
SEARN Capacity building platform

ProcureProcess - WHO Others Non Governmental 2025-11-10 to 2025-11-24
The World Health Organization (WHO) invites vendors to submit an Expression of Interest (EOI) for [the development of a fully deployed, cloud-based competency-based training catalogue portal built on an open-source solution such as Moodle, Canvas LMS, Open edX, Chamilo, or ILIAS. This platform will be customized to support role-based user management, collection of feedback on trainings and other indicators (e.g. unmet training needs, number of staff per NRA having registered/completed referenced trainings, etc. - no detailed personal information regarding trainees) and real-time analytics. It will be GDPR-compliant, scalable, and designed for integration with other systems such as partners, WHO Academy or NRA LMS and other databases. The output must also be developed using a full stack approach, i.e. open standards, and technologies, architecture and content to ensure interoperability, flexibility, and sustainability, and to eventually become a digital health global good. The platform will serve as a regional hub for curated training programs (either hosted on the platform or through a link), verified trainers, and educational resources. The platform will map these learning assets to the WHO global competency framework for regulators and other regional competency domains, enabling organizational and personalized learning pathways. Ideally the system should also enable the use of the different languages and scripts from the Members.] which address the following objectives:

General requirements

GDPR-compliant, scalable, and designed for integration with other systems such as partners, WHO Academy or NRA LMS and other databases. The output must be developed using a full stack approach, i.e. open standards, and technologies, architecture and content to ensure interoperability, flexibility, and sustainability, and to eventually become a digital health global good.
The proposal should highlight what would be the costs for replicating the platform in another WHO region / country.

In general, WHO may host the associated data on its servers. In such a case, WHO will ensure that only WHO’s IT department is authorized to access personal or NRA-specific data (e.g. training certificates, NRA’s tailored competency framework/training plan); i.e. the SEARN secretariat / WHO technical units supporting regulatory system-related activities. However, some countries may still require (e.g. legal requirements) that some specific data (e.g. training data) is hosted on specific servers in their country. The proposal should highlight what would be the additional initial and recurring costs for such an arrangement.

Objective 1: SEARN Learning Platform

Output 1.1: A fully deployed, cloud-based competency-based training catalogue portal built on an open-source solution such as Moodle, Canvas LMS, Open edX, Chamilo, and ILIAS. This platform will be customized to support role-based user management (IT support, SEARN secretariat, NRAs, Training providers), collection of feedback on trainings and training needs, and indicators and real-time analytics (including displaying to all users activities from the competency framework prioritized by NRA staff for the development of training programmes).

The SEARN secretariat’s roles (separate from IT support) will include:
- Administer access at organizational level: NRA, training provider
- Administer and edit the competency framework (Global + regional)
- Administer the list of competencies and information fields to be filled by training providers (e.g. mode, length, prerequisites, costs, NRA objectives, etc.) and NRA users
- Collect aggregated information required for indicators and training needs

The SEARN secretariat should not have access to personal or NRA-specific data (e.g. training certificates, NRA’s tailored competency framework/training plan); i.e. the SEARN secretariat / WHO technical units supporting regulatory system-related activities.

Training providers (WHO, partners, regional centers of excellence, etc.), once authorized by SEARN, should be able to directly manage access of staff from their organization and to post, edit and delete information about the trainings they propose. While the trainings may be hosted on other platforms, the SEARN platform should be able to capture registration to training by NRA users and completion of trainings, either manually or automatically. The roles are further detailed in the attached presentation. Roles will include:
- Administer access at individual level within their organization
- Administer and edit the catalogue of trainings available and fill required information fields (including activities from the competency framework, fields identified in the Appendix 3 SEARN Capacity building options, costs, language(s), external link if applicable) and manage training requests
- Document trainings conducted and certificate/credits etc. at the individual level (e.g. Staff 1 was successfully trained for TRAININGX)

NRAs (there can be several NRAs per country), once authorized by SEARN, should be able to directly manage access of staff from their organization. The main entry point for NRAs to find trainings on this platform should be activities from the SEARN competency framework, which is constituted of the WHO Global Competency Framework, additional domains, and additional information (e.g. NRA goals). The roles are further detailed in the attached presentation.
Roles will include:

Staff to:
- Access learner profile including certificates of past trainings
- Identify competency needs against SEARN and NRA competency framework, as determined by their manager
- Search, identify and request trainings based on the catalogue
- Attend trainings within or outside the platform
- Provide feedback on the trainings
- Identify activities from the competency framework for which the development of training programmes needs to be prioritized

Managers to:
- Determine competency needs against SEARN and NRA competency framework for their team and develop training plans
- Access and monitor training records of their staff
- Search and identify adequate trainings (and gaps) from the catalogue
- Identify activities from the competency framework for which the development of training programmes needs to be prioritized

