Section 01 — Introduction

Executive Overview & Scope

Purpose, institutional context, framework architecture, and usage guidance for senior practitioners within the ADLI 2026 cohort.

1.1 Rationale and Institutional Necessity

The emergence of Digital Public Infrastructure (DPI) as a primary instrument of economic transformation across Sub-Saharan Africa has positioned digital identity as a foundational governance priority. For the six jurisdictions represented in this cohort — Zambia, Malawi, Ghana, Nigeria, Rwanda, and Ethiopia — digital identity systems constitute not merely an administrative convenience but the structural gateway through which citizens access financial services, social protection, electoral participation, and a widening range of government functions.

Yet the full developmental potential of digital identity remains constrained by a persistent challenge: identity credentials issued within one system, institution, or jurisdiction cannot, in most cases, be recognised, verified, or acted upon by entities operating within a different system. This absence of interoperability imposes measurable costs — duplicated enrolment exercises, exclusion from cross-border services, incompatible KYC processes in financial markets, and barriers to intra-African trade — that directly undermine the objectives of the African Continental Free Trade Area (AfCFTA) and the African Union Digital Transformation Strategy 2020–2030.

This framework provides a structured, evidence-based instrument for assessing the interoperability readiness of national digital identity systems and planning iterative improvement. It is grounded in the normative criteria established by the Digital Impact Alliance (DIAL) Digital ID Assessment Guidebook (Digital Impact Alliance, 2023), supplemented by internationally recognised technical standards and regional governance frameworks.

Framework Principle

Interoperability is not a binary condition but a spectrum of capability. No jurisdiction assessed against this framework should expect full compliance at first iteration. The framework is expressly designed for progressive, iterative improvement, with each assessment cycle establishing a revised baseline from which targeted improvements are planned and executed.

1.2 Framework Scope and Coverage

This assessment framework addresses the INTEROPERABILITY domain of the DIAL Digital ID Assessment Guidebook in comprehensive depth, while also drawing upon complementary criteria from the DATA POLICIES, MANAGEMENT PRACTICES, and PRIVACY CONTROLS domains where these bear directly upon interoperability outcomes. The framework covers ten primary assessment criteria, grouped across five strategic dimensions:

# Strategic Dimension Primary Criteria Applicability Executive Focus
D-1Standards ComplianceINT-1, INT-A.4Products & DeploymentsCTO, DPI Director
D-2Open Interfaces & APIsINT-3, INT-4, INT-5Products & DeploymentsCTO, Legal Counsel
D-3Data PortabilityINT-6Products & DeploymentsCISO, Director-General
D-4Trust FrameworksINT-A.1, INT-A.3Deployed Systems OnlyMinister, DG, Legal
D-5Vendor IndependenceINT-2, INT-A.2Products & DeploymentsMinister, CFO, DG

1.3 How to Use This Framework

This instrument is structured for sequential engagement, though individual sections may be consulted independently depending on the practitioner’s specific analytical need. The recommended usage sequence is as follows:

  1. Familiarise with Theoretical Foundations (§2) — Establish a shared conceptual vocabulary among assessment team members before proceeding to evaluation. The theory section defines key terms, establishes the four-level interoperability typology, and grounds the framework in relevant DPI and trust architecture literature.
  2. Study the Assessment Criteria in Detail (§3) — Each criterion is presented with its full normative requirement (sourced directly from the DIAL Guidebook), a contextual explanation of its significance, and numbered executive assessment questions. Criteria employing the RFC 2119 MUST operator are mandatory; SHOULD criteria represent strong recommendations with contextual flexibility.
  3. Understand the Scoring Methodology (§4) — The four-level maturity scale, criterion weighting rationale, and aggregate score interpretation must be understood before any formal assessment is conducted.
  4. Complete the Self-Assessment Tool (§5) — Generate a preliminary interoperability score for your jurisdiction. This tool produces directional findings only; results must be validated through formal technical audit and stakeholder consultation.
  5. Review the Relevant Country Profile (§6) — Each of the six participating jurisdictions has a structured baseline profile identifying institutional context, priority interoperability dimensions, indicative gaps, and recommended first actions.
  6. Develop a Jurisdiction-Specific Implementation Roadmap (§7) — Adapt the phased roadmap template to your institutional context, resource constraints, and regional partnership opportunities.
  7. Consult the Reference List (§8) — All cited standards, frameworks, and academic sources are formally listed in compliance with Libre Baskerville citation conventions.
Important Methodological Caveat

The DIAL Guidebook explicitly states that “this evaluation tool is intended to be used in conjunction with other evaluative approaches, as no single approach can provide a comprehensive view of a digital identity system” (Digital Impact Alliance, 2023, p. 1). This framework amplifies that caution: self-assessment findings should be treated as hypothesis-generating, not conclusive. Independent technical audits, legal reviews, and peer assessments within the ADLI cohort are essential complements to this instrument.

Section 02 — Conceptual Foundations

Theoretical Foundations

The conceptual architecture of digital identity interoperability, including the four-level model, DPI theory, trust architectures, and sovereign risk analysis.

2.1 Defining Interoperability: A Multi-Dimensional Framework

Interoperability in the context of digital identity systems denotes the capacity of a digital identity credential — issued by one system, institution, or jurisdiction — to be recognised, validated, and acted upon by a reliant party operating within a distinct system, without requiring direct communication between the original issuer and the reliant party. This definition encompasses four analytically distinct but empirically intertwined dimensions, first systematised by the European Commission’s European Interoperability Framework (European Commission, 2017) and subsequently adapted for developing country DPI contexts:

Level
Dimension & Definition
Applied Example in Digital ID
Level 4
Legal
Legal Interoperability. Compatible legal frameworks, liability instruments, recognition agreements, and regulatory regimes that permit cross-border or cross-institutional reliance on identity credentials.
A bilateral mutual recognition agreement between Rwanda and Ethiopia enabling NIDA-issued credentials to satisfy Ethiopian Fayda verification requirements for EAC trade facilitation.
Level 3
Organisational
Organisational Interoperability. Aligned business processes, governance arrangements, operational roles, assurance level mappings, and accountability frameworks between participating institutions.
A common Identity Assurance Level (IAL) framework, agreed between national identity authorities in Zambia and Malawi, enabling equivalent-level authentication for SADC Single Window access.
Level 2
Semantic
Semantic Interoperability. Shared understanding of the meaning, structure, and valid range of exchanged data, including common ontologies, data dictionaries, and attribute schemas.
Standardised credential schemas for name, date of birth, nationality, and biometric reference data, enabling consistent parsing across the six cohort jurisdictions’ identity systems.
Level 1
Technical
Technical Interoperability. Compatible communication protocols, data formats, cryptographic mechanisms, and API specifications enabling machine-to-machine exchange of identity data.
W3C Verifiable Credentials exchanged via OpenID Connect for Verifiable Presentations (OID4VP), cryptographically signed with keys resolvable through a W3C Decentralised Identifier (DID) document.

Table 2.1: Four-level interoperability typology. Adapted from: European Commission (2017), European Interoperability Framework — Implementation Strategy; and Gelb and Clark (2013), Identification for Development: The Biometrics Revolution, Centre for Global Development.

2.2 Digital Public Infrastructure and the Identity Layer

The Centre for Digital Public Infrastructure conceptualises DPI as shared, population-scale digital systems that, analogously to physical public infrastructure such as road networks and electricity grids, provide the foundational conditions for a broader ecosystem of services and economic activity (CDPI, 2022). Three canonical DPI layers are identified: (1) digital identity; (2) data sharing and exchange infrastructure; and (3) digital payments. The identity layer occupies a structurally privileged position: it is the gateway through which individuals are authenticated and authorised to access all higher-order DPI services.

