The Sovereign Layer

Why Digital Public Infrastructure Has Become the Most Important Strategic Asset a Developing Country Can Build

In September 2023, India's Prime Minister presented the country's digital public infrastructure stack — Aadhaar digital identity, the Unified Payments Interface, and the DigiLocker document verification system — as a template for global adoption at the G20 summit in New Delhi. The pitch was ambitious but grounded in evidence: India Stack had facilitated the transfer of over $350 billion in direct benefit payments to citizens, enabled over 13 billion monthly digital payment transactions, and provided digital identity to 1.4 billion people. No other technology deployment in history had reached so many people so quickly. The implicit message was clear: this is how countries should build their digital foundations.

The concept India was promoting — digital public infrastructure, or DPI — has since become the most consequential idea in development technology. The term refers to shared, interoperable digital systems that provide foundational capabilities upon which governments, businesses, and individuals can build. The canonical DPI stack includes three layers: a digital identity system that allows individuals to prove who they are, a real-time payment system that allows value to move between accounts instantly, and a data exchange layer that allows information to flow between institutions with the consent of the individual concerned.

But the most important word in "digital public infrastructure" is not "digital" or "infrastructure." It is "public" — and more specifically, it is the question of sovereignty that the word implies. Who owns the systems upon which a nation's digital economy operates? Who governs the rules by which data flows, transactions are processed, and identities are verified? Who has the authority to modify these systems as national priorities evolve? These questions, which seemed abstract a decade ago, have become the central strategic considerations for every government that takes its digital future seriously.

The Dependency Problem

The urgency of the sovereignty question stems from a simple observation: most developing countries have built their digital economies on infrastructure they do not control. The payment rails run through Visa, Mastercard, and increasingly through mobile money systems owned by multinational telecommunications companies. The identity verification systems rely on databases maintained by foreign vendors under contracts that are opaque and difficult to renegotiate. The cloud infrastructure that hosts government data and critical applications is operated by Amazon, Microsoft, and Google from data centres located in other countries, subject to other countries' laws.

This dependency creates multiple categories of risk. The first is operational risk: when a critical digital system is operated by a foreign entity, the government's ability to ensure continuity of service during a crisis — a natural disaster, a geopolitical conflict, a pandemic — depends on the decisions and priorities of that entity. During the COVID-19 pandemic, several African governments discovered that their digital health information systems, hosted on cloud platforms managed by foreign vendors, could not be rapidly modified to support contact tracing and vaccination certificate requirements because the contracts did not provide for emergency modifications.

The second is economic risk. When the payment infrastructure that underlies a nation's commerce is owned by foreign companies, the economic rents generated by that infrastructure — transaction fees, data monetisation, network effects — accrue to foreign shareholders rather than to the domestic economy. Visa and Mastercard collectively process approximately $1.2 trillion in African card transactions annually. The interchange fees, processing fees, and network fees associated with these transactions represent a continuous extraction of value from African economies to the shareholders of American corporations.

The third is data sovereignty risk. When citizen data — financial records, health information, biometric identifiers, location histories — is stored on infrastructure controlled by foreign entities, the government's ability to protect that data from unauthorised access, compelled disclosure under foreign law, or commercial exploitation is fundamentally compromised. The US CLOUD Act, for instance, allows American law enforcement to compel American technology companies to produce data stored on their servers regardless of where the data is physically located or whose citizens it concerns. For an African government whose citizen data is hosted on AWS or Azure, this creates a structural vulnerability that no amount of local data protection legislation can fully address.

The India Stack Model and Its Limits

India's DPI stack — the most frequently cited model for sovereign digital infrastructure — demonstrates both the potential and the complexity of building digital foundations under national control. Aadhaar, the biometric identity system, has enrolled over 1.4 billion people, making it the largest biometric database in the world. The Unified Payments Interface processes more real-time digital payments than any other system globally. The Data Empowerment and Protection Architecture provides a consent-based framework for data sharing between institutions.

The economic impact has been substantial. The World Bank estimated that India's DPI stack saves the government approximately $33 billion annually through reduced leakage in benefit transfers, improved tax collection, and administrative efficiency. The productivity gains for the private sector — through reduced costs of identity verification, customer onboarding, and payment processing — are likely several times larger, though harder to quantify precisely.

However, the India model has features that limit its direct applicability elsewhere. First, it was built over a fifteen-year period with sustained political commitment from successive governments — a level of institutional continuity that is rare in most developing countries. Second, it benefited from India's enormous software engineering talent pool — an asset that most African and South Asian countries do not possess at comparable scale. Third, it was developed in a context where the government had the regulatory authority and political will to mandate adoption by financial institutions, telecommunications companies, and government agencies — a coercive capacity that requires both institutional strength and political capital.

The most transferable lesson from India's experience is not the specific technical architecture but the strategic insight that underlies it: that digital infrastructure is too important to be left to the market. Markets are efficient at building applications and services on top of infrastructure, but they are poor at building the infrastructure itself in ways that serve broad public interest. Left to market forces, digital infrastructure will be built by the most powerful private actors, optimised for their commercial objectives, and governed by their corporate policies. Sovereign DPI represents the deliberate choice to build the foundational layer under public governance, creating a level playing field on which private innovation can occur.

