NGO (Social Sector)
Open Civic Standard — Global Standards Review Committee
Details
Description
Network Theory Applied Research Institute | May 2026 | ntari.org
What follows is an AI-generated report on the current state of the Open Civic Standard for ethical, rights-respecting, secure, accessible, and culturally responsive civic software, under development by the Network Theory Applied Research Institute. By volunteering you will join a committee advancing the standard from a Western-centred approach to one that respects the standards of people everywhere, in line with NTARI's global mission. Learn more at ntari.org.
What Is the Open Civic Standard?
The Open Civic Standard (OCS) is a composite compliance baseline for civic software — the digital tools that underpin democratic participation, public services, and community governance. Rather than targeting the minimum requirement of any given jurisdiction, OCS takes the ceiling: wherever regulators disagree, it adopts the most protective rule.
OCS 1.0.0 is built on five domains:
- Accessibility (WCAG 2.2 AA, Section 508, EN 301 549, AODA)
- Licensing and Open Source Integrity (AGPL-3.0, REUSE 3.0, SBOM/SPDX, OpenChain ISO/IEC 5230)
- Data Privacy and Governance (GDPR, CPRA, DPIA requirements)
- Security (OWASP ASVS, EU Cyber Resilience Act)
- Interoperability (OpenAPI 3.x, JSON-LD, Unicode CLDR)
All five domains draw almost exclusively on US and EU frameworks. NTARI broadcasts resources across six language communities — Arabic, Chinese, French, Hindi, Portuguese, and Spanish — whose jurisdictions contribute standards that either exceed current OCS requirements or cover areas OCS does not address at all. This report summarises a global research effort across 85+ national frameworks to identify what must change.
What Our Research Found
Across all six language communities, the research identified 47 specific provisions that exceed current OCS protections, and 8 entirely new domains that civic software must address to serve global communities responsibly.
Key Finding: OCS 1.0.0 is a strong Western baseline. It is not yet a global standard. Frameworks from Arabic-, Chinese-, Hindi-, Portuguese-, and Spanish-speaking jurisdictions introduce requirements that are entirely absent from US/EU law.
The Five Existing Domains: What Needs Upgrading
Domain A — Accessibility | ENHANCED. OCS leads on WCAG 2.2 AA. Gaps: France's RGAA requires mandatory accessibility statements with annual audits and published compliance scores. Brazil's LBI attaches criminal penalties to accessibility failures across all websites, public and private. New Zealand requires the same WCAG 2.2 AA standard for internal systems (intranets), not only public-facing sites.
Domain B — Licensing | CURRENT. AGPL-3.0 and REUSE 3.0 remain strong globally. France's Digital Republic Law formally designates source code as an administrative document, reinforcing the open approach. No major ceiling standards were identified elsewhere.
Domain C — Data Privacy | ENHANCED. GDPR is a floor, not a ceiling. Quebec Law 25 requires confidentiality by default: all tracking technologies must stay deactivated until express consent is given, the strictest consent architecture identified globally. South Korea's PIPA requires that affected individuals be notified of a breach before the authorities are. Saudi Arabia's PDPL requires a dual adequacy test for cross-border data transfers: technical adequacy and national security clearance. India's DPDP Act requires consent notices to be available in any of the country's 22 scheduled languages, sets the child threshold at 18, and sets no materiality threshold for breach reporting.
Domain D — Security | ENHANCED. OWASP ASVS covers application security well; the gap is infrastructure and operational security. Australia's ASD Essential Eight mandates 48-hour patching of critical vulnerabilities in internet-facing systems, phishing-resistant MFA with hardware keys, and daily backups with quarterly restoration testing, none of which ASVS specifies because it scopes to the application layer. India's CERT-In requires 6-hour incident reporting. Saudi Arabia's National Cybersecurity Authority defines 114 prescriptive controls alongside a workforce framework mapping 40 job roles to knowledge, skills, and abilities requirements.
