← Retour à l'accueil 🏛️ Appel d'offres officiel

📄 RESUME LONG EN

🏥 CAIH TENDER - COMPLETE & DETAILED SUMMARY

Innovation Partnership "Open Source Alternative"

Tender Reference: E26-01 | Negotiated Procedure

Document References: [PF] = Functional Program v20251222 | [CCAP] = Administrative Specifications v1.0 | [RC] = Consultation Regulations v20260130 | [Annex 1 RC] = Application Response Template

🎯 CONTEXT & STRATEGIC CHALLENGES [RC, Preamble]

Current Situation of Healthcare Institutions

Healthcare and medico-social institutions affiliated with CAIH currently primarily use integrated proprietary software environments and services, depending on dominant international vendors.

Identified Problems

Problem Impact
💸 Operating costs Annual global cost has become unsustainable
🔗 Structural dependency Uncontrolled foreign technologies
🔒 Technology lock-in Loss of data sovereignty
Poor interoperability National/European open source initiatives not integrated

Sought Solution [RC, Art. 1.2]

Design, experiment, qualify and industrialize a sovereign open source software suite covering:

Innovative and Differentiating Aspects [RC, Art. 2.1]

The ALTERNATIVE model stands out through:

  1. Single point of contact for support and maintenance
  2. "Open Source in Healthcare" standard enabling business software vendors to migrate from monopolistic technologies to cost-controlled Open Source solutions
  3. Data protection against extraterritorial foreign laws

⏰ CRITICAL INFORMATION

General Information [PF, Articles 1-2 & CCAP, Article 3]

Element Detail
Contracting Authority CAIH (Central Purchasing Body for Hospital IT)
Contract Type Innovation Partnership, Composite Framework Agreement
Procedure Negotiated procedure (articles L2124-3, R2124-3-4°, R2161-12 CCP)
Maximum Amount €250M excl. VAT (all phases included)
No Lots Single contract, no lots (joint contracting allowed)
APPLICATION DEADLINE February 19, 2026 at 12:30 PM (CET)
R&D Duration 12 months max cumulative (3 sequences)
Acquisition Duration 5 years firm + 2 renewals (1-2 years each)
Estimated Total Duration 7-9 years

CPV Codes [RC, Art. 1.2]

Code Label
72262000-9 Software development services
72415000-2 Website hosting services
72000000-5 IT services: consulting, software development

Main Strategic Objective [PF, Article 2]

Migrate 100,000+ workstations (250,000+ users) to Open Source by 2030

Provisional Timeline [RC, Article 2.4]

Stage Date
Application submission February 19, 2026, 12:30 PM
Selection of 3 candidates March 10, 2026
Request for initial tenders Mid-March 2026
Initial tender deadline Mid-April 2026

Candidate Premium [RC, Article 3.1.7]

Beneficiaries [CCAP, Article 2.2]

13 Member Institutions of the Consortium [CCAP, Annex 1]

No. Institution SIRET
1 CHU d'Angers 26490003600015
2 Union Sanitaire et Sociale pour l'Accompagnement et la Prévention 32086181800237
3 Hospices Civils de Lyon 26690027300019
4 CHU de Reims 26510005700487
5 Assistance Publique – Hôpitaux de Paris 26750045201928
6 CHU de Brest 20002305900013
7 Assistance Publique – Hôpitaux de Marseille 26130008100484
8 CHU de Nîmes 26300003600032
9 Groupe Hospitalier La Rochelle – Ré – Aunis 20004783500018
10 Groupe Hospitalier Rance Émeraude 26350005000012
11 CHI Redon – Carentoir 26350012600010
12 CHD Vendée 26850242400016
13 CAIH 80076579400022

Places of Execution [CCAP, Article 3.1]

🔒 SECTION 1: SOVEREIGNTY & DATA

Health Data - High Risk [PF, Preamble]

Nature of Data [PF, Preamble - Nature of data]

