US bid for Dutch ID infrastructure raises sovereignty issues
When US IT large Kyndryl introduced its proposed acquisition of Solvinity in November 2025, few outdoors the Netherlands paid a lot consideration. However within the nation itself, the information prompted concern.
Solvinity runs the infrastructure behind DigiD, the nationwide digital identification system utilized by 16.5 million Dutch residents. The proposed takeover prompted an pressing technical briefing and parliamentary roundtable, in addition to a 140,000‑signature petition.
The case exposes a elementary stress going through governments throughout Europe. As dependence on US tech giants turns into more and more seen and geopolitical tensions rise, the query is not whether or not digital sovereignty issues, however which infrastructure is just too vital to depart weak to international jurisdiction.
DigiD isn’t a peripheral system. It’s the gateway via which Dutch residents entry their authorities. In 2025 alone, it processed 645 million authentications, a determine that’s rising at 10% to fifteen% yearly. Residents use it to file tax returns, entry healthcare data, apply for advantages and work together with nearly each public service.
Since 2020, Solvinity has offered the infrastructure platform that retains DigiD operating, together with MijnOverheid, the federal government’s citizen communication portal, and Digipoort, the enterprise companies gateway. Logius, the Dutch authorities’s digital infrastructure organisation, maintains management over structure, safety necessities and governance. The DigiD software itself, together with information processing and coverage management, stays fully in authorities palms. However the technical continuity will depend on a non-public infrastructure supplier. And now that supplier is about to turn out to be American.
Bert Voorbraak, common director of Logius, emphasised the stakes throughout a technical briefing to the Digital Affairs Committee. “The continuity of the service is actually crucial,” he mentioned. The understatement belied the size of concern.
Past the Cloud Act
When most individuals take into consideration dangers from US possession of European infrastructure, they consider the Cloud Act, the US regulation that permits American regulation enforcement to demand information from US corporations no matter the place it’s saved. However specialists talking on the committee listening to recognized a extra rapid concern: US sanctions laws.
Lokke Moerel, professor of world ICT regulation at Tilburg College, was blunt. “It’s the authority of the US, and the president himself, to subject sanctions towards individuals, organisations, nations within the curiosity of nationwide safety.” She defined that while the Cloud Act includes judicial processes and public scrutiny, sanctions might be imposed unilaterally.
Evelyn Austin, director of digital rights organisation Bits of Freedom, made it concrete. “There at the moment are 9 workers of the Worldwide Legal Courtroom who, as a consequence of a decree from President Trump, are usually not allowed to obtain American companies. That’s not simply inconvenient, it’s genuinely life-disrupting. And people are solely 9 individuals. With DigiD, it may occur on the size of a complete society.”
For Austin, the menace isn’t theoretical. When requested whether or not she noticed a sliding scale if the proper route wasn’t taken, her reply was stark. “I don’t know if it’s a sliding scale, as a result of I feel the disaster is already right here. So, in that sense, we would already be someplace on the backside of the slide.”
Kyndryl’s defence
When Kyndryl’s flip got here to deal with the committee, senior vice-president Piet Bil opened with reassurance. The corporate, a four-year-old spin-off from IBM that operates in 60 nations, has expertise with nations the place digital sovereignty is a vital precedence. Bil outlined three layers of safety: technical, organisational and authorized.
In accordance with the corporate, there can be no technical functionality to entry Solvinity buyer information or disable companies from outdoors the European Union (EU). “Information stays within the Netherlands,” Bil emphasised. “The companies will proceed to be offered inside the EU. And entry to the information is simply attainable on EU territory.”
On the organisational degree, Bil promised that Kyndryl would refer any authorities request, together with from the American authorities, to the tip buyer, inform prospects of each request and resist improper calls for. He pointed to Kyndryl’s transparency report, noting that the corporate claims by no means to have obtained a request from a international authorities for EU buyer information.
The corporate’s opening assertion added two authorized safeguards: appointing a Europe-based information guardian with authority to resolve on information entry requests; and promising that Kyndryl Netherlands would search a ruling from Dutch courts if the American headquarters tried to pressure entry or disable companies in violation of Dutch or EU regulation.
However the assurances didn’t fully dispel issues. Sarah El Boujdaini, an MP from the centre-liberal D66 occasion, raised the difficulty of American gag orders – the likelihood that the US authorities may demand information with out the corporate being permitted to tell its prospects. “That threat stays, though you’ve taken all these mitigating measures,” she noticed.
Rob Bravenboer, Kyndryl’s managing director for the Netherlands, had earlier acknowledged that Kyndryl Netherlands can be led by a Dutch board of administrators and an impartial supervisory board consisting of Dutch residents. But the elemental query stays: what occurs when American regulation and Dutch pursuits collide?