Domain E — Interoperability | ENHANCED. OpenAPI 3.x remains best practice. Spain's ENI mandates 26-element metadata schemas for government system integration. Saudi Arabia's ZATCA transaction infrastructure (real-time XML validation, cryptographic stamps, QR codes, and immutable audit trails) provides a replicable model for civic procurement transparency. India's IndEA offers federated architecture patterns for whole-of-government deployment.
Eight New Domains Required
The most significant finding is not upgrades to existing domains — it is eight areas of civic software governance that OCS does not address at all.
Domain F — Indigenous Data Sovereignty. CARE Principles, OCAP® (Canada), and Te Mana Raraunga (Māori) establish that Indigenous nations hold inherent sovereignty over data about their peoples. Civic platforms, especially census, health, environmental, and geographic systems, must implement collective consent (Free, Prior and Informed Consent), community-controlled access, and data storage within Indigenous jurisdiction. Individual privacy frameworks cannot substitute for collective governance rights.
Domain G — Algorithmic Accountability and AI Ethics. 51 jurisdictions now regulate automated decision-making beyond data privacy. China requires algorithm filing with the regulator within a 10-working-day window. Nigeria's NDPA and Saudi Arabia's PDPL establish rights to object to automated decisions and to receive an explanation. Spain's AEPD published comprehensive agentic AI guidance in February 2026. UNESCO's Recommendation on the Ethics of AI, adopted by 194 states, requires Ethical Impact Assessments before deployment. Civic software using AI for eligibility, allocation, or analysis needs bias testing, explainability mechanisms, human oversight, and an ethics review process.
Domain H — Data Localization and Sovereignty. 23+ jurisdictions mandate local data storage. Saudi Arabia requires a 24-month transition to SDAIA-qualified providers for critical infrastructure. Morocco classifies systems by impact severity, with the highest levels requiring local hosting. Kenya, Nigeria, Rwanda, Vietnam, and Zambia impose sector-specific localization for government and sensitive data. OCS currently has no data residency framework, no qualified hosting provider criteria, and no Transfer Impact Assessment requirement beyond GDPR's standard contractual clauses.
Domain I — Digital Rights and Workplace Protections. Spain's LOPDGDD Title X (Articles 79–97) establishes a Digital Rights Charter with no US or EU equivalent: the right to digital disconnection (workplace tools must respect off-hours), internet neutrality, universal access as a policy goal, a digital testament for posthumous data management, and workplace device privacy with worker co-determination. Tunisia's Constitution (Article 24), Chile's (Article 19), Ecuador's (Article 66), and Colombia's (Articles 15 and 20) elevate privacy and digital rights to constitutional status, a stronger legal foundation than statutory law alone.
Domain J — Workforce Competency and Training. Saudi Arabia's SCyWF defines 5 categories, 12 specialty areas, and 40 job roles, each with Knowledge-Skills-Abilities mappings, as cybersecurity requirements rather than aspirational targets. UAE ADGM requires formal DPO Competency Statements with qualification assessment. OCS currently has no personnel qualification provisions. Qualified people are a security control.
Domain K — Digital Transaction Infrastructure. Saudi Arabia's ZATCA FATOORA e-invoicing system mandates real-time validation against a government API, cryptographic stamps, standardised XML, and immutable audit trails for financial transactions. Applied to civic procurement, public budgets, and benefits distribution, this model provides a technical transparency standard that OCS currently lacks entirely.
Domain L — Privacy Management Systems. ISO/IEC 27701:2025 and the NIST Privacy Framework 1.0 provide operational frameworks for achieving privacy compliance (governance structures, risk assessments, performance metrics, privacy-enhancing technologies, and maturity models) that GDPR compliance alone does not specify. OCS mandates outcomes; it does not yet specify how to achieve them systematically.
Domain M — Comprehensive Security Management. ISO/IEC 27001:2022 covers organisational security (supply chain risk, business continuity, physical controls, personnel screening, internal audit) that OWASP ASVS, which is application-level only, does not reach. Australia's ASD Essential Eight adds prescriptive operational controls including application control (allowlisting), 48-hour critical patching, and daily backups tested quarterly. These do not overlap with ASVS; they are a complementary layer.
