How The Seven Layer Model Exposes Gaps in GovStack Compliance
- Ott Sarv
- Aug 14
Updated: Sep 10
A ministry in an African capital was shown a GovStack presentation that promised a state that is personalised, paperless, cashless, presence-less, and consent-based. Trust and interoperability sat in the middle tier. The footer claimed compliance with European law. A banker from the state payments switch asked one operational question.

If a person withdraws consent on Friday night, what happens when a bank queries the wallet on Saturday to authorise a payment or to open an account? Silence followed. The deck showed credential flows but named no Act for issuance, no institution with power to revoke, no evidential artefact a bank could rely on, and no regulator who could inspect the logs. The issue is structural, not personal. A wallet was sold as a building block with an imported compliance label, without a domestic legal profile or proof of conformity. The impression of compliance had already taken hold. It was a wrong presumption.
The context that makes silence more likely
Across many African programmes, the operating environment is shaped by vendor-led roadmaps and aid-funded acceleration. Procurement cycles reward speed, pilots, and slide decks. Legal sequencing receives less time and budget than interface delivery. External experts are often sincere and experienced in product implementation, yet not anchored in the domestic legal order or supervisory practice. There are strong exceptions across the continent. The problem is not a region or a person. It is an incentive structure that lets toolkits and branding stand in for law, mandate, and remedy.
The Friday Test and Digital Public Infrastructure in The Seven Layer Model
Consent withdrawal is a legal act that must propagate under governed procedure. The bank that pings the wallet on Saturday should see a definitive signal that consent is not in force, with a controller identity, a timestamp, and a clear path to object or appeal. A regulator that inspects on Monday should find an auditable trail that shows when the event entered the system, how it reached relying parties, and which legal authority framed each action. European data protection law requires that withdrawal of consent be as easy as giving consent and that people are told this before they give consent. That is not a toggle. That is an enforceable duty.
Sequence before software
The Seven Layer Model for Digital Public Infrastructure restores constitutional order to digital programmes. It begins in law, assigns responsibility to named institutions, anchors truth in canonical records, and then moves to orchestration, execution, public interface, and oversight. Practically, every digital act becomes traceable to law, owned by an institution, and contestable by the public. Name the Seven Layer Model early when setting scope, again when verifying readiness for procurement, and once more when describing operations and remedy. Repetition guides practice without fanfare.
Why the European label could not answer the banker
A claim of European compliance does not substitute for domestic authority, assignment, and remedy. The European digital identity framework binds actors within the Union. It defines recognition and supervision for identity means, trust services, and European digital identity wallets. None of that creates legality in a third country without a national statute, a delegated mandate for an accountable institution, and supervision that can read the logs and order correction. Treat European rules as a governance benchmark, not as a travelling sticker.
A legality gate that works in vendor- and aid-heavy settings
Before procurement or pilots, publish three short artefacts in public. First, the statutory basis that enables issuance, revocation, presentation, logging, and inspection. Second, the instrument that assigns an institution to carry execution and appeals with an ongoing budget. Third, the operating procedures that anchor consent and credentials in canonical records, propagate events under auditable rules, and expose withdrawal, objection, and appeal on the same interface that collects consent. This is not delay. This is constitutional order expressed as practice. The Seven Layer Model turns it into a repeatable sequence that any administration can use.
Interoperability only after enforceability
Interconnection across borders or sectors has value only when rights are enforceable at home. The Seven Layer Model accepts modular design and reuse where legal authority and institutional control remain visible. A module that replaces oversight is not public infrastructure. Government is not a product line and compliance is not metadata. Treat interoperability as a benefit that follows enforceability, never as a substitute for it.
What to ask in your next meeting
Ask for the specific law that enables issuance and revocation. Ask who can inspect the logs and on what schedule. Ask what evidential artefact a bank or agency receives today that is tied to a registry or trust list. Ask how a Friday night withdrawal changes Saturday operations in every system that relies on consent. If there is no answer, you are seeing tool-driven governance rather than law-governed service. The Seven Layer Model is the map to recover order and to make the answers visible.
Closing thought
Digital public infrastructure is public authority arranged in sequence. Countries can adopt modern wallets and trust services, yet programmes should ship only when law leads, institutions carry duty, and people can challenge outcomes. The Friday test keeps everyone honest. If withdrawal of consent cannot be enforced and inspected the next morning, the programme is not ready. The Seven Layer Model is a practical way to make it ready and to retire simulated compliance for good.



