Author’s Note & Acknowledgement
The perspectives presented in this article are solely those of the author and are intended to stimulate public discourse on digital sovereignty. A comprehensive technical audit of the software mentioned is not publicly available, and there is a distinct lack of transparency from the Department of Information Technology (DIT) regarding the ownership structures, source code accessibility, and contractual terms of the digital systems now embedded in public life. The analysis here is based on observable outcomes, verifiable public records, the government’s own published policy documents, and direct examination of the DIT’s public code repository at github.com/ditkrg.
This lack of transparency is not a peripheral concern — it is the central one. When citizens cannot verify the security of systems they are compelled to use, the risks outlined below remain not only possible but unaddressable.
I write this as a proud citizen of the Kurdistan Region. I am genuinely moved by Prime Minister Masrour Barzani ‘s vision to build a modern, digital Kurdistan — a vision that, in its ambition and its energy, represents something this region has needed for a long time. Watching our government invest in digital infrastructure, push for a cashless economy, and attempt to modernize public services fills me with real hope. The Prime Minister’s commitment to this transformation is not in question. His vision is not in question. What this article questions — specifically and critically — is the technical execution, the structural decisions, and the roadmap being used to turn that vision into reality. A great vision deserves a sound foundation. Right now, the foundation has cracks that need to be addressed before they become irreversible.
I also address Hiwa Afandi , Head of DIT, as the technical architect of this future. In the coming weeks, I plan to follow up specifically on the transparency of government software procurement. As the DIT moves to digitize every government operation, the public deserves to know exactly how these systems are built, who owns the code, and how our data is being protected.
A Shiny Surface, A Murky Foundation
Walk into a government office in Erbil, Sulaymaniyah, or Duhok today, and the scene is polished. Brand-new terminals and modern interfaces suggest a region stepping boldly into the digital age. From the e-Psûle payment platform to the Projay Runaki electricity initiative, from school management software to digital identity cards, the Kurdistan Regional Government is moving fast to digitize public life.
And some of it is working. The Runaki project is delivering 24-hour electricity to millions of families who waited decades for it. The MyAccount initiative has brought over 900,000 civil servants into the banking system. These are real achievements, and they deserve recognition. This article does not deny them.
But underneath the surface, a deeper and largely unexamined question remains: who actually controls the systems our government now depends on? While officials frame this wave of digitization as a leap toward sovereignty, a careful look at the public record — including the government’s own GitHub account — tells a different and more troubling story. We are not building digital independence. In critical areas, we are constructing a dependency trap, and doing so with almost no public accountability, no published procurement records, and no verifiable evidence that the people making these decisions understand what they are signing away.
A great vision, executed poorly, can produce outcomes worse than no vision at all. That is the risk Kurdistan faces today.
The Government’s GitHub: What the Code — or Its Absence — Actually Says
Any serious assessment of the KRG’s digital program must begin with a simple, verifiable fact that anyone can check for themselves. The DIT maintains a public GitHub account at github.com/ditkrg, verified as authentic by GitHub itself through domain ownership of gov.krd.
That account contains 27 public repositories. An examination of all of them reveals the following: there is no source code for e-Psûle. There is no source code for any Runaki billing system. There is no source code for KRD Pass. There is no source code for the Kurdistan Financial Management System. There is no source code for the Population Information System. There is no source code for the Payroll Management System. There is no source code for the Border Crossing Control System — despite a 2023 government press release explicitly describing it as “developed entirely in-house by the DIT.” Not one citizen-facing or government-facing application appears anywhere in the public repository.
What the GitHub does contain tells its own story. The repositories consist almost entirely of forks of other organizations’ open-source projects — a database backup script forked from a private developer, a modal sheet component forked from Wolt the food delivery company, a car logos image dataset forked from a hobbyist, DNS configuration tools forked from Kubernetes. The handful of original repositories are small internal developer utilities: a RabbitMQ message queue manager, a workflow state machine, a number-to-Kurdish-words converter. One repository — a fork of Hyperswitch, an open-source payment orchestration platform — hints at the architecture behind e-Psûle, but the government has never publicly acknowledged this.
