment requires the implementation and configuration of corporate solutions for identity and user management (Microsoft Active Directory), email services (Microsoft Exchange), communications (Cisco Unified Communications Manager), network security (Fortinet FortiGate), and related PKI services, followed by end-user migration.
To finalize the establishment of a secure, resilient, and fully operational independent IT infrastructure, SAPO has requested EUACI support. In response, the EUACI seeks to engage an experienced consultant to implement the scope of work described below and achieve its objective.
Objective
The objective of the project is to design, deploy, and commission an integrated, secure, and resilient corporate IT infrastructure for SAPO based on enterprise Microsoft Active Directory, Microsoft Exchange, Microsoft PKI, Cisco Unified Communications Manager, and Fortinet FortiGate solutions.
The project will ensure the modernization of key IT infrastructure services, enhance the level of information security, reliability, and manageability of internal communications, and establish a foundation for the SAPO’s further digital transformation as an independent legal entity.
Scope of work
The project covers the implementation of a scope of works on the design, deployment, configuration, and commissioning of Microsoft AD, Microsoft Exchange, Microsoft PKI, Cisco UCM, as well as the configuration of networking and security functionality of Fortinet FortiGate. The works shall be carried out in stages or in parallel, taking into account information security requirements, service continuity, and the SAPO’s change management regulations.
At the design stage, the target architecture and technical design are developed, including: AD structure (OU/GPO, Sites & Services, replication), PKI topology (CA model, CRL publication, certificate templates, auto-enrolment), Exchange deployment model (high-availability or non-high-availability configuration), Cisco UCM parameters (cluster, SIP trunks, numbering plan and call routing), as well as requirements for network segmentation, access control rules, VPN, and (if required) high availability of Fortinet FortiGate. Additional requirements for server resources/VMs, network interaction, and necessary network ports are also defined.
Following approval of the technical design, deployment and configuration works are performed, including:
- Implementation/upgrade of AD and DNS, configuration of baseline GPO policies; deployment of PKI and issuance of certificates for Exchange, Cisco UCM, and Fortinet FortiGate
- Installation and configuration of Microsoft Exchange (namespace, connectors, mail flow, certificates, required DNS records)
- Deployment of Cisco UCM (cluster, SIP trunks, dial plan, integration with AD via LDAP, certificates)
- Configuration of Fortinet FortiGate, including setup of interfaces/VLANs/zones, routing, access policies, NAT/VIP, VPN (SSL/IPsec), integration with AD for authentication, configuration of security profiles, and logging (including, if required, integration with FortiAnalyzer or SIEM)
- Services for updating software on end-user workstations to ensure information security, stable operation of user systems, and full compatibility with the updated corporate IT infrastructure of SAPO.
The scope of work covers the implementation of all activities required for the achievement of project objective as outlined above.
Deliverables
- Services for implementing Microsoft Active Directory and Microsoft Exchange solutions:
| # | Stage | Deliverables |
| 1. | Survey (AS-IS) | Analysis of the current state of AD/DNS, Exchange, PKI; collection of configurations/parameters; identification of dependencies and risks |
| 2. | Design (HLD/LLD) | Development of target architecture; resource/VM requirements; network port matrix; integration design; HLD/LLD coordination |
| 3. | Platform preparation | Preparation of VMs/servers, OS, updates; NTP/DNS; basic hardening; backup preparation |
| 4. | Microsoft AD DS + DNS | DC deployment/upgrade; Sites & Services; replication; DNS configuration; OU structure; rights delegation; basic GPOs |
| 5. | Microsoft PKI (AD CS) | CA deployment (Root/Issuing as needed); CDP/AIA/CRL configuration; certificate templates; autoenrollment; trust chain verification |
| 6. | Microsoft Exchange | AD preparation for Exchange; installation; configuration of basic parameters; namespace (Autodiscover/OWA); connectors; mail flow; certificate binding; DNS records |
As a result, key components of the IT infrastructure will be upgraded, centralized and secure user and access management will be ensured, and the level of protection of electronic communications and the reliability of official information exchange will be improved.
