Strategic Resilience Analysis

Declarations Are Easy.

True Ownership Requires a Plan.

Nations pass laws, build data centres, and declare sovereignty — while running critical operations on infrastructure they do not own, cannot audit, and cannot easily replace. The question Citadel asks: if your primary supplier were unavailable tomorrow — for any reason — what breaks, and how fast?

⚖️ The Citadel Principle — Sovereignty Is Pro-Resilience, Not Anti-Anyone

The goal is not to remove any vendor from your stack. Good technology is good technology. The goal is to never be fully dependent on any single supplier, jurisdiction, or platform for a function critical to national continuity. The standard is not isolation. The standard is optionality.

“No country — including the United States itself — is completely digitally sovereign. The goal is not a 100% domestic stack. It is diversified exposure, so no single supplier’s outage or policy change can halt your operations.”

— Thierry Carrez, General Manager, OpenInfra Foundation · KubeCon 2026




The Legal Architecture

Every Major Jurisdiction Has Done This

The principle that jurisdiction follows the company, not the data is not unique to any one country. Every major technology-producing nation has passed laws asserting its right to access data held by its companies — wherever in the world that data physically sits. When you choose a vendor, you accept their home jurisdiction’s legal access framework.

🇺🇸 United States

CLOUD Act — Clarifying Lawful Overseas Use of Data

Enacted 2018 · Active · Executive agreements: UK (2022), Australia (2024)

Compels any US-incorporated company — AWS, Microsoft, Google, Apple, Meta — to produce data stored anywhere on earth, bypassing diplomatic channels. Jurisdiction follows corporate control, not data location. A server in Riyadh running on AWS is reachable. In 2025, Microsoft admitted it cannot guarantee data sovereignty for EU customers.

“The CLOUD Act shifts jurisdiction from where the data sits to who controls it.” — Exoscale Legal Analysis, 2025

Extraterritorial reach

🇨🇳 China

National Intelligence Law · Cybersecurity Law · Data Security Law

Intelligence Law 2017 · CSL 2017 · DSL 2021 · Active

Article 7 requires all organisations and citizens to “support, assist, and cooperate with national intelligence efforts.” Applies extraterritorially to Chinese entities abroad. Combined with CSL and DSL, any technology of Chinese origin may be subject to state access requirements without disclosure to the user.

“The law applies extraterritorially to Chinese entities abroad. It is a key factor when evaluating Chinese-origin technology.” — SovereignSky, 2026

Extraterritorial reach

🇪🇺 European Union

GDPR · Data Governance Act · Data Act · AI Act

GDPR 2018 · DGA 2023 · Data Act 2025 · AI Act 2026

The EU restricts data leaving EU jurisdiction. Any organisation processing EU residents’ data must comply with GDPR — regardless of incorporation location. Fines: €20M or 4% of global turnover. The “Brussels Effect” makes EU rules de facto global standards. The Data Act further restricts transfers to non-EU authorities.

GDPR: 2,245 fines, €5.65 billion total since 2018. 2025 alone: €2.3 billion — 38% year-on-year increase. — SecurePrivacy, 2026

Inbound & outbound controls

🇷🇺 Russia

Federal Law 242-FZ · SORM · Sovereign Internet Law

242-FZ 2015 · SORM active · RuNet Law 2019

242-FZ mandates Russian citizens’ data be stored exclusively on Russian servers. SORM requires FSB-controlled interception equipment at all providers. The RuNet Law enables technical disconnection from the global internet — tested operationally in 2021. Ukraine reversed its localization rules in 2022 to migrate data to foreign cloud during conflict.

Ukraine’s 2022 reversal of data localization rules demonstrated that rigid localization can be a strategic liability during a crisis — the opposite of resilience.

Extraterritorial reach

🇬🇧 United Kingdom

Investigatory Powers Act ("Snoopers' Charter")

Enacted 2016 · Amended 2024 · CLOUD Act partner since Oct 2022

The IPA compels access to encrypted communications and mandates pre-notification before releasing security updates affecting surveillance. In 2024, the UK secretly ordered Apple to build a global backdoor into iCloud — including non-UK users’ data. The UK–US CLOUD Act executive agreement (2022) creates fast-track mutual data access.

The UK’s 2024 Apple backdoor order demonstrated Five Eyes CLOUD Act partners can use bilateral agreements to reach data well beyond their own citizenry.

