By Cora Bay, Country Engagement Lead for GovStack Initiative at GIZ, and Michael Lilier, E Government Architect & DPI Strategist at GIZ

In an era of growing geopolitical tensions, digital sovereignty has moved from a niche policy concern to a strategic imperative. Nations are increasingly asking themselves a fundamental question: who is really in control of the technology and data that runs and governs our state?

For decades, governments have built their digital infrastructure on the products and platforms of foreign companies – often without fully considering the long-term implications. When a critical service depends on software owned, hosted, or governed by a third-country entity, that dependency is not merely technical. It is political. A change in trade policy, a sanctions regime, or simply a vendor’s business decision can leave a government stranded, unable to operate the systems its citizens rely on.

Digital sovereignty is the answer to this risk. At its core, it means that countries retain the ability to make their own decisions about how their state is built digitally – whether that means choosing proprietary solutions, open-source software, or a combination of both. The goal is not to isolate, but to ensure that they retain a free choice, independent of third party interests.

The Missing Piece: Technical Standards

Yet freedom of choice is meaningless without the capacity to exercise it. A government that lacks clear technical standards and specifications cannot evaluate vendors objectively, cannot switch providers without massive disruption, and cannot ensure that different systems talk to each other reliably. In short, without standards, sovereignty on paper quickly becomes dependency in practice.

The analogy to physical infrastructure is instructive. Railway gauges are a classic example: once a country defines a standard track width, any manufacturer, domestic or international, large or small, can build trains and rolling stock that will work on that network. The state does not need to own the train factory. It just needs to own the standard. That standard is what keeps the market open, competitive, and ultimately under public control.

Digital public infrastructure follows (almost) the same logic as physical infrastructure. Rails and roads are state-owned – neither negotiable nor to be forgotten. Private solutions exist, but the foundation belongs to the state. Why would DPI be any different? There are currently no convincing arguments that point away from government in the driver’s seat. Capacity is a concern, of course – but building it together, based on open standards, is a reasonable way forward. Quick wins today might come with a significant price tag down the road.

The decisive difference from physical infrastructure lies in scalability: digital infrastructure scales at a fraction of the cost – marginal costs flatten out while societal value grows. McKinsey estimates that well-implemented DPI systems can unlock economic value equivalent to 3–13% of GDP.⁵ This makes DPI one of the most efficient levers for state capacity and revenue generation alike. Done right, this might manifest in the state budget as some deployments of DPI already indicate.

Prevailing definitions of DPI focus almost exclusively on public service delivery and state accountability to citizens – while the sovereignty dimension, attributed to the nation state since antiquity, is rarely foregrounded.

Digital public infrastructure is the sovereign foundation of the digital state, through which citizens receive equal access to public services and governments exercise accountability. Built on open standards, owned and governed by the state at its core, it connects people, businesses and physical infrastructure – nationally and internationally – embedding social, economic and political activity holistically, and providing the architecture upon which public and private digital services and innovation operate. Without sound governance, DPI risks being depleted, captured or enclosed – undermining the very sovereignty it is meant to express. As it scales, marginal costs approach zero while direct fiscal returns grow – and the downstream value unlocked for innovation multiplies. Sovereignty is not a political choice imposed on DPI – it is its most neutral possible foundation, enshrined in international law and claimed by states worldwide.

As DPI is still an emerging concept built on the principle of openness, this definition lays out its full scope as we understand it today. We remain optimistic that as DPI matures and discourse deepens, the definition will sharpen through contributions from people, practitioners, policymakers and researchers alike.

GovStack: Specifications as the Foundation for Sovereignty

This is precisely where GovStack comes in. GovStack is an international initiative that provides governments with open, reusable technical specifications for the building blocks of digital public infrastructure – like identity verification, payments, consent management, and digital registries.

These specifications give governments a powerful tool: the ability to define their own technical requirements in vendor-neutral terms. Rather than procuring a closed, bespoke system from a single supplier, a government can use GovStack’s building block specifications to describe what a solution must do and how it must interoperate without dictating who builds it.

Crucially, these specifications are not developed behind closed doors. They are the product of a global community of practitioners – governments, technologists, civil society organizations, and international partners – who contribute their expertise, test assumptions against real implementation challenges, and continuously refine the standards based on what actually works on the ground. Sovereignty, in this model, is not handed down from above. It is built collectively.

Keeping the Market Open

The effect on the market is significant. When technical requirements are standardized and publicly available, the field opens up. Multiple vendors like local companies, international players and open-source communities, can compete to deliver solutions that meet the same specification. No single provider holds a structural lock-in advantage simply because they wrote the requirements in their own proprietary language.

This openness has a further benefit: it creates space for local technology ecosystems to grow. When specifications are clear and accessible, domestic developers and companies can build compliant solutions, generate local employment, and retain value within their own economies, rather than sending it abroad to a handful of global software vendors.

Ownership Stays Where It Belongs

Perhaps most importantly, the GovStack model keeps ownership firmly with the government. The private sector builds the solution, but the country owns the system, the data, and the standards it was built on. If a vendor underperforms, raises prices, or exits the market, the government can switch providers. The specification remains. The continuity remains. GovStack provides governments with an overview of compatible software solutions (GovMarket) that can be chosen from. However, the choice fully remains with the governments.

And because the same specifications are used and refined by a growing community of countries, no government has to solve these problems alone. Lessons learned in one country feed back into the shared framework. A smaller nation benefits from the implementation experience of larger ones and vice versa. The community’s collective knowledge becomes a public good in its own right. Governments can pick and choose the best suitable solutions for their demands, objectives and regulatory framework – they remain in the driver´s seat of their sovereign decision making.

This is the practical meaning of digital sovereignty: not just a political aspiration, but a concrete architectural choice, where standards, not suppliers, define the infrastructure of the state. And where no country has to build that future in isolation.