Digital Sovereignty in a Fragmented World: How Specifications Empower Governments to be in Control

By Cora Bay, Country Engagement Lead for GovStack Initiative at GIZ, and Michael Lilier, E Government Architect & DPI Strategist at GIZ
In an era of growing geopolitical tensions, digital sovereignty has moved from a niche policy concern to a strategic imperative. Nations are increasingly asking themselves a fundamental question: who is really in control of the technology and data that runs and governs our state?
For decades, governments have built their digital infrastructure on the products and platforms of foreign companies – often without fully considering the long-term implications. When a critical service depends on software owned, hosted, or governed by a third-country entity, that dependency is not merely technical. It is political. A change in trade policy, a sanctions regime, or simply a vendor’s business decision can leave a government stranded, unable to operate the systems its citizens rely on.
Not every government system carries this risk equally. Choosing office software is not the same kind of decision as choosing who verifies a citizen’s identity, holds the civil register, or processes a state payment. These systems sit underneath everything else a government does, and they are what is meant here by digital public infrastructure: the foundational digital systems through which a state delivers services and remains accountable to its citizens. The argument that follows applies with real force to this category, and only loosely to the wider world of government IT.
Digital sovereignty is the answer to this risk. At its core, it means that countries retain the ability to make their own decisions about how their state is built digitally – whether that means choosing proprietary solutions, open-source software, or a combination of both. The goal is not to isolate, but to ensure that they retain a free choice, independent of third party interests.
Free choice is half the answer. The other half is accountability. A government that can switch vendors at will but cannot be held responsible for how citizens’ data is used, or for what happens when that data determines access to welfare, credit, or identity itself, has solved a procurement problem without solving a governance one. Serving a people and being accountable to them are not two separate goals. They are the same goal, and the name for that goal is sovereignty.
The Missing Piece: Technical Standards
Yet freedom of choice is meaningless without the capacity to exercise it. A government that lacks clear technical standards and specifications cannot evaluate vendors objectively, cannot switch providers without massive disruption, and cannot ensure that different systems talk to each other reliably. In short, without standards, sovereignty on paper quickly becomes dependency in practice.
The analogy to physical infrastructure helps, but only for part of the story. Railway gauges are a useful example: once a country defines a standard track width, any manufacturer can build trains and rolling stock that work on that network. Owning the standard, not the factory, keeps the market open. But a railway gauge governs interoperability. It does not govern who is allowed to ride the train. Digital identity, civil registries, and payment rails sit at that deeper layer. A government does not just need to own the standard for who issues a passport. It needs to own the decision of who holds one, because that is a question of authority, not interoperability. No government outsources that authority, even when it contracts out the printing. Open standards solve the lock-in problem. They are not, on their own, the same thing as sovereign control over who gets to act in the state’s name.
The same logic, with that distinction in mind, applies to digital public infrastructure.
GovStack: Specifications as the Foundation for Sovereignty
This is precisely where GovStack comes in. GovStack is an international initiative that provides governments with open, reusable technical specifications for the building blocks of digital public infrastructure – like identity verification, payments, consent management, and digital registries.
These specifications give governments a powerful tool: the ability to define their own technical requirements in vendor-neutral terms. Rather than procuring a closed, bespoke system from a single supplier, a government can use GovStack’s building block specifications to describe what a solution must do and how it must interoperate without dictating who builds it.
It is worth being clear about what GovStack itself is, and what it is not. The specifications are not, by themselves, digital public infrastructure. They are closer to a building code: detailed enough to build from, not themselves a building. What becomes digital public infrastructure is a government’s own deployment, the identity system, register, or payment rail a country builds using these specifications and then owns and runs itself. The specifications come with reference implementations, are tested through real deployments across dozens of countries, and are continuously refined through engagement with the governments and developers actually building with them. Implementations keep emerging independently of the initiative, built by governments persuaded by the underlying approach rather than recruited into it, which is the clearest sign that something here works in practice and not only on paper.
Crucially, these specifications are not developed behind closed doors. They are the product of a global community of practitioners – governments, technologists, civil society organizations, and international partners – who contribute their expertise, test assumptions against real implementation challenges, and continuously refine the standards based on what actually works on the ground. Sovereignty, in this model, is not handed down from above. It is built collectively.
Keeping the Market Open
The effect on the market is significant. When technical requirements are standardized and publicly available, the field opens up. Multiple vendors like local companies, international players and open-source communities, can compete to deliver solutions that meet the same specification. No single provider holds a structural lock-in advantage simply because they wrote the requirements in their own proprietary language.
This openness has a further benefit: it creates space for local technology ecosystems to grow. When specifications are clear and accessible, domestic developers and companies can build compliant solutions, generate local employment, and retain value within their own economies, rather than sending it abroad to a handful of global software vendors.
Open specifications do not guarantee an open market on their own. A vendor can still become practically indispensable through superior implementation, faster support, or simply being first to deploy at scale in a given country, even when the underlying standard remains open to everyone. This is the gap between sovereignty on paper and sovereignty in practice that runs through this entire piece. The defense against it is not the existence of a standard but a government’s active willingness to use the freedom that standard provides, evaluating alternatives, maintaining the technical capacity to switch, and resisting the convenience of staying with whoever arrived first. A specification creates the possibility of an open market. It does not, by itself, create the open market.
Ownership Stays Where It Belongs
Perhaps most importantly, the GovStack model keeps ownership firmly with the government. The private sector builds the solution, but the country owns the system, the data, and the standards it was built on. If a vendor underperforms, raises prices, or exits the market, the government can switch providers. The specification remains. The continuity remains. GovStack provides governments with an overview of compatible software solutions (GovMarket) that can be chosen from. However, the choice fully remains with the governments.
This is also where GovStack differs from platform-based alternatives that provide a complete, ready-to-deploy system rather than a specification for governments to build from. A government can adopt such a platform and still own its own deployment, just as it can with a GovStack-based system. But a platform’s underlying roadmap, the standards it adopts and the dependencies it accumulates, can be set by the platform’s own governing body rather than by the deploying government. A government using GovStack-conformant interfaces can later replace or supplement a vendor’s solution without rebuilding the system underneath it, because the standard, not the vendor or the platform, is what is load-bearing. That distinction, between a specification a government builds from and a platform a government adopts wholesale, is the practical difference between staying in the driver’s seat and trusting someone else to keep driving well.
And because the same specifications are used and refined by a growing community of countries, no government has to solve these problems alone. Lessons learned in one country feed back into the shared framework. A smaller nation benefits from the implementation experience of larger ones and vice versa. The community’s collective knowledge becomes a public good in its own right. Governments can pick and choose the best suitable solutions for their demands, objectives and regulatory framework – they remain in the driver´s seat of their sovereign decision making.
This is the practical meaning of digital sovereignty: not just a political aspiration, but a concrete architectural choice, where standards, not suppliers, define the infrastructure of the state. And where no country has to build that future in isolation.