π Executive Summary - CAIH Tender
Innovation Partnership "Open Source Alternative"
Tender Reference: E26-01 | Negotiated Procedure
π― CONTEXT & CHALLENGES [RC, Preamble]
Healthcare institutions currently depend on proprietary environments that generate:
- πΈ Unsustainable costs in annual operations
- π Structural dependency on uncontrolled foreign technologies
- π Technology lock-in and loss of data sovereignty
- β‘ Poor interoperability with national/European open source initiatives
Sought Solution: Sovereign open source software suite covering workplace environment, digital identity, virtualization and hospital infrastructure.
| Element |
Detail |
| Contracting Authority |
CAIH (Central Purchasing Body for Hospital IT) |
| Contract Type |
Innovation Partnership, Composite Framework Agreement |
| Procedure |
Negotiated procedure (L2124-3, R2124-3-4Β°, R2161-12 CCP) |
| Maximum Amount |
β¬250M excl. VAT (all phases included) |
| APPLICATION DEADLINE |
February 19, 2026 at 12:30 PM (CET) |
| R&D Duration |
12 months max cumulative (3 sequences) |
| Acquisition Duration |
5 years firm + 2 renewals (1-2 years each) |
| Total Duration |
7-9 years |
| No Lots |
Single contract (joint contracting allowed) |
| Consortium |
13 healthcare institutions + CAIH |
| CPV Codes |
72262000-9 (software dev), 72415000-2 (hosting), 72000000-5 (IT services) |
Strategic Objective
Migrate 100,000+ workstations (250,000+ users) to Open Source by 2030
Differentiating Aspects of ALTERNATIVE Model [RC, Art. 2.1]
- π« Single point of contact for support and maintenance
- π "Open Source in Healthcare" standard enabling business software vendors to migrate from monopolistic technologies
- π‘οΈ Data protection against extraterritorial foreign laws
Provisional Timeline [RC]
| Stage |
Date |
| Application submission |
February 19, 2026, 12:30 PM |
| Selection of 3 candidates |
March 10, 2026 |
| Request for initial tenders |
Mid-March 2026 |
| Initial tender deadline |
Mid-April 2026 |
Candidate Premium [RC Art. 3.1.7]
- β¬20,000 incl. VAT for candidates who participated in all phases and submitted an acceptable final tender
- Deducted from first payments for the successful tenderer
π SECTION 1: SOVEREIGNTY & DATA
Health Data - High Risk
- Type: Special categories (Article 9 GDPR)
- Definition: Information relating to physical or mental health status (Article 4 Β§15 GDPR)
- Protection: Enhanced protection mandatory
- Stakes: HIGH risk for rights/freedoms
Non-Negotiable Sovereignty Requirements
- β
HDS Mandatory: Health Data Hosting certification (Article L.1111-8 CSP)
- β
EU Location: Datacenter exclusively in European Union
- β
EU Administration: 100% from EU Member State
- β
No transfer outside EU: Prohibited
- β
Non-EU Capital: Max 24% individual, Max 39% collective
- β
No non-EU veto rights
- β
SecNumCloud 3.2: Recommended (not mandatory)
Regulatory Compliance
- β
GDPR: Personal/health data management
- β
HDS: Secure hosting
- β
NIS2: Network security directive
- β
PGSSI-S: Health IS security policy (ANS)
- β
AI Act: AI regulation
- β
Data Act: Data portability
- β
Post-quantum: Cryptographic migration plan (PQC)
π» SECTION 2: THE 5 TECHNOLOGY BUILDING BLOCKS
Block 1: Collaborative Workspace (Modern Workspace)
- Office: LibreOffice (Writer, Calc, Impress) + OnlyOffice
- Email: BlueMind
- ECM: Nextcloud
- Video: Jitsi
- Chat: Mattermost
- Co-editing: WOPI (Web Open Platform Interface)
- Mode: On-Premise mandatory, SaaS optional
Block 2: Identity Management (ID CAIH)
- Directory: Centralized open source LDAP
- Auth: SSO, MFA, IAM (OIDC, OAuth2, SAML)
- Provisioning: SCIM (auto-sync)
- Healthcare: Pro SantΓ© Connect, CPS, e-CPS MANDATORY
- Mode: On-Premise mandatory
Block 3: Hybrid Infrastructure & Virtualization
- Hypervisors: Proxmox, oVirt, KVM, Xen, OpenStack
- DB: PostgreSQL, MariaDB, MySQL, CouchDB
- Orchestration: Kubernetes, containers
- Automation: Terraform, Ansible, GLPI
- Monitoring: OpenObserve, ELK, Prometheus, Grafana
Block 4: Fleet & Workstation Management
- OS: Secure Linux distribution adapted for hospital context
- MDM: Fleet management, remote deployment
