AI Technology 24 April 2026 · 10 min read

What Is a RAG System and Why It Transforms Public Procurement

The real difference between opening ChatGPT in a browser tab and using a well-implemented RAG system is that the latter learns from the organisation's own documentary history: its specifications, its justificatory reports, its administrative clauses, its needs assessments and its award resolutions. This guide explains exactly what Retrieval-Augmented Generation is, why it is the only architecture actually applicable to Spanish public procurement, and how it fits current regulation.

In this article

  1. 1. Why generic AI does not work for public procurement
  2. 2. What RAG is in practical terms
  3. 3. The RAG architecture in four steps
  4. 4. Why RAG is secure for public administrations
  5. 5. How a RAG is prepared with the council's history
  6. 6. Case study: drafting a Technical Specification with RAG vs pure ChatGPT
  7. 7. Hallucination reduction through cited sources
  8. 8. Regulatory compliance: ENS, GDPR and Law 40/2015
  9. 9. Real limitations of RAG
  10. 10. How to evaluate whether your organisation is ready
  11. 11. Frequently asked questions

1. Why generic AI does not work for public procurement

A generalist language model such as ChatGPT, Gemini or Claude in its public version knows LCSP 9/2017 because it was part of its training data, but it does not know the specifications approved by your council in the last five years, nor the auditor's observations on the last services contract, nor the internal template of award criteria your unit uses. And it cannot cite verifiable sources when it makes a statement.

The result is that the officer receives a text that looks correct but is peppered with generic formulations, occasionally invented regulatory references and zero traceability. Any experienced procurement officer knows that cannot be signed. The problem is not the quality of the model: it is that the architecture is wrong.

Common risk: when pasting text from a specification into a public tool such as ChatGPT, that content may, depending on the service tier, be used to improve future models. For documents that are not yet public (drafts, internal reports, auditor's observations) this is incompatible with the duty of confidentiality of public administration staff.

2. What RAG is in practical terms

RAG stands for Retrieval-Augmented Generation. In plain language: before answering, the system searches a library of your documents for the most relevant fragments and only then asks the language model to draft a response grounded on those fragments.

The difference is equivalent to asking a lawyer to draft a report from memory versus asking them to draft it with the complete file on the table. The lawyer is the same. The result is not.

Key idea: in a RAG, the organisation's specific knowledge is not inside the language model. It sits in a separate documentary base that is queried on every request. That means the model does not need to be retrained each time a new specification is approved; indexing it is enough.

3. The RAG architecture in four steps

A RAG system applied to public procurement rests on four phases. Understanding them helps the procurement officer to ask the right questions of any vendor.

Indexing: the organisation's documents (specifications, reports, administrative clauses, technical specifications, resolutions, needs assessments) are split into fragments and converted into numerical vectors through an embeddings model. Those vectors are stored in a vector database.

Retrieval: when the officer submits a query, the system also converts it into a vector and searches the base for the most similar fragments. It typically retrieves between five and twenty fragments.

Augmentation: those fragments are injected into the prompt sent to the language model, together with the original query and the style and format instructions.

Generation: the model drafts the response anchoring itself in the provided fragments and also returns the citation to the sources used, so the officer can open the original file and verify.

4. Why RAG is secure for public administrations

The most common concern of the secretary or procurement officer when faced with an AI system is: "will the data from my files be used to train a model that anyone else can then use?". In a well-designed RAG, the answer is no.

The organisation's documents remain in the vector database of the contracted tenant. The language model is a service to which relevant fragments are sent under a data processing agreement, without those fragments being incorporated into general training. The main providers have offered this as a standard contractual guarantee since 2024.

Required minimums: EU hosting, compliance with the National Security Framework (RD 311/2022) at the applicable category, a data processor agreement under article 28 GDPR, full access traceability and encryption at rest and in transit. Without these four elements, the system cannot be deployed in a Spanish public administration.

5. How a RAG is prepared with the council's history

The real value appears when the system knows the organisation's documents. The initial phase consists of loading the relevant files into the documentary base: specifications approved in recent years, justificatory reports, legal reports, award resolutions, auditor observations and internal templates.

Each document is tagged with metadata (contract type, CPV code, body, date, status) so the system can filter retrievals. From that point on, every new specification the organisation approves is added to the index automatically and becomes available for future queries.

None of this is retraining the model. It is documentary indexing. That is why cost and time are reasonable, and why there is no risk that confidential information ends up in a model accessible to third parties.

6. Case study: drafting a Technical Specification with RAG vs pure ChatGPT

Imagine a council that needs to tender the maintenance of its municipal vehicle fleet. The officer asks both systems for a draft Technical Specification.

With pure ChatGPT, the response is formally correct, with expected sections (object, scope, contractor obligations, penalties, timeline). On reading, the officer detects that the proposed service hours do not match the real use of the fleet, that the service levels are generic and that the environmental requirements the organisation has been demanding since 2023 are missing.

