The possible acquisition of Dutch IT service provider Solvinity by American giant Kyndryl is causing considerable unrest among politicians and regulators. During a roundtable discussion in the House of Representatives on January 27, 2026, experts and interest groups warned that the continuity of vital digital processes, including DigiD, is at risk due to excessive dependence on foreign players. The discussion touches on the core of Dutch digital sovereignty: who actually controls the infrastructure that citizens and the government rely on every day?
Solvinity plays a crucial role in the Dutch digital infrastructure as the driving force behind the platform on which DigiD runs, which is managed by Logius and hosted in a Dutch government data center. For more than 16.5 million active users, DigiD is the primary gateway to digital government services and organizations with a public task, from the Tax and Customs Administration to healthcare. Precisely because Solvinity provides the technical platform, experts fear that an American owner could be forced to hand over data or shut down services through extraterritorial legislation, such as the Cloud Act. Bits of Freedom succinctly summarized this concern with the statement "if Trump wants it, the Netherlands comes to a standstill," exposing both the vulnerability of Dutch digital autonomy and the dependence on a single means of identification.
Although Logius and Solvinity emphasize that DigiD will continue to operate in a Dutch government data center, that data will remain in the Netherlands, and that only a limited number of authorized employees will have access, they acknowledge that the potential takeover warrants a thorough risk analysis. Both Logius and Solvinity state that in the event of unacceptable risks, "immediate appropriate measures" will be taken to guarantee the security and reliability of DigiD, but the key question for debate remains whether legal and technical measures are sufficient if ultimate control lies with a foreign parent company.
In an urgent letter to the informateur, the Dutch Autoriteit Persoonsgegevens AP) warned that the Netherlands has become too dependent on a small number of foreign providers for vital processes, ranging from identification and taxation to benefits and healthcare. This concentration, combined with extraterritorial surveillance legislation and increasing geopolitical tensions, creates a risk that digital infrastructure could be used as a political lever. The AP points to previous examples where cloud services or payment facilities were affected by foreign sanctions and measures, with potentially disruptive effects if similar situations were to arise in Dutch vital chains.
In the eyes of the regulator, it is not just a matter of privacy, but also of national security and the continuity of the digital rule of law. When a limited number of large, mainly American providers are deeply embedded in vital infrastructure, the European GDPR is confronted in practice with competing legal systems and security interests. This shifts the Solvinity case from a 'normal' takeover to a test case for the question of how far the Netherlands and the EU are willing to go in protecting strategic digital infrastructure against external pressure.
Local authorities are also feeling the effects of this concentration of power. The municipality of Amsterdam had selected Solvinity based on criteria relating to digital autonomy and security for the management of its public cloud environment, and now sees the possible takeover as a direct threat to its intended public control. In collaboration with the national government, Amsterdam is investigating the legal and contractual options for adjusting or possibly terminating the collaboration if public control, data protection, and transparency regarding ownership are no longer sufficiently guaranteed.
The Clingendael Institute argues that cloud services should be formally designated as "strategic digital infrastructure," comparable to energy and telecom networks, so that the government can gain more structural control over acquisitions in this layer of infrastructure through the Vifo Act (security assessment of investments). Meanwhile, the House of Representatives is exploring whether the scope of the Vifo Act can be expanded and whether cloud services, in addition to data centers, should be explicitly included in the screening regime in order to better mitigate national security risks.
The Solvinity case is acting as a catalyst for a broader debate on structural solutions to strengthen Dutch digital independence. One frequently mentioned option is the development of a government cloud: a public cloud under Dutch management, in which core registers, identification tools, and other vital data are stored without falling under foreign jurisdiction. This is in line with European initiatives on cloud sovereignty and GAIA-X, but requires political willingness to invest in a separate, less 'convenient' infrastructure, and to actually use it for vital applications.
In addition, experts are calling for more flexibility in procurement rules so that, in the case of sensitive services, it is possible to explicitly focus on European or national digital sovereignty, rather than solely on price and functionality. European procurement frameworks currently place a strong emphasis on non-discrimination and market access, which makes it difficult to impose formal requirements on the ownership structure and origin of cloud providers, precisely where vital interests are at stake. Clingendael and organizations such as Privacy First argue that the government should be able to take a majority stake in strategic digital service providers or, in extreme cases, bring them entirely under public management if national security and continuity are at stake. At the same time, Bits of Freedom points to the risk of a "DigiD monoculture" and advocates for multiple, interchangeable means of identification and open standards, so that the failure or politicization of one platform does not paralyze the entire country.
Public resistance to the takeover is growing rapidly and has now resulted in legal action. A broad coalition of civil society organizations has gone to court to block the takeover, thereby forcing the government to make its duty of care explicit: the digital infrastructure that millions of citizens rely on every day must not become a pawn in foreign interests and surveillance legislation. Privacy First emphasizes that DigiD and similar infrastructure must not fall into American hands, because American surveillance legislation is at odds with the European GDPR and the fundamental right to data protection.
Meanwhile, voices in the Dutch House of Representatives are growing louder, calling for the Netherlands to regain control over the management of platforms that run vital government services, and for the government to "take charge" to prevent DigiD from falling under American influence through corporate structures. The outcome of this conflict will set a precedent for how the Netherlands deals with ownership, control, and protection of its vital digital infrastructure in the coming years—and thus with the practical implementation of digital sovereignty in a world where cloud and data are cross-border, but public values should not be.
