SITA Act Compliance for Gauteng IT Suppliers: What It Means and How to Qualify in 2026

By Kabelo Molefe

Security contractors in Gauteng are losing multimillion-rand SITA contracts in 2026, not on price or technical score, but because a single Grade C guard’s PSIRA certificate lapsed three weeks before submission. With National Treasury’s Central Supplier Database (CSD) now auto-rejecting bids when any mandatory credential is out of sync, compliance has become the first—and most brutal—gate. Below is a concise survival guide that keeps your bid alive long before the technical envelopes are opened.

The Regulatory Framework

The State Information Technology Agency Act 88 of 2002, read with the Public Finance Management Act (PFMA) and Preferential Procurement Policy Framework Act (PPPFA), makes SITA the mandatory gateway for all public-sector IT and IT-related security services in Gauteng. Any contract that touches government networks, data centres, or end-user devices—even if the primary service is guarding—must be awarded through SITA’s bid panels and is therefore subject to SITA’s 2026 General Conditions of Contract (GCC 2026).

Sector-specific overlays flow from the Private Security Industry Regulation Act 56 of 2001. In Gauteng, provincial treasury instruction PT 3 of 2025 reinforces these overlays, requiring that every security supplier on a SITA contract be “in good standing” with PSIRA, the Compensation Fund (COIDA), and the BBBEE Commission. Failure to meet any one of these three pillars triggers an automatic disqualification, irrespective of the PPPFA preference points already earned.

What Security Suppliers in Gauteng Must Have in Place

1. PSIRA registration (company + every deployed guard)
   Issuing body: Private Security Industry Regulatory Authority
   Portal: https://psira.co.za

   
   Validity: Company certificate 36 months; individual guard certificates 24 months
   Lapse consequence: Entire bid is labelled “non-responsive” on eGP even if only one guard expires next month.

2. Central Supplier Database (CSD) active status
   Portal: https://secure.csd.gov.za

   
   Validity: Rolling 12-month verification; tax status refreshes every 30 days
   Lapse consequence: Auto-generated “Vendor Not Compliant” email sent to bid evaluation committee; bid is quarantined.

3. BBBEE certificate (Level 1–4) or sworn affidavit (EME below R10 m)
   Issuing body: SANAS-accredited verification agency or commissioner of oaths
   Validity: 12 months from issue date
   Lapse consequence: Zero preference points; contract value capped at 80% of estimate if you still qualify on functionality.

4. SARS Tax Compliance Status (TCS PIN)
   Portal: https://sarsefiling.co.za

   → “Tax Status”
   Validity: 90 days from date of request
   Lapse consequence: CSD blocks your vendor number; provincial treasury issues Form TCR-13 stopping all payments.

5. COIDA letter of good standing
   Issuing body: Department of Employment & Labour Compensation Fund
   Portal: https://labour.gov.za

   
   Validity: 12 months, aligned to COIDA tariff year (1 March–end-February)
   Lapse consequence: Insurance exclusion clause kicks in; SITA immediately suspends guard deployment.

Step-by-Step Compliance Approach

1. Run a full PSIRA audit
   Log in at psira.co.za with your company PSIRA number → “Employee Verification” → export CSV of every guard on your payroll. Cross-check expiry dates against the proposed contract start date plus 12 months. Renew any certificate expiring inside that window before you submit.

2. Refresh your CSD vendor summary
   Print the “MRR” (Vendor Master Report) the day before bid submission. Highlight the “Compliance Status” block; if it says “Not Compliant” for any line item, resolve it on the spot—do not assume yesterday’s green light is still valid.

3. Lock in your BBBEE score
   If annual turnover is below R10 million, execute a new sworn affidavit on the official BBBEE Commission template (rev 03-2025) no more than 30 days before submission; SANAS certificates must still be valid on the closing date.

4. Generate a fresh TCS PIN
   Do this at least five working days before submission; SITA’s bid evaluation system rejects PINs older than 90 days even if SARS still considers them valid.

5. Upload a single, bookmarked PDF
   Combine PSIRA company certificate, PSIRA guard schedule, CSD MRR, BBBEE, TCS, and COIDA into one file named “Compulsory_Enclosure_1_Security_Compliance_2026.pdf”. Bookmark each section; evaluators hate hunting.

The Most Common Compliance Failures

Consequence: Bid is disqualified at the compulsory briefing session because the PSIRA business licence copy is colour-scanned but the guard schedule is black-and-white, triggering “document unreadable” under SBD 4.
Root cause: Staff assume identical formatting is not required across annexures.
Fix: Print every PSIRA certificate in colour, scan at 300 dpi, and collate in descending grade order (A first, C last).

Consequence: Zero BBBEE points because the affidavit box “Black woman ownership percentage” is left blank (new field added March 2026).
Root cause: Template downloaded from a municipal website hosting the 2024 version.
Fix: Download only from https://bbbeecommission.co.za

Consequence: CSD shows “Tax Status = Non-Compliant” 48 hours after bid submission because a PAYE recon was outstanding.
Root cause: Finance team believed “overall TCS PIN green” meant all tax types were settled.
Fix: Request the detailed “Statement of Account” from SARS eFiling for PAYE, Income Tax, and VAT; clear any rand-value outstanding before generating the PIN.

Consequence: Contract terminated at month four when a routine SITA audit finds one guard’s PSIRA Grade B certificate expired during annual leave.
Root cause: HR only tracked guards on active site rosters; leave cover guards slipped through.
Fix: Create a shared Google Sheet fed by the PSIRA API; set conditional formatting to red 60 days before expiry and mandate renewal before leave is approved.

2026 Context: What Security Suppliers Should Focus On

Gauteng’s 2026/27 budget statements prioritise “cyber-resilient government buildings,” meaning guards must now also undergo basic IT asset-awareness training certified by SITA’s new Cyber Security Academy. Expect evaluation criteria to weight 5–10% of technical score on proof of guard training certificates issued after 1 January 2026. Looking ahead, SITA is piloting blockchain-based PSIRA badges; by mid-2027, QR-code verification will replace hard-copy certificates. Suppliers who invest in API-linked compliance dashboards today will migrate painlessly tomorrow.

How Tenders-SA.org Helps

Our AI Matching Engine stores your PSIRA company number, guard schedule, and BBBEE level, then compares every new SITA security tender against your live credentials. If a guard certificate is 45 days from expiry, the system flags the opportunity as “at risk” and auto-sends a renewal reminder to your HR mailbox. The Company Profile Builder exports a single, bookmarked compliance pack that aligns with SBD 4 and SITA GCC 2026—no retyping, no missing annexures.

Subscribe to Tender Alerts and you will receive only Gauteng security tenders for which your profile is 100% compliant, eliminating the noise of bids you cannot pursue. Let technology guard your compliance while you guard the nation’s assets.
Browse Security tenders

ICT & Smart City Analyst specializing in digital transformation and security technology for South African municipalities.