- Monitoring: Metrics, inventory
- Ergonomics: Similar to current environments
Block 5: Artificial Intelligence
- LLM: Sovereign open source (integration with existing blocks)
- Speech recognition: Medical extension if possible
- Customizations: Initially limited to integration
π§ SECTION 3: SERVICES & DELIVERABLES
RUN Services (24/7 Operations)
- Monitoring: 24/7 real-time, metrics, logs, traces
- Security updates: Monthly publication
- Functional updates: Quarterly publication
- Incidents: Centralized recording + escalation
- Capacity planning: Saturation prevention
MCO Services (Operational Maintenance)
- Patches: Continuous (bugs, functional)
- Updates: Quarterly tested + release notes
- Vulnerabilities: Continuous automated tracking (CVE)
- Reporting: Monthly to CAIH (incidents, availability, vulnerabilities)
- Roadmap: Annual validated by CAIH
Support Services
- N2 Support (Institutions): SLA β€ 4 business hours
- N3 Support (Integrators/AMOE): SLA β€ 8 business hours
- Initial schedule: 5d/7 8am-midnight
- Evolving schedule: 24/7 optional (steering committee decision)
- Portal: Tickets & knowledge base
- Teams: EU-based, French-speaking mandatory
Security Services
- Identity & Access: MFA, SSO, hardening
- Logging: Certified (timestamped, tamper-proof, forensic)
- SIEM: Security event federation
- SOC: Optional 24/7
- Protection: IDS, IPS, Anti-DDoS, WAF
- Vulnerabilities: Continuous scanning + pen-testing
- Incidents: Documented plan, 24/7 escalation
Availability & Continuity
- SLA: β₯ 99.8% monthly
- DRP: < 4 hours
- BCP: High availability multi-zone
- Reversibility: Export VM, DB, files, logs, configs
- LTS: Minimum 36 months support per version
π¦ SECTION 4: DELIVERABLES BY PHASE
R&D Phase - Sequence 1 (Design & Development)
- Target architecture for 5 blocks
- Customized distributions
- Initial Security Assurance Plan (PAS)
- Migration & training kits
- Initial ISO/OVA
R&D Phase - Sequence 2 (Prototyping & Experimentation)
- Consolidated technical prototypes
- Performance reports
- POC/pilot feedback
- TCO/ROI financial model
- Synthesis file S2L1-S2L5
- Hackathons (Uses, Technologies, Financial modeling)
R&D Phase - Sequence 3 (Pre-Industrialization)
- S3A Services: Hosting & infrastructure
- S3B Services: Managed security
- S3C Services: Operations (RUN)
- S3D Services: MCO
- S3E Services: Support
- S3F Services: Support services
- AMOA/AMOE Kits
- GDPR/HDS/NIS2 Audit
Acquisition Phase (5 years + renewals)
- Acquisition/operation contract
- Complete service catalog
- Hosted environments
- SI integration guides
- Monthly reports
π SECTION 5: APPLICATION
Candidate Selection Criteria [RC Art. 6.1.3]
| Criterion |
Weighting |
| C1 - Financial capacity (Total revenue + OS revenue) |
10% |
| C2 - Technical capacity (staff, management, profiles) |
20% |
| C3 - Professional capacity (references, OS contributions) |
70% |
Maximum 3 candidates will be selected for the tender phase
Tender Evaluation Criteria [RC Art. 6.3]
| Criterion |
Weighting |
| Financial criterion |
30% |
| Solution coherence, adequacy, robustness |
15% |
| Operational methodology (R&D + acquisition) |
15% |
| Open Source development cycle mastery |
15% |
| Generalization, promotion, public funding |
10% |
| Support, MCO, operations |
10% |
| CSR approach |
5% |
Required References (Annex 1 RC)
- Number: Maximum 4 references
- Format: 1 A4 page front and back per reference
- Period: Initiated or deployed within the last 4 years
- Blocks to cover: Workspace, ID CAIH, Infrastructure, Fleet & Workstations
- Deployment date
- Client company (name, address)
- Business sector
- Project nature and scope
- Regulatory requirements implemented
- Project manager (CV, dedicated time)
- Schedule and cost
- Client contact
Workforce & Open Source Contributions
- To provide for the last 3 years (2023, 2024, 2025)
- Total workforce
- Open Source developers
- R&D staff (contract subject)
- OS community contributions (commits, PRs, documentation)
π° SECTION 6: FINANCIAL CONDITIONS
Price Structure
| Phase |
Type |
Revision |
| R&D |
Fixed lump-sum prices |
Non-revisable |
| Acquisition |
Revisable unit prices |
