CIPC Compliance Software: The Complete South African Guide (2026)
Everything South African businesses need to know about CIPC compliance software — annual returns, B-BBEE tracking, SARS deadlines, POPIA obligations, and how to stop missing critical filing dates.
CIPC Compliance Software: The Complete South African Guide (2026)
The R5,000 Fine That Can Kill Your Business
In the 2024/25 financial year, the Companies and Intellectual Properties Commission (CIPC) deregistered over 47,000 companies for failing to file annual returns. Not because these businesses were failing — many were profitable, operating, employing people — but because someone forgot a deadline.
The immediate penalty for a late annual return is modest: R100 per month for every month past due, capped at R1,200. That sounds manageable. But what happens next is not.
A company that fails to file for two consecutive years gets flagged for deregistration. Once deregistered, your business cannot open bank accounts, sign contracts, bid on tenders, or legally trade. Restoring a deregistered company costs between R3,000 and R5,000 in CIPC fees alone — and that excludes the accounting and legal fees to sort out the mess, which routinely exceed R15,000. One Johannesburg logistics company reported losing a R2.3 million contract because their compliance lapse showed up on a client''s due diligence check.
And annual returns are only the beginning. South African businesses must comply with CIPC, SARS, the B-BBEE Commission, and the Information Regulator — each with their own deadlines, their own penalties, and their own portals. Miss enough of them and the cumulative damage can genuinely threaten your company''s survival.
This guide covers exactly what compliance obligations you face, what the real deadlines and penalties are, why manual tracking fails, and what to look for in CIPC compliance software that actually keeps you covered.
What CIPC Compliance Actually Requires
The Companies and Intellectual Properties Commission administers the Companies Act 71 of 2008 — the primary legislation governing company registration, reporting, and governance in South Africa. Here is what CIPC expects from your business every year.
Annual Returns (Section 33 of the Companies Act)
Every registered company and close corporation must file an annual return with CIPC. The filing window opens on the first business day of the anniversary month of your company''s registration.
Key details:
- Filing window: Your company''s registration anniversary month, annually
- Fee: R100 for close corporations; R450 for private companies; R4,000+ for public companies (2026 fee schedule)
- Late penalty: R100 per month overdue
- Consequence of non-filing: Deregistration proceedings begin after two consecutive missed filings
- Where to file: CIPC e-Services portal (eservices.cipc.co.za)
The annual return itself is straightforward — it confirms your company''s registered details, directors, and financial year-end. The problem is never the form. It is remembering to file it.
Beneficial Ownership Register (Regulation 32A)
Since April 2023, all companies must file and maintain a beneficial ownership register with CIPC. This register must disclose every natural person who:
- Holds 5% or more of the company''s shares or voting rights
- Has the right to appoint or remove directors
- Exercises significant influence or control over the company
Key details:
- Initial filing: Required at registration or within the prescribed period
- Updates: Must be filed within 10 business days of any change in beneficial ownership
- Penalty for non-compliance: Up to R10 million or 10% of turnover under the General Laws Amendment Act
This is the obligation most companies are currently getting wrong. The register must be filed electronically through the CIPC BOR portal, and changes must be reported promptly — not at year-end.
Director Changes (Section 70)
Any change to your company''s directors — appointment, resignation, or removal — must be filed with CIPC within 10 business days using the CoR39 form.
Late filing does not carry a direct fine, but an outdated directors'' register creates serious problems during BEE verification, bank account changes, and company secretarial audits.
Registered Address and Name Changes
Changes to your company''s registered address (CoR21 form) or company name (CoR9.1 form) must be filed with CIPC and carry processing fees. An outdated registered address means CIPC correspondence — including deregistration notices — goes to the wrong place. Many companies only discover they have been flagged for deregistration months after the fact.
B-BBEE Certificate Management
Broad-Based Black Economic Empowerment is governed by the B-BBEE Act 53 of 2003 (amended 2013) and its associated Codes of Good Practice. While B-BBEE is technically voluntary, it is practically mandatory for any business that wants to work with government, state-owned enterprises, or large corporates.
What You Need to Track
B-BBEE certificates expire after 12 months. There is no renewal — you must undergo a full verification or affidavit process each year.
- EMEs (Exempt Micro Enterprises, turnover under R10 million): File a sworn affidavit with a Commissioner of Oaths. Valid for 12 months from the date of the affidavit.
