• Digital Public Infrastructure requires shared digital systems that are secure and interoperable and built on open standards
• Interoperability enables seamless communication between government systems
• Once-Only Principle: Government agencies are prohibited from requesting information from citizens that the state already possesses

Above: Illustration by RoseStudios/DepositPhotos.

The Architecture of Agreement

This is the second article about Digital Public Infrastructure published by Nicole Greene on her Substack. The first article is here. The Architecture of Agreement is published with her permission.

When someone dies in a hospital in Trinidad and Tobago, the hospital knows.

The Registrar General’s Department, however, does not.

Not until a family member takes some proof from the hospital’s paper form, and attaches it to the RGD’s own paper form. Each state agency holds a piece of the administrative reality of a person’s life, and not one of them has sight of the others.

Interoperability is a dry word for a deeply human problem. Broadly speaking, it is the ability of systems (that were never designed to speak to each other), to exchange information securely, accurately, and in a way that can be trusted. One system can ask another a question, the answer can travel safely, and the exchange can be recorded without the need for a citizen-messenger carrying the proof in between.

In the first article of this series, we described the three foundational pillars of Digital Public Infrastructure (DPI): digital identity, digital payments, and data exchange. The G20’s 2023 consensus described DPI as shared digital systems that should be secure and interoperable – built on open standards to deliver equitable access to services at societal scale.

This article will help you to understand what it means in practice and what it makes possible, and I’m going to start that story in an unlikely place: the deck of a ship.

Malcolm McClaren

The Shipper’s Story

In 1937, a young trucker from Maxton, North Carolina, named Malcom McLean was waiting at the docks in Hoboken, New Jersey, watching stevedores unload his truck one cotton bale at a time. The loading was slow, the process unchanged in centuries, and McLean – sitting in his cab with nothing to do but watch – found himself thinking there had to be a better way. It would be nineteen years before he acted on the thought.

By 1955, McLean had built the largest trucking fleet in the American South: 1,776 trucks, thirty-seven terminals along the eastern seaboard. He sold the lot and bought a small coastal shipping company – Pan-Atlantic Steamship – for the sole purpose of proving an idea. He took a retired wartime tanker called the Ideal-X , reinforced its deck, and on the twenty-sixth of April, 1956, loaded fifty-eight sealed steel boxes onto it at Port Newark. The ship sailed for Houston. The crane placed a container on deck every seven minutes. The entire vessel was loaded in under eight hours.

The idea itself was technically simple – a single, standardised box that could be filled at a factory, locked, driven to a pier, hoisted aboard a ship, and opened only at its destination. What made it revolutionary was not the steel. It was the agreement the steel required. For the container to work, every port in the world had to accept the same dimensions. Every crane had to be rebuilt to the same specifications.

Every truck chassis, every rail car, every shipping line had to operate on the same standard. Longshoremen’s unions, correctly reading their own future, fought it. Competing carriers, whose entire business depended on the older breakbulk world, resisted. The International Organization for Standardization did not settle on final dimensions until 1968 – twelve years after the Ideal-X sailed.

When the standard finally held, the numbers moved in the way numbers move only when a bottleneck is removed entirely. The cost of loading a ton of cargo dropped from $5.86 to roughly sixteen cents. A week’s work for a gang of men became an afternoon’s work for a crane. Pan-Atlantic was renamed Sea-Land, which grew into one of the dominant carriers of the container era before being absorbed, decades later, into what is now known as Maersk – whose name rides the side of container ships in every major port in the world today.

McLean’s achievement was not the box. It was the agreement underneath the box – the shared standard that made every node in the chain legible to every other node without anyone having to unpack, translate, and repack the cargo at every stop. That is what interoperability makes possible. Applied to DPI, this would allow Ministries to retain their own rules, while enabling systems across government to speak to each other where authorised. So how do we go about putting that into practice?

The answer, it turns out, depends on which country you ask – and how that country thinks about trust.

The Estonia Experience

Estonia had been independent from the Soviet Union for barely five years. It had inherited no working tradition of integrated public administration – only a scattered collection of government databases, none of which spoke to any of the others. Then, in 1996, a young computer specialist walked out of a government job carrying personal data he had lifted from several of them, exposing how thin the walls between those systems actually were.

The state drew a conclusion worth pausing on. Fragmented storage was not a security feature. It was a vulnerability. The databases had been safe only by virtue of being useless to each other. The moment anyone with modest technical skill decided to connect them, they offered almost no defence at all.

Rather than respond by building a single, central vault where all information lived, Estonia built a rulebook. They called it X-Road. It was not a database. It was an agreement: a cryptographically signed, audit-logged, legally backed set of rules governing how any one government system could ask another for a specific piece of information, how the question would be authenticated, how the answer would travel, and how the exchange itself would be preserved so that anyone could later inspect exactly who asked what, of whom, and when.

The data stayed where it lived – in the ministries, hospitals, and agencies that had collected it. Only the question and the answer moved between them. No central vault. No master file. No single place to break into. The cleverness was in the rules, not in the hardware.

And then Estonia did something revolutionary. It wrote into law a principle called once-only: no government agency may ever ask a citizen for a piece of information the state already has.