This is not a technicality. GitHub is where software developers store and version-control the code they write. A government department that has genuinely built a financial management system, a biometric population registry, a digital payroll system for over 900,000 employees, and a citizen identity platform over six years would have substantially more to show. The complete absence of any application-level code raises a legitimate question the government has not answered: did the DIT actually build these systems, or did it manage contractors who built them — and if so, who are those contractors, and who owns what they produced?
The government cannot have it both ways. It cannot simultaneously claim sovereign ownership of critical digital systems and refuse to produce any public evidence of that ownership. Press releases are not source code. Ribbon-cutting ceremonies are not audits. And six years of investment — reportedly over $50 million according to PM Barzani’s own statements — should produce something more verifiable than a fork of a car logo dataset.
Who Is Making These Decisions — and Who Is Accountable When They Go Wrong?
Before examining the specific systems involved, we must ask a question that almost no one in the public debate has raised: who approved these vendor arrangements, under what process, and based on what technical evaluation?
The KRG has no published procurement register for technology contracts. There is no publicly accessible tender document, no published evaluation criteria, and no record of competitive bidding for any of the software vendor relationships described in this article. The government’s own e-procurement portal does not publish IT software contracts. The public cannot determine whether any private company won its government contract through open competition or through relationships with the decision-makers who approved it.
This matters because the advisory and decision-making structure around KRG technology procurement is opaque in a way that creates serious governance risk. The DIT reports directly to the Prime Minister’s office. That means technology procurement decisions of significant national consequence — decisions about who owns the software managing children’s education records, who controls the billing software for the electricity grid, who built the platform processing citizen payments — are made within a structure that has no published accountability mechanism and no legislative oversight body with the technical capacity to scrutinize them.
When Minister of Education Alan Hama Saeed announced the E-Assessment platform in January 2025, built with SoftMax Company, his announcement described it as “a pioneering digital service unprecedented in the public sector.” What it did not describe was the procurement process that selected SoftMax, the contract terms governing data ownership, the security standards SoftMax is required to meet, or what happens to student data if SoftMax ceases to operate. None of that information has been published, because there is currently no legal or institutional requirement that it be.
This is not governance. It is improvisation with public data. And it raises a pointed question about the advisory roles surrounding these decisions: are the people approving these contracts technically qualified to evaluate what they are approving? Do they understand the difference between owning software and licensing it? Do they understand what it means for a private company to be the legal publisher of an application holding the records of hundreds of thousands of Kurdish children? If they do understand these things and approved these arrangements anyway, that is a policy failure. If they do not understand them, that is a capacity failure. Either way, it is a failure — and citizens deserve to know which one.
Why SoftMax and the Education Sector Represents a Particularly Serious Failure
Of all the vendor relationships in the KRG’s digital program, the SoftMax arrangement in the education sector is the most clearly documented and the most deeply concerning — precisely because, unlike other cases, there is no ambiguity about who owns what.
e-Parwarda is published on both the Apple App Store and Google Play under SoftMax Company’s developer account — not the KRG’s. According to its own App Store listing, it serves as the primary application for managing schools in the Kurdistan region, handling student records, attendance, grades, schedules, and parent-teacher communications. In both stores, the developer is the legal entity responsible for the application and its data. The government is the client. SoftMax is the owner.
Then in January 2025, the Ministry of Education deepened this dependency. The E-Assessment platform — described as the first digital assessment service of its kind in the region’s public sector — was launched in strategic partnership with UNICEF and SoftMax Company, with an initial rollout across 396 government schools.
