Saltar al contenido principal
Back to blog
SecurityData sovereigntyPublic procurement

Data sovereignty and cloud security for AI in public administration

June 25, 20264 min readOptimTech
Share:

The adoption of AI services by municipalities and public entities raises concrete questions: where do the data reside? what technical and contractual controls ensure confidentiality and traceability? how does all this fit with the ENS (RD 311/2022), the GDPR and the obligations of the EU AI Act? This text offers a practical roadmap for technical, legal and procurement teams.

Why sovereignty and security matter in public AI projects

  • Municipal data typically combine administrative records, cadastral information and, sometimes, personal data. The GDPR requires clear legal bases and technical and organizational measures.
  • The ENS (RD 311/2022) sets mandatory protection and certification requirements for systems that handle administrative information.
  • The EU AI Act introduces obligations on risk management, technical documentation and transparency for high-risk AI systems, applicable to certain public uses.
  • choices of provider and deployment model determine auditability, continuity and portability at contract end.

Deployment model and practical effects

  • Public elastic SaaS (multi-tenant, global provider): easier to deploy but requires strong contractual controls over data residency, subcontracting and audits.
  • Dedicated SaaS / private VPC in the cloud: better logical isolation and more options to meet ENS requirements; may involve higher costs.
  • Private cloud or on-premises: maximum sovereignty and physical control; greater operational responsibility and cost.

Essential technical controls

Request proofs or proofs of concept for the following controls:

  • Data residency and segregation
    • Explicit guarantees on the geographic location of storage and backups.
    • Logical segregation between clients (multi-tenant) or a dedicated deployment.
  • Encryption
    • Encryption in transit (TLS) and at rest (AES-256 or equivalent).
    • Key management: possibility for the contracting authority to use its own KMS or use a certifiable HSM.
  • Access management
    • Federated authentication (SAML/OIDC), granular RBAC and logging of administrative access.
  • Logging and traceability
    • Immutable logs of access and system actions; minimum retention defined for audit purposes.
  • Egress and exfiltration controls
    • Policies preventing unauthorized outbound transfers; alerts for exfiltration.
  • Security testing
    • Recent penetration testing reports, disclosure of critical vulnerabilities and a remediation plan.
  • Resilience and continuity
    • Availability SLAs, backup/restore and recovery plans that align with ENS requirements.

Contractual clauses and procurement requirements (Law 9/2017)

Include concrete clauses in tender documents and contracts, aligned with Law 9/2017 on Public Sector Contracts:

  • Clear definition of the data covered by the contract and responsibilities (processor vs. controller).
  • Subprocessor appendix: initial list and a notification-and-approval mechanism.
  • Rights to technical and legal audits on-site or via reports (for example, SOC 2, ISO 27001, ENS reports).
  • Portability and reversion clauses: standard export format, post-termination retention period and obligation of certified destruction.
  • Continuity and transfer conditions in case of provider change.
  • Penalties for security breaches and mandatory breach notification (deadlines and format).
  • Guarantees on data location and prohibition of unauthorized transfers outside the EU without appropriate safeguards.

Evidence and verifications to request before signing

  • Certifications and audits: ISO 27001, ENS or evidence of compliance with RD 311/2022; recent independent reports.
  • Results of penetration tests and remediation plan.
  • Privacy policy and DPA (Data Processing Agreement) aligned with the GDPR.
  • Technical documentation required by the EU AI Act (if applicable): risk assessment, technical model documentation, human oversight mechanisms, and incident management plan.

Internal operations that must accompany procurement

  • Carry out a Data Protection Impact Assessment (DPIA) before deployment if there are sensitive personal data or large-scale processing.
  • Include in the system inventory the relationship between data, AI services and providers.
  • Establish clear roles: controller, processor, Data Protection Officer and continuity manager.
  • Training plan for teams on access, classification and responsible use of AI models.
  • Exit testing: data export exercises and validation of reintegration into local systems.

Quick practical case (steps in a tender)

  1. Define the data scope and sovereignty criteria in the tender documents.
  2. Require a DPA and a list of subprocessors as part of the solvency requirements.
  3. Request technical evidence (pentest, ENS/ISO audit) during the bid phase.
  4. Include concrete SLAs, audit rights and portability clauses.
  5. Perform a DPIA and technical validation in a pilot.

Takeaway / Recommended action

Before contracting any AI service, prepare a minimum checklist that covers: data residency, key management (KMS/HSM), audit rights, portability clauses and evidence of ENS and GDPR compliance. Use that checklist as a pass/fail criterion when evaluating bids.

OptimTech has worked with municipalities to integrate these controls into tender documents and secure deployments; if needed, you can use the checklist above as a basis for your procurement.