OLRF
Part 2 The Architecture

Chapter 7

The Registry — The Public Record of Machine-Applicable Law

Last updated: 2026-04-10 Open for review

The Registry as the Official Gazette of Normative Specifications

Every functional legal order depends on a publication mechanism: a formally designated, reliably authenticable channel through which enacted law is made known to those it binds, with sufficient certainty about its content, its authority, and its temporal applicability. In Germany, this function is served by the Bundesgesetzblatt. In the United Kingdom, by the official record of Parliamentary Acts. In the European Union, by the Official Journal. In each case, the mechanism of publication is a constitutional requirement: a rule that was enacted but never published has not, in the full legal sense, entered into force. The publication record is the moment at which law becomes binding, and the publication archive is the permanent record of what was binding, when, and for whom.1

The OLRF proposes that machine-applicable law requires the same quality of publication infrastructure as human-readable law. The Registry is the institution through which this requirement is proposed to be met. It is the formally designated channel through which Decision Trees, Coverage Maps, DataPoint schemas, and (in Models B and C) agent certification records are published, authenticated, versioned, and made permanently available: to AI systems that query them at the moment of evaluation, to courts that need to reconstruct the normative basis of a decision years after it was made, to auditors verifying that a system applied the correct version of a norm, to public authorities, to companies, and to citizens exercising their right to know the rules that governed the decision that affected them.

Like the Bundesgesetzblatt, the Registry does not create law. It publishes what the responsible authority has produced, authenticated, and authorised for use. The Registry’s function is declarative, not legislative. Its authority is archival and authenticating, not normative. And just as the Bundesgesetzblatt’s value lies not in any individual entry but in the completeness, permanence, and reliability of the record it maintains, the Registry’s value lies in its guarantee that every Decision Tree ever published, in every version, under every signature, for every validity period, remains accessible, verifiable, and legally addressable, without exception and without limit of time.

The Registry Across the Three Models

The Registry’s core function (publication, authentication, versioning, permanent availability) is constant across all three models. What varies is the scope of what the Registry contains.

In Model A, the Registry contains Decision Trees, Coverage Maps, and DataPoint schemas. These are the complete normative infrastructure required for deterministic evaluation. Any conformant engine can query the Registry, retrieve the applicable Decision Tree, verify its signature, and evaluate submitted facts against it. The Registry is, in this model, the single authoritative source of the normative specification.

In Model B, the Registry’s scope expands to include agent certification records. Because the Legal Agent performs the subsumption (with the Decision Tree serving as the validation framework), the question of which agents are qualified to perform which types of legal reasoning becomes constitutionally significant. The Registry documents which agents have been certified for which legal domains, at what capability level, by which authority, and under what conditions. This is the public accountability mechanism for the shift in normative authority from the tree toward the agent.

In Model C, the Registry’s scope expands further to include audit protocol specifications: the formal description of how the retrospective audit against the Decision Tree is to be conducted, what consistency metrics are applied, and what deviation thresholds trigger review. Because the tree does not operate during the decision process in Model C, the audit protocol becomes the primary structural safeguard, and its specification must be as publicly available and as formally governed as the Decision Tree itself.

Across all three models, the Registry serves the same constitutional function: ensuring that the normative basis of automated governance is not proprietary, not hidden, and not contingent on the continued cooperation of any commercial operator. It is public infrastructure for a public function.

Technical Architecture: Append-Only, Cryptographically Signed, Temporally Addressable

The Registry’s technical architecture is derived directly from its constitutional function. Three properties are required.

Append-only means that the Registry never deletes, overwrites, or modifies any entry once it has been published. A Decision Tree that is superseded by a new version remains in the Registry, permanently and in its original form. A Decision Tree whose legal basis was subsequently found to be incorrect remains alongside the correcting version. There is no mechanism to remove, alter, or suppress an entry once made.

This requirement is the technical implementation of a constitutional principle: that the normative basis of a decision, once applied to a citizen, cannot be retroactively altered or erased. A court hearing a challenge to a decision made three years ago must be able to establish what the Decision Tree in force at the moment of that decision said, not what it says now after correction, but what it said then, at the moment it was applied. An append-only architecture guarantees this with certainty that no other technical approach can match. Every version is permanent. Every moment in the Registry’s history is reconstructable.

Cryptographically signed means that every entry carries a digital signature, produced by the responsible authority using eIDAS-compliant procedures or equivalent national standards, that authenticates both the content of the entry and the identity of the signing authority.2 The signature is computed over the canonical JSON representation, canonicalised according to RFC 87853, eliminating the possibility that formatting differences could produce different hashes for semantically identical content.