Legal Definition (Article 4, §15 GDPR): "All information relating to the physical or mental health status of a natural person, including information related to prevention, diagnosis, care or medico-administrative follow-up"

Classification & Processing [PF, Preamble - Nature of data]

Risk Level [PF, Preamble - Risk level]

Non-Negotiable Sovereignty Requirements [PF, Preliminary Article & PF, Preamble]

HDS Certification - MANDATORY [PF, Preamble - HDS Justification]

Health Data Hosting (Article L.1111-8 Public Health Code)

Exclusive European Union Location [PF, Preliminary Article - Minimum sovereignty requirements]

Capital Ownership Criteria [PF, Preliminary Article - Capital ownership criteria]

Hosting provider:

Critical subcontractors: Same criteria if accessing sensitive data

Continuous Operating Autonomy [PF, Preliminary Article - Sovereign hosting definition]

Applied principles:

Regulatory Compliance [PF, Article 4.1]

Multidimensional Framework

  1. GDPR - EU General Data Protection Regulation
  2. HDS - Health Data Hosting (French Law)
  3. NIS2 - Network & Information Security Directive
  4. PGSSI-S - Health IS General Security Policy (ANS)
  5. AI Act - EU Artificial Intelligence Regulation
  6. Data Act - Data Access and Portability

Security by Design Principles [PF, Article 4.2]

Integration from design phase:

Quantum Computing Risk Anticipation [PF, Article 4.3]

💻 SECTION 2: THE 5 TECHNOLOGY BUILDING BLOCKS

Global Architectural Principles [PF, Article 3 & Preliminary Article]

Block 1: Collaborative Workspace (Modern Workspace) [PF, Article 3.1]

Office Suite

Email & Calendar [PF, Article 3.1]

Electronic Document Management (EDM) [PF, Article 3.1]

Video Conferencing & Unified Communications [PF, Article 3.1]

Microsoft Word Workaround [PF, Article 3.1]

Solution to bypass local Microsoft Word usage by business software (e.g.: winword.exe for DPI report editing)

Deployment Mode [PF, Article 3.1]

Block 2: Identity Management (ID CAIH) [PF, Article 3.2]

Centralized Directory

Federated Strong Authentication

Protocols:

Implementations: OIDC (OpenID Connect), OAuth 2.0, SAML

Identity Provisioning

Healthcare Professional Interoperability - MANDATORY [PF, Article 3.2]

Deployment Mode [PF, Article 3.2]

Block 3: Hybrid Infrastructure & Virtualization [PF, Article 3.3]

Open Source Hypervisors [PF, Article 3.3]

Accepted open technologies:

Open Source Databases [PF, Article 3.3]

Relational and object:

Orchestration & Automation

Interoperability & Migration [PF, Article 3.3]

Block 4: Fleet & Workstation Management [PF, Article 3.4]

Hospital Linux Distribution

Mobile Device Management (MDM)

Automated Remote Deployment

Monitoring & Inventory

Block 5: Artificial Intelligence [PF, Article 3.5]

"The contractor will propose an open source conversational AI service (LLM) operating in a sovereign and controlled environment, guaranteeing data confidentiality and control over models used. It is complemented by speech recognition functionality with, if possible, a medical extension. The objective is to retain the Open Source distribution and technical components. Their customizations will initially be limited to integration with other blocks."

In summary: Sovereign open source LLM + speech recognition (optional medical). Complementary block to the other 4, with limited customizations.

🔧 SECTION 3: SERVICES & DELIVERABLES

RUN Services (24/7 Daily Operations) [PF, Article 6 - S3C Operations services]

24/7 Monitoring

Security Updates [PF, Article 6 - S3C Operations services]

Functional Updates [PF, Article 6 - S3C Operations services]

Incident Management [PF, Article 6 - S3C Operations services]

Capacity Planning [PF, Article 6 - S3C Operations services]

MCO Services (Operational Maintenance) [PF, Article 6 - S3D MCO services]

Application Patches

Periodic Updates

Vulnerability Tracking

Monthly CAIH Reporting [PF, Article 6 - S3D MCO services]