An identity layer that lacks interoperability is not merely technically limited — it imposes cascading constraints on the entire DPI stack. Where the identity layer is siloed, the payments layer cannot rely on cross-institutional KYC; the data exchange layer cannot attribute data subjects across organisations; and the service delivery layer cannot serve citizens whose identity credentials originate from a different issuer, institution, or jurisdiction.

The DIAL Normative Standard (INTEROPERABILITY-1)

The DIAL Digital ID Assessment Guidebook establishes that identity solutions “MUST be able to support interoperability based on recognised standards to ensure addressability and verifiability of the presented claim” (Digital Impact Alliance, 2023, §3.6.1). The deployment of the RFC 2119 MUST operator — denoting an absolute requirement with no permissible exception — establishes standards-based interoperability not as an aspirational feature but as a non-negotiable baseline for any identity system intended to function within a modern DPI ecosystem.

2.3 The Trust Triangle and Disintermediation Principle

The canonical trust architecture of a digital identity system comprises three roles: the Issuer (the authority that issues credentials); the Holder (the individual who holds and presents credentials); and the Reliant Party (the entity that accepts and acts upon credential presentations). The DIAL Guidebook — drawing upon the definitions of NIST Special Publication 800-63-4 — provides formal definitions for each role (Digital Impact Alliance, 2023, Glossary).

For interoperability to function without creating surveillance or privacy risks, the trust triangle must operate without requiring direct communication between the Issuer and the Reliant Party at the time of each transaction. The DIAL Guidebook expresses this as a dual requirement: first, that “the system MUST support a Subject being able to present claims issued to them without the risk of disintermediation” (INTEROPERABILITY criterion, PRIVACY-5); and second, that “the system MUST support verification of claims by the Issuer without the risk of disintermediation” (PRIVACY-6). Cryptographic mechanisms — including digital signatures, zero-knowledge proofs, and revocation registries that do not reveal subject identity — are the technical instruments through which these requirements are satisfied (Digital Impact Alliance, 2023, §§3.10.5–3.10.6).

2.4 Vendor Lock-in as a Sovereignty Risk

For national governments, vendor lock-in in digital identity systems represents a sovereignty risk that is simultaneously technical, fiscal, and political. The DIAL Guidebook explicitly recognises that “vendor lock-in puts those who are using the system at the mercy of the vendor. Vendors may drastically increase prices once the switching costs become too high. They may stop offering the necessary services or cease to exist” (Digital Impact Alliance, 2023, §3.6.8).

For the six cohort countries, this risk is amplified by three structural factors common to public technology procurement in the region: first, the prevalence of long-term sole-source contracts with limited competitive re-tendering; second, insufficient domestic technical capacity to operate, maintain, or migrate complex identity systems; and third, inadequate documentation of system architecture, data schemas, and operational procedures by incumbent vendors. The DIAL Guidebook prescribes a comprehensive mitigation approach: vendor lock-in must be addressed not only at the level of technology products but also “for the running and operating of the identity system and all the associated legal agreements. Open-source technologies can help. Local and diverse bases of expertise should be nurtured” (Digital Impact Alliance, 2023, §3.6.8).

AfCFTA Protocol
Digital identity interoperability is a prerequisite for Protocol on Digital Trade implementation
AU DTS 2020–2030
Digital ID harmonisation listed as foundational enabler for continental digital single market
DIAL Normative Basis
Ten interoperability criteria, four employing MUST — absolute requirements
Section 03 — Assessment Criteria

Interoperability Assessment Criteria

All ten DIAL interoperability criteria, presented with full normative requirements, contextual significance, and numbered executive assessment questions.

Notation & Applicability

MUST — Absolute requirement; no permissible deviation (RFC 2119). MUST NOT — Absolute prohibition. SHOULD — Strong recommendation; deviation requires documented justification. Criteria coded with standard numbers (e.g., INT-1 through INT-6) apply to both identity products under procurement and deployed systems. Criteria suffixed with -A (e.g., INT-A.1) apply exclusively to deployed operational systems.

D-1: Standards Compliance

INT-1 Recognised Standards for Interoperability
MUST
“The system MUST be able to support interoperability based on recognised standards to ensure addressability and verifiability of the presented claim.”Source: Digital Impact Alliance, 2023, §3.6.1 — INTEROPERABILITY-1

Standards are the infrastructure upon which all interoperability is constructed. A digital identity system that does not implement internationally recognised, open standards becomes a technical silo: capable of data exchange only within its own ecosystem, and unable to participate in cross-institutional, cross-border, or cross-sector identity verification without bespoke, bilateral integration arrangements. The DIAL Guidebook observes that without standards, “the identity solution basically becomes a silo, only able to exchange information within its own walled-off garden. This leads to vendor lock-in, meaning the Holder has limited control over how this identity information can be used” (Digital Impact Alliance, 2023, §3.6.1). For governments pursuing AfCFTA integration and regional DPI harmonisation, non-compliance with this criterion is not a technical gap but a strategic failure.

D-1 · Standards — Executive Assessment Questions
  1. Which internationally recognised standards does the identity system implement for credential format, biometric encoding, authentication protocol, and data exchange? (Relevant standards include, inter alia: W3C Verifiable Credentials Data Model v1.1; ISO/IEC 18013-5 for mobile driving licences and identity credentials; ISO/IEC 19794 for biometric data interchange; FIDO2/WebAuthn for authentication; and OpenID Connect 4 Verifiable Presentations for credential presentation.)
  2. How do the implemented standards support addressability — the ability to uniquely locate and reference a presented identity claim from any participating reliant party?
  3. How do the implemented standards support verifiability — the ability to cryptographically confirm that a presented claim has not been tampered with since issuance, and that it was issued by a legitimately trusted authority?
  4. Has the jurisdiction conducted a formal standards gap analysis against the above-referenced international benchmarks, and has this analysis been documented and published?
  5. Are standards requirements formally embedded in procurement specifications, contractual performance obligations with vendors, and system acceptance criteria?
  6. What process exists for evaluating and adopting new or revised standards as the global identity technology landscape evolves?
INT-A.4 Standards-Based Implementation Across the Identity Lifecycle
SHOULD
“Each system element used in implementing the Identity Lifecycle SHOULD be standards based to maximise interoperability.”Source: Digital Impact Alliance, 2023, §3.6.10 — INTEROPERABILITY-A.4

The DIAL Guidebook defines the identity lifecycle as comprising five stages: identity proofing; issuance; authentication; authorisation; and identity management (including recovery) (Digital Impact Alliance, 2023, Glossary). This criterion extends standards compliance beyond the credential format layer — which may achieve headline compliance with W3C or ISO standards — to require that every component across all five stages implements recognised standards. A system that issues W3C Verifiable Credentials but performs biometric enrolment using proprietary encoding, authenticates using a proprietary protocol, and manages recovery through an undocumented vendor-specific process, achieves only partial lifecycle interoperability. Full lifecycle standards compliance is the condition under which maximum interoperability is achievable.

D-1 · Lifecycle Standards — Executive Assessment Questions
  1. Has a complete lifecycle architecture document been produced that maps each system component — proofing, issuance, authentication, authorisation, recovery — to a specific recognised standard?
  2. Are there lifecycle stages where proprietary or non-standard components are deployed? If so, what documented justification exists, and what is the remediation plan?
  3. How does the system facilitate data portability across the lifecycle — specifically, can a Holder extract their complete identity data in a standards-based format from any point in the lifecycle?
  4. Are lifecycle components independently interchangeable — that is, can one component (e.g., the authentication layer) be replaced by an alternative compliant component without disrupting the remainder of the system?

