All photos: Designed by gstudioimagen / Freepik
What is happening exactly around DigiD?
Solvinity is a Dutch cloud and security company that provides a secure infrastructure for the government. The company plays a key role in DigiD, MijnOverheid, and other critical services. Kyndryl, an American IT service provider and spinoff of IBM, wants to acquire Solvinity. This proposed acquisition is causing a heated debate in The Hague: parties in the House of Representatives are concerned about the privacy of millions of Dutch citizens and whether crucial digital national infrastructure is not 'effectively in foreign hands'.
There is a small nuance: DigiD remains legally and substantively under the control of the Dutch government, but the cloud party that hosts and manages the environment would soon report to an American parent organization. This shift could, particularly due to the American CLOUD Act, lead to problems.
DigiD, jurisdiction, and data sovereignty
The acquisition does not simply mean a relocation of servers. In fact, it could be that the servers remain on European soil while they are legally under U.S. jurisdiction. It is about jurisdiction: under which legislation does the party that technically manages your data fall?
With an American owner, Solvinity must deal with legislation such as the CLOUD Act. This requires American technology companies to hand over data to U.S. authorities under certain conditions, even if that data is physically in Europe.
The National Cyber Security Centre emphasizes two things. First, European data that is physically located in Europe is not automatically protected against non-European legislation such as the CLOUD Act. At the same time, the chance that the American government will practically request large amounts of European personal data through this route is 'certainly conceivable, but (very) small'. However, that risk remains.
This is understandably unacceptable for an identity provision like DigiD; all of the Netherlands logs in with DigiD at government institutions. These are data that you want to have 100% protected. You can compare it to a museum like the Louvre; would an existing security gap that can be used to store valuable data just be left open? What do you mean, bad example?
Moreover, this case around DigiD shows how data sovereignty has quickly developed into a full-fledged business risk and talking point. Geopolitical uncertainty and changing regulations have made data sovereignty a strategic factor that must be implemented with increasing urgency.
This case also illustrates what data sovereignty actually means. Not only that the infrastructure belongs to you, with, for example, your own data center, but especially that data must legally remain yours in any case. Jurisdiction becomes a conscious choice - American parties offer data storage on a much larger scale, while European providers offer more certainty in privacy. It turns out that it must be explicitly determined where the control remains in this case; Kyndryl would inherit the crown jewels of Solvinity.
What can IT professionals do with this concretely?
You have no influence over the DigiD deal, but you do over your own landscape. Three practical actions:
1. Make jurisdiction part of your supplier and cloud strategy
Document for each critical service: who is the ultimate owner, in which country is the parent organization located, and which legislation may apply (such as the CLOUD Act)? Link that to data classification: which data may fall under which jurisdiction - and which absolutely may not. This aligns well with existing NIS2 and Cybersecurity Act processes where supplier risk is explicitly part of it.
2. Build exit and change-of-control clauses into your contracts
Include clauses in every agreement with a cloud or managed service provider that allow you to renegotiate or terminate in the event of an acquisition by an 'undesirable' party. Combine that with a realistic exit plan: how do you get data, configurations, and logging back in a timely and usable manner if you need to migrate?
3. Design for multi-cloud and data sovereignty, not after
Prevent a single foreign party from having control over your entire identity, log, or core application landscape. Work with hybrid or multi-cloud as a starting point, with open standards and portability by design. Data sovereignty and security have now become key drivers for hybrid and multi-cloud investments, especially in public and regulated sectors.
From incident to design principle
The potential acquisition of Solvinity by Kyndryl is not an exotic exception, but an example of something that can happen to any organization: a reliable, local partner suddenly becomes part of an international corporation with different interests and different legislation.
As an IT professional, you can use this moment to make data sovereignty a design principle: not just thinking about jurisdiction when politics gets alarmed, but determining in advance which data and services must really remain "owned". Focus your architecture, contracts, and governance on that.
