Strategic Resilience Analysis

Declarations Are Easy.
True Ownership Requires a Plan.

Nations pass laws, build data centres, and declare sovereignty — while running critical operations on infrastructure they do not own, cannot audit, and cannot easily replace. The question Citadel asks: if your primary supplier were unavailable tomorrow — for any reason — what breaks, and how fast?

⚖️ The Citadel Principle — Sovereignty Is Pro-Resilience, Not Anti-Anyone
The goal is not to remove any vendor from your stack. Good technology is good technology. The goal is to never be fully dependent on any single supplier, jurisdiction, or platform for a function critical to national continuity. The standard is not isolation. The standard is optionality.
"No country is completely digitally sovereign. The goal is not a 100% domestic stack. It is diversified exposure, so no single supplier's outage or policy change can halt your operations." — Thierry Carrez, OpenInfra Foundation · KubeCon 2026
01 · Legal
The Legal Architecture
6 jurisdictions · jurisdiction follows the company, not the data

Every major technology-producing nation has passed laws asserting its right to access data held by its companies — wherever in the world that data physically sits. When you choose a vendor, you accept their home jurisdiction's legal access framework.

🇺🇸
United States — CLOUD Act 2018 · Active
Compels any US-incorporated company — AWS, Microsoft, Google — to produce data stored anywhere on earth. Jurisdiction follows corporate control, not data location. A server in Riyadh running on AWS is reachable.
[Extraterritorial reach]
🇨🇳
China — National Intelligence Law 2017 · Active
Article 7 requires all organisations to "support, assist, and cooperate with national intelligence efforts." Applies extraterritorially to Chinese entities abroad. Any technology of Chinese origin may be subject to state access without disclosure to the user.
[Extraterritorial reach]
🇪🇺
EU — GDPR · Data Act · AI Act 2018–2026
Restricts data leaving EU jurisdiction. Fines: €20M or 4% of global turnover. The "Brussels Effect" makes EU rules de facto global standards. 2025: €2.3 billion in GDPR fines — 38% year-on-year increase.
[Inbound & outbound controls]
🇬🇧
UK — Investigatory Powers Act 2016 · Amended 2024
In 2024, the UK secretly ordered Apple to build a global backdoor into iCloud — including non-UK users' data. UK–US CLOUD Act agreement (2022) creates fast-track mutual data access across Five Eyes.
[Extraterritorial reach]
🇮🇳
India — DPDP Act + Sectoral Rules 2023 · Enforcement 2025
Applies to any entity processing Indian residents' data. Sectoral regulators (RBI, IRDAI, SEBI, TRAI) impose additional localization mandates. India's Stack model — government-built open APIs — is the most applicable model for Saudi Arabia's digital public infrastructure ambitions.
[Localization + extraterritorial scope]
🇸🇦
Saudi Arabia — PDPL · NCA CCC-2 · SAMA Full enforcement Sept 2024
PDPL: prior approval for cross-border transfers, fines up to SAR 3M. NCA CCC-2 mandates sensitive workloads on Saudi territory. SAMA imposes independent financial data residency rules. The legal foundation exists — operationalising it is the work.
[Localization + transfer controls]
Practical conclusion: Every vendor carries its home jurisdiction's legal obligations. This is not a reason to avoid any particular vendor. It is a reason to make vendor selection a deliberate governance decision — not a convenience default. An organisation using AWS for non-sensitive workloads, a European provider for citizen data, and locally-hosted infrastructure for classified data has made a risk-stratified architecture decision. That is sovereignty in practice.
02 · Stack
Where the Stack Is Concentrated
6 domains · Cloud · Email · AI · Chips · Payments · Comms
Legend: US-origin · China-origin · EU / regional alternatives · Mixed / emerging
Cloud & Compute
Three hyperscalers hold most enterprise compute
AWS, Azure, and Google Cloud serve most global enterprise workloads. When AWS had an outage (Oct 2025), banking and government portals across multiple continents failed simultaneously. Saudi Hexagon DC (480MW, Jan 2026) is the infrastructure answer. Activating it is the governance work.
AWS · Azure · Google Cloud · Alibaba · OVHcloud · Hexagon DC (KSA)
Email & Collaboration
Every ministry runs on two US productivity suites
Microsoft 365 and Google Workspace are single points of failure under the CLOUD Act. The ICC precedent (Feb 2025): the kill switch was pulled in hours. Open-source alternatives — Nextcloud, OpenDesk, Proton — are production-ready at government scale.
M365 · Google Workspace · Nextcloud · OpenDesk
AI & LLMs
National AI strategy runs on models governed elsewhere
HUMAIN OS (PIF/Aramco, Feb 2026) is Saudi Arabia's sovereign answer. Until HUMAIN is at scale, every Arabic-language AI workload runs on foreign models subject to vendor training policies, safety guardrails, and deprecation decisions — outside Saudi control.
