Data sovereignty and cloud security for AI in public administration
The adoption of AI services by municipalities and public entities raises concrete questions: where do the data reside? what technical and contractual controls ensure confidentiality and traceability? how does all this fit with the ENS (RD 311/2022), the GDPR and the obligations of the EU AI Act? This text offers a practical roadmap for technical, legal and procurement teams.
Why sovereignty and security matter in public AI projects
- Municipal data typically combine administrative records, cadastral information and, sometimes, personal data. The GDPR requires clear legal bases and technical and organizational measures.
- The ENS (RD 311/2022) sets mandatory protection and certification requirements for systems that handle administrative information.
- The EU AI Act introduces obligations on risk management, technical documentation and transparency for high-risk AI systems, applicable to certain public uses.
- choices of provider and deployment model determine auditability, continuity and portability at contract end.
Deployment model and practical effects
- Public elastic SaaS (multi-tenant, global provider): easier to deploy but requires strong contractual controls over data residency, subcontracting and audits.
- Dedicated SaaS / private VPC in the cloud: better logical isolation and more options to meet ENS requirements; may involve higher costs.
- Private cloud or on-premises: maximum sovereignty and physical control; greater operational responsibility and cost.
Essential technical controls
Request proofs or proofs of concept for the following controls:
- Data residency and segregation
- Explicit guarantees on the geographic location of storage and backups.
- Logical segregation between clients (multi-tenant) or a dedicated deployment.
- Encryption
- Encryption in transit (TLS) and at rest (AES-256 or equivalent).
- Key management: possibility for the contracting authority to use its own KMS or use a certifiable HSM.
- Access management
- Federated authentication (SAML/OIDC), granular RBAC and logging of administrative access.
- Logging and traceability
- Immutable logs of access and system actions; minimum retention defined for audit purposes.
- Egress and exfiltration controls
- Policies preventing unauthorized outbound transfers; alerts for exfiltration.
- Security testing
- Recent penetration testing reports, disclosure of critical vulnerabilities and a remediation plan.
- Resilience and continuity
- Availability SLAs, backup/restore and recovery plans that align with ENS requirements.
Contractual clauses and procurement requirements (Law 9/2017)
Include concrete clauses in tender documents and contracts, aligned with Law 9/2017 on Public Sector Contracts:
- Clear definition of the data covered by the contract and responsibilities (processor vs. controller).
- Subprocessor appendix: initial list and a notification-and-approval mechanism.
- Rights to technical and legal audits on-site or via reports (for example, SOC 2, ISO 27001, ENS reports).
- Portability and reversion clauses: standard export format, post-termination retention period and obligation of certified destruction.
- Continuity and transfer conditions in case of provider change.
- Penalties for security breaches and mandatory breach notification (deadlines and format).
- Guarantees on data location and prohibition of unauthorized transfers outside the EU without appropriate safeguards.
Evidence and verifications to request before signing
- Certifications and audits: ISO 27001, ENS or evidence of compliance with RD 311/2022; recent independent reports.
- Results of penetration tests and remediation plan.
- Privacy policy and DPA (Data Processing Agreement) aligned with the GDPR.
- Technical documentation required by the EU AI Act (if applicable): risk assessment, technical model documentation, human oversight mechanisms, and incident management plan.
Internal operations that must accompany procurement
- Carry out a Data Protection Impact Assessment (DPIA) before deployment if there are sensitive personal data or large-scale processing.
- Include in the system inventory the relationship between data, AI services and providers.
- Establish clear roles: controller, processor, Data Protection Officer and continuity manager.
- Training plan for teams on access, classification and responsible use of AI models.
- Exit testing: data export exercises and validation of reintegration into local systems.
Quick practical case (steps in a tender)
- Define the data scope and sovereignty criteria in the tender documents.
- Require a DPA and a list of subprocessors as part of the solvency requirements.
- Request technical evidence (pentest, ENS/ISO audit) during the bid phase.
- Include concrete SLAs, audit rights and portability clauses.
- Perform a DPIA and technical validation in a pilot.
Takeaway / Recommended action
Before contracting any AI service, prepare a minimum checklist that covers: data residency, key management (KMS/HSM), audit rights, portability clauses and evidence of ENS and GDPR compliance. Use that checklist as a pass/fail criterion when evaluating bids.
OptimTech has worked with municipalities to integrate these controls into tender documents and secure deployments; if needed, you can use the checklist above as a basis for your procurement.
Related articles
AI in Municipal Emergency Management: A Practical Guide for Municipalities
How to apply AI to prevention, response, and recovery for local emergencies, with practical security and compliance requirements.
AI to Boost SME Participation in Public Procurement
How to use AI to reduce barriers and improve SME participation in public procurement processes, while ensuring regulatory compliance.
Federated Learning Between Municipalities: Collaborating on AI Without Moving Personal Data
A practical guide for municipalities to share models, not data: technical, legal and operational requirements.