Think carefully about what this means in practice. SoftMax is a private Erbil-based company founded in 2005. Its technology partners include Microsoft, Azure, and Cloudflare — all foreign proprietary platforms. It has no published public GitHub. Its data privacy practices, according to Apple’s own App Store listing, have not been independently verified by Apple. No public contract between the Ministry of Education and SoftMax has been disclosed. No security audit has been published. No data governance framework governing SoftMax’s access to student information has been made available.
The academic records, assessment results, attendance histories, and teacher evaluations of hundreds of thousands of Kurdish children — minors — are held in a private company’s proprietary system, under a private company’s terms, with no public mechanism for oversight, audit, or accountability.
This is not a partnership in any meaningful sense of the word. It is an abdication of state responsibility. The Ministry of Education has handed the data of an entire generation of Kurdish children to a private company, with no published safeguards, no transparent contract, and apparently no one in an advisory role who thought to ask what happens to that data if SoftMax is sold, goes bankrupt, is hacked, or simply decides its terms have changed.
Who approved this? Who evaluated SoftMax’s security practices before awarding them access to the records of Kurdish children? Who reviewed the data protection terms? Who decided that a private company’s App Store developer account was an acceptable home for the region’s school management system? These are not rhetorical questions. They are the minimum standard of due diligence that any responsible government owes its citizens — and particularly owes to the children who have no say in how their personal information is handled. The fact that no answers have been published is itself a serious governance failure. It raises the uncomfortable but necessary question of whether anyone in the advisory chain around this decision had the technical competence to know what questions to ask in the first place.
A Pattern Across Every Sector
The education sector is the clearest case, but it is not isolated. The pattern repeats across the KRG’s entire digital program:
The Ministry of Health’s official mobile application, Kurdistan Health, was developed by Twekl Company for information technology ltd., a private Erbil company. The app collects geolocation data from users. No public contract, security framework, or data governance agreement has been published.
The electronic procurement system — the very platform designed to bring transparency to how the government awards public contracts — was developed in cooperation with the Korea International Cooperation Agency of South Korea. A foreign government agency now holds the institutional knowledge behind Kurdistan’s public contracting infrastructure.
The digital driver’s license and vehicle registration system, which was also the first system to assign Unique Personal Numbers to citizens — the foundational identifier of Kurdistan’s entire digital identity framework — was built in partnership with Germany’s Mühlbauer Group. The bedrock of our digital identity was outsourced to a foreign corporation.
The Digital Transformation Strategy itself was produced with the support of British consulting firms Adam Smith International and Skotkonung Ltd, funded by the UK government’s Technical Assistance Facility for Iraq. The blueprint for Kurdistan’s digital future was written, in part, by foreign advisors on a foreign government’s budget.
Taken together, this is not a digital transformation strategy. It is a systematic outsourcing of state functions to whoever was available, willing, and — crucially — connected enough to secure a contract without a published competitive tender.
e-Psûle: Claims Without Evidence
On February 10, 2026, Prime Minister Masrour Barzani launched e-Psûle, a unified national digital payment platform for government bills. Official sources describe it as developed and fully owned by the KRG.
The public cannot verify this claim. The source code is not published. No independent technical audit has been made public. The DIT’s GitHub contains no e-Psûle repository. The only evidence for the ownership claim is the government’s own press releases — the same press releases that described the Border Crossing System as “developed entirely in-house” while the GitHub contains no trace of that system either.
What we can verify is that the platform processes citizen payments through a web of private banking partners — FIB, Cihan Bank, ZainCash, AsiaPay, FastPay, NassWallet, and Iraqi Islamic Bank [Source: Kurdistan24, March 2026]. And notably, Deloitte has been appointed to audit e-Psûle’s payment processes — a major foreign private firm brought in to verify a platform the government claims to own. If the government truly owns and controls this system end-to-end, why must a foreign corporation be contracted to verify its integrity, rather than making the system architecture publicly auditable?
