Security Robot RFP: Template for Corporate Procurement

Corporate procurement increasingly receives requests from security management for robotic patrols. Most of these procurement processes do not fail on budget. They fail on non-comparable bids, because the tender was drafted as a guard service RFP, not as a robotics RFP. This article delivers the structure, clauses, and scoring logic a security robot RFP must contain so bids can be compared on solid ground.

Security Robot RFP: Structure and Mandatory Components

Every robotic patrol tender needs three separate documents: technical specification, commercial requirements document, and compliance annex. The separation prevents bidders from compensating technical gaps with price discounts or masking compliance gaps with service promises.

The protected site must be described in measurable units. Area in square metres, perimeter length in metres, number of access points, number of patrol routes per shift. Without these baseline figures, bidders produce fantasy calculations.

Mandatory criteria (K.O.) and scoring criteria (0 to 100 points, weighted) must be clearly separated. Mandatory criteria are binary: CE conformity, IP54, EU data residency, at least three DACH references. Whoever misses one is out. Scoring criteria are weighted.

The response deadline is at least 21 calendar days. Shorter deadlines produce boilerplate offers without site reference. A pilot period of 60 to 90 days before the main contract is to be set as a standard clause, with exit rights without penalty if defined KPIs are not met.

Next step: review KRITIS requirements overview before drafting the specification.

Technical Minimum Requirements in the Specification

The robotics specification document defines sensors, navigation, operating environment, and interfaces. Every item is backed by numbers, not adjectives.

Sensors: RGB camera with at least 4K resolution, thermal sensor from 384x288 pixels for person detection at night, optional LiDAR from 16 channels for perimeters above 800 metres. Audio sensors only if the GDPR impact assessment covers it.

Autonomous navigation is to be specified per EN ISO 13482, with documented collision avoidance on two redundant layers. One layer is not enough. If the primary sensor fails, the second layer must trigger a stop.

Outdoor operation 24/7 at temperatures from minus 10 to plus 45 degrees Celsius. Protection class at least IP54, IP65 at coastal sites. Battery runtime minimum 6 hours on patrol, autonomous return to the charging station at residual capacity below 20 percent, full charge in under 3 hours.

Interfaces: ONVIF Profile S and T, REST API for SIEM integration, encrypted video transmission per BSI-Grundschutz. Proprietary protocols without an open API are to be rated as K.O., because they bind the operator to a single manufacturer.

For technical depth: QR-2 for 24/7 outdoor perimeter and QR-3 with LiDAR and drone detection show the specification in practice.

Compliance Requirements for KRITIS Operators

The compliance annex is the part where most security robot RFP processes fail. Not at contract signing, but at the first KRITIS audit.

The KRITIS Umbrella Act (KRITIS-Dachgesetz) obliges operators of critical facilities to apply physical protection measures with documented evidence. The bidder must state how the solution is embedded in the operator's protection concept. The bidder also sets out which evidence is delivered for an audit.

NIS-2 requires documented supply chain risk management for security-relevant service providers. The robotics manufacturer must document the supply chain, including subcontractors for cloud, maintenance, and software updates. Whoever fails to deliver this drops out at the K.O. filter.

The GDPR impact assessment per Article 35 is mandatory for person detection and audio recording. The bidder delivers the template, the operator adapts it to the site. Data residency exclusively in the EU with verifiable server location. No data flows to third countries without a current adequacy decision.

The EU Machinery Regulation 2023/1230 prescribes a CE conformity assessment with technical documentation for autonomous robots. Risk assessment, declaration of conformity, and operating manual must be submitted in German. English documentation is not sufficient for German audits.

Board members with personal liability should read NIS-2 board liability in parallel.

Scoring Matrix: Weighting of Criteria

The security technology scoring matrix is the most important part of the tender. It must be fixed before dispatch and made transparent in the RFP document. Retroactive weighting changes are legally vulnerable.

1. Technical performance: 35 percent. Sensor coverage as a percentage of the protected area, documented detection rate for persons and vehicles, false alarm rate below 2 percent per 24 hours measured over 30 days.
2. Economics: 25 percent. Monthly RaaS rate, indexation clauses, exit cost after 24 months, total cost over 36 months.
3. Compliance and security: 20 percent. Certificates submitted, documented KRITIS references, IT security concept, penetration test reports not older than 12 months.
4. Service and SLA: 15 percent. Response time below 4 hours, replacement unit provision within 48 hours, maintenance intervals, German-language hotline.
5. References: 5 percent. At least three DACH installations with runtime above 12 months, of which one in a comparable KRITIS sector.

The total equals 100 percent. Each bidder receives 0 to 100 points per criterion, multiplied by the weight. The winner is the highest weighted score, provided all K.O. criteria are met.

