What the takeover is, and why it matters
A planned acquisition would place Dutch cloud and managed-services company Solvinity under the control of Kyndryl, a U.S.-based IT services firm. The deal is still subject to regulatory clearance, but it has already triggered fresh concern in The Hague because Solvinity is a major supplier for parts of the Dutch government’s digital infrastructure, including the platform DigiD runs on.
DigiD is used by millions of people to access government and semi-government services. That makes any change around its supporting infrastructure politically sensitive, especially at a time when European governments are trying to reduce dependence on foreign tech in critical systems.
DigiD is not being “sold” but the supplier could change hands
Dutch authorities have repeatedly stressed a key distinction: Solvinity does not own DigiD. DigiD is managed by Logius, a government organisation under the Ministry of the Interior and Kingdom Relations. Solvinity provides the platform DigiD runs on, and it is hosted in a government data centre, meaning the supplier supports the service but does not control it.
That distinction is important, but it does not end the debate. Critics argue that even if data stays in Dutch facilities, foreign ownership of an essential supplier can still create pressure points, especially when maintenance, staffing, incident response, and long-term technical roadmaps depend on that supplier.
Why experts are calling this a national security risk
The newest round of warnings focuses on digital sovereignty and the risks of foreign legal reach over companies headquartered in the United States. Experts quoted in recent reporting argue that U.S. ownership can create uncertainty about whether U.S. authorities could compel access to certain data or systems, or influence operational decisions indirectly through corporate governance and compliance obligations.
The core fear is not necessarily that “someone in the U.S. can log into DigiD tomorrow.” It is that critical national infrastructure becomes harder to guarantee when a key supplier falls under another legal regime, particularly during diplomatic conflict or heightened geopolitical tension.
What the Dutch government and Logius say they are doing
After the takeover intention became public in late 2025, Dutch ministries started examining the consequences, including operational, legal, and contractual risks. Logius has said it understands the concerns and emphasised that “DigiD is and will remain Dutch,” while also investigating what the ownership change could mean for service continuity, security, and privacy.
A practical part of the government’s message has been reassurance: the state determines how DigiD works and how it is secured, and suppliers have no authority over the service itself.
Photo Credits: Dutch Brief
What is still unclear right now
Even with official reassurance, several questions remain open in public reporting:
What exactly Solvinity provides in the DigiD chain (infrastructure, managed services, specific platform components) and how easily those services could be replaced if needed.
Which safeguards are contractually enforceable, and whether the government has strong “step-in” rights if there is a dispute or a security incident.
Which regulator(s) must approve the deal and what conditions could be imposed, such as governance limits, auditing obligations, or restrictions on where certain work can be performed.
Dutch experts and watchdogs have asked for more transparency on the risk assessment and on the practical controls that would remain if a U.S. firm becomes the owner.
Why this touches a wider Dutch problem, not just DigiD
The Solvinity case has become a symbol of a broader Dutch and European challenge: governments often rely on a small number of large external tech providers for cloud hosting, security operations, and identity services. That reliance can build up slowly over years, and then suddenly become politically urgent when ownership changes or global politics shift.
In other words, even if DigiD’s servers are in a Dutch data centre, the Netherlands still needs to think about who controls the supplier’s priorities, staffing, investment, and incident response capacity over the next decade.
What could happen next
Based on what has been reported so far, there are a few plausible next steps:
Regulators approve the deal with conditions designed to reduce risk (for example, stricter audit rights, limits on subcontracting, or requirements that sensitive work be done inside the Netherlands or the EU.)
Government tightens its “exit plan” so that DigiD-related services can be migrated to another supplier or a more directly controlled environment if needed.
Political pressure grows for European alternatives, using this case to argue for more domestic capacity in cloud and critical digital services.
What is clear is that this debate will not be limited to one company. The question behind it is bigger: how the Netherlands protects essential digital systems when the supply chain includes private firms that can be bought, sold, or moved under foreign jurisdiction.
