Digital ID, big tech and the Dutch dilemma
A planned US takeover of critical infrastructure raises troubling questions
The Dutch are known for many things, some of the most obvious being windmills, tulips, liberal drug laws and the colour orange. Beyond these more eye-catching features, there’s also the reputation of the Dutch character: direct, no-nonsense, thrifty and partial to a dry humour that doesn’t always translate.
In essence, they’re thought of as a well-organised, clever and sensible bunch. And with one of the best standards of living in Europe, they tend to be assumed to be doing things generally right.
It’s because of this renown for competence and control that people within the country as well as onlookers abroad are particularly unnerved by a situation unfolding in the country at the moment. The Dutch, it appears, have sleepwalked into a situation where their digital ID platform - critical infrastructure for a variety of government and private processes - will likely soon be in the hands of US big tech and, by extension, within the potential scope of US government control.
* This article is also available now in audio format on the TDTM podcast. Follow on Spotify or Apple Podcasts to receive new episode updates right away. *
The Amsterdam warning
On 13 October 2025, councillors for the municipality of the Netherlands’ largest and capital city, Amsterdam, were satisfied with their day’s work.
A few months previously the local government, made up of the three biggest left-wing and centrist parties (Groen Links, PvdA, and D66), had confronted the fairly dry task of procuring a company to provide a cloud-based filesharing system for municipal business. Driven by principles and security concerns, they had decided against big tech options like Microsoft Sharepoint and, that day, had announced their choice of Dutch-headquartered firm Solvinity to provide a bespoke option.
It was a move away from US-owned tech providers and part of a broader national, and indeed EU-wide, mission to disentangle critical services from dependence on foreign companies. Their choice was vindicated by a high profile report published just a week later by De Nederlandsche Bank (DNB) and the Netherlands Authority for the Financial Markets (AFM) warning of the risks of increasing reliance on IT providers outside of Europe. In a world of increasingly complex soft power games even between allies, as well as threats to hardware such as undersea internet cables, the risk and the consequences of trusting essential services to offshore providers were just too great.
Not even one month later though the celebration came to an abrupt end when it was announced that Solvinity, the Dutch-operated company which had been chosen by Amsterdam council to provide its cloud services, was being acquired by US-owned firm Kyndryl.
Amsterdam councillors spoke of feeling betrayed, with one Groen Links councillor noting that “we tried to find someone to help us avoid American technology, now they’ve also been hijacked” and questioning whether Solvinity’s representatives had known of the takeover negotiations when bidding for Amsterdam’s tender as a proudly Dutch-operated outfit. Efforts to outrun American big tech had led right back to the thing they’d tried to avoid.
And the problem would turn out to be much bigger though than idealistic municipal councillors colliding with the reality of global tech.
Digital entanglements
What people soon realised was that Solvinity wasn’t some new kid on the block bidding for local tenders: it already provided critical infrastructure for managing information at the national government level. It was, in fact, profoundly embedded in and essential to the running of vital state services.
The most significant is that Solvinity runs the platform behind DigiD, the digital identity verification system which gatekeeps a wide range of government and private systems. Basically every adult citizen in the Netherlands has the DigiD app on their phone which they use routinely to confirm their identity using a passcode or biometric recognition. At the back-end of the infrastructure, this highly personal data is linked up with citizen numbers (similar to social security numbers) which are the permanent paper identities which have been assigned to every individual who has ever lived (legally) in the Netherlands.
Solvinity also provides platforms for the Dutch Ministry of Justice and Security, the Public Prosecution Service, the judiciary and in effect, “the entire judicial chain.” The Dutch government has also now confirmed that Solvinity platforms are used by the Ministry of Social Affairs and Employment, the Ministry of Health, Welfare and Sport, and the Ministry of Finance.
Subject to regulatory approval, takeover by Kyndryl will mean all of these platforms will now have a new, American owner.
And while some people, including the more left-inclined Amsterdam councillors, object broadly to the idea of American big tech on anti-corporate and even environmental principles, the issue has been catching attention across the political spectrum due to some specific, concrete concerns.