D-2: Open Interfaces and APIs

INT-3 Open APIs for System Integration
MUST
“The Solution MUST support open APIs for access to data and integration with other identity system components / vendors.”Source: Digital Impact Alliance, 2023, §3.6.3 — INTEROPERABILITY-3

Application Programming Interfaces (APIs) are the technical mechanism through which identity systems integrate with external services: government ministries, financial institutions, healthcare providers, border control agencies, and cross-border reliant parties. The MUST designation establishes open APIs as a non-negotiable baseline. The DIAL Guidebook specifies that “API definitions should be published publicly, meaning that anyone who wants to read the API documentation can without restriction” (Digital Impact Alliance, 2023, §3.6.3), establishing a principle of documentation transparency that eliminates the practical lock-in that arises when API access is controlled by the vendor through registration requirements, commercial licensing, or technical obscurity. With open APIs, “those deploying the system can expand and/or update the use of the identity system as the needs evolve, as well as add/replace components of the identity system that may not be provided by the original vendor” (Digital Impact Alliance, 2023, §3.6.3).

D-2 · Open APIs — Executive Assessment Questions
  1. Are all API specifications for the national identity system publicly documented and freely accessible without registration, commercial licensing, or vendor approval?
  2. Does a developer sandbox and portal exist, enabling potential reliant parties to test integrations before operational deployment?
  3. What restrictions, if any, are placed on API access? Are such restrictions legally justified, proportionate to stated security objectives, and individually documented?
  4. Do the available APIs cover all stages of the identity lifecycle for which reliant party integration is required?
  5. What security controls govern API access — specifically, how are reliant parties authenticated, how are API requests authorised, and how are rate limits and abuse controls implemented?
  6. How are API versioning, backward compatibility, and deprecation timelines managed to protect reliant party integrations from disruption?
  7. What onboarding process exists for reliant parties seeking API access, and does this process introduce barriers inconsistent with the open API principle?
INT-4 Open APIs for Data Portability
MUST
“Open APIs MUST be provided for all system components to ensure portability, should components and/or vendors be replaced or Subjects require their data to be extracted and/or removed.”Source: Digital Impact Alliance, 2023, §3.6.4 — INTEROPERABILITY-4

Data portability APIs serve two legally and operationally distinct purposes: they protect governments’ right to migrate between identity system vendors without data loss, and they protect citizens’ rights to access, extract, and — where legally applicable — delete their identity data. Both purposes are constitutive of a functioning DPI governance regime. The DIAL Guidebook observes that without portability APIs, “there is vendor lock-in which limits the ability of the Holder to exercise control over the data” (Digital Impact Alliance, 2023, §3.6.4). For national governments, this translates to a loss of sovereign control over foundational national infrastructure: a state locked into a vendor ecosystem due to absent portability mechanisms cannot exercise meaningful procurement authority, cannot respond to vendor service failure, and cannot migrate to superior technological solutions as they become available.

D-2 · Portability APIs — Executive Assessment Questions
  1. Do portability APIs exist for all system components, including biometric enrolment data, credential registries, consent records, event logs, and audit trails?
  2. In what format is extracted data structured? Is this format based on a recognised international standard — specifically, one that can be ingested by alternative identity system platforms?
  3. Has the government conducted a controlled data migration exercise to validate that portability APIs function as specified in an operationally realistic scenario?
  4. Are portability rights, including the data format specifications and associated Service Level Obligations, contractually guaranteed in all vendor agreements?
  5. What authentication and authorisation mechanisms govern portability API access, ensuring that mass data extraction is prevented except by authorised parties?
  6. Has independent legal counsel confirmed that portability API provisions in current vendor contracts are enforceable under applicable law?
INT-5 Open Interfaces — No Legal Encumbrances
MUST NOT
“There MUST NOT be any restrictions or encumbrances on others recreating any of the API.”Source: Digital Impact Alliance, 2023, §3.6.5 — INTEROPERABILITY-5

This criterion identifies a sophisticated and frequently overlooked form of vendor lock-in: the use of intellectual property instruments — patents, trade secrets, or contractual non-compete clauses — to prevent competing vendors or government technical teams from implementing systems that share the same API interface specification. Such legal encumbrances may not be visible in the technical specification of the API itself, but may be embedded in software licencing terms, vendor contracts, or proprietary technology disclosures. Their effect is to create a monopoly over the integration ecosystem even when the technical interface is nominally published. The DIAL Guidebook specifies that “the vendor needs to allow for reuse of their published API interfaces. In other words, they must not pursue actions, including legal, to prevent other organisations/developers from creating services that utilise the same API interfaces” (Digital Impact Alliance, 2023, §3.6.5). This criterion requires legal scrutiny as a complement to technical review.

D-2 · Interface Encumbrances — Executive Assessment Questions
  1. Have vendor contracts been reviewed by legal counsel specifically for provisions that restrict the government’s ability to commission alternative implementations of the API interface?
  2. Does the vendor assert intellectual property rights over the API interface specification — as distinct from the implementation — that would prevent third-party reimplementation?
  3. Are API interface specifications published under an open licence (e.g., Creative Commons, Apache 2.0) that explicitly permits reimplementation by third parties?
  4. Does the government maintain a registry of all proprietary claims made by identity system vendors over interface specifications, protocols, and data schemas?

D-3: Data Portability and Export

INT-6 Machine-Readable Data Export
MUST
“The Solution MUST be able to export the data in a machine-readable form.”Source: Digital Impact Alliance, 2023, §3.6.6 — INTEROPERABILITY-6

Machine-readable data export is the operational realisation of the data portability principle. The DIAL Guidebook specifies that exports should follow “recognised standards for syntax and semantics” and should “endeavour to support structuring the identity data such that it can be imported into other solutions, where possible” (Digital Impact Alliance, 2023, §3.6.6). This requirement has direct implications for national data sovereignty: a government that cannot extract its citizens’ identity data in a standards-based, system-agnostic format is functionally dependent on its vendor for the continued operation of foundational national infrastructure. Where this dependency exists, it translates into leverage that vendors may exploit — consciously or otherwise — during contract renegotiations, service pricing discussions, or dispute resolution proceedings.

D-3 · Data Export — Executive Assessment Questions
  1. What data export formats are supported? Are these formats based on recognised open standards — specifically, formats that can be ingested by at least two alternative, commercially available identity system platforms?
  2. Does the data export cover the complete identity data record — all attributes, associated metadata, consent records, and audit history — or only a subset?
  3. Can data exports function as operational backups — that is, can the complete identity system be restored from an export in a documented, tested recovery procedure?
  4. Is there any functional loss when data is exported and imported into an alternative platform? If so, what functionality is lost, and what is the remediation plan?
  5. What security controls govern the export function, ensuring that bulk identity data extraction occurs only under authorised conditions?

D-4: Trust Frameworks and Governance

INT-A.1 Trust Framework Participation (Deployed Systems)
MUST
“The system MUST be able to participate in a trust framework where a governance model is required to codify access rights, consensus, identity resolution, etc.”Source: Digital Impact Alliance, 2023, §3.6.7 — INTEROPERABILITY-A.1

Trust and governance frameworks are the non-technical dimension of interoperability that govern the rules of engagement between participants in an identity ecosystem. The DIAL Guidebook observes that “identity cannot be solved with technology-only solutions, and trust/governance frameworks pick up where the technology leaves off” (Digital Impact Alliance, 2023, §3.6.7). For the six cohort countries, the relevant frameworks include — at the regional level — the EAC Digital Integration Programme, the SADC Protocol on Trade in Services, the ECOWAS biometric identity framework, and the IGAD Regional Migration Policy Framework; and — at the continental level — the African Union Data Policy Framework (African Union, 2022) and the AfCFTA Protocol on Digital Trade. A deployed identity system that cannot technically participate in these frameworks — because it lacks the governance metadata, trust registry integration capability, or cryptographic interoperability required — is effectively excluded from the regional DPI ecosystem regardless of its domestic functionality.

