Summary
Debates over how to define digital public infrastructure (DPI) may have quietened since 2023, but they are far from settled. DPI is becoming understood either as a general conceptual approach to digital transformation or as a label for specific digital systems that meet defined characteristics. Notwithstanding these definitional differences, the use of the term “DPI” is taking hold in national digital policies and international funding projects.
This residual ambiguity is no longer merely academic. Looking ahead, two pressing trends will demand more definitional clarity than exists today: first, the growing need to ration scarce concessional resources to the most eligible DPI; and second, the need for governments to regulate and oversee the rising risks accompanying large-scale digital systems. In both cases, the absence of clearer differentiation risks weakening policy effectiveness—either by diluting funding impact or by leaving systemically important infrastructure insufficiently governed.
To achieve this greater clarity, this brief argues for separating DPI into two categories —systemically important DPI and non-systemically important DPI — following precedents tried and tested in financial market infrastructure. The definition of what is systemically important should rest in the hands of national regulators, based on domestically relevant criteria; however, once designated, the consequences of such designation should be internationally aligned governance and oversight practices.
This two-tier approach would allow policymakers and funders to focus attention and safeguards where failure would have the greatest societal impact, while not crowding out further innovation and emergence in smaller or non-systemically important systems.
The first internationally accepted definition of digital public infrastructure (DPI) entered the international lexicon via the New Delhi G20 Leaders’ Declaration in November 2023: “A set of shared digital systems that are secure and interoperable, built on open standards, to deliver equitable access to public and/or private services at societal scale.” Since then, the term “DPI” has likely launched a thousand blogs, been the focus of many conference sessions, and become the rationale for major new financing programs. Amid all the activity, the frenzy of definitional debate seems to have subsided. But it isn’t over by a long way. For any new field to evolve requires walking the tightrope of sufficient definitional certainty — neither too prescriptive (constraining innovation), nor too loose (lacking certainty for regulatory or financing applications). Back in March 2023 I wrote a paper where I reviewed the different components of the term DPI and the emerging options for how it was then understood and being applied. My main point, though, was not to advocate for crystalline clarity at that early stage. I argued rather that as a new, emergent concept, DPI needed only ‘sufficient’ clarity. Today, rather than leaving DPI vague or else attempting to force artificial definitional precision in a fragmented international environment, this brief argues for a two-step approach to allow the DPI definition to evolve usefully at two levels. This approach would allow for national determination of what DPI is at country-level, making space for heterogeneity there. However, once a domestic regulator has designated a specific DPI system as operating at a systemically important level, it would have to conform to international principles for how it is governed. The domain of payments offers a precedent for this approach for other DPI categories to follow.
To make the case in this brief, I reflect first on how the usage of the term DPI has evolved in two definitional streams over the past two years and on what this means for the question of whether it is indeed becoming a useful category or not. While there has indeed been some convergence in understanding, and certainly there is growing usage of the term, I will argue that, looking ahead, the level of definitional clarity will need to step up if the term is to have continued currency. Hence the proposal of a third definitional way.
While there has indeed been some convergence in understanding, and certainly there is growing usage of the term, I will argue that, looking ahead, the level of definitional clarity will need to step up if the term is to have continued currency.
Since 2023, there have been two broad directions of evolution for the definition of DPI: first, toward a more functional approach that seeks more precision by identifying attributes of DPI systems; and second, a more conceptual approach that understands DPI as a set of core principles guiding the next generation of digital transformation efforts.
The first direction, exemplified by the DPI Mapping Project hosted at UCL’s Institute for Innovation and Public Purpose, has inventoried digital systems worldwide that fall into one of the three main accepted categories of DPI. In its most recent update, the Project reports that 57 countries had “DPI-like” digital identity systems, but even more had “DPI-like” digital payment systems or data exchange systems. To be able to categorize a specific system as “DPI-like”, the researchers had to set out more specific indicators which proxied for DPI characteristics within each relevant category. For example, digital ID systems were deemed “DPI-like” if the country claimed to have a digital ID and if that system was active, enabled digital authentication, and was used by two or more sectors. The result is an independent inventory of digital systems that adds nuance to other largely self-reported cross-country data sets like those underlying the World Bank GovTech Maturity Index or the G20 DPI Repository, which was launched during Indian D20 and encouraged countries to list their DPIs. The Mapping Project’s findings on specific systems are not without controversy, however, in part because there are limits to what desk research can assess; but more fundamentally, because there is not yet consensus on the indicators used.