Clouds in America
Solvinity is already not a Dutch company but owned by the British-majority venture capitalist Vitruvian Partners. The app which DigiD operates on is also managed by separate company Logius, which is Dutch owned and operated, while Solvinity provides only the data platform behind it.
But US-owned, as it turns out, has different implications to majority-British-owned. And it makes little difference if there is a Dutch-controlled wrapping around the final product in question.
The problem is the US Cloud Act (Clarifying Lawful Overseas Use of Data Act), passed in 2018, which requires US-based tech companies to hand over any data in their systems to US law enforcement if a warrant is issued, regardless of where in the world that data is stored. Section 702 of the Foreign Intelligence Surveillance Act (FISA) also grants the US government the right to intercept electronic communications relating to non-US citizens abroad. Section 702 was supposed to expire in 2024 but was extended, despite EU leaders noting that it sits in direct conflict with European privacy law (GDPR).
The Dutch Ministry of Justice itself commissioned research in 2022 into whether the Cloud Act was applicable to EU entities. The answer came back as a very clear ‘yes,’ with firm GreenbergTraurig which had carried out the research advising that in order to keep data out of reach of the Cloud Act,
“In no case can the EU Entity have a U.S. parent company, as the parent would be considered to have possession of or control over the data of its subsidiary.”
Going further, they even add that “it is advisable not to employ US nationals who have access to relevant data” because the Cloud Act and other legal mechanisms can compel data from US citizens based in Europe, leaving them with the unenviable choice of breaking EU privacy laws or being sanctioned by their own government.
The kill-switch
Data privacy is not the only risk though or even the most serious one. A US parent company could also be compelled to switch off or shut down infrastructure operated by one of their subsidiaries, temporarily or permanently, in the name of risks to US security or interests.
This kind of risk had been accepted in the past on the basis that such powers would be sparingly used and not without good reason. Given the erratic behaviour of the second Trump administration, European politicians and the public are now more sceptical as to whether this ‘reasonable use’ assumption still holds.
The ability to switch off critical domestic infrastructure is quite something to trust to another sovereign nation, even between fast allies. But we are talking now about a card in the hand of a President who views America’s alliance with Europe as a raw deal he inherited and resents. The US could always hold critical reliance on its tech platforms over the EU were it to try and apply sanctions for, say, the US unilaterally placing a military presence in Greenland.
In May 2025, the Chief Prosecutor of the International Criminal Court in The Hague suddenly found that he couldn’t log into his email account. It turned out the US government had ordered Microsoft, owner of the email platform in question, to block his account, apparently in response to the ICC issuing warrants for Israeli Prime Minister Benjamin Netanyahu. The ICC isn’t national government infrastructure, of course, but it shows that the kill-switch can be used.
Incredibly, the Dutch Government has now revealed that it was not told that Solvinity was to be acquired by a US-owned company until this information was publicly announced. It had known since May 2025 that Solvinity was in acquisition talks with someone, but then only because a director at Logius (which runs the DigiD app) had requested to break Solvinity’s embargo to inform contacts at the Dutch Home Office. It seems odd that the government itself didn’t have to be informed of critical infrastructure acquisition by a foreign entity, or that it seemingly couldn’t find out who this was when tipped off as a courtesy. But maybe that’s because no one worried as much about this in the past.
The Dutch Government has again acknowledged that “at least in theory, US authorities could, if necessary, gain access to the data processed by Solvinity on behalf of the state,” should the Kyndryl acquisition of Solvinity go ahead. It is currently making an inventory of critical processes would be affected, as well as exploring what a sovereign government cloud could look like as longer-term alternative.
Solvinity has responded with a not entirely reassuring Q&A about the takeover and insistence that it remains Dutch-operated and bound by GDPR:
An “extremely unlikely” possibility of a data request is a possibility nonetheless. And since GDPR is plainly incompatible with instruments like the Cloud Act, it’s unclear what the promise to “never share customer data unless legally required to do so” means in practice. Nor does anyone involved want to admit to the possibility that DigiD could be taken offline at the request of the American authorities.
