The Netherlands has drawn a firm line around its most widely used digital identity system. Starting with the contract after August 2028, only a European company will be allowed to operate key parts of the DigiD platform. State Secretary Eric van der Burg of the Interior Ministry laid out the policy in a letter to parliament on June 5. The decision follows months of mounting worry over foreign access to sensitive personal information.
DigiD serves more than 16.5 million Dutch residents. They rely on it to file taxes, arrange health insurance, claim pensions and handle municipal affairs. The system sits at the center of daily government interaction for most citizens. Any disruption or unauthorized reach into its data would ripple across public services.
But the move isn’t sudden. It builds directly on the cabinet’s recent veto of a U.S. takeover. Last month officials blocked Kyndryl’s planned purchase of Solvinity, the Dutch cloud provider that currently hosts infrastructure for DigiD and the related MijnOverheid portal. The Investment Screening Bureau, known as BTI, had advised that the deal posed “a possible risk to the public interest.”
Politico reported that State Secretary Willemijn Aerdts informed parliament the review was “country-neutral, risk-based and proportionate.” The Netherlands values American tech investment, her letter stressed, yet maintains independent safeguards. Concerns centered on the U.S. CLOUD Act. It lets American authorities demand data from U.S.-owned companies even when servers sit in Europe.
Solvinity itself had promised to fight any such requests. Company officials insisted DigiD would remain under Dutch control. They could not, however, offer ironclad guarantees against American legal pressure. Parliament grew skeptical. MPs from multiple parties pressed the government to keep the platform out of foreign hands. One lawmaker, Progressief Nederland’s Barbara Kathmann, warned a U.S. owner could “turn off our digital government with one flick of the switch.”
The cabinet first extended Solvinity’s contract to buy time. A Dutch court backed that extension in May, citing risks to service continuity. Then came the full block of the Kyndryl deal. And now the policy has hardened into a rule for the future.
Van der Burg chose the Defense and Security Procurement Act, or ADV, to run the next tender. “The reason for this is that the ADV offers more possibilities than a regular European tender to limit risks to national security,” he wrote. The law lets officials restrict bidders to European firms when security demands it. Countries whose laws allow extraterritorial data demands are effectively excluded.
This isn’t protectionism dressed up as policy. Officials frame it as risk management. Data on DigiD and MijnOverheid will also receive stronger encryption. That change stems from a classified review tied to the Solvinity-Kyndryl case, according to the NL Times.
European governments have grown more assertive about digital control. The Dutch action fits a pattern. Regulators across the bloc eye cloud providers, data flows and critical infrastructure with fresh caution. A Jones Day analysis published in June noted the veto marks the first prohibition under the BTI since it began operations in 2020. It signals “heightened focus on EU digital sovereignty,” the law firm wrote, linking the case to broader efforts like the EU Data Act and Gaia-X initiatives.
Yet practical questions remain. Solvinity, currently owned by a British investor, has managed the platform under strict oversight from Logius, the government agency within the Interior Ministry. Logius sets all standards, security rules and architectural decisions. Solvinity employees cannot alter the system without explicit approval. The arrangement kept core control in Dutch hands even as technical operations sat with a private supplier.
The upcoming tender will test how many credible European candidates exist for such specialized work. Running a national digital identity platform at this scale demands proven expertise in high-security cloud hosting, continuous compliance and rapid incident response. Not every domestic or EU firm can meet those bars.
Public reaction has been muted so far. Earlier polls, however, showed widespread unease. One survey found 87 percent of residents would abandon DigiD if a U.S. firm gained control. That level of distrust surprised some officials. It also underscored how deeply the system has embedded itself in ordinary life. Lose confidence in its security and usage could drop. Government services would slow. Administrative costs would climb.
Van der Burg avoided framing the policy as anti-American. “It is not about whether a company is American or not,” he told lawmakers. The test is whether the country of headquarters can compel data handover regardless of European wishes. The distinction matters for future trade talks and tech partnerships. It keeps the door open to American innovation while closing one specific gate.
Implementation will unfold over the next two years. The current Solvinity contract runs through 2028. Van der Burg promised another update to parliament once the new operator is chosen. In the meantime, encryption improvements will roll out. Oversight from Logius will stay tight. And the debate over digital sovereignty will likely intensify.
Other European capitals are watching. The Netherlands has turned a single blocked deal into standing policy. That precedent could influence tenders for electronic ID systems in neighboring states. It adds concrete weight to years of talk about reducing dependence on non-EU cloud providers. Results will show whether the approach delivers both security and operational excellence. For now, the Dutch government has chosen control over convenience. The platform that millions log into each week will stay under European stewardship.
WebProNews is an iEntry Publication