This matrix can be copied directly into the in-house specification. Whoever adjusts the weighting should not lower technical performance below 30 percent. Otherwise the cheapest bidder with the weakest detection wins.

Commercial Clauses: RaaS versus CapEx Model

The central economic lever in the RaaS contract model is the shift from CapEx to OpEx. Specification requirement: monthly RaaS rate between EUR 3,200 and EUR 3,800 per unit, no upfront investment, hardware remains the property of the provider.

As a comparison template, a TCO calculation against a 24/7 guard post belongs in the document. A continuously staffed post costs between EUR 15,000 and EUR 25,000 per month in the DACH region. The exact value depends on collective wage agreement, surcharges, and staffing availability. The BDSW documents hourly rates and personnel shortages in the guarding sector as a structural challenge. The gap to the RaaS model is quantifiable.

Contract term 24 months minimum, renewal option with 90 days notice. Shorter terms below 18 months trigger surcharges of 15 to 25 percent on the monthly rate. Longer terms above 36 months are only acceptable with an indexation cap.

Price adjustment clause coupled at most to the consumer price index, capped at 3 percent annually. Open indexation without a cap is a veto criterion. Lead time guarantee: commissioning within 48 hours after contract signing with a contractual penalty of 0.5 percent of the monthly rate per day of delay, capped at one monthly rate.

For the TCO logic: guard service versus robotics TCO comparison delivers the full table.

Service Level Agreement: Availability and Response

The SLA is not an annex but a contractual component. Minimum availability 98 percent on monthly average, measured via the provider's telemetry with monthly reporting. Whoever insists on 99.5 percent risks a corresponding surcharge on the monthly rate. 98 percent is the economic sweet spot.

Response time on failure: 4 hours remote diagnosis, 24 hours on-site service in DACH. Replacement unit within 48 hours for non-repairable defects, no additional cost. Without this clause, the operator is stranded on every hardware defect.

Escalation path in three stages with named contacts: Level 1 support hotline, Level 2 technical account manager, Level 3 executive management. 24/7 hotline in German. English-language offshore support is not sufficient for KRITIS audits.

Quarterly performance reviews with documented KPIs to the security manager. Template for the KPIs: availability, false alarm rate, detection rate, incidents, maintenance interventions, software updates. Whoever does not deliver quarterly reviews loses points in the service criterion.

Typical Tender Errors and Their Consequences

Five recurring errors in the guard service tender that lead to non-comparable results:

Mixing guard service and robotics. Whoever evaluates guard posts and robotics in a single tender receives non-comparable offers. The cost structure, scope of work, and contract logic differ. Separate them or tender as two lots.

Missing definition of false alarm rate. Without a hard limit (below 2 percent per 24 hours), bidders promise arbitrary figures without measurement methodology. In operation, they then produce 15 to 30 false alarms per shift, blocking the control room.

Insufficient compliance specification. Whoever fails to detail KRITIS requirements, NIS-2, and GDPR in the compliance annex risks renegotiations or contract breach at the first audit. The cost of remediation is usually borne by the operator.

No pilot phase. Signing investments above EUR 100,000 annual volume without a 60- to 90-day pilot is an avoidable project risk. The pilot is the only way to verify performance promises on the real site.

Missing exit clauses. Without documented exit conditions after 24 months, the operator is bound to a provider whose performance is not yet known. An exit clause with clear KPI thresholds and termination rights is mandatory.

Award Process: Timeline and Decision Body

A clean KRITIS perimeter procurement process runs in three phases over 4 to 5 months.

Phase 1 RFI: 14 days market scan. Longlist of 5 to 8 bidders, dispatch of an RFI with 8 to 10 questions on technology, references, compliance, and pricing model. Result: shortlist reduced to 4 to 5 bidders.

Phase 2 RFP: 21 days bid deadline. Dispatch of the full specification, commercial requirements, and compliance annex to the shortlist. Evaluation by the scoring matrix. Result: 3 bidders for the presentation, 2 for the pilot.

Phase 3 pilot: 60 to 90 days operational test. Two finalists in parallel on two sub-sections of the site. Daily reporting, weekly reviews, final evaluation against the same KPIs as in the SLA.

Decision body: procurement, security management, IT security, plant management, optionally the data protection officer. For KRITIS operators, additionally the KRITIS officer. Voting weight is defined in advance, otherwise the body blocks the decision.

Contract signing within 30 days after pilot end, otherwise the conditions lapse. This clause forces the body to decide and protects the bidder from endless renegotiations.

For pricing logic in the standard case: three-tier pricing structure. For the contract model: Robotics-as-a-Service model.

If you need an RFP template with scoring matrix, compliance annex, and pilot clauses in Word and Excel, request the corporate package via the contact form for corporate procurement. Delivery within 5 working days, language German, adaptable to the site in question.