Annual Roadmap [PF, Article 6 - S3D MCO services]

Support Services [PF, Article 6 - S3E Support services]

N2 Support (Institutions)

N3 Support (Integrators/AMOE)

Intervention Schedule [PF, Article 6 - S3E Support services]

Portal & Knowledge Base [PF, Article 6 - S3E Support services]

Team Location [CCAP, Article 6.10.2]

Managed Security Services [PF, Article 6 - S3B Security services]

Identity & Access

Certified Logging

SIEM (Security Information Event Management)

SOC (Security Operations Center)

Perimeter Protection

Vulnerability Management

Penetration Testing

Incident Response

Availability & Continuity [PF, Article 6 - Availability, continuity, reversibility]

Target SLA

Recovery & Business Continuity

Full Reversibility [PF, Article 6 - Availability, continuity, reversibility]

Export capabilities:

To be defined in contract: Format, duration, costs, procedures

Alternative Operator Portability

LTS Versions (Long Term Support) [PF, Article 8]

📦 SECTION 4: DELIVERABLES BY PHASE

R&D Phase - Sequence 1 (Design & Development) [PF, Article 6.1 - Sequence 1]

S1 Deliverables:

R&D Phase - Sequence 2 (Prototyping & Experimentation) [PF, Article 6.1 - Sequence 2]

Planned Hackathons:

  1. "Uses" Hackathon and functional POCs
  2. "Technologies" Hackathon and technical POCs
  3. "Financial modeling and pilot generalization plan" Hackathon

S2 Deliverables:

R&D Phase - Sequence 3 (Pre-Industrialization) [PF, Article 6.1 - Sequence 3]

Work Streams:

  1. Technical integration & industrialization
  2. Operational transfer & AMOA/AMOE kits
  3. Mutualized MCO & Support service

S3 Deliverables - Services:

S3 Deliverables - Technical:

Acquisition Phase (5 years + 2 renewals 1-2 years) [PF, Article 6.2]

Operational Deliverables:

📚 SECTION 5: SUPPORT & RESOURCES

Consulting Services [PF, Article 5 & Article 7]

AMOA (Project Owner Assistance) [PF, Article 5]

Role: Representative of user institutions Responsibilities:

AMOE (Project Manager Assistance) [PF, Article 5]

Role: Technical execution expertise Responsibilities:

IS Audits [PF, Article 5]

Domains:

Security & Compliance Audit [PF, Article 5]

Change Management [PF, Article 5]

Organizational Transition Guides

Contents:

Elements:

Business Impact Analysis

Identification:

Internal Communication

Templates:

Timing: Before, during, after migration

DSI/RSSI Coaching

Topics:

Business Software Vendor Support Program [CCAP, Article 6.10.6]

The Contractor implements a structured support program for business software vendors to facilitate migration to open, interoperable, secure and sustainable platforms:

  1. Technical and functional sessions (workshops, webinars, training)
  2. Complete documentation (migration guides, interoperability references)
  3. SDK, APIs and code examples facilitating integration
  4. Participation in "Open Source Vendors UNIHA-CAIH" group

Complete Training [PF, Article 5]

IT Training Kits [PF, Article 5 - L5.1]

Objective: Train and support change for institution IT teams Deliverables: IT training kits

User Training Kits [PF, Article 5 - L5.2]

Objective: Train end users on functional blocks Deliverables: User training kits

Key Profiles to Recruit [PF, Article 7 - Intellectual services]

Category A - Sovereign Infrastructure & Hosting

Category B - Identity (ID CAIH / IAM)

Category C - Modern Workspace

Category D - Virtualization / Cloud

Category E - Interoperability / Migration / Deployment

Category F - Cybersecurity / SOC

📝 SECTION 6: APPLICATION & SELECTION

Candidate Selection Criteria [RC, Article 6.1.3]