The procurement lure
For Amsterdam’s metropolis council, the acquisition announcement late final 12 months got here as a chilly bathe. The municipality had, for the primary time, explicitly included digital autonomy as a criterion in its tender for public cloud administration. “That was the primary time we did that,” mentioned deputy mayor Alexander Scholtes throughout the Digital Affairs Committee roundtable. “And Solvinity got here out on prime. We thought: a pleasant Dutch firm, even an Amsterdam firm, that may assist us turn out to be extra digitally autonomous.”
Shortly afterwards got here information of the proposed takeover. “That was an disagreeable shock for us,” added Scholtes. The scenario revealed simply how complicated digital autonomy is, even when governments actively prioritise it. Solvinity was already 60% owned by British non-public fairness agency Vitruvium Companions, however European procurement guidelines prohibit steering on possession buildings.
“You’re not allowed to steer on possession or possession buildings,” mentioned Scholtes. “So you may have a look at necessities round information to develop companies within the discipline of digital autonomy. You possibly can have a look at flexibility. However my level is that with the present necessities, you may’t sufficiently steer in the direction of digital autonomy.”
It’s a elementary stress the case exposes. Even when public our bodies explicitly search sovereign options, market dynamics and procurement frameworks can undermine these goals. As one place paper introduced to the committee famous, the present scenario is the results of gradual outsourcing with out an integral decision-making second to contemplate whether or not that is fascinating.
Three roads ahead
Throughout the committee’s hearings, specialists outlined essentially totally different approaches. Some argued for working inside the new actuality, utilizing contractual safeguards and technical measures to handle dangers. Logius is exploring extra protections: encrypting information in databases, proscribing platform entry to a handful of workers with all actions explicitly logged, and probably bringing a few of Solvinity’s duties in-house.
This strategy discovered assist from business representatives who cautioned towards oversimplifying the difficulty. Jelmer Schreuder from NLdigital warned that focusing solely on a provider’s nation of origin was too crude. The dialogue needs to be primarily based on mature threat administration, he argued, not on simplifications like “home equals secure”. He emphasised that sensible safeguards, resembling making certain Dutch civil servants can solely cooperate below Dutch regulation, usually present stronger safety than authorized cures for conditions past direct management. Marijn van Vliet from Digital Infrastructure Netherlands Basis added that digital autonomy encompasses greater than information safety alone, together with financial resilience and geopolitical positioning.
Others advocated rejecting the acquisition outright and constructing European alternate options. Jeroen Wouda from sovereign cloud supplier Uniserver argued that digital sovereignty isn’t a really perfect, however a strategic selection accessible in the present day. “The information, expertise and experience exist. As we speak, not tomorrow,” he mentioned. Wouda known as for public-private partnerships the place market forces drive effectivity and innovation, however the Netherlands builds on the power of its personal digital sector.
A 3rd group proposed a center path. Tilburg College’s Moerel urged a twin strategy – accepting some dependency whereas investing closely in European alternate options for probably the most vital infrastructure. The query everybody circled again to was which infrastructure is vital sufficient to warrant that funding?
Austin put it starkly: “There have been many imaginative and prescient paperwork written. However the easy query – which infrastructure is so vital that it needs to be secured first? – we don’t have a solution to but. There is no such thing as a roadmap but.”
The ghost of DigiNotar
For the Netherlands, the stakes are private. In 2011, certificates authority DigiNotar was hacked, resulting in its chapter and a nationwide safety disaster. Austin invoked that reminiscence. “We should stop a Solvinity disaster with the proper route,” she mentioned. The DigiNotar collapse demonstrated how rapidly digital infrastructure failures cascade into real-world penalties.
The federal government is responding. Behind closed doorways, an interdepartmental job pressure has been negotiating with Solvinity and Kyndryl for weeks. In the meantime, two impartial assessment processes are underway: a contest evaluation by the Authority for Customers and Markets; and a safety assessment below the Undesirable Management Telecommunications Act. Till these assessments are full, the transaction can not proceed.
Logius has additionally established a revised imaginative and prescient for its infrastructure. Voorbraak acknowledged that selections and contractual agreements from the previous could not be applicable. The final word purpose, he mentioned, is to develop a Dutch cloud, a authorities cloud, eliminating dependence on industrial events.
The Solvinity case illustrates challenges that many European governments now face. Digital infrastructure that appeared purely technical – server capability, storage, networking – seems to hold geopolitical weight. Procurement frameworks designed to advertise competitors and stop protectionism weren’t constructed to account for jurisdictional threat. And the gradual nature of outsourcing meant that by the point the strategic implications turned clear, dependence was already embedded.
The Netherlands isn’t alone in going through these questions. As American expertise dominance turns into extra seen and geopolitical tensions intensify, each European nation should resolve: which digital infrastructure is just too vital to depart weak to international management? What degree of dependency is suitable? And the way a lot are we keen to put money into alternate options?