The signature serves three functions simultaneously. It authenticates authorship: the signature establishes that this specific version was produced and approved by the authority whose certificate is bound to the signature. It guarantees integrity: any modification after signature, even a single character, would corrupt the signature, making any modification immediately detectable. And it establishes non-repudiation: the signing authority cannot subsequently deny having published this version, because the signature is cryptographically bound to their identity and the content of the signed document.

The Registry’s cryptographic chaining (where each entry’s hash includes a reference to the previous entry’s hash, creating a tamper-evident chain analogous to the structure of a distributed ledger) provides integrity guarantees that extend across the entire history of the Registry, not merely to individual entries. An attempt to alter any historical entry would invalidate not only that entry’s hash but every subsequent entry in the chain, making the alteration immediately detectable. The Registry’s integrity does not depend on the trustworthiness of any single actor. It is enforced by the mathematics of cryptographic hashing.

Temporally addressable means that every entry carries a precisely specified validity period (a validFrom timestamp and, where applicable, a validUntil timestamp) that makes it possible to determine, for any point in time, which version of any Decision Tree was in force. The Registry’s query interface supports temporal queries: given a norm identifier and a timestamp, it returns the Decision Tree that was in force at that moment. Given a Decision Package identifier, it reconstructs the complete normative context at the exact moment the Decision Package was produced.

This temporal precision implements the constitutional rule that a person cannot be judged by a standard that did not exist at the time of their conduct. A citizen who received an automated determination on a specific date was subject to the Decision Tree in force on that date, not the one subsequently corrected or updated. The Registry’s temporal addressability makes this principle enforceable in practice4.

Four Guarantees

The three technical properties (append-only, cryptographically signed, temporally addressable) combine to produce four guarantees, each addressing a specific deficit in the current paradigm of digital governance.

Authenticity is the guarantee that a Decision Tree published in the Registry is what it claims to be: the normative specification as interpreted and authorised by the responsible authority, not a private implementation produced by a vendor, contractor, or developer acting without formal authorisation. In the current paradigm, the question “who authorised this implementation?” is typically unanswerable. Publication in the Registry transforms this: by signing and publishing a Decision Tree, the responsible authority asserts, with cryptographic verifiability, that this is the specification it has authorised. In the current paradigm of automated governance, the connection between a software implementation and a formal act of the responsible authority is typically undocumented: the system was procured, delivered, and deployed, but no formal administrative act authorises the specific normative logic it contains. The Registry’s signature requirement is proposed as the mechanism that closes this gap: publication of a signed Decision Tree in the Registry is itself a formal act of the responsible authority, attributable, verifiable, and challengeable on the same terms as any other administrative act.5

Integrity is the guarantee that what is retrieved today is identical to what was published on the date of signing. In a governance environment in which the consequences of norm manipulation could be enormous (a slightly altered income threshold, a quietly removed exception, a changed parameter) the ability to verify the integrity of the normative basis of every decision is a precondition for trust6.

Temporal traceability is the guarantee that the normative history of every Decision Tree is completely and permanently accessible. This guarantee matters for at least three categories of legal proceeding. In administrative appeals, it establishes the norm applicable at the moment of the challenged decision. In compensation claims arising from errors in automated systems, it establishes when an error was introduced, how long it was in force, and how many decisions were affected during that period. In criminal proceedings involving automated systems, it establishes whether the system, at the material time, correctly reflected the legal requirements it was supposed to enforce7.

Judicial reviewability is the guarantee that flows from the combination of the previous three: that the normative basis of any automated decision is accessible to a court reviewing that decision, in a form that the court can engage with, not as a technical artefact requiring expert witnesses to decode, but as a formally structured, legally arguable account of how the applicable norm was specified and applied. Courts are familiar with reviewing the legal reasoning of administrative officials. The Registry gives them, for the first time, the normative specification of automated systems, in a form that supports the same quality of review8.

Federated Operation: Sovereignty and Interoperability

The Registry is not designed as a single, centralised, globally operated repository. It is designed as a federated system, in which each jurisdiction operates its own Registry instance with full sovereignty over the norms it contains, while connecting to other instances through standardised interfaces that enable cross-border queries without requiring any jurisdiction to cede control over its own normative infrastructure.

The case for federation is constitutional before it is technical. Legal sovereignty, the authority of a democratic legislature to enact binding rules for the territory and persons within its jurisdiction, is the foundational premise of the rule of law in a world of distinct political communities. A Registry architecture that required all jurisdictions to publish their Decision Trees to a shared central repository governed by an external body would impose a form of normative dependency that no sovereign state could accept and that no democratic theory of law would endorse. The machine-executable form of a nation’s laws is as sovereign as the laws themselves. The infrastructure that holds it must reflect that sovereignty.

