Dutch Parliament Raises Alarm Over US Acquisition of Critical Government Infrastructure Provider

Kyndryl, the US technology services company spun out from IBM, is pursuing an acquisition of Solvinity, the cloud services provider that hosts the Netherlands' DigiD digital identity system. Dutch lawmakers raised concerns in Parliament on Friday about the potential transfer of control over sensitive national infrastructure to foreign ownership.

Solvinity provides cloud services for DigiD, the digital identity platform used by Dutch residents to access government services, as well as hosting for MijnOverheid, the government's digital mailbox platform, and infrastructure for the Central Judicial Collection Agency, which manages fines and penalties. The company was originally Dutch-founded but is now majority-owned by a British firm.

The acquisition proposal has triggered significant public opposition. A survey conducted by Radar Panel with 28,000 participants found that 87% of Dutch residents would stop using DigiD if the US takeover proceeds, while 96% expressed worry about Kyndryl's potential acquisition of Solvinity.

Parliamentary Concerns Over Data Sovereignty

Dutch lawmakers warned that the Kyndryl acquisition could expose sensitive national data to foreign control, particularly given concerns about policy shifts under the Trump administration. The core worry centers on the Netherlands potentially losing control over sensitive government data stored on foreign-controlled servers.

Concerns were raised that US government sanctions on the Netherlands could block access to services like DigiD and MijnOverheid.nl if Kyndryl completes the acquisition. This scenario would create a dependency relationship where access to critical digital infrastructure could be subject to foreign policy decisions beyond Dutch control.

The timing of these concerns reflects broader European anxiety about digital sovereignty. Dutch firms published a position paper in May warning that access to government cloud services could become a tool of geopolitical leverage—a framework that applies directly to this acquisition scenario.

The Infrastructure at Stake

DigiD serves as the primary authentication gateway for Dutch government digital services, making its availability and security critical to public administration. MijnOverheid functions as the central digital communication channel between government and citizens, handling everything from tax notifications to official correspondence. The Central Judicial Collection Agency's systems process financial penalties and enforcement actions across the justice system.

This infrastructure stack represents what security professionals would classify as critical national infrastructure—systems whose disruption would significantly impact government operations and citizen services. The current hosting arrangement places these systems under the operational control of Solvinity's data centers and technical teams.

Looking at the broader context here, this acquisition attempt fits a pattern I have observed repeatedly over three decades covering technology mergers: the collision between commercial consolidation logic and national security concerns. We saw similar tensions during the Huawei network equipment debates, the TikTok acquisition discussions, and various semiconductor industry transactions. In each case, what appeared to be routine business combinations became flashpoints for deeper questions about technological dependency and control.

Technical and Operational Implications

From an infrastructure perspective, the acquisition would transfer operational control of government workloads to a US-based organization subject to US legal jurisdiction. This includes compliance with US export controls, sanctions regimes, and potential data access requirements under laws like the CLOUD Act.

The technical reality is that cloud service providers exercise significant control over their customers' operations—from security configurations and backup policies to disaster recovery procedures and data residency. When those providers fall under foreign jurisdiction, host governments lose direct regulatory oversight of critical infrastructure operations.

For Kyndryl, the acquisition represents an expansion into European government services—a market segment that typically offers stable, long-term contracts with public sector clients. The company, which provides IT infrastructure services to enterprise clients, would gain established relationships with Dutch government agencies and proven capabilities in secure hosting environments.

Regulatory and Political Response

The parliamentary concerns signal potential regulatory intervention. European governments have increasingly scrutinized foreign acquisitions of companies handling sensitive data or critical infrastructure, particularly following the EU's push for digital sovereignty.

The Netherlands has existing mechanisms for blocking foreign acquisitions deemed contrary to national security interests. The Investment Screening Act allows government review of transactions involving critical infrastructure, and the current political response suggests this framework could be applied to the Kyndryl-Solvinity deal.

The public opposition data—87% of residents stating they would stop using DigiD—represents an unusual level of citizen engagement with infrastructure policy. While such survey results do not directly influence regulatory decisions, they create political pressure for government action and demonstrate public awareness of digital sovereignty issues.

Worth flagging: the survey methodology and question framing could influence these results significantly. Public opinion on technical infrastructure questions often shifts when the practical implications become clearer—either through actual implementation or through more detailed explanation of operational safeguards.

Implications for Digital Infrastructure Policy

This acquisition attempt arrives amid broader European efforts to reduce technological dependency on non-EU providers. The EU's Digital Services Act, Digital Markets Act, and various cybersecurity directives all reflect concerns about maintaining control over digital infrastructure.

The Netherlands faces a fundamental policy choice: whether to allow market-driven consolidation of critical infrastructure providers or to implement restrictions based on national security considerations. Similar decisions are playing out across European capitals as governments balance economic openness with strategic autonomy concerns.

The outcome of this specific case will likely influence how other European governments approach similar acquisitions. If the Netherlands blocks the transaction or imposes significant conditions, it could establish precedent for more restrictive policies toward foreign acquisitions of infrastructure providers.

The technical architecture of government digital services—currently distributed across multiple providers and jurisdictions—may need to evolve toward more domestically controlled alternatives if current policy trends continue. This would require significant public investment and longer-term planning to develop European-based alternatives to global cloud providers.