AI Governance | Public Procurement

Build AI in-house or outsource: a practical guide for town councils

March 21, 2026 | 5 min read | OptimTech

Introduction

Town councils that want to use AI face a recurring decision: develop capabilities internally or rely on external providers. There is no single right answer. The choice depends on technical, legal and organizational factors — and on specific obligations such as the Public Sector Contracts Law (Law 9/2017), the GDPR, the ENS (Royal Decree 311/2022) and the EU AI Act. This guide provides a practical framework to decide and carry out the option that best fits your organization.

Models and key considerations

1. Build in-house capabilities

Pros:

  • Control over data, models and customizations.
  • Greater ability to meet transparency and explainability requirements.
  • Lower long-term dependence on vendors.

Cons:

  • Requires investment in staff (data engineers, MLOps, compliance).
  • Longer initial time to delivery.
  • Risk if not integrated with security (ENS) and data protection practices.

Legal/practical requirements:

  • Classification and protection according to the ENS.
  • GDPR Data Protection Impact Assessments (DPIAs) for processing personal data.
  • Prepare for obligations under the EU AI Act if the system is high-risk.

2. Buy (SaaS / vendors)

Pros:

  • Fast deployment and lower initial cost.
  • Access to advanced capabilities without hiring specialists.
  • Updates managed by the provider.

Cons:

  • Risk of vendor lock-in and limited auditability.
  • Need to ensure compliance with the ENS, the GDPR and contractual transparency requirements.
  • Less control over models and data.

Legal/practical requirements:

  • Tender specifications that require ENS compliance and security measures.
  • Clauses on processing, ownership and portability of data (GDPR).
  • Audit rights and access to technical documentation to comply with the EU AI Act.

3. Hybrid model (collaboration/partnership)

Pros:

  • Combines speed with knowledge transfer.
  • Enables phased pilots with progressively increasing control.
  • Facilitates co-developed projects with technology transfer clauses.

Cons:

  • Requires more sophisticated contract management.
  • Need to plan the transition of knowledge and responsibilities.

Quick decision matrix (indicative)

  • Small municipalities, limited IT capabilities, standard needs -> Buy SaaS with strict security and data clauses.
  • Mid-sized municipalities with sensitive data and control goals -> Hybrid: pilot with a vendor and train an internal team.
  • Large entities with scale and complex regulatory needs -> In-house or hybrid with heavy investment in talent and ENS.

Practical steps to execute the decision

1. Prioritize use cases

  • Select 2–3 cases with clear, measurable impact (e.g., duplicate request detection, document classification, incident prioritization).
  • Define success indicators and associated risks.

2. Legal and risk assessment

  • Conduct a DPIA (GDPR Data Protection Impact Assessment) and ENS risk analysis.
  • Determine whether the solution falls into any EU AI Act category (high-risk, etc.).

3. Design the operating model

  • If in-house: map required roles (product owner, data engineer, compliance officer, MLOps).
  • If buying: specify interoperability requirements, SLAs, business continuity plan and exit clauses.

4. Procurement: essential clauses

  • ENS compliance (Royal Decree 311/2022) and required security level.
  • Data processing responsibilities (GDPR): data controller/processor roles and subcontracting.
  • Data ownership and portability; standard export formats.
  • Technical audit rights and access to models/explanations.
  • Contingency plan and technology transfer provisions, if applicable.
  • Performance KPIs and penalties for breaches.

5. Pilot with exit criteria

  • Limited duration (3–6 months), measurable objectives, legal and technical checkpoints.
  • Assessment of real costs and staff experience.

6. Training and transfer

  • Training plan for operational and legal staff.
  • Accessible technical and operational documentation.
  • "Shadowing" sessions with providers in a hybrid model.

7. Ongoing governance

  • Register AI systems, and designate technical and legal responsible parties.
  • Monitor performance, bias and regulatory compliance.
  • Periodic reviews aligned with the EU AI Act and the ENS.

Public procurement considerations (Law 9/2017)

  • Prepare tender documents with verifiable technical and security criteria.
  • Avoid clauses that hinder future competition (exclusivity clauses).
  • Evaluate solutions for interoperability and open data when appropriate.
  • Include technology transfer criteria for hybrid models or co-developed projects.

Sample practical clauses (summary)

  • "The provider shall guarantee complete portability of data in open formats and interoperable standards upon contract termination."
  • "The contracting authority shall be granted the right to an annual technical audit and access to model training and testing records."
  • "The system shall comply with ENS requirements and provide technical documentation enabling risk assessments."

Conclusion and takeaway

The decision to build or outsource should be based on a clear assessment of data control, internal technical capacity, regulatory risk and time horizon. Practical recommendation: start with a pilot that has defined success criteria and contractual clauses that preserve control and portability. If you need an initial diagnosis combining technical, legal and governance aspects, a structured analysis (such as OptimGov Ready) helps identify the optimal model before tendering.

Immediate recommended action:

  • Define a pilot use case today and ask your legal and IT teams for a DPIA + ENS requirements checklist to include in the tender or contract before any trial.