Expected completion time (working days): 20
- Cisco Unified Communications Manager implementation services:
| # | Stage | Deliverables |
| 1. | Survey (AS-IS) | Analysis of the current state of AD/DNS, Exchange, PKI; collection of configurations/parameters; identification of dependencies and risks |
| 2. | Design (HLD/LLD) | Development of target architecture; resource/VM requirements; network port matrix; integration design; HLD/LLD coordination |
| 3. | Platform preparation | Preparation of VMs/servers, OS, updates; NTP/DNS; basic hardening; backup preparation |
| 4. | Cisco UCM | Cluster deployment (Pub/Sub if resources are available); basic settings; SIP trunks; dial plan; users/lines/devices; LDAP integration with AD; certificates integration with AD; certificates |
The implementation of Cisco Unified Communications Manager will provide a reliable and centralized business voice communications system integrated with the corporate IT infrastructure. The implementation will improve the quality of internal communications, service manageability, and resilience to failures.
Expected completion time (working days): 20
- Services for configuring Fortinet FortiGate network and security functionality:
| # | Stage | Deliverables |
| 1. | Survey (AS-IS) | Analysis of the current state of FortiGate; collection of configurations/parameters; identification of dependencies and risks |
| 2. | Design (HLD/LLD) | Target architecture development; resource/VM requirements; network port matrix; integration design; HLD/LLD coordination |
| 3. | Platform preparation | Preparation of VMs/servers, OS, updates; NTP/DNS; basic hardening; backup preparation |
| 4. | FortiGate basic network | Interfaces/VLAN/zones; routing (static/dynamic as needed); access policies; NAT/VIP; service publication |
| 5. | FortiGate protection and logging | UTM profiles (IPS/AV/Web/DNS/App); SSL inspection (if necessary) with corporate CA; logging, integration with FortiAnalyzer/SIEM (if necessary) |
| 6. | FortiGate HA (if needed) | HA configuration, synchronization, failover tests, fault tolerance testing |
Implementation of this component will provide an increased level of network security, control of access to information resources, and protection from external and internal threats. The implemented solution will increase network stability, monitoring transparency, and scalability readiness.
Expected completion time (working days): 14
- Software update services at end-user workstations:
| # | Stage | Deliverables |
| 1. | Survey (AS-IS) | Inventory of workstations; analysis of Windows OS versions and installed software; identification of obsolete or vulnerable components |
| 2. | Preparation for update | Work planning; coordination of schedules with departments; preparation of backup tools |
| 3 | Data backup | Creating backups of user data (profiles, documents, working files, settings) before performing updates |
| 4. | Windows OS updates | Updating or reinstalling Microsoft Windows to the latest supported version; installing critical updates and security patches |
| 5. | Configuring end-user workstations | Joining the AD domain (if necessary); applying group policies (GPO) |
| 6. | Data recovery and verification | Restoring user data; verifying correct OS operation, access to corporate services (AD, Exchange, PKI, network resources) |
Expected completion time (working days): 30
The expected result: user workstations updated and protected, information security risks reduced, the stability and manageability of the user IT environment improved, and workstations fully integrated with the corporate infrastructure.
Requirements for the service provider
It is envisaged that the assignment will be implemented by a team of experts familiar with the context and experienced with similar assignments.
The contractor can propose a composition of an experts’ team, which, in his opinion, is most appropriate for the assignment.
1. General requirements
- The company must be officially registered in accordance with Ukrainian law.
- At least 3–5 years of experience in providing IT infrastructure implementation and modernization services.
- No grounds for refusal to participate in public procurement (in accordance with Ukrainian law).
2. Experience and competencies
- Proven experience in implementing at least 2–3 projects involving the implementation or modernization of Microsoft Active Directory and Exchange, Microsoft PKI (AD CS), Cisco Unified Communications Manager, Fortinet network solutions, and security tools.
