RS.00Research library

Eight long-form papers, from the platform councils.

Architecture deep-dives, regulatory analyses, sector-specific patterns and security runbooks — written for procurement, security and architecture teams that need more than a marketing page. Citation-ready PDFs, refreshed quarterly.

RS.CTCategories

Architecture3
Regulatory1
Sector1
Deployment1
Security1
Sustainability1

RS.LBPaper library

RS.01Architecture
2026-04-08·28p·38m
The economics of sovereign platform substrate · 2026 outlook
Sovereign datacenter deployment carries a specific cost geometry — capital up front, marginal-cost flat, recovery ahead of horizon-3 — that breaks the SaaS-only TCO model most public-sector procurement teams use. We model the break-even surface across L.04 / L.05 / L.06 programmes in EU, GCC, and East Africa.
AuthorsPlatform Council · FlyttGo Technologies Group
Key takeaways
- L.05 sovereign break-even lands at 28-34 months in EU, 22-30 months in GCC
- Sovereign-region hardware refresh cycle moved from 4 years to 5.5 years (2022 → 2025)
- Multi-tenant amortisation reduces sovereign cost gap to managed SaaS by 41% above 6 tenants
Read paper Download PDF
RS.02Regulatory
2026-03-22·22p·30m
eIDAS 2.0 readiness · what relying parties need before 2026
EU Regulation 2024/1183 mandates Member-State Digital Identity Wallets in production by 2026. We translate the Architecture Reference Framework into a relying-party readiness checklist with an issuer / verifier / wallet matrix, OID4VP integration patterns, and a per-jurisdiction trust list anchoring guide.
AuthorsIdentra Trust Council · External counsel · pseudonymised
Key takeaways
- OID4VCI / OID4VP final 1.0 spec landing in 2025; relying parties should target draft conformance now
- Trust list anchoring is the single highest-effort migration line item; budget 6-12 weeks
- SD-JWT is winning over JSON-LD VC across EU member-state pilots; default to SD-JWT proofs
Read paper Download PDF
RS.03Architecture
2026-02-18·34p·46m
Multi-objective provider routing under regulatory constraints
Provider routing in regulated mobility marketplaces optimises cost × time × coverage simultaneously while satisfying constraints that change per jurisdiction (cabotage, hazmat, weight-class, driver hours). We document the constraint solver architecture, the heuristic warm-start strategy, and the production telemetry that gets P99 routing latency to 184 ms across EU + MENA.
AuthorsTransify Engineering Council
Key takeaways
- Constraint-solver-first beats heuristic-first by 14% on routing quality at the cost of 1.8x latency
- Heuristic warm-start recovers most of the latency without sacrificing solver quality
- Per-corridor cache drops P99 by 23% on warm corridors; cold corridors fall back to live solve
Read paper Download PDF
RS.04Sector
2026-01-30·26p·35m
GCC + MENA public-sector deployment patterns
GCC + MENA public-sector procurement diverges meaningfully from EU norms in three places: data residency posture, arabic-first UX expectations, and SAMA-style payment-rail orchestration. We synthesise patterns observed across 7 GCC + MENA programmes, including the regulator hand-off protocol, the in-Kingdom sovereign substrate, and the Arabic localisation surface depth required.
AuthorsMENA Platform Group · GCC Transport Authority (anonymised)
Key takeaways
- In-jurisdiction data residency is non-negotiable in KSA; DM.03 sovereign deployment is the only viable mode
- Arabic-first UX must include hijri calendar, RTL layout, and per-emirate jurisdiction routing
- CBUAE retail payment-services regulation alignment requires 6-9 months lead time on Payvera
Read paper Download PDF
RS.05Security
2026-01-12·31p·42m
Post-quantum migration runbook for institutional platforms
NIST FIPS 203/204/205 finalised in 2024; NSA CNSA 2.0 requires full PQ migration by 2030 (signing) / 2035 (everything). We document the FlyttGo migration runbook: hybrid-first sequencing, per-surface algorithm map, crypto-agility gateway architecture, and the test harness covering 8 cryptographic surfaces across the platform.
AuthorsPlatform Security Council
Key takeaways
- Hybrid classical+PQ first is the only safe path; pure-PQ rollouts have 3 known interop failures industry-wide
- TLS X25519MLKEM768 hybrid is the Q3 2026 target across all inbound and inter-service traffic
- Code-signing migration to ML-DSA + ECDSA hybrid lands first; the supply-chain-attack delta is largest
Read paper Download PDF
RS.06Sustainability
2025-12-04·18p·24m
CSRD scope-3 attribution for platform-infrastructure tenants
EU CSRD requires scope-3 emissions tracking from software vendors starting FY2026. Most platform vendors ship a single-figure annual disclosure; that does not meet auditor expectations at scale. We document the per-tenant per-region carbon attribution model, the SCI emission factors per workload type, and the auditor-friendly export pack.
AuthorsSustainability Council
Key takeaways
- Software Carbon Intensity (SCI) is the right unit; per-tenant attribution is the right granularity
- Region-aware grid intensity dominates the carbon model; a sovereign Riyadh deployment is 4.2x EU baseline
- Auditor-friendly exports include per-month per-tenant CSV + a reconciliation manifest
Read paper Download PDF
RS.07Architecture
2025-11-15·24p·32m
Agent-driven platform architecture · MCP + audit envelope
AI agents (Claude, ChatGPT, Cursor) are moving from observation to operation against platform APIs. We document the architecture FlyttGo built to make agent-driven operations safe: workspace-scoped tokens, the same audit envelope humans use, per-tool rate caps, and the human-in-the-loop tier on high-impact surfaces.
AuthorsPlatform Engineering Council
Key takeaways
- MCP discovery via /.well-known/mcp.json is the de-facto standard; OpenAI, Anthropic, Cursor align here
- Workspace-scoped tokens with explicit tool allowlists block 100% of out-of-scope agent calls at the gateway
- HITL on high-impact tools (payment writes, identity issuance) is the only viable safety posture for institutional buyers
Read paper Download PDF
RS.08Deployment
2025-10-22·20p·26m
Deployment substrate selection · DM.01 / 02 / 03 / 04 decision framework
Buyers regularly pick the wrong deployment substrate for their programme. We document the four-substrate decision framework — managed SaaS (DM.01), customer cloud (DM.02), sovereign datacenter (DM.03), and confidential compute (DM.04, planned) — with a 9-criterion scoring matrix that surfaces the right answer in under an hour.
AuthorsPlatform Council
Key takeaways
- Most L.03 / L.04 programmes are over-provisioned at DM.03 sovereign — DM.02 customer-cloud is the right call
- Regulator-bounded flows force DM.03; nothing else gets the data-residency posture right
- Confidential compute (DM.04) opens a fourth shape for ultra-sensitive workloads — defence, intelligence, regulated finance
Read paper Download PDF

RS.NXWhere the research goes next

Long-form papers earn trust the marketing site can't.

The research library is one input into procurement and security review. The four pathways below take a research-driven team into product surfaces.

Eight long-form papers, from the platform councils.

The economics of sovereign platform substrate · 2026 outlook

eIDAS 2.0 readiness · what relying parties need before 2026

Multi-objective provider routing under regulatory constraints

GCC + MENA public-sector deployment patterns

Post-quantum migration runbook for institutional platforms

CSRD scope-3 attribution for platform-infrastructure tenants

Agent-driven platform architecture · MCP + audit envelope

Deployment substrate selection · DM.01 / 02 / 03 / 04 decision framework

Long-form papers earn trust the marketing site can't.

Short-form insights

Reference programmes

Sandbox tenant

Open scoping