There are obvious difficulties in parsing the definitions of DPI-likeness to avoid “DPI-washing,” particularly as it becomes seen as a path to unlock funding. However, a further challenge exists around which categories to accept as DPI. The three core pillars inventoried in the DPI Mapping Project are widely accepted, at least as valid examples, such as Nigeria’s Digital Public Infrastructure Framework, released in March 2025, which explicitly describes DPI as a civic technology stack comprising those three pillars. However, questions remain about whether the categories are intended to be more indicative (meaning that others could be added over time) or more exhaustive (to prevent scope creep at this stage). Some, like the specialized technical assistance agency Centre for DPI (CDPI), in fact already recognize more than three categories of DPI — CDPI adds trust infrastructure and discovery and fulfillment to the standard three. The emergence of new categories follows from developments in India where, for example, promoting digital commerce through decentralized protocols is considered a valid public purpose infrastructure project that falls into the additional category of discovery and fulfillment.
Indeed, the sprawling number of digital systems in India that may qualify as DPI systems is part of the reason for the growth in popularity of the second more conceptual definitional approach. In terms of this approach, DPI is seen less as a discrete set of digital systems that can be identified and counted, but rather as an emerging approach to whole-of-society digital transformation, which is distinct from earlier approaches. For example, DPI has roots in govtech, but is different in that it goes further. The DPI approach emphasizes the application of digital systems for the whole of society, whether or not government is directly involved in provision. “DPI as approach” creates a wider tent, but carries the disadvantage that it becomes slippery and vague — the converse of the issues with the functional approach.
The World Bank Group’s (WBG’s) definition of DPI has shown elements of both approaches: A definition used in 2023 emphasizes discrete digital platforms: “DPI is the foundational and re-usable digital platforms and building blocks — such as digital ID, digital payments and data sharing — that underpin the development and delivery of trusted, digitally-enabled services across public and private sectors,” while a March 2025 report states: “DPI is an approach to digitalization focused on creating foundational, digital building blocks designed for the public benefit.” In the same report, a definition for DPI is given excluding the word “approach” but re-emphasizing the components: “DPI is foundational, re-usable digital building blocks — such as digital payments, ID, and data sharing — designed for the public benefit.” Recently, to encourage greater clarity and convergence, the Gates Foundation has adopted the WBG definition.
The insertion of “for the public benefit” in the WBG definition above highlights one of the main areas of unresolved definitional controversy: What is meant by “public”? This is a cross-cutting issue for both definitional streams. In the early definitions, pains were taken not to exclude privately-owned infrastructure, provided it served the “public purpose.” But Mariana Mazzucato and her colleagues David Eaves and Beatriz Vasconcellos, have challenged this understanding as being too vague. They have instead proposed that DPI should meet the higher bar of creating public value, which is proven not by its ownership but rather by how decisions are made about it, who sets its goals, and how the value it creates is distributed. This higher bar would largely exclude those platforms operated by private tech firms that extract profits. For some, this is the real point of DPI as a category — to underline the not-for-profit ownership requirement. However, Diana Sang, Jane Munga, and Nanjira Sambuli have questioned the implication of this line of thinking in the African context: If M-Pesa, the privately-owned instant payment platform that already operates at societal scale in Kenya, does not qualify as a DPI, they ask whether the country really needs to set up another payment system to fill the space?
While definitional issues like these have rumbled on, it is remarkable how quickly the recognition and use of the term DPI has spread. As one example of the speed of uptake, the overwhelming majority of digital policy makers in Latin America in a survey in early 2024 had already encountered the term, only months after the G20 declaration, even if they diverged somewhat on how it applied to particular systems. Perhaps more importantly, a majority of them recognized the potential benefits of taking a DPI approach. When probed as to why, most respondents suggested that it provided a new guiding paradigm for digital development, while another substantial group recognized its value in focusing attention on the whole of digital development rather than on the underlying parts. Only a minority saw the new term mainly as a “buzz phrase” useful mainly for unlocking donor funding.
Further evidence of common usage comes from the entrenchment of the term into domestic policy agendas well beyond its traditional “homelands” like India and Estonia. In May 2025, South Africa became the next country to publish a Digital Transformation Roadmap in which DPI principles explicitly inform its approach. Other African countries are following similar routes to building DPI. DPI has also entered the European digital policy arena, being explicitly referenced in the May 2025 EU International Digital Strategy, which lists “Digital Identity and Public Infrastructure” as part of the EU Tech Business Offer. However, as one counter example to this growing acceptance, Singapore refers instead to “Digital Public Utilities” while still following what is recognizable as a DPI-approach.
