NDA Between Companies and with Public Administration: How to Ensure Confidentiality in Any Collaboration

In an environment where collaboration is essential to drive innovation, share knowledge, and develop joint solutions, protecting the information exchanged between public and private actors is no longer optional. From public tenders to innovation consortia, technology transfer agreements, and public procurement processes, the flow of sensitive data continues to grow—along with the associated risks.

A confidentiality agreement, or NDA (Non-Disclosure Agreement), is the legal instrument that enables the secure sharing of strategic information. However, in 2025, its real effectiveness no longer depends solely on careful drafting. It also requires technical and organizational measures aligned with current digital maturity standards: access control, traceability, electronic signatures, and verification of document integrity.

An NDA is a contract through which the parties agree not to disclose confidential information shared during a collaboration. Its use is not new, but it has intensified in the context of digital transformation, interoperability between public and private systems, and the growth of models such as public procurement of innovation and regulatory sandboxes.

In Spain, its legal basis is supported by regulations such as Law 1/2019 on Trade Secrets, which requires that anyone seeking to protect their information demonstrate that reasonable measures have been taken to safeguard it. A properly managed NDA is one of those key measures.

Typical Situations Where Signing an NDA Is Advisable

There are numerous scenarios in which signing an NDA is advisable: participation in public tenders involving the exchange of sensitive technical proposals, publicly funded R&D projects, the transfer of algorithms, the sharing of technical documentation, or collaborations between SMEs and large enterprises within broader digitalization strategies.

Key Differences Between Company-to-Company Agreements and Agreements with Public Administrations

When dealing with private entities, the primary focus is usually on protecting know-how or commercial opportunities. In contrast, NDAs involving public administrations require an additional level of traceability and transparency. They often must comply with sector-specific regulatory requirements, public access-to-information obligations, and validation through qualified electronic signatures.

In this context, selecting the appropriate type of signature is essential:

A simple electronic signature may be sufficient for informal or low-risk exchanges.

An advanced electronic signature is appropriate when personal data is involved or when there are moderate legal commitments.

A qualified electronic signature, in accordance with eIDAS2, is the only option that guarantees full legal validity in regulated environments and is typically required in formal administrative procedures.

A well-drafted NDA should leave little room for ambiguity. It is essential to clearly define what is considered “confidential information,” the purpose of the agreement, the duration of the confidentiality obligation, the permitted uses of the information, how shared data must be protected, and the consequences of a breach. It is also advisable to regulate what happens once the collaboration ends: must the information be returned, destroyed, or archived?

Errores comunes a evitar

Uno de los errores más frecuentes es utilizar modelos genéricos sin adaptarlos al caso concreto. También es habitual no contemplar mecanismos técnicos de protección como control de accesos o trazabilidad, lo que debilita la capacidad de demostrar cumplimiento. Y no menos importante: muchos NDA omiten la parte operativa posterior a la firma, como la eliminación segura de documentos o la conservación de evidencias.

Signing an NDA is only the starting point. For it to be truly effective, access to protected information must be restricted so that only authorized individuals can view, edit, or transfer it. Establishing differentiated access profiles and applying the principle of least privilege are essential.

Electronic signatures—preferably advanced or qualified—strengthen the legal validity of the NDA. When combined with a time stamp, a mechanism that adds a verifiable digital date and time, it becomes possible to prove precisely when the document was signed, which is particularly relevant in the event of disputes or audits.

Tracking who accesses what information, when, and under what conditions; preserving previous versions of the document; and maintaining activity logs are fundamental practices to ensure that an NDA is not merely symbolic, but a verifiable commitment.

These digital tools are not optional—they are what make it possible to demonstrate, when required, that the agreed obligations have been fulfilled and that reasonable protective measures have been implemented.

Blockchain makes it possible to immutably record the existence of an NDA and its potential versions without revealing its content. This registration is based on what is known as a digital fingerprint or hash—a unique code generated from the document’s content. If the file changes, even minimally, the hash changes as well, making any alteration immediately detectable.

In this way, it is possible to verify that an NDA existed on a specific date, that it has not been modified since, and that its integrity remains intact—without disclosing the original text. This ability to prove authenticity without exposing the underlying information adds an additional layer of trust and confidentiality in sensitive environments.

ISBE as an Interoperable Infrastructure Aligned with European Frameworks

The Spanish Blockchain Services Infrastructure (ISBE) provides a public-permissioned environment in which evidence can be recorded in a traceable and auditable manner, fully aligned with European standards for digital identity and data protection (eIDAS2, GDPR). It is a network specifically designed for use cases such as agreements between companies and public administrations, where both confidentiality and regulatory compliance are essential.

First, there are legal risks. An NDA that is poorly drafted, incomplete, or lacks technical backing may be declared null or prove ineffective in the event of a dispute. If it is not possible to demonstrate when it was signed or under what conditions, defending rights against improper use of information becomes significantly more difficult.

From an operational standpoint, poor NDA management can lead to information leaks, unauthorized duplication of developments, or loss of control over key documents. This may jeopardize strategic projects, delay decision-making, or undermine an organization’s competitiveness.

Finally, there is reputational risk. A data leak—even if unintentional—can call into question the reliability of a company or public administration. The consequences extend beyond the relationship with the affected partner, impacting institutional credibility and future collaboration opportunities.

An effective NDA does not end with the signature; it must be actively managed throughout every phase of the project. These are the key elements at each stage:

Before signing: clearly define what information is protected, for how long, and which type of electronic signature will be used, depending on the required legal level.

During the collaboration: control who has access to the information, properly sign updated versions of the document, and maintain activity logs that allow verification of compliance with the agreement if necessary.

After the project: retain evidence (signatures, logs, time stamps) for the agreed period and securely delete the data if so stipulated.

In summary, a well-managed NDA is not merely a contract; it is an active instrument for protecting sensitive information from start to finish.

New European legislation, such as the eIDAS2 Regulation and the NIS2 Directive, is driving more robust and harmonized document management practices. Contractual agreements, including NDAs, must be verifiable, auditable, and digitally shareable without losing legal validity or control over their integrity.

In this context, ISBE is emerging as a trusted infrastructure. It enables the registration of an agreement’s existence, its execution with a qualified digital identity, the traceability of its evolution, and its verification without disclosing its content. All of this operates within a public-permissioned network aligned with the principles of interoperability, digital sovereignty, and distributed governance—key enablers of secure collaboration between companies and public administrations.

Is your NDA prepared to comply, protect, and stand the test of time?

Discover how to strengthen it with traceability and trust through ISBE.