A growing legal battle in the Netherlands is raising serious questions about data sovereignty, national security, and control over critical digital infrastructure.
Three Dutch citizens have launched legal proceedings to block the acquisition of Solvinity, a key hosting provider behind the country’s national digital identity system DigiD, by a US-based company, Kyndryl.
If approved, the deal could effectively place the backbone of the Netherlands’ digital identity infrastructure—used by more than 16 million people—under foreign ownership.
Why This Matters: DigiD Is Critical National Infrastructure
DigiD is not just another government application. It is the core authentication system that enables Dutch citizens to:
- Access healthcare services
- File taxes
- Communicate with government agencies
- Manage pensions and unemployment benefits
In simple terms, DigiD functions as the digital gateway to public services.
👉 Any disruption or compromise could impact millions of citizens and essential sectors of daily life.
The Core Concern: Foreign Control Over Sensitive Data
At the center of the controversy is a fundamental question:
Should a foreign company control the infrastructure behind a national identity system?
Privacy experts and lawmakers are concerned that:
- Sensitive personal data could become accessible under foreign legal frameworks
- The system could become vulnerable to external influence or intervention
- Critical digital services could be exposed to operational or geopolitical risks
One of the biggest fears is the potential for a “kill switch” scenario, where access to essential services could be disrupted—whether intentionally or due to external pressure.
The Proposed Acquisition
In November 2025, Kyndryl announced its intention to acquire Solvinity, the Dutch company hosting DigiD infrastructure.
If this acquisition proceeds:
- Kyndryl would gain operational control over systems supporting DigiD
- A US-based entity would indirectly influence the infrastructure of a national identity platform
This has triggered strong reactions across political, legal, and technical communities.
Political Response and Government Position
The Dutch House of Representatives has already raised concerns and requested actions to prevent the acquisition.
However, the government has indicated limitations in its ability to act quickly.
The responsible minister stated:
- Switching providers before August 2026 is considered too risky
- Migration would require:
- Extensive preparation
- Careful execution
- Significant time and coordination
👉 This highlights a critical issue: dependency on existing vendors creates lock-in risks for governments
Legal Action: Citizens Push Back
The lawsuit filed by three citizens aims to:
- Prevent the contract extension with Solvinity
- Delay or block the acquisition
- Ensure parliamentary oversight before any decision
This is not an isolated legal challenge.
Multiple Legal Challenges Are Emerging
This case is part of a broader pushback against the deal:
- A senior privacy official responsible for DigiD previously filed a lawsuit
- A group of journalists and tech experts formed a foundation and launched legal action
- Citizens are now taking the issue to court through summary proceedings
👉 The common goal:
Keep national digital identity infrastructure under Dutch or European control
Why Experts Are Concerned
This situation touches on several high-risk areas that security and technology leaders should pay attention to:
1) Data sovereignty risks
National identity systems process:
- Personal identification data
- Healthcare-related information
- Financial and tax data
Control over such systems is directly tied to national sovereignty.
2) Supply chain and vendor dependency
Governments increasingly rely on external vendors for critical infrastructure.
But this creates:
- Long transition timelines
- High switching costs
- Operational dependency
👉 Once a system is deeply integrated, changing providers becomes extremely difficult.
3) Geopolitical exposure
When infrastructure crosses borders:
- Legal jurisdictions overlap
- External policies may apply
- Political tensions can introduce new risks
4) Concentration of control
A single service like DigiD acts as a central gateway to multiple systems.
If compromised or disrupted:
- Healthcare access could be impacted
- Financial processes could fail
- Government services could be interrupted
What This Means for Security Leaders
This case is a strong reminder that cybersecurity is no longer just about threats and vulnerabilities—it’s also about ownership and control.
Key takeaways for organizations:
✅ Identify critical systems that rely on external providers
✅ Evaluate vendor dependency risks
✅ Include geopolitical risk in security planning
✅ Ensure contingency and exit strategies for core platforms
✅ Treat identity infrastructure as tier-1 critical systems
Common Misconceptions
❌ “If the system is secure, ownership doesn’t matter”
👉 Control and jurisdiction matter just as much as technical security
❌ “Cloud or outsourcing reduces risk”
👉 It can reduce operational burden—but increase dependency and exposure
❌ “Migration can always be done later”
👉 This case shows switching providers can take years
FAQs
What is DigiD?
DigiD is the Netherlands’ national digital identity system used by over 16 million citizens to access government services.
Why are citizens suing?
They want to prevent foreign control over infrastructure linked to national identity and sensitive personal data.
What is the main risk?
Loss of control over critical systems, potential data access concerns, and operational dependency on a foreign entity.
Why can’t the government change providers quickly?
Because migrating critical infrastructure requires time, planning, and coordinated execution to avoid disruption.
What is the broader impact?
This case highlights growing global concerns about digital sovereignty and control over critical infrastructure.
Conclusion
The legal battle over DigiD is not just about one acquisition—it reflects a larger global shift.
Governments and organizations are starting to realize that:
👉 Control over digital infrastructure = control over national resilience
As more critical systems move into outsourced and global environments, the key question becomes:
Who really controls your most important systems—and what happens if that control changes?
