The EPSO AD7 ICT Infrastructure 2026 competition (EPSO/AD/429/26, Field 1) selects experienced infrastructure specialists (grade AD7) to design and run the systems that keep the EU institutions operating, with 204 reserve-list places. This guide explains what the exam tests and how to prepare.
Competition Overview
Field 1 is one of four fields in the EPSO/AD/429/26 ICT competition, alongside Project Management (Field 2), Clouds & Networks (Field 3) and Data Science (Field 4). It is important not to confuse Field 1 with Field 3: Infrastructure focuses on on-premises and hybrid systems and EU digital sovereignty — data centres, servers, storage and identity — whereas Clouds & Networks centres on public cloud and wide-area networking. Successful candidates join teams running the Commission's own data centres and core services.
Who Should Apply
This is a competition for seasoned specialists, typically with five to nine years of hands-on infrastructure experience, on top of the AD7-level qualifications set out in the Notice of Competition. The exam does not reward memorised commands or vendor trivia; it rewards engineers who can justify a design decision — why this redundancy model, why this identity architecture, why this backup strategy — and who understand how those decisions change inside an EU institution bound by its own security and procurement rules.
Exam Format
The competition runs in stages: computer-based reasoning tests, an EU-knowledge essay and the field-related multiple-choice test, followed by an assessment phase for those who progress. The decisive stage is the field-related multiple-choice test: 30 questions in 40 minutes, pass mark 15/30. It is the only ranked test — the reasoning tests and the EU-knowledge essay are pass/fail gates, while this 30-question paper sets your place on the reserve list. There is no negative marking, so answer every question.
Questions are scenario-based and aimed at specialists with 5–9 years of experience: they test architecture judgement and trade-offs, not product syntax or trivia. A typical item sketches a requirement — a recovery-time target, a federation between two directorates, a tightening of access after an incident — and asks which design or control best fits, given the EU context.
What the Exam Tests
The syllabus spans the full infrastructure stack, framed in the EU-institutional context:
- High availability & business continuity — fault tolerance, disaster recovery, and RPO/RTO.
- Virtualisation & containers — hypervisors (VMware, Hyper-V, KVM) and container/Kubernetes basics.
- Storage & backup — SAN, NAS, RAID, replication, snapshots and DR.
- OS administration — Linux and Windows Server, patching and hardening.
- Identity & access management — Active Directory, LDAP, Kerberos, SAML, OAuth2/OIDC, federation and PKI.
- Networking for infrastructure — TCP/IP, DNS, DHCP, VLANs, routing, firewalls and load balancing (on-prem/hybrid).
- Infrastructure cybersecurity — Zero Trust, SIEM/SOC, vulnerability management and incident response, with ENISA's role.
- IT service management — ITIL 4 incident, problem, change and configuration management, plus SLAs.
- Automation & infrastructure-as-code — configuration management, IaC and observability.
- Emerging tech — high-performance computing (EuroHPC — LUMI, Leonardo, JUPITER) and the EuroQCI quantum-communication initiative.
The EU-Specific Layer
What sets this exam apart from a generic infrastructure certification is its EU dimension. Expect questions on:
- TESTA/sTESTA — the secure trans-European network linking EU administrations, and DG DIGIT's data centres.
- Regulation (EU) 2023/2841 — the cybersecurity rules for the EU institutions, bodies and agencies, and the role of CERT-EU.
- NIS2, DORA and the Cyber Resilience Act (CRA) — the EU's wider cybersecurity and resilience framework.
- eIDAS2 and Regulation (EU) 2018/1725 — electronic identity, and the institutions' data-protection rules supervised by the EDPS.
Common Pitfalls
- Confusing Field 1 with Field 3 — answer from an on-prem/hybrid and sovereignty perspective, not a public-cloud one.
- Mixing up RPO and RTO — RPO is acceptable data loss; RTO is acceptable downtime.
- Treating EU cyber law as optional — Reg. 2023/2841, CERT-EU and NIS2 are core examinable content.
- GDPR vs Regulation 2018/1725 — the institutions follow Reg. 2018/1725 under the EDPS, not the GDPR.
How to Prepare
With 40 minutes for 30 scenario questions, breadth and judgement matter more than speed. A workable plan:
- Build the technical foundations — HA/BC, virtualisation, storage, IAM and infrastructure security.
- Add the EU layer — TESTA, DG DIGIT, Reg. 2023/2841 and CERT-EU, NIS2, DORA, CRA and Reg. 2018/1725 — the differentiator most candidates neglect.
- Practise trade-off scenarios — "which design best meets this RPO/RTO?" rather than definitions.
- Sit timed mocks — full 30-question, 40-minute papers to build pacing.
A practical rhythm: begin with a diagnostic mock to expose weak areas, then concentrate on the EU-specific layer and infrastructure security, which carry the most weight and trip up the most candidates. In the final week, run full timed papers and review only the questions you got wrong rather than re-reading the whole syllabus.
Prep4EU is expanding its EPSO/AD/429/26 ICT coverage across all four fields. Start preparing with Prep4EU to practise scenario MCQs in the exact EPSO format.