Just as definitions matter for the application of policy and regulation, so they matter also for determining funding eligibility. “DPI” is now explicitly searchable as a project tag for at least two major international financiers — the World Bank and the Gates Foundation. A search of the World Bank project database in August 2025 revealed six active projects tagged as DPI totaling around USD $600 million in funding, five of which were approved in 2024. Four of the six were in Africa. The individual Project Information Documents reveal that DPI is usually part of one component of a typical broader government digital transformation project. The term is used in quite an open-ended way, more like a collective noun that describes a cluster of foundational digital systems, rather than in a narrow technical one — for example, the Tajikistan Digital Foundations Project includes in its Component 1: “Upgrading essential infrastructure such as the public services portal, interoperability platforms, digital authentication systems and digital payment gateways…,” of which some portals are not in typical definitions of DPI systems. Likewise, in August 2025, the Gates Foundation grant database tagged 33 grants totaling USD $87 million with DPI as a “Topic”; of these, half were approved after January 2024. One of these supported the South African Digital Transformation Roadmap to implement its initial use cases.
No reasonable observer in 2023 could have expected that all the remaining definitional questions around DPI would be resolved within two years. And as this account shows, they have not been. However, there has been sufficient clarity so far to enable the term to take root and to start to grow in usage. While this progress may be cause for some celebration among those who, like me, received the new term favorably, it is not cause for complacency. Looking ahead, the bar of definitional clarity needs to rise further for the term DPI to remain useful and scale further.
The general understanding of DPI as a collective noun for important digital systems will not be sufficient to meet the need for clarity in two pressing tasks. The first is the growing need for funders to allocate scarce concessional capital across rising demand now that the early stage, when capital supply has exceeded project demand, is over. Recent open calls for proposals for grant funding for DPI related work — research or building DPIs — have received large volumes of applications, not all of which qualify. Examples include the Global DPI Insights Community run by CFI, which received over 300 applications in its first round to support research into DPI, and the DPI for People and Planet (DPI4PP) challenge funded by the Gates Foundation, CoDevelop, and JICA, which received 540 applications in its first round to build new DPIs, solutions on top of DPIs, or DPGs for DPI. The second task is for national governments to oversee the operations of particular DPI systems so that rising societal risks — from cybersecurity to digital exclusion — are managed with appropriate safeguards. The first task requires clarity to better ration resources; the second to regulate effectively. The two tasks are distinct but related; better regulated systems would likely attract more resources, but equally, more resources are needed to create the capacity to better regulate digital systems.
One way to address both tasks is to push for a next level of international definitional clarity which would shape both international funding and domestic regulation of DPI. However, achieving international definitional convergence seems infeasible in the present geopolitical circumstances: the same G20 that initiated the current stage of definitional clarity is unlikely now to be able to agree to take it much further. And even if they, or some other international body, could ultimately agree, it may well not be worth the time or resources it would require to arrive at such a definition, given such great heterogeneity in country circumstances.
An alternative approach would be to allow countries to resolve their own definitions for what is considered DPI at the national level, but to require that they differentiate between systemically important and non-systemically important DPI. This two-step process would mean that a country would decide whether a particular system is DPI; and also, when that system becomes systemically important, creating in effect two tiers of DPI. In some cases, these decisions may happen simultaneously; in others, a DPI may need to evolve in scale or degree of integration before being considered systemically important. The determination that a particular DPI is in fact systemically important would trigger the need for compliance with internationally agreed norms of governance — certainly if it is to receive international funding or support. This approach allows for international convergence at the second step, while also making space at the first step for both sovereignty and heterogeneity at the country level.
In practice, national definitions are likely to evolve as locally tailored versions of the emerging international consensus which was described earlier. But even if the national DPI definition remains vague or obscure, the really important part of this approach is authorizing a domestic regulator or regulators to make the designation when a DPI becomes systemically important. In other words, it may be less important to define what is inside the “box” called DPI than it is to determine how digital systems beyond a certain threshold of usage or importance should be governed and safeguarded.
This two-step approach follows the precedent created in the domain of financial market infrastructure. Faced by an ever-increasing number of digital payment systems, payment legislation empowers payment regulators, usually the central bank, to draw the distinction between those systems that merit extra oversight, which are categorized as systemically important systems, and the rest, which are not. This distinction triggers different oversight requirements and powers for regulators. It allows regulators to treat systemically important systems and other systems proportionately, that is, recognizing that the consequences of failure of a systemically important system would be severe so require additional oversight; while also recognizing that holding all payment systems to the same level of requirements would be onerous on smaller systems and may chill innovation.
Here’s the key definitional point though: In most national payment laws, the prescribed regulator, usually the central bank, makes the determination. To reach that decision, some central banks, like the Reserve Bank of India, follow published parameters such as volumes and values relating to transactions, payment systems share, markets, participants, criticality, and more ; other legislation, like the National Payment System Act of South Africa, set more discretional criteria, like whether a system serves the integrity, effectiveness, efficiency, or security of the National Payment System. Importantly, this two-tier approach has been able to accommodate a range of ownership models; central banks or private sector players may own and operate systemically important payment systems, provided they comply. The determination then triggers a set of enhanced compliance requirements embodied in local law but drawn largely from international standards called the Principles for Financial Market Infrastructures. Because these standards are internationally accepted, they create a basis for cross-border linkages between payment systems which otherwise may be considered too risky.