Criterion Weighting Evaluated Elements
C1 - Financial capacity 10% Total revenue + Open Source revenue (last 3 fiscal years)
C2 - Technical capacity 20% Workforce, management, profiles (dev, integration, N2/N3 support, agile)
C3 - Professional capacity 70% Open Source references, R&D, innovative solutions, contributions to third-party OS projects

Maximum 3 candidates will be selected for tender phase (if sufficient number)

Tender Evaluation Criteria [RC, Article 6.3]

Criterion Weighting Description
Financial criterion 30% Total tender price
T1 - Coherence, adequacy, robustness 15% Architecture, OS choices, security, sovereignty, interoperability, continuity
T2 - Operational methodology 15% R&D and acquisition phases, deliverables, milestones, acceptance, risk management
T3 - OS development cycle mastery 15% Contribution governance, versions, CI/CD, security by design, sustainability
T4 - Generalization and funding 10% CAIH member adoption, public funding support, general interest
T5 - Support, MCO, operations 10% Support organization, monitoring, business continuity, OS block maintenance
T6 - CSR approach 5% Digital sobriety, OS ecosystem contribution, social/territorial impact

Application Requirements [Annex 1 RC - Response Template]

Significant References (Maximum 4)

Information Required per Reference

Criterion Description
Deployment date Deployment date
Client Company Name and address
Business sector Domain and products handled
Project nature Scope and perimeter
Regulatory requirements Standards implemented
Project manager CV, dedicated time, tools used
Schedule Study → Development → Implementation → Production
Cost "Turnkey" solution
Maintenance Contract type, internalization level, reliability
Client contact Name, function, phone, email

Blocks Concerned (to specify per reference)

Workforce and Open Source Contributions [Annex 1 RC]

To provide for the last 3 years (2023, 2024, 2025):

Company Total Workforce OS Developers R&D Staff OS Community Contributions
Lead
Member 2
...

Community contributions: Detail publications to Open Source projects (commits, PRs, documentation, etc.)

Technical and Organizational Equipment

Description of resources to ensure:

  1. Service quality
  2. Available study resources
  3. Company research resources

📄 SECTION 6bis: INITIAL TENDER DELIVERABLES [RC, Annex 2]

This section details the deliverables expected during Stage 2 - Initial Tender (after selection of 3 candidates)

Mandatory Technical Response Framework [RC, Annex 1]

The technical memo must imperatively follow this structure:

Chapter Title RC Criterion
1 Solution coherence, adequacy and robustness T1 (15%)
2 Innovation partnership operational methodology T2 (15%)
3 Open Source development cycle mastery T3 (15%)
4 Generalization, promotion and public funding T4 (10%)
5 Support, MCO and operations in hospital environment T5 (10%)
6 CSR approach applied to the project T6 (5%)

Initial Tender Deliverables List [RC, Annex 3]

Technical Deliverables

Ref Deliverable Content
L3 General technical memo Understanding of challenges, OS strategic vision, objectives alignment
L4 Target Open Source architecture Functional/technical architecture, OS blocks, hospital SI interoperability
L5 Sovereign hosting note Hosting model, EU location, HDS compliance, SecNumCloud guarantees
L6 BCP/DRP note Business continuity, failure scenarios, technology diversification, RTO/RPO

Security & Compliance Deliverables

Ref Deliverable Content
L7 Security Assurance Plan (PAS) Security governance, risk analysis, protection measures, GDPR/HDS/NIS2 alignment
L8 Regulatory compliance note GDPR, HDS compliance, healthcare institution security requirements
L9 Post-quantum cryptographic strategy PQC challenges, orientations, migration trajectory, ANSSI/NIST alignment

Methodological Deliverables

Ref Deliverable Content
L10 R&D phase conduct methodology Sequence breakdown, deliverables per sequence, validation indicators
L11 Project organization & governance Candidate/grouping organization, roles, PI governance
L12 Support, training, reversibility plan OS acculturation, hospital IT training, skill transfer

Economic Deliverables

Ref Deliverable Content
L13 Partnership economic model Economic hypotheses, sustainability, generalization trajectory
L14 TCO projection and comparison Total cost of ownership, proprietary solutions comparison, optimization levers