Outsourcing data sovereignty
There can be good reasons for letting third parties manage sensitive data, chief among them the promise that experts can provide better cyber security than a government or a business usually can. But it still remains glaringly obvious that trusting any outsider with access - not to mention the ability to switch off critical infrastructure - is a big risk in its own right.
Clearly the safest thing to do, from a data sovereignty perspective, is to run these type of systems properly in-house. So why and how did we get to the point where most governments which are not superpowers like the USA and China don’t even consider using technology of their own to protect and manage their data? To even start making a quick tally of the number of major databases and systems which use cloud platforms - whether in the Netherlands or in the UK - is to very quickly discover widespread reliance on the ‘big three’ of Microsoft Azure, Amazon Web Services, and Google Cloud, all headquartered in the USA.
There is an answer to this, and the Netherlands provides a pretty good illustration.
To those who know anything about digital ID and state systems for managing personal data on the population, the Netherlands is also something of a model case, up there with Estonia and Denmark as countries which others strive to imitate. The Dutch have had a population register - meaning a live database of information on everyone resident in the country (and including former residents abroad) - since 1850. Along with the Nordic countries, they were pioneers in data management. For 150 years, the Dutch were never in doubt that they could handle their own information themselves.
A key moment came when Dutch population records went digital in 1994. In 2005, DigiD was introduced as a quick way of verifying identity in order to access records which are linked to a person’s unique citizen number (BSN). Some time in the 2010s, DigiD became a smartphone app. And while technically its only compulsory use is in order to submit a tax return, the ease of the app has made it the default verification method for lots of everyday processes.
DigiD is the main gateway to managing one’s health insurance (which is compulsory), dealing with tax, pay, benefits, and pensions, registering to get married, applying for student finance and even, in some areas, reporting a broken streetlamp. It’s the kind of one-size-fits-all identity verification tool that proponents of the new digital ID cards policy proposed in the UK last year find extremely sexy.
When the time came for identity verification to go digital, there was never a serious suggestion of building such a system in-house. One company was commissioned to build and run the public-facing front-end and another to manage the infrastructure at the back.
More broadly - and all around the world - it was during the transition to digital that it became the norm to outsource parts of government systems to private, specialist companies. This started already in the 1980s, a decade of rapidly improving digital technology and when the hardware was so scarce and expensive that certain processes simply had to be outsourced. As computers became more affordable and user-friendly, governments could start to rig up their own infrastructure for managing data.
But there quickly emerged another problem of security. As a general rule, the security on off-the-shelf products was fairly weak and vulnerable to hackers, and the main producers were too slow to prioritise security in design. Bill Gates himself expressed personal shame about Microsoft’s poor security already in 2002, at least internally. Instead of in-built security improving, a side-industry of cyber security solutions emerged, offering firewalls, anti-virus scanners, encryption and protection that was the user’s responsibility to maintain.
Because standard computing equipment is just nowhere near secure enough to protect sensitive data, government departments now face the choice of spending a lot of money to come up with their own fix for this or commissioning it from a third party which offers something ready-to-go. The vast majority of the time, the second option is cheaper, at least in the short term.
What’s interesting is that while this technical expertise is far less scarce in general than it was in the past and while, in theory, it should be easier than ever for governments to create their own secure platforms, reliance on third party tech providers has only increased.
This likely has to do with the emergence of Silicon Valley as a powerful seller of ever-evolving tech ‘solutions,’ at the same time that public sectors have shown very little interest in trying to attract similarly qualified and motivated people to work directly for them.
The irony is that something like a cloud-based digital ID platform is actually pretty straightforward to produce and maintain. Simplicity is the key to these kinds of system: the fewer vectors along which information travels, the better. But building something like that seems like a totally unrealistic challenge and an unjustifiable cost to most governments now. There’s not enough of the right kind of technical expertise within civil services already, and that’s where the conversation stops. But the cost of decades of under-investment in this area is catching up with us.
The view from the UK
In September, the UK government announced a plan to introduce digital ID in the UK which in practice would mean an app similar to the Netherlands’ DigiD, backed by a platform where both biometric and written personal information could be stored.
