AI & Legality 21 April 2026 · 9 min read

Is It Legal to Use AI to Draft Public Procurement Documents?

It is the question procurement officers ask most before trying any new tool: "What if the auditor raises an objection because the specification was drafted by an AI?" The short answer is yes, it is legal. But the full answer requires understanding what the regulations say, who bears responsibility, and why using ChatGPT is not the same as using a tool specialised in public procurement.

In this article

  1. 1. Does the LCSP prohibit using AI to draft specifications?
  2. 2. Who bears legal responsibility for the specification
  3. 3. The EU AI Act and public procurement
  4. 4. Generic AI vs. specialised AI: key differences
  5. 5. Data security and GDPR: the real concern
  6. 6. ENS: what public bodies must demand from their digital tools
  7. 7. How to use AI correctly in public procurement
  8. 8. Frequently asked questions

1. Does the LCSP prohibit using AI to draft specifications?

No. Law 9/2017 on Public Sector Contracts (LCSP) contains no restriction on the tools a procurement officer may use to prepare contractual documentation. What the law regulates is the content, structure and legal requirements of the final document — not the drafting process.

Using an AI tool to draft a Technical Specification or Justificatory Report is legally equivalent to using a Word template, a document model database, or a previous specification as a reference. The law does not require the officer to write the document by hand from scratch: it requires the document to meet legal requirements and for the competent person to validate and sign it.

Core principle: The LCSP regulates what a specification must contain and who approves it. It does not regulate how it is drafted. The use of drafting support tools, including AI, is a technical decision of the organisation.

This interpretation is consistent with Spain's public sector digitalisation strategy (España Digital 2026) and with the guidance of the State Secretariat for Digitalisation and Artificial Intelligence, which actively promotes the use of AI in public administration.

2. Who bears legal responsibility for the specification

This is the real question underlying the legality debate: if a specification generated with AI contains an error and leads to an appeal or nullification, whose fault is it?

The answer is clear and has not changed with the arrival of AI: responsibility always rests with the natural person who signs the document. The procurement officer who signs the Technical Specification, the Justificatory Report or the Administrative Clauses is responsible for its content, regardless of what tools were used to draft it.

Responsibility chain in AI-assisted drafting

AI generates

A draft based on the information provided, the regulations and the documentary history. It has no legal responsibility.

Officer validates

Reviews the content, corrects as needed and verifies compliance with LCSP requirements. This is where professional responsibility arises.

Officer signs

By subscribing the document, assumes full legal responsibility for its content — as if they had drafted it manually.

Body approves

The Mayor or competent body approves the dossier. This approval does not relieve the officer of technical responsibility for the specification content.

The use of AI therefore creates no new liability regime nor exempts the officer from any existing obligation. What it does change is the focus of the work: instead of spending hours drafting, the officer spends their time reviewing, validating and improving — higher quality work with lower risk.

3. The EU AI Act and public procurement

Regulation (EU) 2024/1689 on Artificial Intelligence (AI Act), in force since August 2024, classifies AI systems by risk levels. AI tools for drafting administrative documents such as procurement specifications fall outside the high-risk categories defined in Annex III of the Regulation.

High-risk AI systems in the public sector are those used to make decisions about people (access to public services, credit assessment, immigration control, etc.). A system that assists in the drafting of technical documents reviewed by humans before publication does not fall into that category.

Practical conclusion: AI tools for assisting in the drafting of procurement specifications are classified as limited or minimal risk systems under the EU AI Act, provided they include transparency about AI use and maintain the human in the role of final decision-maker (human oversight principle, art. 9 AI Act).

4. Generic AI vs. specialised AI: differences that matter

Not all AI is equal when it comes to public procurement documentation. This distinction has the most impact on result quality and on the review time the officer needs to spend.

Aspect ChatGPT / Generic Copilot LicitadIA (specialised)
Regulatory knowledge Generic, can become outdated LCSP 9/2017 + complementary regulations integrated
Organisation history Not available RAG system: learns from your historical specifications
Institutional terminology Generic Replicated from the organisation itself
Automatic validation None Detects brands, subjective criteria, inconsistencies
Data in Europe US servers (variable by plan) European cloud, GDPR compliant
Technical review time High — requires thorough review Low — draft already adjusted to standards

The problem with generic tools is not that they are illegal: it is that they generate drafts that sound good but require technical review almost as deep as drafting from scratch. They may reference articles from repealed laws, use terminology that does not match the organisation, or generate award criteria that a specialist in procurement law would immediately advise against.