Annexes

Ref Deliverable Content
L15 Technical references Comparable OS projects, at-scale deployments, critical/sovereign environments
L16 Certificates and attestations HDS certification (mandatory), SecNumCloud 3.2 (if held), professional insurance

💰 SECTION 7: FINANCIAL CONDITIONS

Price Structure [CCAP, Article 9]

R&D Phase

Acquisition Phase

Price Revision Formulas [CCAP, Article 9.2]

NTIC Services (Daily Rate)

Index: SYNTEC

Pn = P0 × (0.20 + 0.80 × Sn/S0)

HDS Hosting

Indices: SYNTEC + INSEE (electricity + services)

Pn = P0 × (0.20 + 0.40 × Sn/S0 + 0.20 × En/E0 + 0.20 × In/I0)

Safeguard Clause [CCAP, Article 9.3]

Increase > 5% compared to last applicable price → Termination possible without indemnity

Payment Terms [CCAP, Article 10]

⚠️ SECTION 8: PENALTIES [CCAP, Article 11]

R&D Phase Penalties

Acquisition Phase Penalties

Support SLA Penalties

Service Unavailability Penalties

Monthly Availability Penalty
< 99.5% -2% monthly fee
< 99% -5% monthly fee
< 98% -10% monthly fee
< 96% -20% monthly fee

Security Penalties

🔎 SECTION 9: GRANT RESEARCH [CCAP, Article 6.11]

The Contractor contributes to grant and co-financing research from:

Deliverables: Active monitoring + financing plan updated at each phase

🏛️ SECTION 10: GOVERNANCE & MANAGEMENT [CCAP, Article 6.10.4]

Quarterly Agile Management

Partnership monitoring is organized in quarterly sprints (3 months), following agile methodology principles.

Each Sprint includes:

Indicators by Domain [CCAP, Article 6.10.4]

Domain Indicator Type Examples
Technical Performance, interoperability, availability Test success rate, compatibility, uptime %
Security GDPR/HDS/NIS2 compliance, vulnerabilities Nb non-compliances, correction delay, audits
Functional Usage, ergonomics, adoption Active user rate, satisfaction (rating /5)
Economic Costs / savings / TCO Avoided cost ratio vs target, OSS share
R&D / Innovation New features, modularity Nb OS contributions, patents, modules
Funding Grants and co-financing Amount mobilized, R&D coverage rate

Capitalization & Feedback [CCAP, Article 6.10.5]

Central REX Registry

Capitalization Deliverables

Key Governance Deadlines

Event Deadline
Deliverable acceptance 30 days after delivery (CCAP Art. 6.9.1)
Formal notice If no decision within 30 days
Tacit acceptance 30 additional days after formal notice
Data breach notification 24h maximum (CCAP Annex 3)
Joint contractor replacement 30 days to propose alternative (CCAP Art. 12.4)

GDPR Contact

Negotiation Procedure [RC, Art. 6.3]

Confidentiality [RC, Art. 8.3]

Competent Court [RC, Art. 8.4]

🎯 SECTION 11: RESPONSE STRUCTURE

Joint Contracting Allowed [RC, Art. 3.3 & CCAP, Art. 3.2]

Multiple Application Rules [RC, Art. 3.3]

Composition Modification During Consultation [RC, Art. 3.3]

Allowed in the following cases:

JOINT CONTRACTING GROUPING (ONE APPLICATION)
│
├─ LEAD (Administrative leader)
│  └─ Experienced open source integrator
│
├─ + JOINT CONTRACTOR 1: Infrastructure/Hosting
│  └─ HDS/SecNumCloud certified
│
├─ + JOINT CONTRACTOR 2: Software Development
│  └─ OSS block experts (Workspace, ID, Infra)
│
├─ + JOINT CONTRACTOR 3: Support
│  └─ Hospital change management
│
└─ + JOINT CONTRACTOR 4: Support
   └─ N2/N3 Support

ECONOMIC OPERATOR GROUPING

Contractor Commercial Neutrality [CCAP, Article 6.10.7.1.D]

In all promotional actions, the Contractor:

Actions are conducted under CAIH management, which validates messages, materials, commitments and formats.