Extraterritorial reach

🇦🇺 Australia

Assistance and Access Act (TOLA) · CLOUD Act Agreement

TOLA 2018 · US–Australia CLOUD Act Agreement Jan 2024

TOLA compels companies serving Australians — not just those headquartered in Australia — to provide interception capabilities. The OVHcloud Canada case (Sept 2025): an Ontario court ordered a French company’s Canadian subsidiary to produce data stored in France — with no MLAT required. Geography is not protection.

OVHcloud case (Sept 2025): data stored in France, UK, and Australia ordered produced via a Canadian subsidiary — demonstrating that European-origin data has no geographic protection. — CMS Law, Feb 2026

Extraterritorial reach

🇮🇳 India

Digital Personal Data Protection Act · Sectoral Regulations

DPDP Act 2023 · Enforcement from 2025 · Active

The DPDP Act applies to any entity processing Indian residents’ data — regardless of incorporation. Sectoral regulators (RBI, IRDAI, SEBI, TRAI) impose additional localization mandates. A multinational in Indian banking, insurance, and telecom must comply with three separate data residency frameworks simultaneously. India’s India Stack model reduces private foreign vendor dependency without requiring exclusion.

India’s India Stack — government-built open-API infrastructure — is the most applicable model for Saudi Arabia’s digital public infrastructure ambitions.

Localization + extraterritorial scope

🇸🇦 Saudi Arabia

PDPL · NCA Cloud Controls (CCC-2) · SAMA Regulations

PDPL full enforcement Sept 2024 · NCA CCC-2 active · SAMA active

PDPL requires prior approval for cross-border transfers; fines up to SAR 3M plus imprisonment. NCA CCC-2 mandates sensitive and critical government workloads on Saudi territory. SAMA imposes independent financial data residency rules. The legal foundation for sovereignty exists — operationalising it is the work.

Citadel’s work begins where the law ends: translating PDPL, CCC-2, and SAMA into operational architecture, vendor governance, and measurable maturity levels.

Localization + transfer controls

Where the Stack Is Concentrated Today

Every layer of the digital stack has dominant vendors. The resilience question is not quality — it is concentration. Understanding where single points of failure exist is the beginning of a sovereignty plan.

Cloud & Compute

Three hyperscalers hold most enterprise compute

AWS, Azure, and Google Cloud serve the majority of global enterprise workloads — including Saudi government ministries. When AWS had an outage (Oct 2025), it disrupted banking and government portals across multiple continents simultaneously. Owning your compute for critical workloads changes the risk profile. Saudi Arabia's Hexagon DC (480MW, groundbreaking Jan 2026) is the infrastructure answer. Activating it is the governance work.

AWS · Azure · Google Cloud · Alibaba Cloud · OVHcloud · Hexagon DC (KSA)

Email & Collaboration

Every Saudi ministry runs on two US productivity suites

Microsoft 365 and Google Workspace are single points of failure under the CLOUD Act: a US government instruction can halt operations without notice. The ICC precedent (Feb 2025) is the proof point — the kill switch was pulled in hours. Open-source alternatives — Nextcloud, OpenDesk, Proton — are production-ready, deployed at government scale in Germany and France.

Microsoft 365 · Google Workspace · Nextcloud · OpenDesk · Proton

AI & LLMs

National AI strategy runs on models trained and governed elsewhere

Every government deploying AI for public services is doing so on models built outside its borders. HUMAIN OS (PIF/Aramco, Feb 2026) is Saudi Arabia's sovereign answer. Until HUMAIN is at scale, every Arabic-language AI workload running on foreign LLMs is subject to the vendor's training policies, safety guardrails, and deprecation decisions — outside Saudi control.

OpenAI · Google DeepMind · Anthropic · Alibaba Qwen · Mistral · HUMAIN OS (emerging)

Semiconductors

Every AI chip in Saudi Arabia requires a US export licence

Advanced AI compute depends on NVIDIA GPUs — designed in California, primarily manufactured in Taiwan — all subject to US export controls. The US has restricted Gulf GPU exports without warning. Every AI data centre built today is contingent on continued US export licence approval. A multi-source supply chain and strategic stockpiling reduce this risk; eliminating it requires domestic chip production.