Projay Runaki: Real Achievement, Invisible Accountability
The Runaki electricity initiative deserves genuine credit. The project now provides 24-hour electricity to four million citizens, slashing household bills by as much as 80 percent. The improvement to daily life across the region is real, tangible, and historic.
But the software foundation of that achievement remains entirely opaque. The KRG’s own Electricity Minister described the mass rollout of smart meters as “the foundation for the success of the 24-hour Runaki electricity project.” Yet no public source — not a press release, not an academic report, not a single news article — names the company or companies supplying the meter firmware, the billing software, or the backend management systems for a project now reaching half the population [Source: IRIS/AUIS, August 2025; runaki.gov.krd].
If that vendor relationship ends — through bankruptcy, acquisition, or contract dispute — the Ministry of Electricity may find itself managing a system it cannot operate independently. That is not sovereignty. That is a different kind of blackout — one that no amount of new power generation can fix.
The Strategy’s Own Loophole
The KRG’s Digital Transformation Strategy commits to using open-source solutions only “where possible” [page 30]. Those two words are doing more damage than any individual vendor. They create a permanent escape hatch permitting closed-source, proprietary, unauditable software across any system the government deems inconvenient to build openly — which, as the evidence in this article shows, means almost everywhere that matters.
The strategy also acknowledges that it was produced with the support of British consulting firms on a UK government budget. It is worth pausing on that: Kurdistan’s plan for digital independence was authored with foreign assistance, contains a loophole that permits indefinite foreign and private vendor dependency, and has produced a digital landscape where not a single citizen-facing application can be independently verified as government-owned. A sovereign digital strategy does not contain escape clauses. It sets non-negotiable standards for code ownership, vendor accountability, and public auditability — and holds every procurement decision to those standards regardless of convenience or speed.
What Should Change
The ask here is not radical. It is the minimum standard of accountability that citizens in any functioning democracy have a right to expect from a government managing their data.
The government should immediately publish the names of all vendors involved in building and maintaining e-Psûle, Runaki’s billing systems, e-Parwarda, Kurdistan Health, and every other platform touching citizen data. It should publish the contract terms governing data ownership for every existing vendor relationship. It should mandate that future vendors sign agreements granting the KRG full, auditable ownership of all source code produced under public contract. It should establish an independent technical oversight body — separate from the DIT, which cannot credibly audit itself — with the authority and genuine technical expertise to evaluate and publicly report on the security and sovereignty of government digital systems.
And most urgently, it should answer the specific questions this article raises about the education sector: who evaluated SoftMax before awarding them access to the records of Kurdish children? Who reviewed the data protection arrangements? Who in the advisory structure around that decision had the technical background to understand what they were approving? If the answer is that no one did — or that the decision was made on the basis of convenience, familiarity, or connections rather than rigorous technical evaluation — then that advisory structure needs to be rebuilt from the ground up before more contracts are signed.
Conclusion: A Vision Worth Protecting
Prime Minister Barzani’s vision for a digital Kurdistan is worth protecting — which is precisely why it cannot be allowed to be undermined by poor execution, opaque procurement, and structural decisions that trade away sovereignty for speed.
I am proud to be a citizen of this region. I am proud to live under a government that has the ambition to imagine Kurdistan as a digital leader in the Middle East. That ambition is not the problem. The problem is what happens when great ambition meets weak accountability structures, technically underqualified advisors, and a culture of announcing achievements rather than verifying them.
The DIT’s GitHub has 27 repositories. None of them contain the code for a single government application. The Ministry of Education’s school management system is published under a private company’s App Store account. The procurement system meant to ensure transparency in government contracting was built by a foreign agency under undisclosed terms. The software managing the electricity meters of four million citizens has no named author.
This is where the vision currently lives — not in sovereign code, not in publicly accountable systems, not in a transparent record of who built what and who owns it, but in press releases and ribbon-cutting ceremonies that mistake the announcement of progress for progress itself.
A great vision deserves better than this. Kurdistan deserves better than this. And the first step toward better is being honest about where we are.