OpenAI · Google · Anthropic · Qwen · Mistral · HUMAIN (emerging)
Semiconductors
Every AI chip requires a US export licence
Advanced AI compute depends on NVIDIA GPUs — designed in California, manufactured in Taiwan — all subject to US export controls. Every AI data centre built today is contingent on continued US export licence approval. RISC-V offers a long-term design sovereignty path.
NVIDIA · Intel · TSMC (Taiwan) · HiSilicon · RISC-V
Payment Infrastructure
GCC commerce runs on pre-sovereignty payment rails
SWIFT, Visa, and Mastercard underpin all cross-border GCC commerce. Payment infrastructure can be used as a policy instrument — Russia's SWIFT disconnection proved it. India's UPI and Brazil's Pix prove a domestic rail is achievable. The Arab world has no equivalent at scale.
SWIFT · Visa / Mastercard · mBridge (GCC pilot) · UnionPay
Public Communications
Crisis comms run on foreign-governed platforms
Government crisis broadcasts flow through X, Meta, YouTube, and TikTok — platforms whose availability is controlled by private corporations in foreign jurisdictions. A platform suspension can disrupt a government's ability to reach its citizens without any adversary having taken any political action at all.
X / Meta / YouTube · TikTok / WeChat · No regional alt. at scale
03 · Assessment
Full Stack Optionality Assessment
8 layers mapped against concentration & alternatives
| Layer | Current state & alternatives | Origin | Optionality |
| --- | --- | --- | --- |
| AI / LLM | Highly concentrated. HUMAIN OS emerging. Open-source (Llama, Mistral, Qwen) provide partial alternatives. | US-dominant | Concentrated |
| Cloud compute | Three-vendor concentration. Hexagon DC and STC Cloud provide local alternatives. Hybrid architecture is the sovereign path. | US-dominant | Concentrated |
| Email & collab | Alternatives are production-ready. Schleswig-Holstein: 40,000+ mailboxes migrated, €15M/year saved. Barrier is organisational, not technical. | US-dominant | Alternatives exist |
| Semiconductors | Most geographically concentrated. Advanced fab only in Taiwan and South Korea. RISC-V enables long-term design sovereignty. | Global chain | Concentrated |
| Payment rails | Domestic rail viable and proven. mBridge multi-CBDC GCC pilot underway. Does not require displacing SWIFT for international trade. | Mixed | Alternatives exist |
| Operating systems | Linux is mature for servers and desktops. Government-scale OS migration proven by Schleswig-Holstein. Mobile OS sovereignty remains the hardest unsolved problem globally. | US-dominant | Partial (servers) |
| Public comms | No regional alternative at scale. Government broadcast channels and Matrix/Signal provide partial independence. | US / CN split | Concentrated |
| Subsea cables | Multi-stakeholder ownership increasing. Gulf states co-investing in new routes. Redundant landing stations reduce single-route failure risk. | Mixed | Diversifying |
04 · Principles
Six Principles of Genuine Resilience
Own the critical path · Diversify · Audit · Build to switch · Test · Train
01
Own the Critical Path
Identify the 20% of your stack whose failure halts 80% of operations. Build owned, auditable alternatives for those layers first. Everything else can stay with best-in-class providers on commercial terms.
02
Diversify, Don't Isolate
Estonia runs X-Road alongside AWS. India built UPI and still uses global cloud. The goal is never single-vendor dependency — not zero foreign engagement.
03
Audit What You Actually Own
Most organisations cannot answer: what data do we hold, where does it live, who has contractual access? Sovereignty begins with an honest inventory — not a policy declaration.
04
Build to Switch
Vendor lock-in is the enemy of optionality. Open standards and interoperable APIs keep switching costs low and negotiating leverage high — with any vendor, anywhere.
05
Test Continuity, Not Just Plans
Helsingborg (Sweden) ran a full one-year live simulation — would elderly residents receive prescriptions during a complete digital blackout? A plan on paper is not a capability. Resilience is proven through operational exercises.
06
Build the Talent to Maintain It
Schleswig-Holstein migrated 40,000+ mailboxes and 30,000 workstations — saving €15M annually. The barrier was organisational training and political will, not technology. Sovereign infrastructure requires sovereign engineers.
Commission an Assessment
"The question is never which vendors to exclude. The question is: what is the minimum we must own to remain operational on our own terms?"

Citadel Sovereign Advisory delivers a four-phase journey — Design, Demonstrate, Stress Test, and Train — that ends with your people owning a certified sovereign stack, independently. We drive ourselves out of your business, deliberately.