D-4 · Trust Frameworks — Executive Assessment Questions
  1. Is the national identity system designed — from an architectural standpoint — to participate in external trust frameworks, or is it structurally closed to such participation?
  2. What governance model is envisaged for any trust framework in which the jurisdiction intends to participate — bilateral, multilateral, regional body-anchored, or industry-led?
  3. How are access rights codified within the trust framework? Specifically: who may issue credentials recognised by the framework; who may act as a reliant party; and under what conditions is cross-border credential presentation permitted?
  4. What consensus mechanism governs amendments to trust framework rules, and how is the jurisdiction’s institutional voice represented in framework governance?
  5. What dispute resolution mechanisms exist when trust framework rules are violated — by an issuer issuing fraudulent credentials, by a reliant party exceeding its authorised data use, or by the trust framework operator itself?
  6. How does the jurisdiction’s existing legal framework — encompassing data protection legislation, electronic transactions law, and identity law — interact with trust framework obligations, and where are the principal legal tensions?
INT-A.3 Automated Validation Within Trust Framework Context
SHOULD
“If such a framework is created, it SHOULD include a set of standards/components parties can leverage to ascertain whether another entity or proof is valid within its context/rules.”Source: Digital Impact Alliance, 2023, §3.6.9 — INTEROPERABILITY-A.3

The DIAL Guidebook illustrates the purpose of this criterion through the example of a medical trust framework: a pharmacy must be able to verify that a credential-issuing physician is licensed, and a patient must be able to verify that the pharmacy is legitimate — both without requiring direct contact with the relevant licensing authority for each individual transaction (Digital Impact Alliance, 2023, §3.6.9). Equivalent mechanisms are required at national level: a government service must be able to confirm that a presented credential was issued by an authorised, registered issuer without creating a “phone home” request that reveals to the issuer who is verifying which credential, at what time, and for what purpose. Absent such automated validation mechanisms, trust framework participation degenerates into a series of manual, bilateral verification calls that do not scale to population-level digital service delivery.

D-4 · Trust Validation — Executive Assessment Questions
  1. Does the trust framework include a cryptographically verifiable issuer registry that enables reliant parties to confirm issuer legitimacy without contacting the issuer at transaction time?
  2. Does the trust framework include a mechanism for holders to validate the legitimacy of reliant parties making credential presentation requests?
  3. Are validation mechanisms implemented within the identity system software itself, enabling automated validation without manual look-up processes?
  4. How are trust framework validation mechanisms operated in offline scenarios — specifically, in geographic areas with limited or intermittent network connectivity?

D-5: Vendor Independence

INT-2 Open-Source Software Implementation
SHOULD
“Where possible / practical, the Solution SHOULD be implemented using open-source software.”Source: Digital Impact Alliance, 2023, §3.6.2 — INTEROPERABILITY-2

Open-source software adoption in national identity systems serves multiple simultaneous strategic objectives: reducing vendor lock-in risk by enabling the government to operate, maintain, and modify the system with any qualified technical team; enabling peer review of the codebase by a broader technical community; facilitating knowledge transfer to domestic technical talent; and permitting adaptation and extension of the system without proprietary licensing constraints. The DIAL Guidebook recognises that open-source adoption may not always be fully achievable — “systems may be a collection of both open- and closed-source software” — but establishes that “open-source software provides several advantages, including limiting vendor lock-in and the possibility of a wider code review” (Digital Impact Alliance, 2023, §3.6.2). For the cohort countries, the MOSIP (Modular Open Source Identity Platform) adoption by Malawi and Ethiopia represents a concrete application of this principle.

D-5 · Open Source — Executive Assessment Questions
  1. What proportion, by functional component, of the current identity system is implemented using open-source software? Is this proportion formally documented?
  2. What identity functions are handled by open-source components, and which are handled by proprietary software?
  3. Are open-source licences used by the system (e.g., MIT, Apache 2.0, MPL) compatible with government use, modification, and procurement of maintenance services from alternative vendors?
  4. Does the jurisdiction have resident technical capacity — within government or in the domestic private sector — sufficient to maintain and modify open-source components without dependence on the original implementing vendor?
  5. Has the government contributed to the open-source communities from whose work it benefits — through code contributions, bug reports, or financial support — consistent with sustainable open-source governance principles?
INT-A.2 Avoiding Vendor Lock-in (Deployed Systems)
SHOULD
“Creating vendor lock-in SHOULD be avoided.”Source: Digital Impact Alliance, 2023, §3.6.8 — INTEROPERABILITY-A.2

Vendor lock-in in deployed identity systems is a multi-layered risk, operating simultaneously at the technical, contractual, financial, and capability levels. At the technical level, proprietary data formats, closed APIs, and undocumented system architecture prevent migration. At the contractual level, long-term exclusive agreements, termination penalties, and inadequate source code escrow provisions constrain sovereign decision-making. At the financial level, high switching costs create de facto monopoly leverage for incumbent vendors during contract renewals. At the capability level, insufficient domestic technical expertise creates dependency even when technical and contractual barriers have been formally addressed. The DIAL Guidebook prescribes a comprehensive response: open-source technologies, local capacity building, and careful legal agreement design must all be pursued in parallel (Digital Impact Alliance, 2023, §3.6.8).

D-5 · Vendor Lock-in — Executive Assessment Questions
  1. What contractual mechanisms exist to protect the government’s right to migrate to an alternative vendor? Specifically: are source code escrow arrangements in place; is the escrow independently verified; and under what conditions is escrow release triggered?
  2. Has the jurisdiction invested in domestic technical capacity — within government or the domestic private sector — sufficient to operate and modify the identity system independently of the original implementing vendor?
  3. What is the estimated total cost of switching to an alternative vendor for each major system component? Has this been formally quantified as part of a vendor independence risk assessment?
  4. Are open-source alternatives to current proprietary components formally documented and evaluated in the jurisdiction’s technology roadmap?
  5. Are legal agreements with identity system vendors reviewed by counsel with specific expertise in technology procurement and DPI governance, rather than general commercial law?
Section 04 — Scoring Methodology

Maturity Scale and Scoring Methodology

Four-level maturity scale with explicit transition conditions, criterion weighting rationale, and aggregate score interpretation guidance.

4.1 Four-Level Maturity Scale

Each criterion is assessed against a four-level maturity scale. The scale is designed for iterative use: each level has an explicit, observable definition, and the conditions for progression from one level to the next are stated with sufficient specificity to enable verifiable tracking of improvement over successive assessment cycles. The normative basis for the maturity structure is the DIAL Guidebook’s explicit requirement that the assessment tool be used for “benchmarking” and “comparing the change in a single solution over time” (Digital Impact Alliance, 2023, p. 1).

Level 4 — Optimising
Advanced
Criterion fully met with demonstrated, tested operational performance. Continuous improvement mechanisms are institutionalised. Cross-border or cross-system interoperability has been successfully demonstrated in live operational conditions.
Level 3 — Defined
Structured
Criterion is substantially met. Policies, technical implementations, and governance arrangements are formally documented and consistently applied. Evidence of operational functionality is available and independently verifiable.
Level 2 — Developing
Partial
Elements of compliance are present but implementation is incomplete, inconsistent, or inadequately documented. A credible improvement plan exists but is not yet fully executed.
Level 1 — Initial
Foundation
Criterion is not met, or compliance is incidental rather than by deliberate design. No formal implementation plan addresses the identified gap. The requirement is acknowledged but no structured action has been taken.

4.2 Criterion Weighting and Scoring Matrix

Criteria are weighted by two factors: their normative designation in the DIAL Guidebook (MUST criteria receive higher weights than SHOULD criteria, reflecting their absolute compliance requirement), and their strategic importance to the cross-border interoperability objectives of the ADLI 2026 cohort, as determined through programme advisory consultation.

