How Cabo Verde Built Digital Identity for an Archipelago

Most conversations about digital identity start from an assumption that's rarely said out loud. They assume that internet connectivity is stable, that service counters are close by, and that population density turns infrastructure distribution into a problem solved by default. That's a reasonable assumption in many European contexts. However, it simply doesn't hold for a country like Cabo Verde — ten islands scattered across the Atlantic. There, the distance between a citizen and the nearest public service can mean a boat trip, not a walk into town.

The eID middleware Caixa Mágica developed for Cabo Verde's National Identity Card (CNI) — which also supports the Residence Permit for Foreigners (TRE) — is, at first glance, a technical project like many others. In essence, it's a software layer connecting the chip on an identity document to the operating system, browsers and applications. But the context in which this middleware was conceived — and the choices that context forced — say something broader about digital identity outside the dense, well-connected territories where most of these systems were born. It's worth looking at this case not just as a project completed successfully, but as a lesson in what digital infrastructure needs to be when geography, institutional context and access can't be treated as constants.

10+ years
Portuguese Citizen Card middleware, tested and mature
eID middleware
Built for Cabo Verde's CNI, extended to the TRE
2021
Abertura Award from ESOP for the open source cooperation

Equity is the real test of digitisation

There's a tendency to describe the digitisation of public services primarily in terms of efficiency — less paper, faster processes, shorter queues. That's true, but it's a limited way of measuring what's actually at stake. For a citizen living in the capital, near well-equipped service counters, digitisation is convenience. For a citizen on a more remote island, however, that same digitisation can be the difference between handling an administrative matter and not being able to handle it at all. In other cases, it simply comes at a cost of time and money that distance imposes.

It's this distinction that makes the Cabo Verde case particularly relevant for thinking about digital identity outside dense urban centres. Being able to digitally sign a document, remotely activate the card's eID features, or verify a certificate without leaving home isn't just a process optimisation — it's a redistribution of access. As a result, it reduces the geographic penalty that would otherwise fall disproportionately on those who live furthest from the country's administrative centre. The scale of the underlying problem is significant: the World Bank's Identification for Development (ID4D) initiative estimates that billions of people worldwide still lack access to a government-recognised digital identity for online transactions.

This is a point that gets lost easily when the conversation about digital transformation focuses on adoption metrics or international comparisons of "digital maturity". The same equity principle applies, less obviously, to the decision to extend the middleware to the Residence Permit for Foreigners. After all, a foreign resident in Cabo Verde faces exactly the same geographic and administrative obstacles as a national citizen. By giving them access to the same digital signing and authentication features, the system recognises that equity of access shouldn't depend on the nationality of whoever needs the service.

Geography Isn't an Implementation Detail — It's a Digital Identity Design Requirement

In many digital identity projects, connectivity is treated as base infrastructure — something that already exists, on top of which everything else is built. In Cabo Verde, that premise doesn't hold in the same way. A population spread across ten islands means that any system built to depend on a constant connection to a central server risks excluding exactly the citizens who'd benefit most from digitisation. In particular, this means those living furthest from the capital, and those with least regular access to in-person services.

That's why the architecture of the Cabo Verdean middleware relies heavily on the card's own chip. Authentication, electronic signing and personal data management are processed locally, between the card and the citizen's computer, without depending on a constant, high-quality connection to a remote system. This isn't a purely technical choice — it's a direct response to a geographic condition. A system designed for Lisbon or Paris can afford to assume continuous connectivity, but a system designed for an archipelago cannot.

The lesson here is broader than this specific case. Digital infrastructure that works well in dense contexts often simply doesn't work when replicated in a dispersed one. Instead, it needs to be rethought from the real constraints of that context, not hastily adapted from a model that was never designed for it.

This concern with geography doesn't stop at the islands of the archipelago. Cabo Verde also has a large diaspora spread across Europe and the rest of the world, and an emigrant citizen faces exactly the same structural problem as a citizen on a more remote island: the distance to the service counter.

Adapting isn't copying

Caixa Mágica didn't build the Cabo Verdean middleware from scratch. It brought more than a decade of accumulated experience with the Portuguese Citizen Card middleware — a tested, mature system with an extensive track record in production. But there's an important difference between reusing technical experience and importing a solution as-is, and that difference is where most of the real work of a project like this lies.

The legal framework for civil authentication in Cabo Verde isn't the same as in Portugal. The responsible bodies are different: SNIAC, the National Civil Authentication System, and INCM, the National Press–Mint, have their own mandates and processes, shaped by Cabo Verde's institutional reality. Consequently, a middleware that ignored those differences and simply replicated the Portuguese architecture would have failed — technically sound, but institutionally incompatible with the country it was meant to serve.

This is made possible, in large part, by the open nature of the technology used. Open source isn't just an ideological choice or a way to cut licensing costs. Rather, it's what makes it feasible to adapt a solution to another country's legal and institutional framework without depending on a single vendor for every change. In short, a Cabo Verdean citizen benefits from more than a decade of technical maturity accumulated in another context, yet the system they use was designed, from the ground up, to answer to their own country's regulatory framework.