- QSEs (Qualifying Small Enterprises, R10M–R50M turnover): Can use an affidavit or a full BEE verification through a SANAS-accredited verification agency. A full scorecard is advisable if you tender for government work.
- Generic enterprises (turnover above R50M): Must undergo a full BEE verification by a SANAS-accredited agency. Valid for 12 months.
Why This Matters
An expired B-BBEE certificate is treated the same as having no certificate — you score Level 8 (or "non-compliant") in any tender evaluation or enterprise assessment. If your certificate lapses by even one day during a tender evaluation period, you lose points. Some procurement departments automatically disqualify suppliers with expired certificates.
The gap trap: Verification agencies typically need 4–6 weeks to complete a BEE assessment. If you start the process when your certificate expires, you face a 4–6 week gap where you are effectively non-compliant. Compliance software should alert you 60–90 days before expiry, not on the day.
SARS Filing Deadlines You Cannot Afford to Miss
The South African Revenue Service operates on a strict calendar. Unlike CIPC, SARS penalties escalate quickly and carry criminal liability for directors in cases of wilful non-compliance.
Provisional Tax (Income Tax Act, Section 89A)
Companies registered for provisional tax must file twice a year, with an optional third payment:
| Payment | Due Date | What It Covers |
|---|---|---|
| First provisional (IRP6) | 6 months after financial year start | Estimate of taxable income for the full year |
| Second provisional (IRP6) | On or before financial year-end | Updated estimate based on actual performance |
| Third provisional (voluntary "top-up") | 7 months after financial year-end | Final adjustment to avoid underestimation penalties |
For companies with a February year-end (the most common in South Africa), this means:
- First provisional: Due by 31 August
- Second provisional: Due by 28/29 February
- Third provisional (top-up): Due by 30 September
Penalty for late payment: 10% of the outstanding amount, plus SARS interest (currently the repo rate plus 4.25%).
Penalty for underestimation: If your estimate is less than 80% of actual taxable income, SARS imposes a 20% underestimation penalty on the shortfall.
VAT Returns (Value-Added Tax Act 89 of 1991)
- Monthly filers (turnover above R30 million): Due by the 25th of the month following the tax period
- Bi-monthly filers (most businesses): Due by the 25th of the month following the two-month tax period
- Late filing penalty: R250 per month for turnover up to R250,000; scales up to R16,000 per month for turnover above R50 million
- Late payment penalty: 10% of unpaid VAT
PAYE, SDL, and UIF (Monthly)
Employers must file and pay EMP201 returns monthly by the 7th of the following month. The annual EMP501 reconciliation is due bi-annually (October and April submission windows).
The penalty stack: A single missed EMP201 triggers a 10% late payment penalty, plus 1% per month interest, plus a potential 10% additional penalty under the Tax Administration Act. For a mid-sized manufacturer with a monthly PAYE bill of R400,000, one missed filing can cost over R50,000 in penalties.
POPIA: The Compliance Obligation Everyone Is Underestimating
The Protection of Personal Information Act 4 of 2013 (POPIA) has been fully enforceable since 1 July 2021. Despite this, a significant number of South African businesses have not appointed an Information Officer, registered with the Information Regulator, or implemented adequate data protection measures.
What POPIA Requires
- Registration of an Information Officer with the Information Regulator (mandatory for all private bodies)
- A PAIA manual (Section 51 manual under the Promotion of Access to Information Act, updated to include POPIA requirements)
- Data processing records documenting what personal information you collect, why, and how it is protected
- Breach notification procedures — the Information Regulator must be notified "as soon as reasonably possible" after a data breach
- Consent management for all direct marketing communications
POPIA Penalties
The Information Regulator can impose fines of up to R10 million and/or imprisonment of up to 10 years for serious offences. In practice, the Regulator has been issuing enforcement notices and conducting investigations with increasing frequency since 2024. The Department of Justice has confirmed that POPIA enforcement is a priority through 2026 and beyond.
What This Means for Compliance Software
Any system that stores customer data, employee records, or supplier information must account for POPIA. Your compliance tracking should include:
- Information Officer registration status and renewal
- PAIA manual review dates
- Data retention policy compliance
- Breach notification procedures and timelines
- Records of consent for marketing activities
Why Spreadsheets Fail at Compliance Tracking
Most South African businesses start with a spreadsheet. A well-intentioned operations manager creates an Excel file with tabs for CIPC, SARS, B-BBEE, and POPIA deadlines. For the first three months, it works beautifully.
Then reality sets in.