The African DPI Landscape

Africa's engagement with digital public infrastructure is uneven, nascent, and strategically underdeveloped. A handful of countries have made significant investments. Nigeria's National Identity Number system, despite implementation challenges, has enrolled over 100 million Nigerians and is increasingly integrated with financial services, telecommunications, and government benefit programmes. Kenya's Huduma Namba initiative, though politically contentious, represents an attempt to create a unified digital identity. Rwanda's Irembo platform has digitised over 100 government services, creating a functional e-government layer that serves as a model for smaller economies.

At the regional level, the Smart Africa Alliance has promoted a continental approach to digital infrastructure, advocating for harmonised regulatory frameworks, shared technical standards, and collaborative procurement of digital systems. The African Union's Digital Transformation Strategy 2020-2030 provides a policy framework for continental digital development, though implementation has been largely left to individual member states.

But the dominant pattern across the continent remains dependency. The payment infrastructure is owned by foreign telecommunications companies and international card networks. The cloud infrastructure is operated by American hyperscalers. The identity systems, where they exist, are often built on proprietary platforms provided by foreign vendors under long-term contracts that lock governments into specific technical architectures and limit their ability to evolve the systems as needs change.

The strategic challenge for African countries is not merely technical — it is institutional and political. Building sovereign DPI requires governments to make a series of difficult choices: to invest public resources in infrastructure that will not generate visible benefits for years, to resist the temptation of quick-fix solutions offered by well-funded foreign vendors, to develop the technical capacity to build and maintain complex systems domestically, and to establish governance frameworks that prevent the sovereign infrastructure from being captured by political interests or commercial incumbents.

The Sovereign Cloud Question

Nowhere is the sovereignty debate more acute than in cloud infrastructure. The global cloud computing market is dominated by three American companies — Amazon Web Services, Microsoft Azure, and Google Cloud Platform — which collectively control approximately 65 percent of the global market. In Africa, the concentration is even more extreme, with AWS and Azure commanding the overwhelming majority of enterprise and government cloud spending.

The establishment of local data centres by hyperscalers — AWS launched its Africa region in Cape Town in 2020, Microsoft has invested in data centres across South Africa and Kenya, and Google has established cloud infrastructure in multiple African markets — has been welcomed as evidence of investment in the continent's digital future. But the presence of a data centre on African soil does not, in itself, constitute data sovereignty. The hardware may be local, but the software stack, the governance framework, the encryption key management, and the contractual terms under which the data is stored remain under the control of the cloud provider. A government that hosts its data in a local AWS facility is still subject to the technical and legal authority of Amazon.

The alternative — building domestic or regional cloud infrastructure under sovereign control — is expensive and technically demanding, but not impossible. Several African countries and regional bodies have begun exploring sovereign cloud initiatives. The African Development Bank has invested in studies of continental cloud infrastructure needs. Morocco, South Africa, and Kenya have each explored national cloud strategies. The challenge is that sovereign cloud requires not just capital investment in hardware but sustained investment in the human capacity to operate, secure, and evolve complex distributed computing infrastructure — and this capacity is precisely what the hyperscalers have spent decades building and are reluctant to see replicated.

Building the Sovereign Layer

The path to digital sovereignty for developing countries is neither autarky — building everything domestically from scratch — nor dependency — relying entirely on foreign infrastructure providers. It is a strategic approach that distinguishes between the layers of the digital stack that must be under sovereign control and those where foreign provision is acceptable.

The sovereign layer — the digital public infrastructure upon which the national digital economy depends — must be under public governance. This includes the identity system, the core payment infrastructure, the population register, and the data governance framework. These systems define the rules of the digital economy, determine who can participate and on what terms, and generate the data that is most sensitive from a national security and privacy perspective. Sovereignty over these systems is not a luxury — it is a prerequisite for meaningful digital self-determination.

Above the sovereign layer, commercial infrastructure — cloud services, application platforms, productivity tools — can reasonably be provided by foreign vendors, subject to regulatory oversight and contractual protections. The key distinction is between infrastructure that defines the rules of the game (which must be sovereign) and infrastructure that operates within those rules (which can be commercially provided).

This layered approach requires three enabling conditions. First, a clear national digital strategy that distinguishes between sovereign and commercial infrastructure and allocates resources accordingly. Second, investment in the human capital necessary to build and maintain sovereign digital systems — an investment that must be sustained over decades, not project cycles. Third, regional cooperation to achieve economies of scale, share technical expertise, and create interoperable systems that work across borders.

The countries that build their sovereign layer first will shape the rules of their digital economies for decades to come. The countries that do not will find those rules shaped by others — by the commercial interests of foreign technology companies, by the regulatory frameworks of other nations, and by the strategic priorities of other governments. Digital sovereignty is not an ideological position. It is a practical necessity for any country that intends to govern its own economic future. The question is not whether to build the sovereign layer but how quickly it can be done — and the window for acting before dependency becomes permanent is narrowing with every passing year.