- Experience in implementing complex infrastructure solutions in the public, law enforcement or corporate sector would be an advantage.
- Experience in upgrading Windows OS and migrating user workstations.
3. Staff qualifications:
The team must include certified specialists and as part of the proposal, the bidder must provide the following certificates:
- At least one valid certificate in the Dell Technologies Server track (Dell Technologies SE Server)
- At least one valid Cisco certification at the CCNP level.
- At least one valid certification at the level of Fortinet Certified Fundamentals in Cybersecurity.
- At least one valid VMware Certified Professional (VCP) certification.
- At least one valid Microsoft certification (Active Directory / Windows Server / Exchange);
The team shall have experience in developing documentation and implementing solutions that take into account information security requirements.
4. Organizational requirements
- Availability of a project manager responsible for coordinating the work.
- Ensuring phased implementation of work with minimal impact on the continuity of the SAPO’s activities.
- Provision of a technical documentation based on the results of the work performed.
- Conducting basic training for the SAPO’s IT staff (if necessary).
Budget, timeframe, and location
The maximum budget for the assignment all included may not exceed EUR 15,500. The Tenderer’s financial proposal shall include all costs for a fee and project-related reimbursable expenses.
The assignment will start following a notification issued by the contracting authority, but not earlier than the date of signing the contract between the EUACI and the Consultant. The tentative start date is 25 March 2026. All activities envisaged under this contract shall be completed with a total duration of up to 3 months. The project activities are expected to take place at SAPO’s premises in Kyiv.
The consultant may request an advance payment of up to 30% of the total cost upon contract signing. The remaining 70% will be paid after the consultancy services are delivered in accordance with the requirements outlined in the Scope of Work and Deliverables of this ToR.
All payments are subject to verification of deliverable completion and approval by both SAPO and the EUACI.
Reporting and management
The performance of the Contractor will be judged upon reaching the purpose of this contract as well as obtaining its results, as indicated in the section Objective and Deliverables herein respectively. Moreover, the performance of the Contractor will be judged upon the successful implementation of all the specific activities indicated in section Scope of work of this document.
By signing the contract, the Consultant agrees to hold in trust and confidence any information or documents disclosed to the Consultant or discovered by the Consultant or prepared by the Consultant in the course of or as a result of the implementation of the contract, and agrees that it shall be used only for the contract implementation and shall not be disclosed to any third party. The Consultant also agrees not to retain copies of any written information or prototypes in its archive and for its use.
In the period until acceptance, the EUACI, Contractor, and Beneficiary will hold regular project group meetings to exchange information and seek to clarify any questions of whatsoever nature. The purpose of the project group meetings is to ensure follow-up on any activities between the meetings, and to maintain a common overview of the current stage of the project at a detailed level, based on the applicable detailed schedule, and to ensure the day-to-day progress.
How to apply
The deadline for submitting the proposals is 23 March 2026, 17.00 Kyiv time. All interested companies should submit:
- Filled and signed Appendix 1 (portfolio of relevant projects, technical approach, CV of key staff, confirm readiness to provide service as described in
Appendix 1) - Financial offer
The proposal shall include the aforementioned information and should be submitted within the above deadline to [email protected] CC to [email protected] indicating the subject line: SAPO Enterprise Services.
You will receive an auto-reply from the [email protected] mailbox when the offer has been received. If you do not receive an auto-reply, your offer was not received and you should contact the EUACI by phone.
Bidding language: English.
Any clarification questions regarding the bid request should be addressed to [email protected], not later than 13 March 2026 17.00 Kyiv time.
Evaluation criteria
Bids will be evaluated in accordance with the criteria provided below:
| # | Criteria | Weight |
| 1 | Portfolio of projects | 30% |
| 2 | Expert’s relevant experience, skills and competencies | 40% |
| 3 | Technical approach and workplan | 10% |
| 4 | Financial Offer | 20% |
The evaluation methodology is described in Appendix 2.