A parent does not tell the school their child’s name; the school asks the Population Register. A taxpayer does not file most of the annual return; the state has already filled it in from sources it was entitled to consult, and the taxpayer is asked only to check and sign. A prescription written at a clinic in Tallinn can be collected at a pharmacy in Tartu without anyone carrying a piece of paper between them.

When a couple marries, the registries that need to know are informed by the registry that recorded the marriage. When a baby is born, the hospital tells the state; the state tells the family doctor, the health insurer, the family benefits office, and, eventually and patiently, the school that the child will one day attend.

And when someone dies? The hospital tells the system. The system tells the agencies that need to know. The family grieves. The state carries the message.

A quarter-century later, X-Road processes approximately 2.7 billion data queries a year for a country of 1.3 million people. Ninety-nine per cent of the population holds a digital identity card. One hundred per cent of public services are available online. Estonia has ranked second in the world on the United Nations’ measure of digital government for years. None of this is magic. It is the accumulated dividend of a single agreement about the shape of a question.

X-Road is also an export. The software is open source, published under a free licence, and maintained jointly by Estonia, Finland, and Iceland through a Nordic institute established for that single purpose. Colombia has adopted it. Cambodia runs a deployment. Because the underlying protocol is the same, queries can cross borders as easily as they cross ministries.

It would be tempting to stop here – to treat Estonia as the answer and recommend it to every country asking the question. But Estonia’s success was shaped by conditions most countries do not share: a small population, a unitary state, high literacy, near-universal broadband, and a post-Soviet political consensus that valued data minimisation. The principles that make X-Road work – distributed storage, cryptographic accountability, once-only, human rights by design – are transplantable anywhere. The institutional conditions that allowed those principles to take root so quickly… are not.

Which is why India asked a different question entirely.

India’s Account Aggregator System

India’s approach

The challenge India faced was not an absence of data. It was that much of the data that mattered sat inside private institutions – banks, mutual funds, pension providers, telecom operators – each with its own commercial reason to keep it right where it was. Nor could any citizen in a country of 1.4 billion people, twenty-two official languages, and a long institutional memory of being asked for documents that should never have been required, reasonably rely on an inter-agency agreement of the Estonian kind. India needed a different answer to the same question. Not the state carries the message. Something else.

India’s answer: the citizen carries the permission.

The system is called DEPA – the Data Empowerment and Protection Architecture – and it runs through a new class of regulated intermediaries called Consent Managers. A Consent Manager does not hold data. It holds permission. When a citizen applies for a small-business loan, the lender does not phone their bank for statements.

Instead, the citizen opens a consent screen, selects which accounts to share, for how long, and for what purpose, and the bank streams the relevant data directly to the lender, accompanied by a cryptographic record of the citizen’s permission that anyone – the citizen, the bank, a regulator – can later inspect. The consent can be revoked with the same few taps that granted it.

Where Estonia’s model assumes that the state can be trusted, and then builds legal and architectural scaffolding to keep it honest, India’s model assumes that trust is something to be issued by the citizen, one decision at a time, and that the citizen must be present every time their data leaves the room.

The scale is unlike anything else in the world. More than 780 financial institutions are live on the system. Over 2.6 billion accounts are enabled for consent-based sharing. More than 269 million individual consents have been processed, and over 252 million users have linked at least one account. It is the largest live experiment in citizen-mediated interoperability anywhere.

It is also an experiment honest enough to be asking its own hardest question. DEPA assumes a user who can read a consent screen, understand the difference between a one-time and a recurring data pull, and meaningfully revoke access if something goes wrong. In a country where rural digital literacy is uneven and where many users are onboarded during loan applications, by the very lender who stands to benefit from the data, the gap between architectural elegance and lived experience is real.

The headline ratio tells the story plainly: 2.6 billion accounts enabled, 252 million actually linked. The system’s technical surface area is vast. Its citizen engagement layer is still, by its own measure, about ten per cent of the way into its headroom. The live test the framework is ongoing.

Estonia’s E-Resident Programme emphasises speed

Two countries. Two fundamentally different answers to the same question the hospital posed silently when it recorded a death and had no one to tell. Estonia said: the state should carry the message, and the law will keep it honest. India said: the citizen should carry the permission, and the architecture will make it auditable. Both answers work. Neither is finished. And neither pretends to be.

Each of these is a version of the same math Malcom McLean proved on the pier at Newark in 1956. The cost of moving information drops when you stop unpacking it at every stop.

Uruguay has been running a quietly effective interoperability backbone since the early 2000s – over 200 state bodies and nearly 300 services connected, open-source software that reduces dependence on any single vendor, and an institutional consistency across successive governments that is the envy of the region. Colombia adopted X-Road and expanded its roster of available digital government services by more than four hundred percent in three years.

In Brazil, a federal interoperability platform processed over 1.1 billion automated data transactions in 2025 – the largest deployment in Latin America. In each case, the technology mattered less than the agreement that sat underneath it: a legal mandate and an institutional commitment that the systems would talk to each other and not simply sit in silos.

This is the second article in a four-part series on Digital Public Infrastructure. The first, “The Invisible Architecture,” introduced DPI and the global movement behind it. The next article will examine the second pillar: digital identity.