The Five Ways Spreadsheets Kill Your Compliance
1. Nobody owns the spreadsheet. The person who created it goes on leave. When they return, the spreadsheet has not been updated. Two CIPC filing reminders were missed.
2. Spreadsheets do not send reminders. A cell formatted in red is not a notification. It requires someone to open the file, navigate to the correct tab, and notice the colour. In a busy operations environment, this does not happen consistently.
3. Version control is non-existent. Three people have copies. One is on a shared drive. One is on someone''s desktop. The most current version is on a laptop that went for repairs. Which version has the correct B-BBEE expiry date?
4. Multi-entity tracking is a nightmare. If your group has four companies across two provinces, each with different registration dates, different financial year-ends, and different BEE levels, a single spreadsheet becomes incomprehensible. A group with 10+ entities — common in South African holding structures — faces a genuinely unmanageable matrix.
5. There is no audit trail. When your auditors ask "who confirmed the annual return was filed, and when?", a spreadsheet cannot answer. CIPC compliance software with proper logging can.
The Comparison
| Capability | Spreadsheet | Compliance Software |
|---|---|---|
| Automatic deadline reminders | No — requires manual checking | Yes — email/SMS alerts at 90, 60, 30, 7 days |
| Multi-entity tracking | Unwieldy past 3 entities | Designed for group structures |
| B-BBEE expiry warnings | Manual cell formatting | Automatic alerts with lead time |
| SARS deadline calendar | Static — must update annually | Dynamic — adjusts for weekends, public holidays |
| Audit trail | None | Full history of who filed what and when |
| Document storage | Links to folders (if maintained) | Centralised, attached to each obligation |
| POPIA compliance records | Separate system (if any) | Integrated module |
| Mobile access | Limited (Excel mobile is painful) | Full web/mobile access |
| Cost of missed deadline | No warning until it is too late | Escalating alerts prevent misses |
| Reporting for directors | Manual compilation | One-click compliance dashboard |
What to Look for in CIPC Compliance Software
Not all compliance tools are built for the South African regulatory environment. Many international solutions cover GDPR and SEC filings but have no concept of B-BBEE, CIPC annual returns, or the South African provisional tax calendar.
Here is what a South African compliance platform must include:
Essential Features (Non-Negotiable)
- [ ] CIPC annual return tracking with company-specific anniversary dates
- [ ] Beneficial ownership register management and change alerts
- [ ] B-BBEE certificate tracking with 60–90 day pre-expiry warnings
- [ ] SARS filing calendar covering provisional tax, VAT, PAYE/SDL/UIF, and annual IT14 returns
- [ ] Multi-entity support — group holding structures with multiple subsidiaries
- [ ] Automated reminders via email and/or SMS — not just dashboard indicators
- [ ] Document storage — attach filed returns, certificates, and receipts to each obligation
- [ ] Audit trail — timestamped record of filings, confirmations, and responsible persons
- [ ] POPIA compliance module — Information Officer registration, PAIA manual tracking, breach logging
Important Features (Strongly Recommended)
- [ ] Director register synchronised with CIPC filings
- [ ] Custom obligations — add industry-specific licences (liquor, NRCS, CIDB, health certificates)
- [ ] Delegation and assignment — assign obligations to responsible team members
- [ ] Dashboard reporting — group-wide compliance status for board packs and management meetings
- [ ] Calendar integration — sync deadlines to Outlook, Google Calendar, or Teams
- [ ] Multi-country support — for South African businesses with operations in other African markets
Red Flags to Avoid
- Software that only tracks one regulator (e.g., CIPC but not SARS or B-BBEE)
- Systems built for US/EU markets with a "South Africa" checkbox bolted on
- Platforms with no reminder functionality — a dashboard you must log into is not a solution
- Tools that charge per filing instead of per entity — costs spiral for groups with many obligations
How ComplyGear Tracks All of This Automatically
ComplyGear is purpose-built for South African compliance. It was designed from the ground up around the CIPC, SARS, B-BBEE, and POPIA obligations that South African businesses actually face — not adapted from a foreign template.
What ComplyGear Does
Unified compliance calendar. Every obligation — CIPC annual returns, B-BBEE certificate expiry, SARS provisional tax, VAT returns, PAYE submissions, POPIA reviews — lives in a single calendar. Each deadline is linked to the specific company entity it applies to.
Smart reminders that escalate. ComplyGear sends reminders at 90 days, 60 days, 30 days, 14 days, and 7 days before each deadline. If the obligation is not marked as complete, reminders escalate to the next responsible person in the chain. No more relying on one person to remember.
