Citadel
Sovereign

Advisory

Home  ›  The Framework

Digital Sovereignty Maturity Model

Five levels. Six dimensions.
Measurable. Actionable.

Adapted from Carnegie Mellon’s CMMI. The model tells you where you are. The four phases are how you move. Phase 3 — the Stress Test — is the gate between L2 and L3 that no one else can certify you through.

01

Design

Exposure map · Kill-switch register · Target architecture across six dimensions

02

Visibility

Build and deploy the sovereign stack — compute, data, identity, AI, comms

03

Stress Test Google-grade

Millions of simulated clients. Fault tolerance. Geo-redundancy. RTO certified. No one else does this.

04

Full sovereign capability

KAUST-certified sovereign engineers. Self-replicating. We drive ourselves out — deliberately.
01 · Levels Digital Sovereignty Maturity Model — L0 to L4
5 levels · CMMI-adapted · Phase 3 is the gate

Phase 1 (Design) produces your L0→L1 gap score. Phase 2 (Demonstrate) drives L1→L2. Phase 3 (Stress Test) is the gate between L2 and L3 — the threshold no one else can certify you through. Phase 4 (Train) completes L3→L4 and makes us redundant.

L0

Foreign dependent

No visibility

  • Kill-switch fully exposed
  • Data location unknown
  • No audit capability
01 Design

L1

Visibility

Know what you have

  • Kill-switch register live
  • Sovereign observability
  • 90-day roadmap active
01 Design ✓
02 Demonstrate

L2

Controlled access

You decide who enters

  • HSM/KMS sovereign
  • CMEK deployed
  • P25 key sovereignty
02 Demo ✓
03 Stress Test →

L3

Local alternatives

Can operate independently

  • Hexagon DC failover live
  • HUMAIN OS deployed
  • 100K+ device validated
03 Stress ✓
04 Train →

The gate no one else can certify you through

L4

Full sovereign capability

Self-sustaining

  • National framework law
  • GCC standard-setter
  • TTT graduates deployed
04 Train ✓ — We leave

D1 — 25% weight

Cloud & Compute

Where does your compute live, who owns the data centre, and who controls activation keys for your infrastructure?
L0 All workloads on foreign cloud. No in-country alternative.

L0 Hexagon DC + STC Cloud validated. 99.999% availability certified..

D2 — 20% weight

Data Residency

Where does your national data actually live — and who holds the encryption keys? PDPL compliance is the floor, not the ceiling.

L0 Data location unknown. Exits borders freely. No PDPL compliance.

L0 All sensitive data in-country. SDAIA audit trail complete. CMEK enforced.

D3 — 15% weight

Identity & Access

Who controls authentication for your citizens and officials? A suspended IdP is a suspended government.

L0 Vendor-controlled IdP (Azure AD/Okta). No local audit trail.

L0 Nafath as primary. OpenLDAP/Keycloak fallback. HSM local keys. NCA-certified.

D4 — 15% weight

AI & Analytics

Who trained the models making decisions inside your government? Whose laws govern the inference?

L0 All inference hits foreign endpoints. Model weights not inspectable.

L0 HUMAIN OS + local Arabic LLM. On-prem inference. Foreign AI dependency eliminated.

D5 — 15% weight

Public Safety Comms

P25 / MCPTT emergency networks. Who holds the activation keys for police, fire, and ambulance communications?
L0 Motorola/Harris KKEK held by vendor. Remote deactivation possible.
L0 In-country KMF. KKEK sovereign. 3GPP MCPTT on STC 5G as fallback.

D6 — 10% weight

Legal & Contractual

Do your vendor contracts give you a kill-switch right? Whose jurisdiction applies? Change-of-control clauses in place?
L0 No data residency clauses. No kill-switch rights. No change-of-control protection.
L0 Kill-switch termination rights in all contracts. SLA penalties enforced. SAGIA-compliant.