NVIDIA · Intel · Qualcomm · TSMC (Taiwan) · Huawei HiSilicon · RISC-V (emerging)

Payment Infrastructure

GCC commerce runs on pre-sovereignty payment rails

SWIFT, Visa, and Mastercard underpin all cross-border GCC commerce — built as global utilities before sovereignty was a policy consideration. The lesson of Russia's SWIFT disconnection: payment infrastructure can be used as a policy instrument by any coalition of nations. India's UPI and Brazil's Pix prove a domestic rail is achievable. The Arab world has no equivalent at scale yet.

SWIFT · Visa / Mastercard · UPI (India model) · UnionPay · mBridge (GCC pilot)

Public Communications

Crisis communications run on foreign-governed platforms

Government crisis broadcasts, emergency alerts, and national discourse flow through X, Meta, YouTube, and TikTok — platforms whose policies and availability are controlled by private corporations in foreign jurisdictions. A platform outage or account suspension can disrupt a government's ability to reach its citizens through no political act of any adversary. No GCC-region alternative exists at scale.

X / Meta / YouTube · TikTok / WeChat · No regional alternative at scale
Concentration Assessment

Full Stack Optionality Assessment

Every layer mapped against current concentration and the availability of viable, production-ready alternatives.
| Layer | Current State & Alternatives | Vendor Origin | Optionality |
|---|---|---|---|
| AI / LLM | Highly concentrated. HUMAIN OS emerging. Open-source (Llama, Mistral, Qwen) provide partial alternatives. Fine-tuning on sovereign infrastructure is achievable today. | US-dominant | Concentrated |
| Cloud compute | Three-vendor concentration. Hexagon DC (KSA) and STC Cloud provide local alternatives. Hybrid architecture is the sovereign path. | US-dominant | Concentrated |
| Email & collab | Alternatives are production-ready. Schleswig-Holstein: 40,000+ mailboxes migrated, €15M/year saved. Barrier is organisational, not technical. | US-dominant | Alternatives exist |
| Semiconductors | Most geographically concentrated. Advanced fab only in Taiwan and South Korea. RISC-V enables long-term design sovereignty. Near-term: multi-vendor qualification. | Global chain | Concentrated |
| Payment rails | Domestic rail viable and proven. mBridge multi-CBDC GCC pilot underway. Does not require displacing SWIFT for international trade. | Mixed | Alternatives exist |
| Operating systems | Linux is mature for servers and desktops. Government-scale OS migration proven by Schleswig-Holstein. Mobile OS sovereignty remains the hardest unsolved problem globally. | US-dominant | Partial (servers) |
| Public comms | No regional alternative at scale. Government broadcast channels and Matrix/Signal provide partial independence. Full platform sovereignty remains an open global challenge. | US / CN split | Concentrated |
| Subsea cables | Multi-stakeholder ownership increasing. Gulf states co-investing in new routes. Redundant landing stations reduce single-route failure risk. | Mixed | Diversifying |

What Good Looks Like

Six Principles of Genuine Resilience

Sovereignty is not a binary state. It is a portfolio of capabilities built layer by layer, giving an organisation the ability to operate on its own terms.

01

Own the Critical Path

Identify the 20% of your stack whose failure halts 80% of operations. Build owned, auditable alternatives for those layers first. Everything else can stay with best-in-class providers on commercial terms.

02

Diversify, Don't Isolate

Estonia runs X-Road alongside AWS. India built UPI and still uses global cloud. The goal is never single-vendor dependency — not zero foreign engagement.

03

Audit What You Actually Own

Most organisations cannot answer: what data do we hold, where does it live, who has contractual access? Sovereignty begins with an honest inventory — not a policy declaration.

04

Build to Switch

Vendor lock-in is the enemy of optionality. Open standards and interoperable APIs keep switching costs low and negotiating leverage high — with any vendor, anywhere.

05

Test Continuity, Not Just Plans

Helsingborg (Sweden) ran a full one-year live simulation: would elderly residents receive prescriptions during a complete digital blackout? A plan on paper is not a capability. Resilience is proven through operational exercises.

06

Build the Talent to Maintain It

Sovereign infrastructure requires sovereign engineers. Schleswig-Holstein migrated 40,000+ mailboxes and 30,000 workstations — saving €15M annually. The barrier was organisational training and political will, not technology.

Commission an assessment
"The question is never which vendors to exclude. The question is: what is the minimum we must own to remain operational on our own terms?"
Citadel Sovereign Advisory delivers a four-phase journey — Design, Demonstrate, Stress Test, and Train — that ends with your people owning a certified sovereign stack, independently. We drive ourselves out of your business, deliberately.


Your hardware, your software, your sovereignty?