The OLRF’s federated Registry model proposes to achieve sovereignty and interoperability simultaneously through a straightforward approach: each jurisdiction maintains its own Registry instance, with full administrative control over its norms, its signing keys, its access policies, and its governance processes. Cross-jurisdictional queries are handled through a standardised interface that enables one jurisdiction’s systems to query another’s Registry, with appropriate authentication and authorisation, without requiring either jurisdiction to modify its internal governance arrangements.

This model has been proven at scale in analogous federated architectures: the eIDAS framework for cross-border identity recognition, the European Data Spaces architecture for cross-sector data exchange,9 and the Gaia-X initiative for federated cloud infrastructure10. The OLRF Registry extends the same federation pattern to legal infrastructure, applying it to the specific requirements of norm publication, signature verification, and temporal query that machine-applicable law requires.

The handling of norm conflicts in a federated system deserves specific attention. When a cross-border process involves norms from two or more jurisdictions (as is common in social security coordination, cross-border tax compliance, or intra-EU regulatory proceedings) the respective Decision Trees may produce different or conflicting outcomes for the same facts. The Registry’s role in this context is to document the conflict, not to resolve it. Norm conflict resolution is a question of private international law, of bilateral and multilateral treaty arrangements, and ultimately of the courts. It is not a technical question that any Registry architecture can or should resolve unilaterally. What the Registry provides is the infrastructure for making conflicts explicit: a cross-border Decision Package that records the outcomes of evaluation under both jurisdictions’ Decision Trees, together with the normative basis of each, gives the court or competent authority the material needed to apply the relevant conflict-of-laws rule with clarity, completeness, and full traceability. The Registry does not decide which law prevails. It ensures that both laws are visible11.

Federation and Digital Sovereignty

One further dimension of federated Registry operation connects directly to a concern that runs through this entire paper: the protection of Digital Sovereignty of Nation States in Europe and beyond. A federated Registry architecture, in which each state maintains its own instance under national law and institutional governance, is structurally resistant to the form of platform dependency that represents the greatest long-term risk to (European) legal infrastructure.

A centralised Registry operated by a technology company, even under contract to public authorities, would create a form of normative dependency as significant as energy dependency or communications dependency: the state’s ability to publish, modify, and revoke the machine-applicable form of its own laws would be contingent on the continued cooperation of a commercial operator. The federated model eliminates this dependency by design. Each jurisdiction’s Registry is sovereign infrastructure, operated under public law, accountable to democratic institutions, and technically independent of any commercial platform. The interoperability between instances is achieved through open standards, not through commercial agreements12.

This is not an incidental feature of the OLRF Registry architecture. It is one of its central strategic purposes. The chapter on digital sovereignty develops this argument in full. For present purposes, it is sufficient to note that the federated Registry is proposed as the institutional form of a principle: that the infrastructure through which a democratic state publishes, authenticates, and governs the machine-applicable form of its law must remain under sovereign control, as a matter of constitutional necessity rather than policy preference.

Footnotes

  1. For the constitutional requirement of publication as a condition of legal validity: BVerfGE 65, 283 (Volkszählung, 1983), establishing that legal norms must be accessible to those they bind. In the broader comparative context: Fuller, L.L., The Morality of Law, Yale University Press 1964, pp. 49—51 (identifying promulgation as one of the eight principles of legality, whose violation constitutes a failure of the “inner morality of law”). The OLRF Registry extends this principle from statutory text to normative specifications: a Decision Tree that is applied but never published in the Registry has not, in the full constitutional sense, been promulgated.

  2. eIDAS Regulation (EU) No. 910/2014, Art. 25 ff.

  3. RFC 8785 (JSON Canonicalization Scheme), IETF 2020

  4. The constitutional prohibition of retroactive application of law (Rückwirkungsverbot) is one of the most firmly established principles of German constitutional law. The Bundesverfassungsgericht distinguishes between “genuine” retroactivity (echte Rückwirkung), in which a norm retroactively changes the legal consequences of a completed factual situation, and “quasi” retroactivity (unechte Rückwirkung), in which a norm affects ongoing factual situations for the future. Genuine retroactivity is in principle unconstitutional: BVerfGE 13, 261 (271) (1961); BVerfGE 72, 200 (242) (1986). At EU level, the principle is enshrined in Art. 49(1) of the Charter of Fundamental Rights (“No one shall be held guilty of any criminal offence on account of any act or omission which did not constitute a criminal offence under national law or international law at the time when it was committed”). In administrative law, the corresponding principle is that the legal basis applicable at the time of the administrative act governs its lawfulness: Kopp, F.O. and Ramsauer, U., Verwaltungsverfahrensgesetz: Kommentar, 24. Aufl., C.H. Beck 2023, § 35 Rn. 28—31. The OLRF Registry’s temporal addressability translates this principle from the domain of statutory text (where temporal applicability is governed by publication dates in the Official Gazette) to the domain of normative specifications (where temporal applicability must be governed by validFrom/validUntil timestamps in the Registry). Without temporal addressability, a court reviewing a challenged automated decision would face a problem that has no analogue in traditional administrative law: the normative specification that produced the decision may have been silently updated since the decision was made, with no mechanism to reconstruct what was in force at the material time.

