Cybersecurity Tenders in South Africa: Technical Requirements and Certification Standards (2026) — March 2026 Update

By Kabelo Molefe

Gauteng's public-sector cybersecurity spend has jumped 42 % in the last 12 months, making compliant, future-proof bids the fastest route to sustainable revenue for local security firms. Yet 2026's tightening of the Protection of Personal Information Act (POPIA) and the State Security Agency's new "Critical Infrastructure Cyber Directive" mean that a single expired guard certificate or an unsigned SBD 4 form now triggers instant disqualification. In this guide I walk you through what has changed, what is still tripping up SMEs, and how to bullet-proof your next submission.

The Regulatory Framework

The Preferential Procurement Policy Framework Act (PPPFA) 2026 regulations, read together with the BBBEE Act as amended, still govern how points are scored for price and BBBEE level. For security services the PPPFA is overlaid by the Private Security Industry Regulation Act: every provider—whether you supply CCTV, cyber-monitoring, or armed response—must hold a current PSIRA category D certificate for the entity and individual grading for every operator. The Construction Industry Development Board (CIDB) Act does not apply unless the contract includes physical installation of infrastructure, in which case a CIDB contractor designation may be listed in the scope.

The Public Finance Management Act (PFMA) and Municipal Finance Management Act (MFMA) impose supply-chain management prescripts that municipalities and organs of state use to evaluate security tenders. In Gauteng, Provincial Treasury Instruction 03 of 2026 adds a layer: security bids above R10 million must now upload a "cyber-risk mitigation plan" on the e-Tender portal before technical evaluation opens.

What Security Suppliers in Gauteng Must Have in Place

1. PSIRA Registration
   Issuing body: Private Security Industry Regulatory Authority
   Portal: https://psira.co.za

   
   Validity: company certificate 12 months; individual grades A, B or C 24 months
   Lapse penalty: immediate disqualification; a single expired guard certificate voids the entire contract.

2. Central Supplier Database (CSD)
   National Treasury portal: https://secure.csd.gov.za

   
   Validity: annual update; status changes real-time
   If your tax status turns red, the system blocks your bid submission automatically.

3. BBBEE Certificate or Sworn Affidavit
   For turnover below R10 million an EME affidavit on a R0–10 M template suffices and is valid 12 months from commissioner of oaths date. A lapsed affidavit defaults you to non-compliant, losing 10 preference points.

4. SARS Tax Compliance Status (TCS)
   Generated via eFiling → Tax Status → Pin Request. Pin valid 90 days; upload the PDF, not the pin alone, or the bid is labelled "non-responsive".

5. COIDA Letter of Good Standing
   Department of Labour Compensation Fund: 12-month validity. A lapsed letter is the third-most-common reason security tenders are rejected in Gauteng, after PSIRA and CSD red flags.

Step-by-Step Compliance Approach

1. Run a PSIRA guard audit 30 days before bid submission. Log in at psira.co.za and print a "Verification of Validity" report for every guard you intend to deploy. Staple each report behind the roster in your technical proposal—evaluators check serial numbers.

2. Update your CSD record at least 72 hours before closure; Treasury pulls SARS data overnight and any mismatch places you under "Suspended" status.

3. Draft your technical schedule around the new State Security Agency Cybersecurity Controls List (2026). Reference encryption standards (AES-256), log-retention (minimum 365 days), and incident-reporting time (within 2 hours). These are now scored, not just stated.

4. Attach your BBBEE affidavit as Appendix B, single-sided, signed and stamped. Double-sided affidavits are still being rejected by the Johannesburg Metropolitan audit team—an avoidable technicality.

5. Attend the compulsory briefing session; obtain the attendance register and upload it. Virtual briefings are no longer accepted for security tenders above R5 million in Gauteng.

The Most Common Compliance Failures

The majority of security bids fail on five issues: expired PSIRA individual certificates, unsigned SBD 4 declarations, BBBEE affidavit dated before the 2026 template release, CSD "Tax Status Red", and missing COIDA. A favourite oversight is deploying a Grade C guard but attaching a Grade B certificate—evaluation teams pick this up because they reconcile the roster against PSIRA QR codes.

Another growing pitfall is the "Sworn Affidavit copy-paste": some SMEs still use the 2024 template and simply change the year. National Treasury's August 2026 circular explicitly states that only the March 2026 template is acceptable; old formats earn zero BBBEE points yet keep you in the race, wasting time and money.

2026 Context: What Security Suppliers Should Focus On

Gauteng Provincial Government's 2026–2027 Budget Statement ring-fenced R1.8 billion for "Cybersecurity & Resilience". The new direction is integrated cyber-physical security: cameras, access control, and SOC-as-a-Service bundled under one contract. If you traditionally tender only for guards, consider partnering with a cybersecurity software vendor; hybrid bids are scoring full technical points.

Looking ahead, the draft Critical Infrastructure Protection Amendment Bill introduces mandatory ISO/IEC 27001 certification for critical-site security contractors from 1 April 2027. Start building your compliance roadmap now—gap analyses and stage-1 audits take six to nine months, and early certification will be a differentiator in the next procurement cycle.

How Tenders-SA.org Helps

Our AI Matching Engine cross-references your PSIRA category, CSD status, and BBBEE level with every new security tender published in Gauteng, e-mailing only those you can legally pursue. The Company Profile Builder stores expiry dates for each guard's PSIRA certificate and pings you 45 days before renewal, ensuring continuous compliance. Add Cybersecurity as a watched category and receive Tender Alerts the moment an RFP mentions "SOC", "SIEM", or "incident response retainer".

Thousands of security SMEs already use the platform to pre-qualify, partner, and win. Browse Security tenders

ICT & Smart City Analyst specializing in digital transformation and security technology for South African municipalities.