It seems highly likely that at least some aspects of delivering the system could be outsourced to private companies. The obvious frontrunner at the time of the announcement was US-owned mega tech corporation Palantir, with whom the UK government announced that it had entered into a 1.5 billion GBP ‘strategic partnership’ on AI in defence just days prior.
Palantir already holds contracts across a range of government departments. Between 2014 and 2023, Byline Times estimates (conservatively) that £245 million was awarded to Palantir for outsourced tech services, £198 million of which came since Palantir offered its data management services to the NHS ‘for free’ in the pandemic. It runs the NHS’s Federated Data Platform (FDP), effectively the full database of UK patient records and the largest patient dataset in the western world. And yet Palantir has apparently ruled out bidding for any digital ID contracts which should emerge as it finds the idea too ‘controversial.’
There is speculation that US tech company Oracle will now be the frontrunner for the contract to build the digital ID system, should it be outsourced. Oracle already holds contracts reportedly worth £1 billion with parts of government including the Ministry of Justice, Department for Work and Pensions and Home Office, and the company is said to be investing $5 billion of its own money in UK infrastructure over the next five years. That can only mean the expectation of big future returns, including from public sector contracts. The US-owned Amazon Web Services is also a hefty provider of digital services to the UK government. According to research by Tussell, 35 public sector authorities currently use AWS services across 41 contracts worth a combined £1.1bn.
While Europe is trying to extract itself from US big tech, the UK is welcoming it with open arms. But the situation here is already different because we’ve long had a special relationship with the US on data-sharing of a kind that most European countries don’t have.
Far from being concerned by the Cloud Act, in 2019 we signed a bilateral Cloud Act Agreement acknowledging that we were happy for the US to access UK-based data as needed and receiving our own reciprocal rights to US data. A further UK-US data-sharing agreement solidified this exchange of surveillance rights in 2022.
We don’t face the same choice as our European neighbours as to whether we should do more to shield our data from the US because we’re already so deeply entangled. More than that, it’s also not clear there would be any benefit to trying to extricate ourselves, setting aside principle-based arguments about privacy and civil liberties.
What we should still be thinking about, in the same way as the EU, is the resilience of our critical data infrastructure when it’s so reliant on US platform providers. The issue of the kill-switch should still play on our minds, even if we think our special relationship with the USA makes this much less of a risk.
I wonder if we are being a bit slow in the UK to admit that critical infrastructure doesn’t just mean train tracks, reservoirs and the national grid, or even the banking system. Cloud-based data storage platforms peppered throughout government can seem like small parts in the overall machinery but can spell disaster if disrupted.
BritCard, as the new digital ID is informally named, is likely to look like something similar to the NHS App. In an interesting parallel of the Solvinity case, when the NHS app was last tendered, the contract went to IBM together with BJSS - a UK-owned company at that time. Four days after this contract was made public, BJSS was acquired by Canadian tech firm CGI. Being Canadian-owned doesn’t create more vulnerability in that particular part of the system per se, but it does show that British-owned might not always mean British-owned, just like Dutch-owned might not always mean Dutch-owned.
The best and perhaps only way to guarantee critical data systems stay online in this time in history is to keep them in-house, which means insisting on the use of cloud platforms controlled from within the territory in question.
The Dutch Attorney General is currently looking at whether Solvinity’s contract could or should be terminated in light of its US takeover, for example, on the grounds that it makes compliance with GDPR impossible. But even if the argument is there to terminate, it wouldn’t be as simple as quickly shopping around for an alternative. There are not many tried and tested options out there in the private sector, and most are in some way US-affiliated.
It will take significant investment to build domestic data infrastructure - but at least EU countries are already talking about it. With digital ID in the pipeline, now is the time for the UK to start a serious conversation about this too.
Working in the UK for a US tech company, I can tell you that fear of the CLOUD act is here too. Interestingly, AWS just opened a Sovereign Cloud service in the EU, which claims to be outside of its jurisdiction.
brill piece . . . outsourcing clouds/ data now an existential Q. is Estonia completely in house/ autonomous?