Security Robot Tender Text: BoQ Template for KRITIS

A sound tender text for security robots separates three things cleanly: the rental arrangement, the minimum technical performance, and the operational service quality. Mixing these three levels produces a bill of quantities (BoQ) that RaaS providers either cannot bid on or price with risk surcharges. This article delivers the BoQ building blocks that a procurement or security manager can transfer directly into their own tender document.

Security Robot Tender Text: Structure and Mandatory Components

A complete BoQ for security robots contains six mandatory sections: scope of services, technical requirements, operating environment, service levels, award criteria, and contract duration. If one is missing, offers cannot be compared.

Hardware specification and service specification must be kept separate. Under the Robotics-as-a-Service model, no transfer of ownership takes place. The hardware remains with the provider. The contracting authority procures a patrol service with a defined availability level.

EN ISO 13482 is the binding standard for mobile service robots with physical human-robot coexistence and must be cited. From January 2027, the EU Machinery Regulation 2023/1230 must additionally be referenced as the CE basis (application date per Art. 52(2) of the Regulation).

Model clause for the preamble:

"The subject of this tender is the procurement of an autonomous patrol service under a rental model (Robotics-as-a-Service). No transfer of ownership of the deployed hardware to the contracting authority is envisaged. No depreciation calculation at the contracting authority's side is applicable."

For public contracting authorities, VgV applies above EU thresholds. Private industrial operators may procure freely but should adopt the negotiated procedure with prior publication.

Defining the Scope of Services Precisely

Generic terms such as "factory premises" are not permissible. The area must be stated in square metres (total area) and linear kilometres (patrol route). Example:

"Patrolled area: 84,000 m² outdoor surface, 6.2 km patrol route, of which 1.4 km unpaved tracks. Minimum 8 patrol runs per 24 hours, of which 5 between 20:00 and 06:00. Route planning with a randomised share of at least 30 percent to prevent pattern recognition by attackers."

Minimum sensor requirements must be stated explicitly. Standard sensors are RGB camera, audio, and thermal. LiDAR and drone detection are to be required based on risk assessment. For sensitive outer perimeters, the QR-3 with LiDAR and drone detection is the appropriate reference class; for standard patrol, the QR-2 for 24/7 outdoor patrol.

Control room connection clause:

"The contractor shall ensure 24/7 connectivity to a security operations centre certified to DIN EN 50518. The guaranteed first response time to an alarm is under 60 seconds, documented by a monthly response-time log."

Interfaces must be named: ONVIF Profile T, BACnet/IP, OPC UA, REST API. Data sovereignty belongs in the preamble: storage location EU, data processing agreement per GDPR Art. 28, deletion period for image material 72 hours when alarm-free.

Minimum Technical Requirements for KRITIS Deployments

For KRITIS procurement, the KRITIS requirements overview must be mapped sectorally. The reference framework is the BSI-KritisV.

Model clause for minimum technical requirements:

"Protection class IP65 as the minimum threshold for outdoor operation. In the energy and water sector: IP66. Operating temperature range minus 20 to plus 50 degrees Celsius without documented sensor performance degradation. Minimum autonomy runtime 8 hours per charge cycle, automatic return to charging station without human intervention. Maximum charging time 90 minutes."

Cybersecurity as a separate clause:

"The contractor shall demonstrate conformity with BSI IT-Grundschutz. Data transmission is encrypted to TLS 1.3. Firmware updates are cryptographically signed. A penetration test report from an independent third party, not older than 12 months, must be submitted with the offer."

Safety functions:

"Redundant emergency stop: physical emergency-stop button on the device and remote shutdown by the control room. Both channels operate independently of each other. Testing weekly, documented."

Person detection with a false-positive rate below 2 percent, evidenced by field-test logs from the bidder covering at least 30 operational days (test basis: EN ISO 13482). Generic manufacturer datasheet figures are not sufficient.

Service Levels and Availability Clauses

Service level agreements are the most frequent point of dispute in RaaS contracts. They belong in the main BoQ body, not in an annex.

Availability clause:

"Monthly availability shall be at least 98 percent, calculated as the quotient of actual patrol time and scheduled patrol time per the operational plan. Planned maintenance windows are not counted against availability, provided they do not exceed 4 hours per month and fall outside defined high-risk periods (22:00 to 04:00)."

Replacement and penalty:

"In the event of total failure, the contractor shall provide a functionally equivalent replacement unit at the contracting authority's site within 48 hours. Penalty scale: 5 percent of the monthly fee per commenced 12-hour period of delay, capped at 50 percent of the monthly fee."

Reporting obligation:

"Monthly reporting in machine-readable format (CSV or JSON) covering the following metrics: patrol kilometres, number of incidents by category, false-alarm rate, sensor failures, power consumption in kWh, availability ratio."

Escalation chain with three levels and named contact persons at the contractor. Level 1: SOC shift supervisor. Level 2: Operations Manager. Level 3: Management. Response times per level must be defined.