Annual (SYNTEC) |
Payment Terms
- Deadline: 50 days from invoice receipt
- Advance: 5% of phase amount
- Guarantee retention: 5% deducted from each installment
- Invoicing: CHORUS PRO mandatory
Safeguard Clause
- Increase > 5% β Termination possible without indemnity
R&D Modification
- Maximum: +15% of R&D lump-sum prices (by justified amendment)
β οΈ SECTION 7: PENALTIES
R&D Phase
- Sequence delay: 0.3% excl. VAT of sequence per business day
- Deliverable non-compliance: 1% excl. VAT of sequence per week
- Cap: 20% of total R&D amount
Acquisition Phase
- Service delay: 1% excl. VAT per business week
- Rejection/Non-acceptance: 2% excl. VAT of service
- Cap: 20% of maximum framework agreement amount
Support & SLA
- Acknowledgment exceeded: β¬50 / ticket
- Response exceeded: β¬150 (sev.1), β¬75 (sev.2), β¬30 (sev.3)
- Resolution exceeded: β¬300/h (sev.1), β¬150/h (sev.2), β¬50/h (sev.3)
Service Unavailability
| Monthly Availability |
Penalty |
| < 99.5% |
-2% monthly fee |
| < 99% |
-5% monthly fee |
| < 98% |
-10% monthly fee |
| < 96% |
-20% monthly fee |
π― SECTION 8: RESPONSE STRUCTURE
Joint Contracting Allowed [RC, Art. 3.3 & CCAP, Art. 3.2]
- β
Economic operator grouping possible
- β
Single lead contractor + joint contractors (lead jointly liable for joint grouping)
- β
Each member complies with sovereignty criteria
- β
Joint contractor replacement: 30-day deadline to propose alternative
- β
Multiple applications allowed: individual AND member of grouping(s)
- β
Composition modification possible during consultation (restructuring, required replacement, etc.)
Recommended Architecture
Lead Contractor (Leader)
ββ Open source integrator
ββ + Joint Contractor 1: Infrastructure/Hosting (HDS)
ββ + Joint Contractor 2: Development (OSS blocks)
ββ + Joint Contractor 3: Support (Change management)
ββ + Joint Contractor 4: Support (N2/N3)
Commercial Neutrality
The contractor commits to:
- Respect commercial neutrality principle
- Exercise no pressure on institutions
- Promote free competition among service providers
- Not claim exclusivity on associated services
ποΈ SECTION 9: GOVERNANCE
Quarterly Agile Management
- Sprints: Quarterly (3 months)
- Sprint review: Technical committee (CAIH + pilots + industrials + vendors)
- Indicators: Performance, security, usage, TCO, compliance, OS contributions
- REX Registry: Centralized feedback
Key Deadlines
- Deliverable acceptance: 30 days after delivery (otherwise formal notice)
- Data breach notification: 24 hours maximum
π CRITICAL POINTS TO REMEMBER
| Criterion |
Requirement |
| HDS |
Mandatory (non-negotiable) |
| Location |
European Union exclusively |
| Non-EU Capital |
Max 24% individual, 39% collective |
| Open Source |
100% minimum (Microsoft interop tolerance) |
| SLA |
99.8% monthly |
| DRP |
< 4 hours |
| N2 Support |
β€ 4 business hours |
| N3 Support |
β€ 8 business hours |
| Teams |
EU + French-speaking |
| LTS |
36 months minimum |
| Source code |
Delivered to CAIH + open licenses |
| R&D duration |
12 months max cumulative |
| R&D modification |
Max +15% by amendment |
| References |
Max 4, A4 front-back, last 4 years |
| Application Deadline |
February 19, 2026, 12:30 PM |
π NEXT STEPS
π PLACE: https://www.marches-publics.gouv.fr
- Application submission exclusively via buyer profile
- Electronic communication mandatory
- Registration recommended for DCE modification tracking
Application Checklist
- β
Understand 5-block structure
- β³ Prepare max 4 references (1 A4 page front-back each)
- β³ Cover blocks: Workspace, ID CAIH, Infrastructure, Fleet & Workstations
- β³ Verify internal capabilities on 5 blocks
- β³ Identify joint contracting partners (HDS mandatory)
- β³ Validate sovereignty compliance (HDS, EU capital, EU location)
- β³ Prepare workforce & OS contributions (2023-2025)
- β³ Prepare grouping agreement
- β³ Name files:
26_01_DC_[type]_[SupplierName]
- β³ SUBMIT ON PLACE BEFORE February 19, 2026, 12:30 PM
Summary created: January 15, 2026
Updated: February 3, 2026 (Full enrichment with RC v20260130)
Sources: Functional Program v20251222, CCAP v1.0, RC v20260130, Annex 1 RC, Institutions List