Standout Provisions by Region
Arabic-Speaking Jurisdictions
Saudi Arabia's PDPL requires a dual adequacy test for cross-border transfers — both technical adequacy and national security clearance — stricter than GDPR's self-assessment model. Egypt's PDPL mandates case-by-case pre-authorisation from the Personal Data Protection Centre for all international transfers, unlike GDPR which permits standard clauses without individual approval. Tunisia's Constitution Article 24 elevates data privacy to a constitutional right — the strongest possible legal foundation. Morocco's dual classification system assesses both data sensitivity and system impact severity, a more comprehensive approach than data classification alone.
Chinese-Speaking Jurisdictions
China's PIPL Article 24 explicitly prohibits unreasonable differential pricing in automated decisions — stronger than GDPR Article 22, which does not address pricing. Singapore's PDPA mandates DPO appointment for all organisations (not just high-risk processing), with published contact details. Singapore's Cybersecurity Act 2024 requires 2-hour incident reporting, regulates third-party-owned critical infrastructure, and establishes a temporary security elevation framework for elections and emergencies. South Korea's PIPA (2026) uniquely requires individuals to be notified of breaches before authorities are notified.
French-Speaking Jurisdictions
Quebec Law 25 requires confidentiality by default, with all tracking technologies deactivated unless express consent is given, the strictest consent architecture identified globally. France's RGAA 4.1.2 specifies 106 testable accessibility criteria (versus the 55 Level A and AA success criteria in WCAG 2.2), mandates annual audits, and permits public naming of non-compliant entities. Switzerland's FADP imposes personal criminal liability of up to CHF 250,000 on individuals, not just organisations. The Malabo Convention recognises regional origin and parental filiation as sensitive data categories, an African cultural context entirely absent from GDPR.
Hindi / Indian Subcontinent
India's DPDP Act 2023 sets the child threshold at 18 (versus GDPR's 13–16), absolutely prohibits child profiling, tracking, or targeting, requires consent notices to be available in any of the 22 scheduled languages, and imposes no materiality threshold for breach reporting: all breaches must be reported. India's CERT-In requires 6-hour incident reporting, 180-day log retention with time synchronisation, and 5-year retention for cloud, VPN, and VPS providers. India's IS 17802 makes WCAG 2.1 AA mandatory for the private sector under the RPWD Act, with criminal enforcement and 155 organisations penalised in February 2025 alone.
Portuguese-Speaking Jurisdictions
Brazil's LBI Article 63 makes accessibility mandatory for all websites in Brazil — public and private — with criminal penalties of 2–5 years imprisonment, the broadest mandatory accessibility scope identified globally. Brazil's LGPD grants rights over deceased persons' data, allowing heirs to access and manage it, and includes an explicit right to anonymisation (Article 18). Brazil's GOV.BR digital identity system provides three-tier authentication with over 170 million enrolled users, a practical model for government service integration.
Spanish-Speaking Jurisdictions
Spain's LOPDGDD Title X establishes a Digital Rights Charter found nowhere else: the right to disconnect from workplace tools, internet neutrality, digital testament, and workplace device privacy with worker co-determination. Spain's AEPD published 71 pages of agentic AI guidance in February 2026 covering memory management for AI agents, purpose limitation for multi-activity agents, and controller accountability regardless of AI autonomy. Chile's Ley 21.719 (2024) introduces Prevention Models allowing compliance programmes to mitigate sanctions and elevates data protection to constitutional status. Ecuador's LOPDP requires breach notification within 5 days — stricter than GDPR's 72 hours — and has an active enforcement track record.
Sub-Saharan Africa
South Africa's POPIA extends data protection rights to juristic persons (organisations), not just natural persons, and carries criminal penalties of up to 10 years imprisonment. Nigeria's NDPA 2023 establishes tiered compliance thresholds (Data Controllers/Processors of Major Importance = 200+ data subjects in 6 months), requires an annual Compliance Audit Return, and includes AI-specific provisions in primary legislation. Kenya's DPA 2019 mandates registration of all controllers and processors with the Office of the Data Protection Commissioner. The ECOWAS Supplementary Act, revised in November 2024, provides a regional harmonisation framework across West Africa.
