Regulation April 14, 2026 7 min read

FEMP Publishes AI Guide for Municipalities: What It Means for Companies That Serve Them

The Spanish Federation of Municipalities and Provinces has published a guide for implementing AI in local government. If your company works with public administration, this affects you directly.

Carlos Salgado CEO & Co-founder · Delbion

In January 2026, the Spanish Federation of Municipalities and Provinces (FEMP) published a guide titled "Artificial Intelligence in Local Entities: Keys for Responsible, Legal and Effective Implementation." It is a 60-page document aimed at mayors, councillors and civil servants.

The relevant part is not just that it exists. It is what it implies for companies that work with public administration.

60 pages: the FEMP guide on AI in local government, covering governance, legal requirements and practical use cases.

What the FEMP guide says

The guide covers three main pillars. First, AI governance: who decides, who is accountable, how decision-making around artificial intelligence is structured within a municipality. Second, legal requirements: GDPR, EU AI Act, ENS. Third, practical use cases for local entities: citizen services, administrative processes, urban data analysis, municipal chatbots.

It is a serious guide, written with technical advisory input, reflecting a real movement: municipalities are preparing to use AI. They are doing so with the regulatory backing and structure the law requires.

Municipalities already using AI

This is already happening. Municipalities across Spain are using AI in production. The four most common use cases are:

  • Citizen services. Chatbots for census queries, taxes, appointments. Citizens ask a question and get an answer without waiting for office hours.
  • Urban data analysis. Traffic, waste, energy consumption. Patterns that previously required weeks of manual analysis are now detected in real time.
  • Infraction detection. Parking, noise, environment. Systems that identify violations and generate automatic alerts.
  • Internal process automation. Administrative workflows that previously required manual intervention and are now resolved with AI.

These are not prototypes. They are live services processing citizen data. That is the key distinction: when a municipality deploys AI, it is processing personal information of the people living in that area.

What it means for provider companies

If your company provides software, consulting services, IT maintenance or data management to municipalities, the FEMP guide is a signal: your clients are going to ask you for AI integration. And they will require that integration to be compliant.

Public procurement specifications are already starting to include AI and cybersecurity requirements. This is not something that will happen. It is something that is happening.

Companies that cannot demonstrate EU AI Act compliance, that do not hold ISO 27001 or ENS certification, that cannot guarantee secure handling of citizen data, will be excluded from tenders. Not because the municipality is being demanding, but because the law requires it.

The chain of accountability is clear: the municipality answers to the regulator, and the municipality demands guarantees from its providers. If you are the provider and do not have them, the municipality cannot hire you.

ENS and AI in public administration

The National Security Framework (ENS) is mandatory for all public administration in Spain. It is not optional. It is not a recommendation. It is the law.

If a municipality uses AI and processes citizen data through an external provider, that provider must comply with ENS. There are no shortcuts. Royal Decree 311/2022 is explicit: any system processing public administration information must comply with the corresponding security framework.

The FEMP guide specifically mentions the need to assess AI risks under ENS and the EU AI Act. That means having ENS for traditional systems is not enough. AI systems must also be evaluated, along with their specific risks and mitigation measures.

If your company works with public administration and does not have ENS, you are exposed. If you have it but have not evaluated your AI systems within scope, you are also exposed.

How to prepare if you work with government

Three concrete steps you can take right now:

1. Assess which services you provide to public administration

And whether they process citizen data. Build an inventory of active contracts, systems you manage and data you handle. If you have access to citizen data, you are on the radar.

2. Check if your contracts include AI and cybersecurity clauses

Review current specifications and those in preparation. If they do not mention AI yet, they will at the next renewal. Better to be ready.

3. Get certified in ISO 27001 and/or ENS if you work with the public sector

It is not optional: it is an access requirement. Certifications demonstrate that you have an implemented, audited and current security management system. Without them, many tenders will not even let you submit a bid.


Certification for public sector providers

If you work with public administration, certification is not a luxury. It is an access requirement.

ISO 27001 and ENS open the door to public tenders. Without them, an increasing number of specifications will keep you out. We help you get certified with a clear, realistic process with no surprises.