01

Air-gapped sovereign architecture

Your hardware. Your software. Your data. Your identity. Your uptime. Under your control — permanently.
  • Hardware sovereignty: compute, storage, and networking under national control — no vendor-managed firmware update paths
  • Software sovereignty: open-source or nationally licensed stacks validated against NCA CCC-2. No foreign activation keys
  • Identity sovereignty: Nafath-backed sovereign IdP. Zero-trust access with locally held cryptographic roots
  • Uptime sovereignty: Hexagon DC failover with RTO under 4 hours and 99.999% availability under 100,000-device load

L2

L3

02

Stress test & prove it

Millions of simulated clients. Fault tolerance certified. Geo-redundancy proven. Declaration is not demonstration.
  • Load simulation: millions of concurrent sessions against the sovereign stack — validating throughput and latency at national peak demand
  • Fault tolerance: deliberate failure injection at every layer — compute, storage, network, identity — with automated recovery validated in real time
  • Geo-redundancy: cross-region failover exercised under load. RTO under 4 hours certified. No untested assumption in the recovery path
  • Certification report: independently signed, submitted to NCA in CCC-2 compliant format

L2

L3

03

Governance and audit

Independent certification that your sovereign capability is real — not sovereignty-washed.
  • Annual DSMM audit: full six-dimension re-assessment, scored, documented, submitted to NCA in CCC-2 compliant format
  • Kill-switch register refresh: quarterly update with new precedents, vendor structure changes, and geopolitical coercion vectors
  • NCA/SDAIA/PDPL compliance package: assessment findings formatted for regulatory submission
  • Third-party certification: co-signed with KAUST university partner — converting consultant findings into academically validated conclusions

L1

L2

L3

L4

04

Local and on-premises AI

Inference that never leaves the country. Models you own. Data that never trains someone else’s system.
  • HUMAIN OS integration: architecture review, governance framework, and integration with existing ministry systems
  • On-premises LLM: LLaMA, Mistral, and Arabic-tuned models deployed on Hexagon DC or STC Cloud. No foreign API dependency
  • Model governance: training data provenance, weight custody, inference audit trails, Arabic-language bias assessment
  • AI kill-switch elimination: every foreign AI API dependency mapped, risk-scored, and replaced with a validated local inference path

L2

L3

05

Train the Trainers

We deliberately drive ourselves out of your business. KAUST-certified sovereign engineers who own this without us — forever.
  • Curriculum design: DSMM scoring, kill-switch register maintenance, NCA/PDPL compliance — co-developed with KAUST and accredited for CPE
  • Trainer certification: KAUST-issued Sovereign Infrastructure Analyst credential, recognised by Saudi government agencies
  • Cohort delivery: quarterly · 15–25 professionals per cohort · able to conduct L0–L1 assessments independently
  • Self-replication: cohort graduates become the next cohort's trainers. Saudi Arabia becomes the regional exporter of sovereign infrastructure expertise

L1

L2

L3

01
ICC / Microsoft 365 Lockout

Feb 2025 · Email & Collab · Kill-switch activated

02
Kyndryl acquires Solvinity (DigiD)

Nov 2025 · Identity · M&A sovereignty loss

03
OVHcloud / Canada court order

Sept 2025 · Data Residency · Subsidiary jurisdiction

04
AWS outage cascade

Oct 2025 · Cloud & Compute · Global Concentration risk

05
UK public sector hyperscaler lock-in

2024 · Legal · Structural dependency

06
Schleswig-Holstein Microsoft exit

Mar 2024 · Email & OS · Strategic dependency

07
Trump memo — tariffs on EU digital regulation

Feb 2025 · AI & Semiconductors · Geopolitical coercion

08
View all case studies →

Full library at cases studies

Ready to see where you sit?

Phase 1 — Design — delivers your complete six-dimension DSMM score in 8 weeks.
Explore each level →
Commission an Assessment

Citadel Sovereign Advisory

Your hardware, your software, your sovereignty?

sovereignty-services.com
info@sovereignty-services.com · © 2026