Dutch Parliament Tells Government to Keep DigiD Data Out of US Reach

A majority in the Dutch House of Representatives has asked the caretaker government, and the next cabinet, to do everything possible to prevent DigiD-related data from ending up in the hands of the United States government. The concern is linked to a planned takeover: the US IT company Kyndryl is set to acquire Solvinity, a Dutch firm that supplies key infrastructure used for DigiD services.

The fear is not that DigiD will suddenly “move to the US,” but that US legal powers could still apply if a critical supplier becomes American-owned. MPs want the government to set clear safeguards before the deal becomes a reality.

DigiD is the Netherlands’ main digital login used to access many government services, such as tax affairs, health-related portals, and municipal services. DigiD itself is managed by Logius, a government organisation under the Ministry of the Interior.

Solvinity’s role is as a supplier. It provides the platform DigiD runs on, and it operates in a government data centre. Logius stresses that this makes Solvinity a vendor, not the owner of DigiD, and that the Dutch government sets the security requirements and decides how DigiD works.

Even so, a supplier can still matter a great deal. If a company hosts or supports essential systems, questions arise about who can legally compel that company to hand over data, provide technical access, or influence how services are maintained.

The debate is driven by concerns about extraterritorial reach: under some US laws, American authorities can demand data from US-based companies, even if the data is stored outside the United States. Dutch politicians and cybersecurity experts worry that a US owner could be placed under legal pressure in ways that conflict with Dutch and EU rules, or at least create uncertainty around control and oversight.

This is also about trust. DigiD is tied to some of the most sensitive interactions between citizens and the state. Even a small doubt about who can access what, and under which legal system, can become politically explosive.

The parliamentary push is part of a broader chain of political scrutiny that has been building for months. MPs have already filed formal questions about the planned takeover, asking what Solvinity does for government systems, what risks exist, and what legal and contractual tools the Netherlands has to limit those risks.

In the latest step, parliament is urging the cabinet to take a firm line: prevent DigiD data from falling under US reach, and ensure the Netherlands retains effective control over systems that support DigiD.

There are several routes the government could explore, but none are simple.

One route is contractual. The government can tighten requirements for suppliers handling critical digital infrastructure, including strict rules on where data is stored, who may administer systems, and how audits and incident reporting work. Logius has already tried to address public concern by explaining governance and security requirements around DigiD’s suppliers.

Another route is procurement. If the government believes ownership changes create unacceptable risk, it can look at replacing suppliers over time. That option may be relevant because reporting in the Dutch tech press suggests the Logius contract with Solvinity is due to expire this year, which could create a decision point about renewal, restructuring, or transition.

A third route is oversight through national security screening and sector rules. The Netherlands has increasingly used investment screening tools to protect strategic infrastructure, and MPs are effectively asking whether a digital identity backbone should be treated like critical infrastructure in the same way energy or telecom networks are.

This debate is not only about one company. It highlights a wider issue where governments across Europe rely heavily on a small set of large technology suppliers, and it is difficult to switch quickly without risking service outages or security problems.

DigiD is used at massive scale. Any supplier transition must be carefully managed, tested, and secured, and it cannot easily be rushed without increasing operational risk. At the same time, politicians feel pressure to act quickly, because once an acquisition is completed, reversing course may become harder and more expensive.

The takeover is still the key trigger, but the political focus is now on safeguards. The government will likely have to explain what it can do under existing contracts, what it can demand in future contracts, and whether it will pursue alternative suppliers or structures to reduce perceived US legal reach.

For citizens, the practical takeaway is that DigiD is not expected to stop working, and officials stress that DigiD remains a government-controlled system. But the political message from parliament is clear: when a supplier is essential to national digital identity, ownership and legal jurisdiction matter, and MPs want the Netherlands to keep the final say.