This distinction — between inheriting technical knowledge and imposing a foreign architecture — is probably the most transferable lesson from this project. It matters especially for countries trying to build digital identity infrastructure without repeating decades of trial and error others have already been through. At the same time, it matters for countries that don't want to simply accept systems designed to answer problems that aren't quite their own.

Institutional cooperation is part of the architecture, not a political footnote

It's tempting to describe a project like this purely in technical terms — programming languages, security protocols, operating system compatibility. However, Cabo Verde's eID middleware wouldn't have worked without sustained institutional alignment between Caixa Mágica, SNIAC and INCM. Each of the three is responsible for a distinct and indispensable piece.

Who does what in Cabo Verde's eID middleware
Legal framework
SNIAC — civil authentication rules and mandate
Identity document
INCM — production and chip compatibility
Software
Caixa Mágica — development and ongoing maintenance
Recognition
ESOP — 2021 Abertura Award
The system's success depends as much on the quality of this institutional relationship as on the quality of the code.

This cooperation was formally recognised in 2021, when the project received the Abertura Award from ESOP — the Portuguese Association of Open Source Software Companies. For other countries considering similar projects, this suggests a question that precedes any technical decision. Namely: does solid institutional alignment already exist, or can it be built, between the bodies that will have to work together for years, not just through launch? After all, the technology can be excellent and the project can still fail if that institutional foundation isn't there.

What success looks like when infrastructure is built to disappear

There's a rarely discussed feature of good digital infrastructure: when it works well, it becomes invisible. Nobody praises an ID card's middleware for being remarkable. At best, they praise it for simply working, every time, without requiring specialist technical knowledge from the citizen using it.

This standard is particularly demanding in an island context like Cabo Verde's, where specialist technical support may not be immediately available on every island. A system that fails often, or that requires complex troubleshooting, imposes a real cost. In dense continental territories, that cost is absorbed fairly easily — someone could be called, or the equipment taken to a specialist shop. In an archipelago, however, that cost can be significantly higher.

Which is why reliability and ease of use aren't just good software engineering practice. In this context, they're functional requirements equivalent to any legal specification. Consider a digital identity middleware that works correctly in 95% of cases, but whose failures in the remaining 5% are hard to resolve without in-person technical support. Put simply, that system isn't adequately serving every citizen it's meant to serve. The definition of success here can't be separated from the real conditions in which the system will be used.

Data sovereignty starts in the technical design, not in policy

One quiet but significant choice in this middleware illustrates the point well. The personal notes a citizen can attach to their card — emergency contacts, blood type, allergies — aren't stored on a central server. Instead, they stay on the card's own chip, under the holder's direct control.

This is an architectural decision, not a political statement, but it has implications beyond the technical. In many debates about digital identity, data sovereignty is discussed mainly in legal or geopolitical terms: where the servers are located, which jurisdiction applies, what contractual guarantees exist. Yet there's a layer of data sovereignty decided long before any contract is signed. Namely, the one that results from choices made in the system's own design, about what's centralised and what stays under the citizen's direct control.

For countries still building their citizens' trust in their own digital institutions, this kind of architectural choice can carry as much weight as any legal guarantee. That trust-building is, after all, a slow, cumulative process. A system that, by design, keeps the most sensitive data out of reach of any central server is communicating something about where control actually sits — regardless of what any privacy policy later states in writing.

A Bigger Lesson for Digital Identity in Archipelagos

Cabo Verde's eID middleware is, in itself, a successful project. It's in production, used by citizens, and formally recognised for the quality of the cooperation that made it possible. But the value of this case isn't just in the outcome. For anyone thinking about digital identity outside the usual technology hubs, it's in the process of decisions that made it fit for the context in which it operates. None of these decisions was spectacular on its own.

Five choices, one philosophy

Processing locally instead of depending on constant connectivity.
Adapting the legal framework instead of importing a foreign architecture.
Investing in the institutional relationship as much as in the code.
Treating reliability as a core requirement, not a nice-to-have.
Keeping sensitive data under the citizen's control, by design rather than by promise.

Together, these choices describe a philosophy of building infrastructure that responds to a country's real conditions, rather than assuming those conditions are the same everywhere. It's this philosophy — more than any specific line of code — that becomes relevant to other archipelagos. In particular, it applies to other countries with dispersed populations, and to other contexts where urban density and continuous connectivity can't be taken for granted. The digital identity that works for most of the world is probably not a scaled-down version of the one built for the densest technology hubs. Instead, it's a digital identity designed, from the outset, for the conditions in which most of its citizens actually live.

Caixa Mágica Software
Caixa Mágica Team
Caixa Mágica Software is a Portuguese software company with 20+ years of experience delivering custom software, AI solutions and nearshore development teams for European businesses.
eID Box · Caixa Mágica Software
See what digital identity built for real-world conditions looks like
Reliable, secure eID systems adapted to your country's geography, institutions and legal framework.
From Portugal's Citizen Card to Cabo Verde's eID middleware.