Diia — A Digital Monopoly Under One Person’s Control: The Architecture of Power in Ukraine’s Public Services

15 August 2025, 12:51
Ukraine is undergoing a rapid digital transformation of public services. The “Diia” ecosystem, developed under the Ministry of Digital Transformation, has evolved from a simple portal into a multi-functional platform controlling citizen identification, access to state registries, service delivery, and now — basic financial transactions through the new Diia.Card.

This is a technologically progressive step with undeniable benefits. Yet it also creates a unique situation in Ukrainian governance: critical state functions are concentrated in a single administratively controlled hub, under the authority of one person — the Minister of Digital Transformation.

The issue is not about the intentions or competence of the current leadership, but about the power architecture and systemic risks such concentration creates for a democratic society.

From Portal to Ecosystem

Diia.Card — The New Stage of Concentration

In August 2025, the Ministry announced the launch of Diia.Card — a multi-account instrument for receiving state payments directly through the Diia app. It covers pensions, IDP assistance, grant programs, and other targeted or untargeted transfers.

The card contains separate “pockets” for special programs and a general balance, all within a single interface. Importantly, the platform doesn’t just display transactions — it controls the routing of funds, effectively binding the recipient to a specific state interaction channel.

Growing Dependence: The Ukrzaliznytsia Case

Ukraine’s state railway operator has been phasing in Diia.Signature verification for certain popular services — starting with international routes and ticket refunds, then expanding further. BankID integration is also being introduced as another mandatory ID method.

While alternative channels formally exist, critical functions are increasingly tied to Diia. This is not “sales exclusively via Diia,” but an administrative dependency on a single identification method is becoming the norm.

All Under One Roof

Today, the Diia ecosystem combines:

  • Identification (Diia.Signature, BankID integration)
  • Registry access (documents, certificates, registration data)
  • Service delivery (from certificates to licenses)
  • Financial transactions (Diia.Card for state payments)
  • Communications (notifications, official correspondence)

This means one government body — the Ministry of Digital Transformation — now controls almost every digital touchpoint between citizens and the state.

Legal Risks

Constitutional Principles Under Strain

  • Article 42 of the Constitution prohibits abuse of monopolistic position and obliges the state to protect competition. A de facto monopoly on access to public services may violate this principle.
  • Article 19 requires state bodies to act only within powers defined by law. Imposing a single access channel without explicit legal mandate creates uncertainty.
  • Article 32 guarantees personal data protection. Consolidating identification, registry, and financial data in one place raises privacy risks.

Antitrust Concerns

  • Article 15 of the Law on Economic Competition Protection bans anti-competitive actions by state authorities. If the state fixes one point of entry (ID/signature/payment), it may amount to creating administrative market power.

Financial Regulation Issues

Launching a banking product (Diia.Card) with exclusive registry access and administrative leverage creates unfair conditions for other financial service providers, potentially breaching equal market access principles.

Systemic Risks in the Architecture

  • Single-point cyber risk: One breach could disrupt services, falsify identities, or leak sensitive data on millions.
  • Regulatory conflict of interest: The Ministry both sets access rules and operates the dominant platform — an inherent governance conflict.
  • Economic displacement: Privileged integration and free access to state data disadvantage private IT and fintech companies.
  • Political vulnerability: Control over a single platform enables selective service denial — a tool for political leverage.

Potential Abuse Scenarios

If the system falls into the wrong hands:

  • Political pressure: Region-specific service shutdowns, targeted payment delays.
  • Economic coercion: Blocking critical business services.
  • Mass surveillance: Loyalty scoring based on transactions and movements.
  • Data monetisation: Sharing user profiles with third parties without informed consent.

Internal risks include unauthorized use, leaks, or sale of citizen data by insiders.

Leadership as a Risk Factor

Unlike distributed models where functions are divided across institutions, Ukraine’s setup centralises control under one minister, who can directly influence:

  • Security architecture
  • API access rules
  • Service integration priorities
  • Key staffing

Checks and balances are weak: most technical rules are set by secondary regulations, with limited parliamentary or judicial oversight.

A leadership change could radically shift the system’s role — from service delivery to political control.

Advantages That Can’t Be Ignored

Technological: Single interface, instant transfers, transparency, lower transaction costs.
 Social: Easier access for younger citizens and those in remote areas.

International Comparisons

  • Estonia’s X-Road: Distributed control, multiple ministries, independent data protection authority.
  • India’s Aadhaar: Initially centralized, later restricted after mass data leaks and privacy violations.
  • China’s Social Credit System: Illustrates the authoritarian potential of such architectures.

Recommendations

Legislative safeguards:

  • Mandate at least two independent ID methods and service channels.
  • Separate regulator and operator roles.
  • Time-limit any restrictions on alternatives.

Technical measures:

  • Open, equal-access APIs.
  • Segregate personal, financial, and behavioural data.
  • Regular independent security audits with public reports.

Institutional controls:

  • Independent oversight body for digital platforms.
  • Antimonopoly review for every major integration.
  • Public reporting on data use and technical decisions.

Conclusion

Digital unification of public services is positive — if the architecture serves the public, not the platform. When identification, registry access, and payment routing are concentrated under one person, the result is not just efficiency, but a systemic risk point for democracy.

Ukraine’s Diia model showcases both the promise of digital governance and the dangers of over-centralisation. The question is not whether we trust today’s leadership — but what powers we hand to tomorrow’s.

History shows: tools of control built with good intentions eventually reach those willing to misuse them.
 The time to act is now — while the system can still be redesigned, before change becomes politically impossible.