📌 CRITICAL POINTS TO REMEMBER

Criterion Requirement Source
HDS Mandatory (non-negotiable) [PF, Preamble]
Location European Union exclusively [PF, Preliminary Article]
Non-EU Capital Max 24% individual, 39% collective [PF, Preliminary Article]
Open Source 100% minimum (Microsoft interop tolerance) [PF, Preliminary Article]
SLA 99.8% monthly [PF, Article 6]
DRP < 4 hours [PF, Article 6]
N2 Support ≤ 4 business hours [PF, Article 6]
N3 Support ≤ 8 business hours [PF, Article 6]
Teams EU + French-speaking mandatory [CCAP, Article 6.10.2]
LTS 36 months minimum [PF, Article 8]
Source code Delivered to CAIH + open licenses [CCAP, Article 6.13]
R&D duration 12 months max cumulative [CCAP, Article 3.5]
R&D modification Max +15% by amendment [CCAP, Article 12.5]
References Max 4, A4 front-back, last 4 years [Annex 1 RC]
Payment deadline 50 days [CCAP, Article 10.3]
Acceptance deadline 30 days [CCAP, Article 6.9.1]
Joint contractor replacement 30 days [CCAP, Article 12.4]
Breach notification 24h [CCAP, Annex 3]
APPLICATION DEADLINE February 19, 2026, 12:30 PM [RC]

🚀 NEXT STEPS

Submission Platform [RC, Art. 5.1 & Art. 7]

🌐 PLACE: https://www.marches-publics.gouv.fr

Element Detail
Submission mode Exclusively via PLACE buyer profile
Communication Electronic mandatory
Registration Recommended for automatic DCE modification tracking
File format Short names (< 30 characters), naming: 26_01_DC_[type]_[SupplierName]
Backup copy Possible (paper/physical or electronic) with "Backup copy" mention

Application Phase (Absolute Priority)

  1. ✅ Understand the 5 functional blocks [PF, Article 3]
  2. ⏳ Prepare max 4 references (1 A4 page front-back each)
  3. ⏳ Cover blocks: Workspace, ID CAIH, Infrastructure, Fleet & Workstations
  4. ⏳ Prepare workforce & OS contributions table (2023-2025)
  5. ⏳ Verify internal capabilities on 5 blocks
  6. ⏳ Identify joint contracting partners (HDS mandatory)
  7. ⏳ Validate sovereignty compliance (HDS, EU capital, EU location)
  8. ⏳ Prepare grouping agreement
  9. ⏳ Prepare sworn statement (articles L.2141-1 to L.2141-11 CCP)
  10. ⏳ Attach HDS certification + SecNumCloud 3.2 (optional)
  11. SUBMIT ON PLACE BEFORE February 19, 2026, 12:30 PM

Tender Phase (if selected among 3 candidates - ~March 10, 2026)

  1. ⏳ Receive invitation to tender
  2. ⏳ Prepare deliverables L3 to L16 (see Section 6bis)
  3. ⏳ Draft technical memo (6 mandatory chapters)
  4. ⏳ Participate in negotiations (2-3 phases)
  5. ⏳ Submit final tender

R&D Phase (if successful)

  1. ⏳ Develop 5-block prototypes
  2. ⏳ POCs & pilots in 13 institutions
  3. ⏳ Industrialization & pre-production
  4. ⏳ Complete MCO/Support service catalog

Complete document created: January 15, 2026
Major update: February 3, 2026 (Full enrichment with RC v20260130 - tender deliverables, negotiation, groupings)
Structure: Consistent with RESUME_SHORT_EN.md
Sources: Functional Program v20251222, CCAP v1.0, RC v20260130, Annex 1 RC, Institutions List

Legend: