At a time of rapid geopolitical change, cuts to international development assistance, and increased emphasis on digital sovereignty - investing in digital public goods (DPGs) represents an attractive option for countries looking to build and evolve their foundational digital public infrastructure (DPI).

As open source solutions that incorporate safeguards and best practices by design, and which can be adapted to meet contextual needs, DPGs provide an important starting point for helping countries implement and strategically maintain their most foundational components faster, better and at lower cost-over-time compared to leasing proprietary technologies or building from scratch.

Few governments have the capacity and resources to do the planning, financing, deployment, operation or hosting of DPI components fully by themselves, and entering into well-structured agreements with different types of private sector stakeholders is therefore vital for the success of these digital transformation processes.

However, when these agreements include the deployment and maintenance of DPGs, especially as part of building DPI, there are risks that may undermine the advantages that open source solutions provide. For these DPG4DPI-deployments we need to evolve a paradigm where a vibrant private sector benefits from actively seeking to meet implementing country objectives and to preserve the advantages and long-term sustainability of DPGs.

To inform this topic, it is important to first highlight the broad variety of stakeholder types that are covered by the “private sector” term. Important groups include:

• Systems integrators (SIs) that specialise in bringing together various components, including hardware, software, and services, from multiple vendors to create a cohesive and functional solution for a client;

• Independent system vendors (ISVs) that develop, market, and sell software applications running on existing third-party infrastructure, and who tend to create specialised software solutions for more narrow markets; and

• Hyperscalers/cloud providers, global service providers that offer highly scalable and flexible computing infrastructure, and that provide a wide range of services, including compute, storage, networking, and AI.

These different types of private sector stakeholders are similar in that they are all involved because of the expected commercial gain, but they differ widely in size, scope, engagement and business models. Hence, we must recognise that there is immense variation in the bargaining power, resourcing and contribution capacity within the group we collectively refer to as “private sector”.

DPGs and the risk of extraction and lock-ins

The open-source licence of a DPG ensures that access to the solution is non-exclusive, such that an implementer doesn’t need permission to adopt or adapt the solution to their needs and preferences.

Most DPGs that are relevant for implementing DPI take this one step further by having permissive licenses, which give even greater freedom to the users to choose how to modify their own version of the solution, even allowing them to re-license derivatives under a proprietary license.

In the context of system integrators (SIs) and hyperscalers, this offers greater flexibility for them to innovate and build upon existing code. Allowing for more seamless integration into existing proprietary systems and greater interoperability. However, it also gives these technology partners, who are at arm's length from the government, that same level of discretion in how they engage with the DPG, sometimes without clear incentives for contributing back to the source product. For example, larger private sector companies supporting multiple implementations of a DPG in different countries may find it more advantageous/profitable to offer a modified version under a new, proprietary license that they own the rights to, or make changes or configurations that result in detrimental forks and other types of lock-in. This risks undermining both the implementing country’s agency and the long-term sustainability of the core DPG.

How can we shape private sector engagement in the deployment of DPGs, so that it results in genuine partnerships where country objectives are met alongside commercial goals, with sustained benefits also to the DPGs that are being deployed?

Principles for Private Sector Stakeholders Engaged in DPG4DPI Deployments

From the DPGA Secretariat’s end, we have engaged DPG product owners, public sector officials, private sector representatives, multilateral institutions and other stakeholders to identify the following suggested principles that promote ecosystem health and equitable participation alongside commercial value creation:

• Reciprocity: Entities deriving significant commercial value from DPGs should contribute back to the source projects in a manner proportional to their benefit, including financially, technically, with code, documentation, and community support. This aligns with the rationale behind open source licensing principles that aim to balance freedoms with long-term collective gain. Investing in a shared resource is likely still cheaper than maintaining one in isolation and can have financial and operational benefits by reducing costs, increasing efficiency and eliminating redundancies.
• Sustainability: Commercial activities and deployments built upon DPGs should be structured in ways that actively support, rather than undermine, the long-term viability and maintenance of those underlying resources. This requires investing in the "digital infrastructure" itself, not just building on top of it. This continued investment in a shared resource can distribute costs and increase the profitability of organisations by optimising resource use, in addition to the brand advantages.
• Transparency: There should be reasonable visibility into how critical DPGs are being used, particularly in commercial contexts. Tools like Software Bills of Materials provide partial transparency into dependencies. Open governance structures within projects also contribute. Transparency can also be a valuable branding exercise, creating trust, confidence, and potentially stimulating innovation around the product.
• Community Health: Actions taken by users and vendors should aim to strengthen the community around the DPG, fostering diversity, encouraging participation, and respecting community norms and governance processes.

Guidance for DPG4DPI Product Owners

There are also important steps that can be taken by DPG product owners themselves, to “future-proof” their digital solutions for DPI deployment in a way that preserves these solutions’ inherent advantages as DPGs and enable countries to adopt them as part of their DPI.

• Cloud-Agnostic Architecture & Portability: One-click deployments are good add-ons for DPGs to improve the development experience for potential implementers. DPG product owners are encouraged to have these for multiple cloud providers in addition to the default setup they may have. However, in order to avoid creating a proprietary dependency, the cloud-optimised deployment should not diverge from the DPG's source code by introducing changes (either to the design or dependencies) that will create restrictions due to the use of unique proprietary infrastructure of a particular cloud provider.
• Decoupling Proprietary Functionality: DPG product owners should only utilise proprietary features from cloud providers or other service providers if these are used as isolated, optional extensions or deployment-specific modules that plug into the core solution, but are not essential for its main operation. This ensures that the primary functions remain unconstrained regardless of whether these vendor-specific features are utilised.
• Abstraction: Since DPGs are meant to be reused, as a design principle, product owners should use reusable or modular components for parts of the solution that are most likely to change when adapted or implemented by a user. Doing this will allow the DPG to be easily adapted and redeployed in different contexts (including one-click deployments).
• Branding & Resourcing Approaches: DPG product owners are encouraged to use different legal and commercial instruments actively to strengthen their brand, ability to mobilise contributions back to the core, and to develop complementary revenue streams that do not infringe on the openness of the core product; including IP and trademark policies, implementation support agreements, commercial licenses, and draft MOUs with principles and terms for how implementers and hyperscalers are expected to contribute back to the core.

We will stress test and evolve these proposed principles and guidelines in upcoming events and discussions, and you can also share any feedback directly with us on hello@digitalpublicgoods.net, using the subject line: DPG4DPI Private Sector Principles - Feedback.

An updated version of these principles and guidelines will be incorporated into a report that also takes into account the roles and contributions from other types of stakeholders, including government implementing agencies and multilateral development banks.

To learn more about DPGs that countries can use to build their DPI, please explore our DPG4DPI Collection on the DPG Registry.