This section presents and interprets findings in response to the key research and sub-research questions (Section 3.2). This section will first build a conceptual grounding of digital sovereignty in the context of national digital identity systems from the literature to contextualise the findings.
Digital sovereignty is widely discussed as both an academic and political concept centred on reimagining state authority over data, governance mechanisms and technologies within borderless digital infrastructures (Abraham & Rajadhyaksha, 2015; Ivic & Troitiño, 2022; Naghmouchi et al., 2023; Prasad, 2022; Zwitter et al., 2020). National digital identity systems, which provide citizens with verifiable digital credentials for authentication and access to public services, have become a key political mechanism for exercising this authority in response to geopolitical shifts, technological disruption, and growing concerns over data governance (Ivic & Troitiño, 2022; Prasad, 2022). While digital sovereignty is consistently linked to digital, data, and technology (Prasad, 2022), several authors argue that their meanings and applications remain highly fragmented and inconsistently operationalised. They contend that digital sovereignty is not a fixed, uniform, or neutral concept but rather a fluid and strategic political project, loaded with legal and political connotations, deployed to pursue competing claims to authority and influence over digital infrastructures, while still relying on traditional sovereignty notions of control and self-determination (Abraham & Rajadhyaksha, 2015; Ivic & Troitiño, 2022; Prasad, 2022).
This conceptual ambiguity is widely acknowledged throughout the literature to shape digital identity systems through a variety of overlapping and contested sets of technical, legal, and socio-technological design choices. In response to the three thematic sub-questions, the following sections explore these variations in greater depth, highlighting specific examples of how digital sovereignty is being mobilised through national digital identity systems across different use cases.
5.2.1 Centralised identity models maximise sovereignty but risk political overreach
Centralised identity management models (Figure 4) are widely regarded as the "traditional" and "siloed" approach to digital identity systems, where a single authority controls the creation, storage, and management of digital identities, often to streamline social service provision (Sedlmeir et al., 2020; Naghmouchi et al., 2023; Zwitter et al., 2020). From a digital sovereignty perspective, these systems are often framed as instruments of state power, consolidating control over identity infrastructure and citizen data to drive state-centric data economies (Prasad, 2022; Naghmouchi et al., 2023).
Figure 4. Centralised identity management
Adapted from Naik and Jenkins, 2020, as cited in Rim, 2023
Despite the apparent success of centralised identity models in large-scale deployments, such as the EU's Digital COVID Certificate (Sedlmeir et al., 2020), India's Aadhaar system — the world's largest digital identity programme — is frequently criticised throughout the literature as a tool of "statecraft and biopolitical control" (Prasad, 2022). Scholars argue that the technological centralisation of Aadhaar is used to assert national ownership over citizen data while disregarding individual autonomy (Abraham & Rajadhyaksha, 2015; Anand & Brass, 2021; Naghmouchi et al., 2023; Sedlmeir et al., 2020; Zwitter et al., 2020). This approach is inherently viewed as a political choice to maximise sovereignty and deepens existing inequalities by exposing already marginalised groups to increased levels of digital exclusion and surveillance (Anand & Brass, 2021; Ivic & Troitiño, 2022; Prasad, 2022).
Several studies also highlight the security vulnerabilities of centralised identity systems, which overburden citizens with numerous credentials across institutions—"paradoxically decreasing security" (Boysen, 2021)—and increase the likelihood of widespread privacy breaches due to centralised data storage (Naghmouchi et al., 2023; Sedlmeir et al., 2022).
5.2.2 Federated and user-centric identity models promote trust but retain institutional gatekeeping
The shortcomings of centralised identity systems have led to federated (Figure 5) and user-centric identity management models as alternative approaches that aim to balance state control, user autonomy, and interoperability (Sedlmeir et al., 2020; Weigl, Barbereau & Fridgen, 2023; Zwitter et al., 2020). In federated models, multiple institutions — typically a combination of public and private actors — share responsibility for managing identities, enabling citizens to authenticate across services (Boysen, 2021; Naghmouchi et al., 2023). User-centric models build on this by improving citizen autonomy and privacy, but still operate within frameworks controlled by institutions — reflecting states' desires to retain strategic influence over citizen data (Boysen, 2021; Naghmouchi et al., 2023; Rim, 2023; Wang & De Filippi, 2020).
Figure 5. Federated identity management
Adapted from Naik and Jenkins, 2020, as cited in Rim, 2023
The EU's eIDAS framework and Estonia's eID system are frequently cited examples of these approaches, blending centralised credential issuance with decentralised authentication to promote citizen trust while maintaining state oversight (Carvalho et al., 2023; Naghmouchi et al., 2023; Rim, 2023). However, several scholars highlight the underlying vulnerabilities of this approach, warning of "latent centralisation" (Rim, 2023) by relying on a narrow set of trusted providers, which reinforces exclusionary dynamics and creates a "gatekeeper problem" (Weigl, Barbereau & Fridgen, 2023), where institutional actors retain significant control over identity infrastructures – ultimately undermining the system’s goals of citizen empowerment (Rim, 2023; Weigl, Barbereau & Fridgen, 2023; Zwitter et al., 2020).
5.2.3 Self-sovereign identity models place citizens in control but are unsolved in practice
Self-sovereign identity (SSI) models (Figure 6) are widely regarded as a radical departure from both centralised and federated identity systems by placing individuals at the centre of the identity management ecosystem (Ishmaev, Epema, & Pouwelse, 2021; Jenkins, 2022; Kim & Kokuryo, 2024; Naghmouchi et al., 2023; Pöhn, Grabatin, & Hommel, 2021; Sedlmeir et al., 2022; Shuaib et al., 2022; Soltani, Nguyen, & An, 2021; Stokkink & Pouwelse, 2018; Wang & Filippi, 2020; Weigl, Barbereau, & Fridgen, 2023; Zwitter et al., 2020). They enable citizens to create, own, and control their personal data on decentralised platforms, such as blockchain, to maximise personal autonomy and privacy (Naghmouchi et al., 2023; Jenkins, 2022; Sedlmeir et al., 2022; Zwitter et al., 2020). From a digital sovereignty perspective, projects such as the European Commission’s European Blockchain Services Infrastructure (EBSI), alongside initiatives in the Netherlands, Canada, and Estonia, demonstrate state experiments with SSI to reduce dependency on external infrastructure providers and align national ambitions with goals of citizen agency and data minimisation (Ishmaev, Epema & Pouwelse, 2021; Kim & Kokuryo, 2024; Naghmouchi et al., 2023; Rim, 2023).
Figure 6. Self-sovereign identity systems
Adapted from Naik and Jenkins (2020, cited in Rim, 2023)