With a RAG trained on the council's history, the draft starts from the Technical Specification approved in the previous contract, incorporates the auditor observations that led to changes in the last award and reuses the organisation's standard environmental clause. Each relevant statement is accompanied by a reference to the source document.

Key point: the drafting time for the first version drops, but the larger saving is in review: the officer no longer has to check line by line that the text is consistent with the organisation's criteria, because the system has built on those criteria directly.

7. Hallucination reduction through cited sources

A hallucination in the AI context is an invented statement that appears true. In public procurement, the classic example is a reference to an LCSP article that does not exist, or an outdated threshold figure, or a fictitious case citation.

RAG drastically reduces the hallucination rate because the model is not generating from its internal memory: it is rephrasing real fragments it has been given. And above all, each statement carries a source citation, which allows the officer to do the verification in seconds rather than reading the text line by line.

Human review remains essential. But the nature of that review changes: it shifts from "is this real?" to "is this applicable to this contract?".

8. Regulatory compliance: ENS, GDPR and Law 40/2015

A RAG system deployed in a Spanish public administration must fit three regulatory blocks. The National Security Framework (RD 311/2022) requires systems handling administration information to be certified at the category corresponding to their criticality. The GDPR and LOPDGDD oblige the signing of a data processor agreement and a data protection impact assessment when the processing implies a high risk to the rights of data subjects.

Law 40/2015 on the Legal Regime of the Public Sector adds in article 41 the requirement that automated administrative actions be defined by resolution of the competent body, identifying responsibilities. A RAG system does not take automated decisions (the officer signs), but it does support the instructor, which usually suffices not to trigger that article.

The European AI Regulation (Regulation 2024/1689) classifies administrative decision-support systems at a level that obliges, among other things, informing the citizen where applicable, guaranteeing human oversight and documenting the system's functioning. A well-integrated RAG meets all of these requirements naturally.

9. Real limitations of RAG

RAG does not turn poorly planned procurement into good procurement. If the organisation's documentary history contains systematic errors (specifications with unjustified brand mentions, non-objective criteria, repealed references), the RAG will reproduce them unless combined with an explicit regulatory validation layer.

Nor does it remove the legal obligation of the officer who signs the document. Article 116 LCSP and administrative procedure regulations place responsibility on the natural person signing. AI is assistance, not delegation.

Finally, the quality of answers depends on the quality of the indexed corpus. An organisation that has poorly digitised its files will get poor initial results; it is worth investing in good extraction and structuring before expecting miracles.

10. How to evaluate whether your organisation is ready

Before committing budget, four questions are worth answering internally.

Readiness checklist

1. Documentary corpus

Are the specifications, reports and resolutions of the last three to five years available in a digital, accessible format (native PDF or Word)? If only scans exist, an OCR phase is required first.

2. Useful volume

A RAG with 20-30 files brings little value; with several hundred it starts to be very useful. If your organisation runs few tenders each year, consider sharing corpus with other councils in the region or the provincial council.

3. Clear governance

Is there a defined procurement lead who can drive implementation and validate its use? Projects without a functional owner do not finish.

4. Infrastructure and support

Do you have an ICT officer (internal or shared) who can follow the integration with the management platform and certificate-based access? In small councils this is usually the bottleneck.

If you want to see exactly how a RAG architecture connects with your documentary history, you can review the technical description on the LicitadIA features page or the step-by-step explanation of how the system works inside a public administration. To see a demo on your own contract types, the most direct route is to request a free demo and share two or three representative examples from your history.

Frequently asked questions

What is the difference between a RAG system and ChatGPT for public procurement?

ChatGPT replies using only the general knowledge it was trained on, without access to the organisation's own documents and without source traceability. A RAG system first retrieves the relevant specifications, reports and historical contracts from the council itself and only then generates the response citing those sources. That drastically reduces hallucinations and allows the officer to verify each statement by opening the original file.

Is it secure to upload my organisation's specifications to a RAG system?

In a RAG system properly designed for public administrations, the organisation's documents are stored in a vector database inside the contracted tenant and are not used to train general models. The language model only receives the fragments needed to answer each query. The service must be hosted in the EU, comply with the National Security Framework (RD 311/2022), a data processor agreement must be signed under article 28 GDPR and it must offer full access traceability.

How long does it take and how much does it cost to implement a RAG in a council?

A typical implementation for a council of 5,000 to 50,000 inhabitants combines an initial indexing phase of the documentary history (2-4 weeks) and a production roll-out with officer training (2-3 additional weeks). The cost depends on documentary volume and number of users, but is well below a full procurement platform because it deploys on top of whichever one is already in use. It can be partially funded through MRR funds depending on the active call at the time of contracting.

Want to see a RAG working on your real history?

LicitadIA is deployed on top of the specifications and reports you already have in the organisation. In the demo we work with two or three real examples so you can see what the system returns, how it cites sources and how it integrates your internal criteria.

Request free demo