Exit clause:

"The contracting authority may terminate the contract with 3 months' notice after a minimum term of 24 months. No residual payment for the hardware applies. Return of the devices in operational condition is carried out by the contractor at the contractor's cost."

Award Criteria and Weighting

The weighting determines the outcome more than any individual clause. Pure price evaluation in the RaaS model leads to providers with reduced service levels.

Recommended weighting:

• Price: 40 percent
• Technical quality: 35 percent
• KRITIS references: 15 percent
• Data protection concept: 10 percent

Reference requirement clause:

"The bidder shall demonstrate at least two comparable deployments with a minimum duration of 12 months each. At least one deployment must be in the DACH region. Reference contacts must be named with a contact person and telephone number. The contracting authority reserves the right to make enquiries."

Live demonstration:

"As part of the negotiated procedure, the bidder shall carry out a 72-hour live demonstration under real operating conditions on the contracting authority's premises. Costs are borne by the bidder. Evaluated criteria are detection performance, false-alarm rate, battery range, and integration into the control room."

Cybersecurity is evaluated on the basis of BSI conformity evidence or an equivalent test report, not on the basis of marketing materials. Sustainability is included as a secondary metric. Measurement: power consumption per patrol kilometre in Wh/km.

Bidder questions in writing, answers made available to all bidders, deadline 14 days before offer submission.

Contract Clauses for the RaaS Model

The pricing model must be formulated transparently in the BoQ. Background on the structure is provided in the three-tier pricing model.

Price clause:

"The monthly service fee covers: hardware provision, all maintenance and repair services, software updates throughout the contract term, operating liability insurance, and 24/7 control room connectivity. No activation fee, device financing charge, or any other one-time cost is levied."

Graduated liability clause:

"The contractor's liability is limited to: EUR 1 million per loss event for property damage, EUR 5 million per loss event for personal injury, EUR 2 million per loss event for data protection breaches. In cases of intent and gross negligence, statutory provisions apply."

Subcontractors:

"The use of subcontractors must be disclosed to the contracting authority in writing before contract conclusion and requires the contracting authority's consent. Subcontractors must be bound to the same technical and organisational security standards."

Data protection as an annex: data processing agreement per GDPR Art. 28, technical and organisational measures per Art. 32 documented in the appendix.

Confidentiality:

"The confidentiality obligation survives termination of the contract by 5 years. In the event of a breach, a contractual penalty of EUR 50,000 per individual breach becomes due. The right to claim further damages remains unaffected."

Avoiding Typical Errors in Tender Documents

Six errors appear in almost every first draft.

First: manufacturer-specific model designations in the BoQ. This violates the non-discrimination requirement under VgV § 31(6). Functional requirements must be used instead. The formulation "equivalent to model X, or equal" is permissible.

Second: requiring transfer of ownership. This systematically excludes RaaS providers and increases costs by turning capital expenditure into an investment item rather than an operating expense.

Third: generic boilerplate. "Latest technology" is not enforceable in court. Measurable metrics are required: IP protection class, false-positive rate, response time in seconds.

Fourth: missing personnel replacement calculation. A 24/7 guard post costs, on full-cost figures from the BDSW, between EUR 15,000 and EUR 25,000 per month (source: BDSW Figures, Data, Facts). A comparable robot service starts at EUR 3,200 (internal calculation, Quarero Robotics, as of Q3 2025). This comparison belongs in the annex. Detail is provided in Security Guard Costs Compared.

Fifth: unrealistic transition periods. 8 to 12 weeks is realistic for area mapping, control room training, and trial operation. Requiring 4 weeks produces either no bids or unreliable mapping data.

Sixth: missing co-determination step. The works council must be involved under BetrVG § 87(1) No. 6 for technical monitoring equipment. This is mandatory, not optional. A documented works agreement belongs as an annex to the BoQ.

Template and Next Steps

A reliable BoQ template exists in three variants: industrial park, logistics centre, and KRITIS operator. The KRITIS variant references the KRITIS-Dachgesetz draft (Bundestag-Drucksache 20/9262) and the sectoral resilience obligations. Adaptation to energy, water, health, and transport is mandatory, not optional. The current status of the umbrella legislation is summarised in the KRITIS-Dachgesetz Checklist 2026.

For KRITIS procurement above EU thresholds, the negotiated procedure with prior publication is the appropriate route. It permits the live demonstration. Bidders without a KRITIS reference are excluded at the selection stage before effort accumulates on either side.

Pilot phase before contract extension: 90 days with defined exit criteria. Possible criteria: availability below 95 percent in pilot months 2 and 3, false-positive rate above 5 percent, more than two documented security incidents without correct response.

Quarero provides bidders on request with a reference package from three live DACH deployments. The package contains anonymised SLA reports, false-alarm statistics, and availability evidence covering 12 months.

An initial specification alignment call takes 45 minutes and is non-binding. Appointments are booked via Book a Specification Call. Please prepare for the call: planned area in square metres, desired patrol frequency, and sector (KRITIS or private).