Asia-Pacific
Australia's ASD Essential Eight at Maturity Level 3 requires 48-hour patching for internet-facing critical vulnerabilities, hardware-key phishing-resistant MFA, and quarterly backup restoration testing — more prescriptive than OWASP ASVS on operational security. Australia's Privacy Act 2024 creates a statutory tort for serious privacy invasions enabling class actions and damages for emotional distress. New Zealand's Web Accessibility Standard 1.2 requires WCAG 2.2 AA for internal systems (intranets) as well as public-facing sites, and defines high-stakes content requiring prioritised accessibility treatment. Vietnam's PDP Law 2026 requires cross-border transfer notifications to the Ministry of Public Security 60 days in advance.
Tensions and Conflicts
Not every global framework is compatible with OCS principles. The committee will need to address three genuine conflicts.
- China's real-name registration requirement (CSL Article 24) conflicts with data minimisation. Government-first vulnerability disclosure (MIIT) conflicts with coordinated (responsible) disclosure. Algorithm filing and review timelines conflict with iterative development. Content control requirements conflict with free expression. The recommendation is to create a documented China Extension overlay rather than integrate conflicting provisions into core OCS.
- Data localization requirements from 23+ jurisdictions conflict with GDPR's prohibition on blanket localization mandates. Multi-region deployments can satisfy both, but require jurisdictional mapping and Transfer Impact Assessments as standard practice — currently absent from OCS.
- Pakistan's PECA and Bangladesh's Digital Security Act contain provisions — including mandatory government access to user data — that are incompatible with OCS privacy principles. India's standards are recommended as the subcontinent baseline; both countries should be monitored for legislative improvement before jurisdiction-specific guidance is developed.
Proposed Implementation Roadmap
Phase 1 — Individual Assessment: Committee members review OCS 1.0.0 and the full global research document, then each produce an individual assessment essay (format of their choice) arguing what should be integrated into OCS 2.0 and what should be left out. NTARI board members may also submit assessments. Tools available to participants include enterprise access to NotebookLM and Gemini, and a dedicated channel in the NTARI Slack workspace [ntari.slack.com].
Phase 2 — Vector Synthesis: All individual assessments are loaded into the OCS Claude project, which produces a vector position — a synthesised stance that honours the range of perspectives expressed by the group. Each participant then writes a second essay expressing their position in support of or against the vector.
Phase 3 — Language and Vote: Once consensus on the vector is established, the new language is drafted into OCS 2.0. Participants review the final text and submit a vote for or against, with written comments required alongside every vote. Voting and commentary will continue for up to three rounds.
The Opportunity
OCS 1.0.0 establishes a strong foundation for an internet commons. The research confirms that its core commitments (WCAG 2.2 AA, GDPR-baseline privacy, OWASP application security, AGPL-3.0 licensing, and OpenAPI interoperability) are sound and in several areas ahead of most jurisdictions globally.
What the global review reveals is not that OCS is wrong. It is that OCS is incomplete. Civic software deployed across the Arabic-, Chinese-, French-, Hindi-, Portuguese-, and Spanish-speaking world will encounter legal obligations, cultural expectations, and community rights that the current standard does not recognise.
The most sophisticated frameworks reviewed demonstrate that protecting users and enabling civic participation are not competing goals. Quebec achieves the strictest consent architecture globally while providing clear architectural specifications for developers. Saudi Arabia integrates privacy, security, and financial transparency into a coherent national framework. Spain articulates a Digital Rights Charter that treats digital participation as a dimension of citizenship, not a product feature. India mandates 22-language consent for all children under 18, treating linguistic accessibility as a civil rights obligation. As an American nonprofit, we recognize our nation as the origin of the internet and seek to do a better job in regulating its development around the world in hopes of creating the best global communications system possible.
Location
Associated Location
ntari.slack.com
Please fill out this form
When you submit your application on idealist.org, your email will be used to send an invite to NTARI.slack.com no later than June 30, 2026. Accept the invite, then find the "#open-civic-standard" channel. Read through the instructions and prepare for the July 7 start.