While most countries in the world now have payments legislation that provides designation powers like these to payment regulators, it is not yet the case with other categories of DPI. In most places, digital identity is understood to be issued by single, state-operated systems, though in practice, these may not be the most widely used digital identity systems, and the category of data exchange infrastructures has generally been too diffuse for any regulation beyond than sector-specific laws. The passage of the EU Data Governance Act (2022) and Data Act (2023) signal changes in approach to regulating data beyond sectoral level only, which are likely to be adopted in other jurisdictions as well.
However, there is a trend towards designation for a different, though related, reason: information infrastructure is increasingly recognized as a critical infrastructure under cybersecurity law provisions. These laws typically give powers to a security body, such as, in Kenya for example, the National Computer and Cybercrimes Coordination Committee , to designate and maintain a list of digital infrastructure which is deemed critical. The list would typically include large data centers and public key infrastructure (PKI) operators. Designation obligates the owners of the infrastructure to implement and maintain baseline security requirements. However, regulations like these have a narrow scope: they do not cover the wider considerations of additional safeguards which should apply to DPI as proposed in the UN DPI Safeguards framework, such as privacy or redress, or the wider considerations of their governance beyond appointing Chief Information Security Officers and requiring audits. Nonetheless, this increasingly common type of designation creates a precedent for critical digital public infrastructure.
As with payments and critical information infrastructure, implementing this two-step approach to DPI will likely require new or amended legislation that authorizes specific regulators (which could vary by sector) to designate digital systems as systemically important digital public infrastructure. It would also empower them to set requirements for how the operators of such systems are governed and how they manage risk. Some DPI systems like payments or data exchanges may only become systemically important when they reach a certain scale of usage; others, like ID systems, may be deemed systemically important from “birth” because of their functions and the sensitive data they hold. It is at the national level that questions regarding public purpose and public value can be meaningfully assessed. If a country determines that a privately operated scheme is in fact a systemically important DPI in their context, then what matters most is how it is effectively overseen in the context of public policy.
Of course, the passage of legislation usually takes time. It has taken more than 20 years for national payment laws to become the norm in most countries. This time, it could be faster, in part because of the precedent created by payments and, in part, because of the urgency of having digital public infrastructure that is resilient to more than cyber threats alone, but that is also able to serve public purpose.
But following this approach would not mean simply waiting for laws to be passed. For one thing, international development agencies could apply their energy not to fighting definitional wars but rather on building out the standards of oversight and compliance for systemically important DPI, rather than debating precise definitions, which would be left to local regulators to apply in local circumstances. Funders could encourage or require compliance with these standards while also supporting the development of local oversight capacity in advance of any national law. Future international funding could then become conditional on having a law in place.
This approach would not undermine but rather reinforce local sovereignty by leaving the key decision of which systems to designate to national level, while providing aligned international standards for the operation of these systemically important large-scale platforms. However, the benefit comes not just from paying closer supervisory attention to the designated level. It may be as important to allow locally-determined “innovation zones” for non-designated DPI systems in which the requirements are less onerous, just as the distinction in payment systems has allowed for a large variety of different systems to emerge in the non-systemically important category. There is little doubt that the categories of systems today considered foundational are likely to evolve further, and this definitional approach would allow jurisdictional regulators to add others over time based on what is relevant in their context.
In its short life, the term DPI has achieved considerable traction. “DPI-like” has so far been sufficient to mobilize attention, funding, and political interest. However, the “easy” phase of growth — when definitional looseness carried few consequences — is now ending. A future characterized by tighter funding envelopes and higher systemic risk calls for a more operational form of clarity. To meet these challenges, this brief has argued not for a single, globally agreed definition of DPI, but for a division of labor between national designation and international alignment on the consequences of designation.
Decisions over which digital systems are systemically important should be made at the national level by empowered regulators, reflecting domestic context and priorities. At the same time, once such designation is made, the implications should be clear and convergent internationally — particularly with respect to governance, risk management, and accountability.
This approach draws on the proven experience of financial market infrastructure oversight, where proportional regulation has enabled both stability at scale and innovation at the edge. Applied to DPI, it offers a way to reconcile sovereignty with interoperability, and flexibility with discipline.
As an emergent concept, DPI will always require a balancing act between clarity and adaptability. Moving from definition to designation — while anchoring oversight expectations internationally — offers a pragmatic next step in that evolution. By doing so, DPI can remain a useful policy category, capable of guiding both responsible scale and inclusive digital transformation in the years ahead.
Author
