Automated Bid Evaluation: Designing Auditable and Compliant Criteria
Why converting award criteria into automatic scores is feasible — and risky
Automating bid evaluation can speed up processes, reduce errors and improve traceability. But in Spanish public procurement it must align with Law 9/2017 on Public Sector Contracts, the GDPR, the ENS (RD 311/2022) and the transparency and oversight obligations of the EU AI Act. The practical challenge is not just "using AI", but translating legal and technical criteria into auditable, defensible and explainable rules and metrics that can withstand challenges.
Below we propose a practical, step-by-step approach to design an automatic scoring system that can be integrated into a tender process while preserving legality, fairness and traceability.
1. Start from the law: document the legal criterion
- Review the award criteria approved in the tender specifications in accordance with Law 9/2017. Only criteria that are objectively measurable should be automated (price, deadlines, quantified experience).
- Identify non-automatable criteria (value judgments, innovation that’s hard to measure) and ensure they remain under human assessment.
- Document the legal basis and the exact weighting of each criterion in the procurement file so that automation is a technical transposition of what has already been published.
2. Translate criteria into verifiable indicators
Convert each criterion into indicators and verification rules:
- Example: "Team experience" (weight 20%)
- Indicators: number of similar projects in the last 5 years; average contract value; verified references.
- Rules: 0–5 projects = 0–10 points, 6–10 = 11–18, >10 = 19–20 (define thresholds and justification).
- Example: "Compliance with technical requirements" (weight 30%)
- Indicators: checklist of mandatory requirements (yes/no), conformity tests (documents, certificates).
Practical rule: each indicator must have a source of verification (document provided by the bidder, consultation with a public register, external verification). If the source contains personal data, the GDPR applies.
3. Normalize and explain weighting and aggregation
- Define the aggregation function (weighted sum, averages, penalties).
- Normalize scales to avoid design-induced bias (e.g., transform heterogeneous variables to 0–100 before weighting).
- Publish the formula in the procurement file to meet transparency requirements and facilitate appeals.
4. Ensure human oversight and the right to review
- Retain an evaluation committee with the authority to review and veto automatic scores.
- Establish a human "second read" process for bids whose automatic score is close to award thresholds or shows anomalies.
- Record human reasons and actions in the auditable procurement file.
5. Traceability, records and reproducibility
- Log all inputs: model/algorithm version, input data, timestamp, responsible person, version of the specifications applied.
- Keep verification evidence (document hashes, logs of registry queries).
- Design the system output as an "audit report" that explains scores by criterion and the rules applied — useful when facing appeals.
6. Security and technical compliance (ENS and GDPR)
- Classify the system according to ENS RD 311/2022 and apply security measures appropriate to its category (access management, encryption, continuity).
- For personal data processed in the evaluation (experience, CVs), document the legal basis (public interest in procurement), the processing activities, retention periods and minimization measures under the GDPR.
- Record transfers (if using cloud services) and verify data sovereignty and contractual safeguards.
7. EU AI Act risk assessment and transparency
- Analyze whether the system falls under the "high-risk" category under the EU AI Act (systems that affect decisions about legal entities/operators in public procurement may have obligations).
- Ensure documentation obligations: technical documentation, risk management and explanation of decisions. Register the AI system where required.
- Implement robustness and fairness tests — for example, verify that the system does not consistently penalize companies from a particular region due to data errors.
8. Procuring the vendor and SLAs
In the technical specifications require the vendor to provide:
- Access to logs and technical documentation (model cards, data sheets).
- SLAs for availability, integrity of logs and time-to-reproduce results.
- Technical audit rights for the administration or independent third parties.
9. Controlled pilot and acceptance metrics
- Run a pilot with real procurement files but without binding effect (shadow mode) for 2–3 procedures.
- Measure: human-automatic agreement, time saved, appeals incidents, cases requiring human review.
- Adjust thresholds and rules before activating the system in real awards.
Quick operational checklist (immediate actions)
- Review the specifications and select automatable criteria.
- Define indicators, sources and thresholds in writing.
- Implement traceability logging from the first run.
- Plan a shadow pilot + mandatory human review.
- Include contractual clauses on access to logs and audit rights.
Automated evaluation can be a useful tool to better manage resources and speed up processes. But its adoption must be technically and legally prudent: documented, auditable and supervised by humans. If you need support translating your award criteria into an auditable scoring matrix compliant with the ENS, GDPR and Law 9/2017, OptimGov Ready can provide a practical roadmap and templates adapted to your contracting authority.
Related articles
Predictive Maintenance for Municipal Infrastructure with AI
A practical guide to prioritizing interventions and meeting ENS, GDPR and public procurement requirements when implementing predictive maintenance.
AI Interoperability with Legacy Systems in Municipalities
Practical guide to integrating AI with legacy systems: data models, APIs, ENS and GDPR compliance.
Prompt Governance in Public Administration
Practical guide to managing language model prompts in the public sector: logging, auditing, risk and compliance.