NRA leadership (e.g. HR/Director) general to:
- Administer access at individual level within their organization
- Administer and edit the NRA-specific domains of the competency framework
- Collect indicators defined by their NRA
- Access and monitor training records of their staff
- Search and identify adequate trainings (and gaps) from the catalogue
- Identify activities from the competency framework for which the development of training programmes needs to be prioritized
- Administer and edit the NRA-specific catalogue of trainings available and fill required information fields (including activities from the competency framework) and manage training requests
- Document trainings conducted and certificate/credits etc. at the individual level (e.g. Staff 1 was successfully trained for TRAININGX)

While the platform will be in English, ideally the system should also enable the use of the different languages and scripts from the Members.
The indicators which can be captured by the platform should include:
(1) Number of staff trained through the SEARN platform during the workplan period (Total, By country)
(2) Number of training offers referenced in the SEARN platform
(3) Percentage of activities from the SEARN competency framework with at least one training offer on the SEARN platform
(4) Number of staff trained for each available training over a period of time
(5) Satisfaction of trainees (anonymous) with the trainings proposed
(6) NRA staff feedback on activities from the competency framework for which the development of training programmes needs to be prioritized

If access to individual/personal data (e.g. training records) is required, only IT support teams should have access to it, not e.g. the SEARN secretariat/WHO staff involved in regulatory system strengthening activities.

Objective 2: NRA-customizable digital learning management module

Output 2.1: A fully deployed, cloud-based NRA-customizable learning management module built on an open-source solution such as Moodle, Canvas LMS, Open edX, Chamilo. This NRA LMS will be customized to support role-based user management, competency tracking, training registration, collection of training feedback/completion, and real-time analytics. It will be GDPR-compliant, taking into account country-specific requirements regarding data hosting and protection and IT policies (e.g., data protection laws, cybersecurity acts). It will be designed for integration with other systems such as the SEARN Learning platform, and, ideally, partners, WHO Academy or other NRA databases. This will enable personalized learning pathways (self-selected or recommended/allocated by management, development of training plans), monitoring of workforce development (including archiving of training certificates and identification of gaps), and identification of skill gaps across staff and regulatory functions.
Ideally the system should also enable the use of the different languages and scripts from the Members. SEARN secretariat should not have access to NRAs’ LMS.

Objective 3: Documentation, Pilot Implementation, and Capacity Building

Output 3.1: This involves preparing comprehensive user and technical documentation, conducting a pilot rollout in one to two countries, and incorporating user feedback into the final platform. Additionally, it includes training for administrators and stakeholders, a maintenance and support plan, and a structured handover to ensure long-term sustainability and regional scalability.

Objective 4: Desirable: AI-Based tool to assist training providers in mapping their catalogue

Output 4.1: The developed SEARN Learning Platform should also ideally provide an AI-based tool which would facilitate the mapping of training providers' pre-existing training catalogues against the SEARN competency framework and the requested information fields.

Requirements related to cybersecurity:
- The IT solution must be ISO certified (27000 family).
- For sensitive data, data at rest must be encrypted by the IT solution. Industry best practice cryptographic algorithms must be enforced by the IT solution.
- For sensitive data, secure data destruction processes must be in place. Vendor must provide evidence of secure data destruction.
- Data in transit and in use must be encrypted. Industry best practice cryptographic algorithms must be enforced.
- Data must be encrypted on all removable media used by the IT solution (i.e., USB memory stick, external hard drives).
- When authentication is required, all systems or applications should integrate with the WHO Single Sign On authentication scheme (SAML; OpenID Connect). Multi-factor Authentication (MFA) must be enforced.
- A system or an application must support Role-Based Access Control (RBAC).
- A system or an application in production must use individual accounts. All account sharing is strictly prohibited.
- For non-SaaS solutions, a system or an application in production must have logging capabilities as defined in ISO 27001 annex A.12.4.
- A solution should have all levels of technical support for security controls.
- A vendor must allow WHO to perform periodic vulnerability scans and penetration testing when required.
- A hosting provider should produce evidence that security controls are in place (i.e. network and web application firewalls; proxy; etc.) including evidence of recent security audits and security penetration tests.
- A solution must include non-repudiation methods and fraud prevention when financial transactions are executed. This includes MFA, audit trail, digital signatures, challenge-response OTP tokens, and other security controls.
- A vendor must have a technical change and configuration management process in place that is compliant with ITIL.
- A vendor must have secure software development processes in place (for example: OWASP Secure Coding Practices).
- A vendor must provide technical support to the Project Team during the Risk Assessment conducted by the WHO Cybersecurity Team.
- A vendor must ensure they have backup and restore processes in place. It is recommended that a Disaster Recovery Plan and periodic testing be performed.
- The IT solution must have a governance mechanism to ensure confidential and sensitive data (to be determined through a separate confidentiality undertaking) is sufficiently protected in accordance with the highest standards, and in compliance with all applicable laws, ordinances, rules and regulations (including the UN Principles on Personal Data Protection and Privacy): https://www.unsceb.org/principles-personal-data-protection-and-privacy

WHO intends to invite selected vendors to participate in a formal solicitation, via a Request for Proposals (RFP), at a later stage, for the above requirements. Complete details of the requirements will be included in the solicitation documents.