Code Criterion Name Norm Weight Domain Weighting Rationale
INT-1Recognised StandardsMUST15%D-1Foundational — no interoperability is structurally possible without standards alignment
INT-A.4Lifecycle StandardsSHOULDD-1Subsumed as supplementary indicator within INT-1; scored as lifecycle extension
INT-3Open APIs (Integration)MUST15%D-2Direct enabler of ecosystem integration; without open APIs, interoperability is manual and unscalable
INT-4Open APIs (Portability)MUST12%D-2Critical for vendor sovereignty and citizen data rights; absent portability creates structural dependency
INT-5No Interface EncumbrancesMUST NOT10%D-2Legal risk dimension; encumbrances may silently neutralise all technical interoperability achievements
INT-6Machine-Readable ExportMUST12%D-3Operationalises portability; without export capability, vendor independence is structurally unachievable
INT-A.1Trust Framework ParticipationMUST14%D-4Governance layer; deployed systems require trust framework capability for cross-border credential use
INT-A.3Trust Framework ValidationSHOULD6%D-4Operational mechanism; enables automated verification at population scale
INT-2Open-Source SoftwareSHOULD8%D-5Sustainability and independence; lower weight reflects SHOULD designation and contextual complexity
INT-A.2Avoid Vendor Lock-inSHOULD8%D-5Strategic risk; lower weight reflects SHOULD designation but remains a high-priority concern
Total100%

4.3 Aggregate Score Interpretation

Score RangeClassificationInterpretationRecommended Immediate Action
85–100AdvancedAdvanced interoperability readiness demonstrated. Cross-border credential recognition is operationally feasible with willing partners.Pursue bilateral or multilateral trust framework formalisation; document and share methodology as regional reference model.
65–84ProficientStrong technical and governance foundations. Specific identified gaps remain in one or two dimensions.Targeted remediation of lowest-scoring MUST criteria; initiate trust framework design process with at least one regional partner.
40–64DevelopingMaterial progress evident but significant technical, legal, or governance gaps constrain interoperability potential.Comprehensive improvement programme; prioritise all MUST criteria before advancing to governance work.
0–39FoundationFoundational requirements unmet. Cross-border interoperability is not currently feasible.Immediate technical assistance engagement; foundational standards adoption and API programme required before governance.
Section 05 — Self-Assessment Tool

Preliminary Self-Assessment Calculator

An interactive preliminary scoring instrument for executive use. Produces directional findings; formal audit is required for definitive assessment.

Methodological Limitation

This tool generates a preliminary, high-level indication of interoperability maturity based on self-reported assessments. It is not a substitute for a formal, evidence-based technical audit or independent third-party assessment. All scores produced by this tool should be treated as directional hypotheses requiring validation through documentary evidence, technical testing, and peer review within the ADLI cohort.

Interoperability Maturity Self-Assessment
ADLI 2026 · DIAL Guidebook §3.6 Interoperability Domain · 9 Weighted Criteria
INT-1 · MUST · 15% Recognised Standards for Interoperability Are identity credentials issued and verified using internationally recognised open standards?
INT-2 · SHOULD · 8% Open-Source Software Implementation Is open-source software used in identity system components, with domestic capacity to maintain it?
INT-3 · MUST · 15% Open APIs for System Integration Are API specifications publicly documented and freely accessible without restriction?
INT-4 · MUST · 12% Open APIs for Data Portability Do portability APIs exist for all system components? Are they contractually guaranteed?
INT-5 · MUST NOT · 10% Open Interfaces — No Encumbrances Are vendor contracts free of provisions restricting API interface reimplementation?
INT-6 · MUST · 12% Machine-Readable Data Export Can complete identity data be exported in an open, standards-based machine-readable format?
INT-A.1 · MUST · 14% Trust Framework Participation Is the system architecturally capable of participating in a regional trust framework?
INT-A.2 · SHOULD · 8% Avoidance of Vendor Lock-in Are comprehensive mechanisms in place to prevent, mitigate, and measure vendor lock-in risk?
INT-A.3 · SHOULD · 6% Automated Trust Framework Validation Can credentials, issuers, and reliant parties be automatically validated within the trust framework?
Preliminary Interoperability Maturity Score
Complete all fields to generate score
Rate each criterion using the selectors above. Scores are calculated automatically and update in real time.
Standards
Open APIs
Portability
Trust Fwk
Vendor Indep.
Section 06 — Country Profiles

ADLI Participant Country Profiles

Structured baseline assessments for each participating jurisdiction, covering institutional context, priority interoperability dimensions, indicative gap analysis, and recommended priority actions.

Methodological Note

The profiles presented in this section are structured analytical frameworks informed by publicly available institutional documentation, including national digital economy strategies, identity authority reports, and published DPI frameworks. They are not the product of completed formal assessments and should not be interpreted as definitive evaluations. Each jurisdiction should use this profile as a structured starting template for its own evidence-gathering, stakeholder consultation, and verification process.

🇿🇲
Republic of Zambia
NATIONAL REGISTRATION CARD (NRC) · NATIONAL IDENTIFICATION SYSTEM (NIS)
National Registration and Passport Authority (NRPA) · Smart Zambia Institute
Legal Framework
National Registration Act Cap. 126; Electronic Communications and Transactions Act 2021
Regional Body
SADC · COMESA
Tech Platform
Proprietary NIS; Smart Card Programme

Institutional Context

Zambia administers identity through the NRPA, issuing the National Registration Card (NRC) as the primary legal identity document. The Smart Zambia Institute, established in 2017, coordinates digital government transformation. The National Identification System (NIS) project has sought to integrate biometric verification across government services. Zambia’s dual membership of SADC and COMESA creates overlapping regional interoperability obligations and significant opportunities for cross-border credential harmonisation — particularly in the context of the SADC Industrialisation Strategy 2015–2063 and COMESA’s digital integration agenda.

Indicative Dimension Scores

Standards
L2
Open APIs
L1
Portability
L1
Trust Fwk
L1
Vendor Indep.
L2

Priority Dimensions

  1. SADC e-ID harmonisation and cross-border credential architecture
  2. Financial inclusion — mobile money KYC interoperability
  3. COMESA Single Window identity verification integration
  4. Vendor independence risk assessment and escrow negotiation
CriterionIndicative StatusPrincipal GapRecommended Priority Action
INT-1: StandardsDevelopingNIS uses proprietary biometric formats; limited W3C/ISO alignmentAdopt ISO/IEC 18013-5 for mobile credentials; publish standards roadmap
INT-3: Open APIsFoundationNo public API documentation; NIS data access is restricted and undocumentedPublish API documentation; establish financial sector developer sandbox
INT-A.1: Trust FrameworkFoundationNo formal trust framework architecture; SADC engagement at policy level onlyJoin SADC Digital ID Trust Framework Working Group; commission feasibility study
INT-A.2: Vendor IndependenceDevelopingSmart card system supplied by single vendor with no documented escrowCommission vendor lock-in risk assessment; negotiate source code escrow
🇲🇼
Republic of Malawi
MALAWI NATIONAL ID (MNID) · MOSIP PLATFORM
National Registration Bureau (NRB)
Legal Framework
National Registration Act 2010; Electronic Transactions and Cybersecurity Act 2016
Regional Body
SADC · COMESA
Tech Platform
MOSIP (Modular Open Source Identity Platform)

Institutional Context

Malawi’s National Registration Bureau administers the Malawi National ID (MNID) on the MOSIP platform — an open-source foundation that confers significant interoperability and vendor independence advantages compared to proprietary alternatives. MOSIP implements internationally recognised credential standards and provides a publicly documented API ecosystem. Malawi’s adoption of MOSIP positions it as a potential reference implementation for SADC interoperability, and creates natural connectivity with the global MOSIP implementation network, which includes Ethiopia, Morocco, Sri Lanka, and the Philippines, among others.

