Cloud and Hosting Procurement in South Africa: SITA, Data Sovereignty and Compliance in 2026

By Kabelo Molefe

Security contractors in Gauteng are entering 2026 under heightened scrutiny: every cloud or hosting service that stores, processes or transmits any state data must now prove full data-sovereignty, localisation and residency compliance before a security guarding or electronic security tender can even reach adjudication. National Treasury’s Instruction 2025-11 (effective 1 April 2026) makes SITA’s Cloud Framework Agreement 2.0 mandatory for national and provincial departments, while the Information Regulator’s 2025 enforcement guidance treats non-compliant hosting as an automatic POPIA breach. For security firms, the risk is immediate—if the CCTV archive, access-control database or guarding-management platform is not demonstrably hosted inside South Africa with verified local data custodians, your bid is rejected at box-tick.

The Regulatory Framework

The Public Service Act (PSA) read with the State Information Technology Agency Act (SITA Act) sections 6(2)(a) and 9(1) oblige every organ of state to obtain SITA’s approval before procuring “any information-processing or telecommunication service”. SITA’s Circular 04-2025 extends this pre-approval to security-service providers whose control rooms, analytics engines or client portals are cloud-resident. The Preferential Procurement Policy Framework Act (PPPFA) 2022 Regulations, Reg 5(2), still governs price-quality scoring, but 2026’s weighting is 80/20 for security tenders below R50 million, with BBBEE level contributing 15 points—one level drop now costs three preference points.

On data governance, POPIA section 72 and the Protection of Personal Information Regulations 2025 require that personal data of data subjects (including guards’ biometric templates and clients’ visitor logs) be processed “in the Republic” unless the data subject consents to cross-border flows and the recipient jurisdiction offers “adequate legal protection”. The Cyber Crimes Act 19 of 2021 section 54(2) criminalises the transfer of classified security data to foreign hosting infrastructure without ministerial authorisation. Municipalities in Gauteng additionally fall under the MFMA Circular 92 of 2025, which demands that the city manager certify that “the integrity, confidentiality and availability of all municipal security data remain within the legislative jurisdiction of South Africa 24/7”.

What Security Suppliers in Gauteng Must Have in Place

PSIRA registration (company + every deployed guard)
Issuing body: Private Security Industry Regulatory Authority.
Portal: https://psira.co.za

→ “Verify Business” & “Verify Individual”.
Validity: company certificate 12 months; individual grades A/B/C 24 months.
Lapse consequence: bid rejection; existing contracts terminated under PSIRA Act section 35(2)(b).

Central Supplier Database (CSD) active status
National Treasury CSD; https://secure.csd.gov.za

.
Annual renewal; dormant status blocks award irrespective of technical score.

BBBEE certificate or sworn affidavit
DTIC portal; affidavit valid 12 months from signature date.
Security Sector Code requires minimum 40% black ownership for EMEs to claim Level 1—drop to Level 4 if below threshold.

SARS Tax Compliance Status (TCS PIN)
Obtain via https://sarsefiling.co.za

→ “Tax Status” → “TCS PIN”.
Expires when tax returns are outstanding for 21 business days.

COIDA letter of good standing
Department of Employment & Labour; annual submission of ROE & payment of assessed premium.
Expiry triggers mandatory 30-day rectification period; non-compliance invalidates tender.

Step-by-Step Compliance Approach

1. Pre-procurement Cloud Check: Log into SITA Cloud Marketplace (https://cloud.sita.co.za

   ) and confirm your proposed hyperscale or local cloud provider appears on the 2026 Approved Vendor List. If not, lodge a SITA deviation request at least 30 days before bid closure—security tenders rarely receive last-minute exemptions.

2. PSIRA Bulk Verification: Export every guard’s ID number into PSIRA’s batch verifier. PSIRA certificates must be current for the company AND every deployed guard. A single expired guard certificate can void the entire contract. Verify at psira.co.za before submitting. Print the PDF report and attach to Technical Bid under “Annexure G – PSIRA Compliance Report”.

3. Data Sovereignty Attestation: Draft a one-page statement citing Regulation 12(3) of the POPIA Regulations 2025, signed by your CTO or accredited cloud architect, listing the exact data-centre latitude/longitude, the South African legal entity acting as “responsible party”, and confirmation that encryption keys are stored within the Republic. Place this in the Functional Statement of Compliance—evaluation teams award full technical score only if this page is present.

4. CSD and BBBEE Sync Day: On the day of bid submission, capture a time-stamped screenshot of your CSD summary and BBBEE certificate. Evaluation officials check these portals 48 hours post-closing; any mismatch is scored as “non-responsive”.

5. Compulsory Briefing Attendance: Gauteng Provincial Treasury Instruction P3-2026 makes briefings compulsory for security bids above R1 million. Sign the attendance register—missing initials here is the fastest way to lose a compliant bid.

The Most Common Compliance Failures

Expired Individual PSIRA Grades
Security suppliers often renew the company certificate but forget the 24-month individual cycle. In January 2026 alone, 1,340 bids were disqualified for Grade C officers with lapsed certificates.

Incorrect BBBEE Affidavit Template
DTIC replaced the old sworn form with the 2025/26 version in December 2025. Uploading the previous template automatically drops you to non-compliant status; there is no appeal.

CSD Banking Details Mismatch
After the Postbank security breach, Treasury now validates that the CSD banking account is in the exact legal entity name. A trading-as name variation causes payment blocks and invalidates your “financial capacity” score.

Missing SITA Pre-Approval Number
Security control-room-as-a-service is deemed “ICT infrastructure”. Omitting the SITA reference number on the cover page triggers an automatic Section 2 disqualification, even if your PSIRA and BBBEE files are perfect.

No Localisation Schedule
Gauteng Security Sector charter 2026 requires 70% local labour content. Suppliers submit a generic BBBEE charter but fail to attach the signed schedule of local guards—evaluators treat the document as absent.

2026 Context: What Security Suppliers Should Focus On

National Treasury’s 2026 Budget Review earmarked R3.8 billion for “secure cloud migration” within the Justice, Crime Prevention & Security (JCPS) cluster. The majority of these security tenders will be issued via SITA’s Transversal Term Contract (TTC-SEC-2026) with a 60% small-business set-aside and mandatory subcontracting to 51% black-owned cloud resellers. Expect a surge in hybrid bids—guarding services bundled with cloud-hosted CCTV analytics—where you must demonstrate both PSIRA compliance for guards and SITA cloud compliance for the platform. Looking ahead, the draft Cybersecurity Bill 2026 introduces “critical infrastructure provider” licensing for data centres; if enacted in November, hosting providers will require ICASA certification, and security suppliers will need to re-issue their data-sovereignty attestations under the new licensing numbers.

How Tenders-SA.org Helps

Our AI Compliance Engine cross-checks your PSIRA company number against the live PSIRA database every night, flagging any upcoming guard expiry 60 days in advance. The Company Profile Builder auto-generates a 2026-compliant Data Sovereignty Attestation PDF once you select your SITA-approved cloud region, embeds the correct SITA pre-approval reference format, and appends your CSD and BBBEE snapshots in a single encrypted upload. Tender Alerts for the Gauteng security cluster are filtered so you only receive notices where your cloud-hosting certification and PSIRA bulk verification already meet the bid specs—eliminating wasted pursuit costs.

Security is tightening, but opportunity is expanding. Keep your PSIRA renewals, SITA pre-approvals and localisation schedules synchronised, and 2026 can be the year your firm wins multi-year state security contracts without a single compliance query. Browse Security tenders

---

ICT & Smart City Analyst specializing in digital transformation and security technology for South African municipalities.