The Netherlands is facing a pivotal decision that could redefine its approach to digital sovereignty and national security. At the center of the debate is the planned acquisition of Solvinity — a key operator of the country’s digital identity infrastructure — by the American tech giant Kyndryl. With critical public services at stake and geopolitical tensions rising, Dutch lawmakers are weighing the risks of foreign control over essential digital systems that underpin the everyday lives of millions of citizens
The proposed acquisition of the Dutch IT service provider Solvinity by the American multinational Kyndryl has triggered significant apprehension within the political establishment of the Netherlands. The core of the controversy centers on Solvinity’s pivotal role in managing the infrastructure that supports DigiD, the national digital identity system used by millions of Dutch citizens to securely access a wide range of essential public services, including taxation, healthcare, pensions, and municipal administration. Although Kyndryl has offered assurances that foreign interference in critical Dutch public digital services will be effectively prevented through a combination of technical, organizational, and legal safeguards, members of the Dutch Parliament have expressed ongoing reservations and are calling for additional binding guarantees.
DigiD, a system developed and maintained under the authority of Logius, an agency that operates under the Ministry of the Interior and Kingdom Relations, is at the heart of the Dutch e-government ecosystem. While Logius retains ownership and overarching responsibility for the digital identity framework, Solvinity is entrusted with the operation and maintenance of the technical infrastructure on which DigiD depends. This includes the administration of servers, data traffic, cybersecurity protocols, and hosting environments that are located within government-controlled data centers on Dutch territory. The strategic sensitivity of this infrastructure has made the proposed acquisition a subject of intense scrutiny, particularly given the potential implications for national sovereignty and the autonomy of public digital infrastructure.
Kyndryl, a company that emerged as a spin-off from IBM’s managed infrastructure services division and now operates globally as an independent IT infrastructure services provider, has stated unequivocally that Solvinity would continue to operate in compliance with European data protection regulations. The company has emphasized that neither Solvinity nor Kyndryl would have access to the contents of personal user data handled through DigiD, and that any request for data by third parties, including foreign governments, would be transparently communicated to clients. However, critics point to the extraterritorial reach of U.S. legislation, such as the CLOUD Act, which could, in theory, compel American parent companies to disclose data held by their subsidiaries abroad, even when such data is stored in compliance with EU data protection laws. This perceived legal vulnerability has become a central point of concern among lawmakers, cybersecurity experts, and digital sovereignty advocates.
Members of the Dutch Parliament from several parties, particularly the GreenLeft–Labour Party (GL-PvdA) and the progressive liberal Democrats 66 (D66), have raised the alarm over the potential erosion of national control over a system so integral to the functioning of the Dutch state. They argue that despite the presence of safeguards, legal uncertainties remain unresolved and the risk, however remote, of a disruption or compromise in DigiD’s operations cannot be dismissed. These parties have proposed legislative or regulatory interventions to ensure that any service supporting the operational integrity of DigiD remains under direct or indirect Dutch control. Such proposals could involve requirements for majority Dutch ownership of service providers managing critical public infrastructure or the introduction of specific licensing conditions linked to national security interests.
The figures surrounding DigiD underscore the strategic importance of the system: with over 16.6 million registered users and more than 645 million login sessions recorded in the previous year alone, it constitutes one of the most actively used digital public service systems in the European Union. It enables citizens to carry out administrative interactions across virtually every sector of public life and is deeply integrated into the operational workflows of hundreds of governmental and semi-governmental organizations.
While the acquisition of Solvinity by Kyndryl has not yet been finalized, it is subject to a multilayered review process that includes national security assessments and strategic interest evaluations by the Dutch Ministry of Economic Affairs and Climate Policy. This ministry holds the authority to block acquisitions of critical infrastructure providers if such transactions are deemed to pose unacceptable risks to the continuity, security, or integrity of essential national interests. The decision-making process in such cases can extend over several months and involves coordination with intelligence services, regulatory bodies, and potentially the European Commission.
Past precedents, such as the recent dispute involving the Chinese-owned semiconductor manufacturer Nexperia and its operations in the Netherlands, illustrate the complex geopolitical and economic consequences that may arise when national governments intervene in cross-border corporate transactions on grounds of security and strategic autonomy. Such interventions may lead to diplomatic friction, retaliatory measures, or protracted legal challenges under international trade law.
More broadly, the Solvinity-Kyndryl case has once again highlighted the structural dependence of European public digital infrastructure on non-European technology companies. It has reignited debates across the continent regarding digital sovereignty, data localization, and the necessity of developing indigenous capabilities in cloud computing, cybersecurity, and IT infrastructure management. As transatlantic relations experience periodic strains and as European policymakers grow increasingly wary of foreign access to sensitive data ecosystems, cases like this are likely to become more frequent and contentious in the years ahead. The Dutch government’s decision, whatever direction it takes, will likely serve as a precedent for how EU member states navigate the delicate balance between openness to foreign investment and the imperative to safeguard national digital resilience.