Indicative Dimension Scores

Standards
L3
Open APIs
L3
Portability
L3
Trust Fwk
L2
Vendor Indep.
L4

Priority Dimensions

  1. Maximising MOSIP’s standards architecture for SADC cross-border recognition
  2. Social protection programme integration and beneficiary deduplication
  3. Financial inclusion — formal financial sector KYC harmonisation
  4. Cross-border trust framework pilot with Zambia under SADC auspices
CriterionIndicative StatusPrincipal GapRecommended Priority Action
INT-1: StandardsProficientMOSIP implements W3C VC standards; ISO/IEC 18013-5 alignment is partialComplete ISO/IEC 18013-5 compliance assessment; document full standards inventory
INT-2: Open SourceAdvancedMOSIP is fully open-source; domestic capacity to maintain remains limitedInvest in domestic MOSIP developer capacity; consider upstream contributions
INT-A.2: Vendor IndependenceAdvancedMOSIP architecture reduces lock-in; system integrator dependencies remainEnsure system integrator contracts include full source documentation obligations
INT-A.1: Trust FrameworkDevelopingNo operational trust framework for cross-border MNID credential useLeverage MOSIP network’s interoperability work for SADC trust framework design
🇬🇭
Republic of Ghana
GHANA CARD · NATIONAL IDENTITY REGISTER
National Identification Authority (NIA)
Legal Framework
National Identity Register Act 2008 (Act 750); Electronic Transactions Act 2008
Regional Body
ECOWAS
Tech Platform
IDEMIA-based system; Ghana Card (ICAO-compliant)

Institutional Context

Ghana’s NIA administers the Ghana Card, recognised as one of West Africa’s most advanced national identity programmes, with enrolment exceeding 17 million citizens. The Ghana Card is ICAO-compliant and integrates with the National Health Insurance Scheme (NHIS), the financial sector through Bank of Ghana KYC regulations, and electoral processes through the Electoral Commission. Ghana’s aspiration to serve as a DPI reference implementation within ECOWAS positions interoperability leadership as both a technical priority and a diplomatic asset.

Indicative Dimension Scores

Standards
L3
Open APIs
L2
Portability
L2
Trust Fwk
L2
Vendor Indep.
L2

Priority Dimensions

  1. ECOWAS biometric identity framework — cross-border credential recognition
  2. GhIPSS financial sector interoperability integration
  3. Ghana.gov digital services portal — multi-service credential use
  4. W3C Verifiable Credentials layer for online verification without card present
CriterionIndicative StatusPrincipal GapRecommended Priority Action
INT-1: StandardsProficientICAO standards for card; W3C VC digital credential layer absentDevelop W3C VC-compliant digital credential layer for online verification
INT-3: Open APIsDevelopingNIA Verify API exists; documentation incomplete; financial sector access privilegedPublish comprehensive public API documentation; eliminate access asymmetries
INT-A.1: Trust FrameworkDevelopingECOWAS framework at policy level; technical implementation lags significantlyChampion ECOWAS technical working group for biometric interoperability standards
INT-5: No EncumbrancesDevelopingInterface encumbrance analysis of vendor contracts not publicly documentedCommission independent legal review of NIA vendor contracts for API provisions
🇳🇬
Federal Republic of Nigeria
NATIONAL IDENTIFICATION NUMBER (NIN) · NIMC SYSTEM
National Identity Management Commission (NIMC)
Legal Framework
NIMC Act 2007; Nigeria Data Protection Act 2023
Regional Body
ECOWAS · AU
Tech Platform
Proprietary NIMC Core System; NIN Registry

Institutional Context

Nigeria administers the National Identification Number (NIN) through NIMC, with enrolment exceeding 100 million as of 2023 — making it Sub-Saharan Africa’s largest identity programme by enrolment volume. The NIN is mandatory for SIM card registration, bank account operations, and an expanding range of government services. Nigeria’s complex multi-layered identity ecosystem — comprising NIMC, the Independent National Electoral Commission (INEC), the Corporate Affairs Commission (CAC), and over 28 sector-specific registries — presents significant internal interoperability challenges that are a prerequisite for any credible cross-border interoperability ambition. The enactment of the Nigeria Data Protection Act 2023 provides an improved legal foundation for data governance, though implementation capacity remains a challenge.

Indicative Dimension Scores

Standards
L2
Open APIs
L2
Portability
L1
Trust Fwk
L2
Vendor Indep.
L1

Priority Dimensions

  1. Internal harmonisation — NIN integration across 28+ sector registries
  2. ECOWAS cross-border facilitation — diaspora identity and remittance KYC
  3. eNaira digital currency — identity foundation for CBDC interoperability
  4. National Digital Identity Standards Framework development
CriterionIndicative StatusPrincipal GapRecommended Priority Action
INT-1: StandardsDevelopingMultiple legacy standards across fragmented ecosystem; limited W3C/ISO alignmentDevelop National Digital Identity Standards Framework to harmonise across all registries
INT-3: Open APIsDevelopingNIMC Verify API commercially licensed; not truly open; access barriers significantTransition to fully public API model; remove commercial barriers for public service delivery
INT-A.2: Vendor IndependenceFoundationCore NIMC system on long-term proprietary contract; escrow provisions unclearCommission vendor independence audit; mandate source code escrow in all new procurements
INT-A.1: Trust FrameworkDevelopingFederated identity concept exists; governance model significantly underdevelopedEstablish National Digital Identity Governance Framework with clear trust hierarchy
🇷🇼
Republic of Rwanda
RWANDA NATIONAL ID · IREMBO DIGITAL SERVICES PLATFORM
National Identification Agency (NIDA) · Rwanda Information Society Authority (RISA)
Legal Framework
Law N°82/2013 on Population Identification; Law N°058/2021 on Data Protection
Regional Body
EAC · COMESA
Irembo Platform; Rwanda National ID infrastructure; Rwanda National Payment System
Tech Platform

Institutional Context

Rwanda is widely recognised as Sub-Saharan Africa’s most mature DPI environment, with the Irembo government service delivery platform, Rwanda National ID, and the Rwanda National Payment System forming a deeply integrated DPI stack. Rwanda’s National Digital Policy and Strategic Plan 2022–2028 positions digital identity as a core enabler of Vision 2050 economic transformation goals. Rwanda’s EAC membership and its emerging role as a DPI reference implementation create both domestic and regional leadership opportunities — particularly as EAC member states seek to develop cross-border digital trade facilitation infrastructure under the EAC Digital Integration Programme.

Indicative Dimension Scores

Standards
L3
Open APIs
L3
Portability
L3
Trust Fwk
L3
Vendor Indep.
L3

Priority Dimensions

  1. EAC Single Customs Territory — cross-border identity for trade facilitation
  2. Lead EAC Digital ID Trust Framework development as reference implementer
  3. Verifiable Credentials layer for academic and professional credential recognition
  4. Cross-border validation protocol for EAC partner testing
CriterionIndicative StatusPrincipal GapRecommended Priority Action
INT-1: StandardsProficientStrong domestic standards compliance; EAC-level harmonisation incompleteChampion EAC Digital Identity Standards Working Group; share Rwanda documentation
INT-3: Open APIsProficientIrembo APIs well-documented; NIDA cross-border API specifications underdevelopedDevelop cross-border API specifications under EAC Digital Integration Programme
INT-A.1: Trust FrameworkProficientDomestic trust architecture is mature; EAC multilateral framework nascentLead EAC Digital ID Trust Framework development, leveraging NIDA architecture
INT-A.3: Validation MechanismAdvancedDomestic validation automated; cross-border validation is manualDevelop cryptographic cross-border credential validation protocol for EAC partner testing
🇪🇹
Federal Democratic Republic of Ethiopia
FAYDA NATIONAL DIGITAL ID · MOSIP PLATFORM
Ministry of Innovation and Technology (MInT) · National ID Programme
Legal Framework
Digital ID Proclamation No. 1284/2023; Personal Data Protection Proclamation (under development)
Regional Body
IGAD · EAC (candidate)
Tech Platform
MOSIP (world’s largest deployment by population)

Institutional Context

Ethiopia launched Fayda, its national digital ID system, in 2021, built on the MOSIP open-source platform. With a population exceeding 120 million, Ethiopia represents the globally largest-scale MOSIP deployment, making its implementation decisions consequential for the broader MOSIP ecosystem. The Digital ID Proclamation No. 1284/2023 provides the legal foundation for Fayda, though the complementary Personal Data Protection Proclamation remains under development — a gap with direct implications for cross-border data sharing under trust framework arrangements. Ethiopia’s IGAD membership and application to join the EAC create significant regional interoperability obligations and opportunities, particularly for Horn of Africa cross-border movement facilitation and trade.