Group-wide dashboard. If your group has three companies, twelve obligations each, you are managing 36 deadlines per year minimum. ComplyGear shows a single dashboard with red/amber/green status across every entity — the kind of view a group CFO or company secretary actually needs.
Document vault. Every filed return, every B-BBEE certificate, every SARS confirmation letter is stored against the relevant obligation. When your auditors ask for proof of filing, it is one click away.
Built for South African group structures. Holding companies, subsidiaries, dormant entities, close corporations — ComplyGear handles the structures South African businesses actually use, including different financial year-ends within the same group.
ComplyGear does not replace your accountant or company secretary. It makes sure they never miss a deadline, and it gives directors the oversight they are legally required to maintain under Section 76 of the Companies Act.
See how ComplyGear tracks all of this automatically → comply.grimmgear.com
Frequently Asked Questions
What happens if my company is deregistered by CIPC?
A deregistered company loses its legal personality. It cannot trade, enter into contracts, maintain bank accounts, or institute legal proceedings. Directors may face personal liability for obligations incurred while the company was deregistered. Restoration requires an application to CIPC (Form CoR40.5) with a fee of R475, plus proof of filing all outstanding annual returns, plus updated beneficial ownership declarations. The practical cost — including professional fees — typically ranges from R10,000 to R25,000.
How often must I file a CIPC annual return?
Every registered company and close corporation must file an annual return once per year, during the anniversary month of its registration with CIPC. The exact registration date determines your filing window. You can check your company''s registration date and filing status on the CIPC e-Services portal.
Is B-BBEE compliance legally mandatory?
Strictly speaking, B-BBEE is voluntary for private-sector companies in their private capacity. However, it is effectively mandatory for any business that supplies goods or services to government, organs of state, public entities, or large corporates with procurement policies requiring BEE compliance. Without a valid B-BBEE certificate, you score as "non-compliant" in tender evaluations, which typically means automatic disqualification. The Broad-Based Black Economic Empowerment Act 53 of 2003 (as amended) sets out the framework, while the Codes of Good Practice (gazetted under Section 9) define scoring and verification requirements.
What are the POPIA fines for non-compliance?
The Protection of Personal Information Act provides for administrative fines of up to R10 million and criminal penalties of up to 10 years'' imprisonment for the most serious offences (Sections 100–106 of the Act). In practice, the Information Regulator has focused on enforcement notices, compliance orders, and publicised investigations. Even without a fine, an enforcement notice requires immediate remedial action and can involve significant legal and operational costs. The reputational damage of a publicised POPIA investigation can be equally damaging.
Can I use one system to track CIPC, SARS, B-BBEE, and POPIA compliance?
Yes — and you should. Using separate systems (or spreadsheets) for each regulator creates gaps where deadlines are missed. An integrated CIPC compliance software platform that covers all four regulatory bodies gives you a single source of truth and a unified reminder system. This is especially important for group structures where the same director may be responsible for obligations across multiple entities and regulators.
How far in advance should I start my B-BBEE verification?
Start at least 90 days before your current certificate expires. Verification agencies typically need 4–6 weeks to complete the assessment, and you will need time to gather supporting documentation (payroll records, procurement spend, skills development evidence). If you start on the expiry date, you face a minimum 4-week gap with no valid certificate — during which you are scored as non-compliant for any tender or procurement evaluation.
What is the penalty for underestimating provisional tax?
Under Section 89quat of the Income Tax Act, if your provisional tax estimate is less than 80% of your actual taxable income (for the second provisional payment) or less than 90% (for the third top-up payment), SARS imposes a 20% underestimation penalty on the shortfall. This is in addition to the standard 10% late payment penalty and SARS interest. For a company with R5 million in taxable income that underestimated by 30%, the penalty can exceed R200,000.
Stop Tracking Compliance in Your Head
South African regulatory compliance is not a single obligation — it is a web of interconnected deadlines across CIPC, SARS, B-BBEE, and POPIA, each with their own penalties, their own portals, and their own consequences for non-compliance.
The businesses that stay compliant are not the ones with the best memories. They are the ones with systems that make it impossible to forget.
See how ComplyGear tracks all of this automatically → comply.grimmgear.com
This guide is for informational purposes and does not constitute legal or tax advice. Consult a qualified attorney, company secretary, or tax practitioner for advice specific to your business. Legislation references are current as of March 2026.