  5. For the extension to electronic administrative acts: § 3a VwVfG in conjunction with Art. 25 ff. eIDAS Regulation (EU) No. 910/2014, which establishes the legal framework for qualified electronic signatures and seals as equivalents to handwritten signatures.

  6. In the digital domain, the technical standard for ensuring document integrity is cryptographic hashing, in which any modification to the content produces a detectably different hash value. For the application of cryptographic integrity guarantees to legal records: European Commission, Implementing Decision (EU) 2015/1506 establishing specifications relating to formats of advanced electronic signatures and seals (specifying the technical standards under which electronic signatures and seals satisfy the integrity requirements of the eIDAS Regulation). The Registry’s cryptographic chaining extends this principle from individual entries to the entire history of the repository: an attempt to alter any historical entry invalidates not only that entry’s hash but every subsequent entry in the chain.

  7. At EU level, the principle is enshrined in Art. 49(1) of the Charter of Fundamental Rights. In administrative law, the legal basis applicable at the time of the administrative act governs its lawfulness: Kopp, F.O. and Ramsauer, U., Verwaltungsverfahrensgesetz: Kommentar, 24. Aufl., C.H. Beck 2023, § 35 Rn. 28—31. The Registry’s temporal addressability translates this principle from the domain of statutory text (where temporal applicability is governed by publication dates in the Official Gazette) to the domain of normative specifications (where temporal applicability must be governed by validFrom/validUntil timestamps in the Registry).

  8. In the context of automated governance, the European Court of Human Rights has affirmed that Art. 6 ECHR (right to a fair trial) requires that decisions substantially determined by algorithmic processes be subject to review in which the affected person can meaningfully challenge the basis of the decision: see Žilinskienė v. Lithuania, App. No. 57017/18, ECtHR 2024 (finding a violation of Art. 6 where the applicant could not effectively challenge an automated tax assessment because the algorithmic basis of the decision was not disclosed). The OLRF Registry, by making the complete normative specification permanently available in a legally structured form, is proposed as the infrastructure through which Art. 19 Abs. 4 GG and Art. 6 ECHR can be given effective meaning in an age of automated governance.

  9. European Commission, “A European Strategy for Data,” COM(2020) 66 final.

  10. Gaia-X Architecture Document,” Release 22.10, October 2022. URL: https://docs.gaia-x.eu

  11. Fuchs, M. (ed.), Europäisches Sozialrecht, 8. Aufl., Nomos 2024 (the standard commentary on the coordination regulations, documenting the persistent practical difficulties arising from the inability to compare the operative content of different member states’ norms in cross-border cases).

  12. The risk that critical public infrastructure becomes dependent on commercial platform operators has been identified as a strategic threat across multiple EU policy domains. The foundational policy statement is the Berlin Declaration on Digital Society and Value-Based Digital Government (8 December 2020), signed by all EU member states, which defines digital sovereignty as “the EU and its Member States’ ability to act autonomously and to freely choose their own solutions” and commits signatories to “strengthen Europe’s digital sovereignty and interoperability” through open standards and open-source solutions. For the specific application to legal infrastructure, see: European Parliament, Report on European Technological Sovereignty and Digital Infrastructure, A10-0107/2025 (2025), paragraph 11, calling on the Commission to “establish a comprehensive list of critical dependencies in digital infrastructure and technologies, assessing, at minimum, storage services, identity and payment systems, communication platforms, as well as the software, protocols and standards” on which public services depend. The report explicitly recognises the “increasing concentration of power in non-EU companies, which constrains Europe’s ability to innovate, compete and maintain control over its digital economy, society and democracy.” The OLRF Registry’s federated architecture is proposed as the application of this principle to a domain not yet addressed in EU policy: the infrastructure through which the machine-applicable form of law is published, authenticated, and governed. See also: Floridi, L., “The Fight for Digital Sovereignty: What It Is, and Why It Matters, Especially for the EU,” Philosophy and Technology, Vol. 33, 2020, pp. 369—378 (arguing that digital sovereignty is not protectionism but the capacity of a political community to govern itself in the digital domain, and that this capacity requires sovereign control over the infrastructure through which governance is exercised).