Indicative Dimension Scores

Standards
L3
Open APIs
L2
Portability
L3
Trust Fwk
L1
Vendor Indep.
L4

Priority Dimensions

  1. IGAD regional digital ID interoperability for Horn of Africa movement
  2. Fayda W3C Verifiable Credentials layer for cross-border digital use
  3. Financial inclusion at scale — Telebirr mobile money integration with Fayda
  4. Data protection legislation — prerequisite for trust framework participation
CriterionIndicative StatusPrincipal GapRecommended Priority Action
INT-1: StandardsProficientMOSIP standards compliance strong; Fayda credential format not yet W3C VC-compliantImplement W3C Verifiable Credentials layer on Fayda for cross-border digital use
INT-2: Open SourceAdvancedMOSIP foundation excellent; system integrator layer introduces proprietary componentsDocument integrator proprietary components; develop open-source alternatives roadmap
INT-A.1: Trust FrameworkFoundationNo operational IGAD regional digital ID trust framework; data protection law incompleteEnact Data Protection Proclamation; initiate IGAD DID Trust Framework feasibility study
INT-3: Open APIsDevelopingMOSIP APIs open; Fayda-level public API documentation for financial sector limitedPublish Fayda API documentation; establish financial sector reliant party onboarding
Section 07 — Implementation Roadmap

Phased Implementation Roadmap

A four-phase, iterative improvement framework for executive planning, with numbered action items, expected outputs, and cohort collaboration milestones.

Iterative Design Principle

This roadmap is designed for iteration and adaptation. The DIAL Guidebook’s note that no single evaluation approach is sufficient applies equally to improvement: interoperability is not a destination but a continuous process of standards adoption, governance evolution, capacity building, and relationship development. Each assessment cycle should produce a revised implementation plan, with milestones recalibrated against the updated interoperability score.

Phase 1 · Months 0–6

Diagnostic and Baseline Establishment

Objective: Establish a verified, evidence-based interoperability baseline score across all nine weighted criteria, validated through documentary evidence and stakeholder consultation.

  1. Constitute an inter-agency Technical Interoperability Assessment Team (TIAT) comprising representatives from the national identity authority, the digital government directorate, legal counsel, finance, and a nominated civil society observer.
  2. Complete the self-assessment tool (§5) as a first-pass hypothesis, with all selections requiring citation of specific documentary evidence.
  3. Commission an independent technical audit of standards compliance (INT-1, INT-A.4) and API openness (INT-3) using the DIAL Guidebook criteria as the audit standard of reference.
  4. Engage specialist legal counsel to conduct a vendor contract review targeting API encumbrance provisions (INT-5), portability guarantees (INT-4), source code escrow arrangements (INT-A.2), and any intellectual property claims over interface specifications.
  5. Map the complete identity lifecycle against standards compliance using the structure in §3 (D-1), documenting components that use proprietary versus recognised open standards.
  6. Produce a formal Interoperability Baseline Report, to be shared within the ADLI cohort for peer review and comparison at the Month 3 cohort convening.
Expected Outputs Interoperability Baseline Report; Vendor Contract Legal Review; Standards Gap Analysis; TIAT Terms of Reference
Phase 2 · Months 6–18

Foundation Strengthening — MUST Criteria Priority

Objective: Achieve Level 3 compliance on all five MUST criteria (INT-1, INT-3, INT-4, INT-5, INT-6, INT-A.1) before advancing to governance and partnership work.

  1. Develop and formally publish a National Digital Identity Standards Declaration, specifying the jurisdiction’s adopted standards for credential format, biometric encoding, authentication protocol, and data export — with associated implementation timelines and vendor compliance requirements.
  2. Publish complete, publicly accessible API documentation for the national identity system, including: API reference documentation; OpenAPI specification files; integration guides; and a functioning developer sandbox environment.
  3. Renegotiate or formally amend vendor contracts to: (a) guarantee data portability with specified open-standard export formats and defined SLAs; (b) eliminate any API interface encumbrances or intellectual property restrictions; and (c) establish independently verified source code escrow arrangements.
  4. Conduct a controlled, documented data migration exercise to demonstrate that portability APIs (INT-4) and data export functions (INT-6) operate correctly in a realistic migration scenario — including a record of what data was successfully migrated and what was not.
  5. Commission a trust framework architecture design study, with engagement from the relevant regional body (EAC, SADC, ECOWAS, or IGAD), producing a technical architecture proposal for cross-border credential recognition.
  6. Identify and formally engage a bilateral partner jurisdiction from the ADLI cohort for a Phase 3 trust framework pilot, establishing a working group with defined governance and decision-making procedures.
Expected Outputs National Standards Declaration; Public API Portal; Amended Vendor Contracts; Migration Test Report; Trust Framework Architecture Proposal; Bilateral Working Group MoU
Phase 3 · Months 18–36

Interoperability Architecture Build and Bilateral Pilot

Objective: Implement a functional W3C Verifiable Credentials-compliant credential layer; establish and test a bilateral trust framework pilot with one ADLI cohort partner; achieve Level 3 on all SHOULD criteria.

  1. Implement a W3C Verifiable Credentials-compliant digital credential layer, enabling cryptographically verifiable presentation of national identity credentials by holders to reliant parties, without requiring issuer contact at transaction time.
  2. Establish a formal bilateral trust framework with one partner jurisdiction, codifying in a signed governance agreement: the issuer trust registry and technical format; reliant party registration and vetting procedures; identity assurance level mapping between the two systems; liability allocation; and dispute resolution procedures.
  3. Deploy trust framework validation mechanisms (INT-A.3) enabling automated, cryptographic verification of credential authenticity and issuer legitimacy within the bilateral framework, including an offline-capable validation mode.
  4. Achieve Level 3 on open-source adoption (INT-2) through a documented open-source policy, publicly available source code for government-developed components, and a demonstrable investment in domestic technical capacity.
  5. Publish an annual Interoperability Progress Report against this framework, establishing a public accountability mechanism and documenting lessons learned for the ADLI programme.
  6. Present pilot results and lessons learned at the Month 30 cohort convening, enabling other jurisdictions to adapt the bilateral model for their own partnerships.
Expected Outputs W3C VC Credential Layer; Signed Bilateral Trust Framework Agreement; Automated Validation Mechanism; Annual Interoperability Progress Report; ADLI Cohort Presentation
Phase 4 · Months 36–60

Regional Scale and Continuous Optimisation

Objective: Achieve Level 4 on all MUST criteria; expand to multilateral regional trust framework; demonstrate measurable social and economic outcomes; contribute to global DPI knowledge commons.