A specialised AI like LicitadIA starts from an updated regulatory knowledge base and, above all, learns from the organisation's own documentary history. The result is a draft that already incorporates the clauses the auditor recognises, the timelines the organisation typically uses, and the terminology the Administrative Tribunal expects. The officer's review becomes a quick validation, not a rewrite.

5. Data security and GDPR: the real concern

The concern that "council data might go to American servers" is not irrational. It is a legally grounded worry. Procurement specifications can contain personal data (names of contract managers, employee data, infrastructure information) and their processing is subject to Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on Personal Data Protection (LOPDGDD).

What to demand from an AI tool for public procurement

European cloud hosting

The servers where data is processed and stored must be in the EEA. The provider must be able to document this.

Data Processing Agreement (DPA)

The provider acts as a data processor. A DPA compliant with art. 28 GDPR must exist, delimiting responsibilities.

No data use for retraining

The provider must not use the organisation's documents to train or improve its general models. Organisational data belongs exclusively to the organisation.

Retention and deletion policy

The provider must specify how long data is retained and how deletion is handled when the contract ends.

6. ENS: what public bodies must demand from their digital tools

The National Security Framework (ENS), regulated by Royal Decree 311/2022, sets the security requirements that public administration information systems and their supporting providers must meet. For digital tools that process administrative documentation, ENS certification is increasingly an explicit requirement in public ICT procurement specifications.

  • Be oriented towards ENS certification at medium or high level
  • Document the technical and organisational security measures implemented
  • Offer audit logs of accesses and operations performed
  • Implement role-based access control
  • Guarantee service availability with documented SLAs

LicitadIA has been designed from the outset with these requirements in mind: European cloud hosting, data architecture that guarantees isolation between organisations, and an ENS certification roadmap that is part of the product's strategic plan. You can find technical and security details on the features page.

7. How to use AI correctly in public procurement

Correct use of AI in public procurement is not a regulatory question but a methodological one. These are the best practices to follow:

01

AI generates, officer decides

The AI-generated draft is always the starting point, never the final document. The officer must actively review each section, not simply approve without reading.

02

Document the process

If the organisation adopts AI tools for procurement, it is advisable to have an internal procedure describing how they are used. This protects the officer and gives the process transparency.

03

Do not delegate regulatory decisions

AI can propose a regulatory solution (e.g. the appropriate procedure for a contract), but the final decision on interpretation of the rule belongs to the officer or legal adviser.

04

Use tools with integrated validation

A tool that not only generates but also validates the result against regulations dramatically reduces the risk of errors the officer might miss in review.

05

Verify regulatory references

Always confirm that the articles cited in the specification are from current legislation. It is the easiest error to detect and the one that most damages the document's credibility.

To see how LicitadIA implements these practices in its step-by-step workflow, visit the how it works page. And if you want to resolve your specific questions about use in your organisation before committing to anything, the most direct route is to request a free demo where you can see the system with real data.

Frequently asked questions

Is it legal to use artificial intelligence to draft public procurement specifications in Spain?

Yes, it is legal. LCSP 9/2017 contains no restriction on the tools a procurement officer may use to prepare contractual documents. What the law requires is that the final document meets its content requirements and that the competent person validates and signs it. Using AI to draft the initial version is legally equivalent to using a Word template or a previous specification as a reference. Legal responsibility for the specification always rests with whoever signs it.

What is the difference between using ChatGPT and a specialised AI like LicitadIA to draft specifications?

ChatGPT and generic AI tools generate plausible text but without real knowledge of Spanish public procurement law or your organisation's documentary history. Their drafts may include incorrect regulatory references, generic terminology that doesn't match the organisation, and award criteria that a specialist would immediately advise against. LicitadIA is built on the LCSP and complementary regulations, uses RAG to learn from the organisation's real documents, and automatically validates the draft before presenting it to the officer.

Will my data go to American servers if I use AI to draft specifications?

It depends on the tool. Generic solutions (ChatGPT, Microsoft 365 Copilot) may process data on servers outside the EEA, which can be problematic under GDPR if specifications contain personal data. LicitadIA hosts all data in European cloud, operates under a Data Processing Agreement (DPA) compliant with article 28 GDPR, and guarantees that organisational documents are never used to retrain general models. All these commitments are set out in our Privacy Policy and service contract.

The answer to your questions isn't on Google. It's in a real demo.

Show LicitadIA one of your real contracts. In 30 minutes you'll see exactly how it generates the draft, what it validates automatically, and what decisions remain yours. No commitment required.

Request free demo