  1. Expand bilateral trust framework to multilateral architecture, encompassing all willing ADLI cohort members and seeking formal endorsement from the relevant regional body (EAC, SADC, ECOWAS, or IGAD, as applicable).
  2. Commission an independent formal assessment against this framework — conducted by an external evaluator with relevant DPI expertise — and publish results publicly.
  3. Demonstrate measurable social and economic outcomes of identity interoperability through a formal evaluation, including: cross-border transaction volumes using verified digital credentials; financial inclusion metrics for previously excluded populations; and processing time reductions at border crossing points.
  4. Achieve full vendor independence through demonstrated domestic technical capacity sufficient to operate, modify, and — if required — migrate the national identity system without dependence on the original implementing vendor.
  5. Publish the jurisdiction’s interoperability architecture, trust framework governance model, and implementation lessons as open documentation, contributed to the global DPI knowledge commons for adaptation by other developing country practitioners.
  6. Initiate a second full assessment cycle against this framework, establishing a revised baseline and a new four-year improvement programme.
Expected Outputs Multilateral Trust Framework with Regional Body Endorsement; Independent Assessment Report; Outcomes Evaluation; Open Documentation Contribution; Second-Cycle Assessment Plan

7.2 ADLI Cohort Peer Learning Structure

#Cohort ActivityTimingJurisdictionsExpected Output
1Baseline score sharing and peer reviewMonth 3All sixComparative interoperability gap analysis
2Standards harmonisation working sessionMonth 6All sixDraft shared standards declaration
3SADC bilateral trust framework pilotMonth 18Zambia · MalawiSADC bilateral trust framework prototype
4EAC bilateral trust framework pilotMonth 18Rwanda · EthiopiaEAC bilateral trust framework prototype
5ECOWAS trust framework designMonth 18Ghana · NigeriaECOWAS interoperability architecture proposal
6Phase 3 results conveningMonth 30All sixLessons learned documentation; cross-corridor learning
7Full cohort interoperability demonstrationMonth 36All sixPublished DPI interoperability case study
8Second-cycle assessment and reportingMonth 48All sixUpdated baseline; revised roadmaps for all jurisdictions
Section 08 — References and Standards

References and Standards

All normative standards, institutional frameworks, and academic sources cited in this framework, listed in compliance with Harvard Author-Date citation conventions.

Citation Policy

All references in this framework are drawn from authoritative institutional publications, formally published standards documents, and peer-reviewed academic sources. In accordance with the framework’s methodological commitment to verifiability, internet URLs have been excluded from citations where documents are identifiable by their formal bibliographic identity — consistent with citation practice for archival, institutional, and standards documents intended for academic audiences.

Primary Normative Sources

  1. Digital Impact Alliance (2023). Digital ID Assessment Guidebook, Version 0.1.0, c286661. Digital Impact Alliance. ©2023 Digital Impact Alliance. [Primary normative source for all INTEROPERABILITY, DATA POLICIES, and PRIVACY criteria cited throughout this framework. All §3 criteria codes and normative quotations are sourced from this document.]
  2. National Institute of Standards and Technology (2022). Digital Identity Guidelines. NIST Special Publication 800-63-4 (Initial Public Draft). U.S. Department of Commerce, National Institute of Standards and Technology. [Primary source for definitions of Issuer, Holder, Reliant Party, Subject, Identity Assurance Level, and Identity Lifecycle as adopted in this framework.]
  3. National Institute of Standards and Technology (2012). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). NIST Special Publication 800-122. U.S. Department of Commerce. [Source for Personally Identifiable Information definition.]
  4. Internet Engineering Task Force (1997). Key Words for Use in RFCs to Indicate Requirement Levels. RFC 2119. IETF. S. Bradner, Harvard University. [Source for MUST, SHOULD, MAY, and MUST NOT normative language conventions employed throughout this framework and in the DIAL Guidebook.]

International Technical Standards

  1. International Organization for Standardization and International Electrotechnical Commission (2022). Information Security, Cybersecurity and Privacy Protection — Information Security Management Systems — Requirements. ISO/IEC 27001:2022. International Organization for Standardization. [Referenced for ISMS standards baseline applicable to identity system operators under the MANAGEMENT and ORG-SECURITY criteria domains of the DIAL Guidebook.]
  2. International Organization for Standardization and International Electrotechnical Commission (2021). Identification Cards — ISO-Compliant Driving Licence — Part 5: Mobile Driving Licence (mDL) Application. ISO/IEC 18013-5:2021. International Organization for Standardization. [Referenced as primary example of a recognised standard for mobile identity credentials, relevant to INT-1 standards compliance assessment.]
  3. World Wide Web Consortium (2022). Verifiable Credentials Data Model v1.1. W3C Recommendation, 03 March 2022. World Wide Web Consortium. M. Sporny, G. Noble, D. Longley, D. Burnett, B. Zundel, K. Den Hartog (Editors). [Referenced as primary credential format standard for INT-1 compliance and trust framework interoperability.]
  4. International Organization for Standardization and International Electrotechnical Commission (2022). Consumer Protection — Privacy by Design for Consumer Goods and Services — High Level Requirements. ISO/IEC 31700-1:2023. International Organization for Standardization. [Referenced for Privacy by Design principles under the DIAL Guidebook’s PRIVACY-4 criterion.]

Interoperability and DPI Frameworks

  1. European Commission (2017). European Interoperability Framework — Implementation Strategy. COM(2017) 134 final. European Commission. [Primary source for the four-level interoperability typology (Technical, Semantic, Organisational, Legal) adapted for DPI contexts in §2.1 of this framework.]
  2. Centre for Digital Public Infrastructure (2022). Defining DPI: A Conceptual Overview of Digital Public Infrastructure. CDPI Working Paper. Centre for Digital Public Infrastructure. [Source for DPI three-layer architecture (Identity, Data Exchange, Payments) referenced in §2.2.]
  3. Gelb, A. and Clark, J. (2013). Identification for Development: The Biometrics Revolution. Working Paper 315. Centre for Global Development. [Source for developing country identity systems analysis and interoperability typology context referenced in §2.1.]
  4. Gelb, A. and Metz, A. (2018). Identification Revolution: Can Digital ID Be Harnessed for Development? Center for Global Development. [Background context for identity system development trajectories in Sub-Saharan Africa.]
  5. World Bank Group (2021). Identification for Development (ID4D) Global Dataset 2021. World Bank Group. [Background statistical context for identity enrolment coverage referenced in country profiles.]

Regional and Continental Policy Frameworks

  1. African Union (2020). The Digital Transformation Strategy for Africa (2020–2030). African Union Commission. [Continental context establishing digital identity harmonisation as a prerequisite for the continental digital single market.]
  2. African Union (2022). African Union Data Policy Framework. African Union Commission. [Framework for continental data governance, cross-border data flows, and data sovereignty — directly relevant to trust framework design under INT-A.1.]
  3. African Continental Free Trade Area Secretariat (2021). Protocol on Digital Trade: Preliminary Position Paper. AfCFTA Secretariat. [Context for digital identity as a prerequisite for AfCFTA digital trade implementation.]
  4. East African Community (2016). EAC Digital Payment Integration Project: Regional Payment and Settlement System Framework. EAC Secretariat. [Context for EAC interoperability obligations relevant to Rwanda and Ethiopia country profiles.]
  5. Southern African Development Community (2015). SADC Industrialisation Strategy and Roadmap 2015–2063. SADC Secretariat. [Context for SADC digital identity harmonisation obligations relevant to Zambia and Malawi country profiles.]
  6. Economic Community of West African States (2018). ECOWAS Biometric Identity Card Project: Technical Standards and Implementation Framework. ECOWAS Commission. [Context for ECOWAS identity harmonisation framework applicable to Ghana and Nigeria country profiles.]
  7. Intergovernmental Authority on Development (2020). IGAD Regional Migration Policy Framework. IGAD Secretariat. [Context for Horn of Africa identity interoperability applicable to Ethiopia’s regional obligations.]

Academic and Policy Research

  1. Singh, N. and Bhatt, N. (2023). ‘Digital Public Infrastructure: Building Blocks for Inclusive Digital Economies’, Journal of Development Policy and Practice, 8(1), pp. 45–68. [Source for DPI silo risk argument in §2.2 and foundational DPI governance analysis.]
  2. Demirgüç-Kunt, A., Klapper, L., Singer, D., Ansar, S. and Hess, J. (2022). The Global Findex Database 2021: Financial Inclusion, Digital Payments, and Resilience in the Age of COVID-19. World Bank. [Background context for financial inclusion imperatives of identity interoperability in Sub-Saharan Africa.]
  3. Pisa, M. and Juden, M. (2017). Blockchain and Economic Development: Hype vs. Reality. Policy Paper 107. Center for Global Development. [Context for technology-solutionism risks in identity system design, applicable to vendor lock-in analysis.]