On May 25, 2026, the Dutch government did something its foreign-investment screener had never done before: it said no. State Secretary Willemijn Aerdts, acting on a binding recommendation from the Investment Screening Bureau (Bureau Toetsing Investeringen, BTI), prohibited US firm Kyndryl from acquiring Dutch cloud provider Solvinity. It was the BTI's first outright prohibition since the bureau became operational in 2020, and it landed on a target that explains the nerves: Solvinity runs the infrastructure behind DigiD, the national digital-identity login, and MijnOverheid, the citizen government portal.
The decision rests on a specific legal hook — the Telecommunications Sector (Undesirable Control) Act (Wet ongewenste zeggenschap telecommunicatie, WOZT) — and a specific fear: extraterritorial US data access. Under the US CLOUD Act, American authorities can compel a US-headquartered company to produce data regardless of where it is stored. If the company operating the plumbing of Dutch digital identity answered ultimately to Washington, the reasoning goes, the Netherlands could lose practical control over who can reach 16.5 million citizens' login and tax data.
The strongest case for the block
It is worth stating the regulator's case at full strength, because it is not weak. DigiD is not an ordinary SaaS contract; it is the front door to medical, pension, insurance, and tax services for nearly the entire adult population. The CLOUD Act conflict-of-laws problem is real and unresolved: a US controller can face a lawful American order and a conflicting Dutch or EU one simultaneously. Contractual data-localisation clauses do not dissolve that tension, because they bind the subsidiary, not the parent's legal exposure. At a May 29 post-Cabinet press conference, Prime Minister Jetten framed it plainly — certain data belonging to Dutch citizens should "remain in Dutch hands" — and stressed that the BTI is a fully independent advisory body. For genuinely sovereign infrastructure, wanting a controller that sits unambiguously inside your own jurisdiction is a defensible instinct, not reflexive protectionism.
Why the tool is still too blunt
Grant the worry, and the question becomes proportionality — the test the government itself invokes, calling its review "country-neutral, risk-based and proportionate." A merger veto is the heaviest instrument in the box. It does not merely keep DigiD in Dutch hands; it kills an entire corporate transaction, signals to every US technology investor that the most sensitive Dutch assets are off-limits, and invites the retaliation the Cabinet was visibly anxious to deny. Jetten acknowledged American "frustration" while insisting the move was not politicised — a hard line to hold when the decisive variable is the acquirer's nationality.
The more revealing fact is what the government did next. On June 4, it announced that the DigiD platform will be re-tendered under the Defence and Security Procurement Act (Aanbestedingswet Defensie- en Veiligheid), explicitly because that framework offers "more possibilities to limit risks for national security" than ordinary EU procurement. That is the proportionate tool — and it was available all along. Procurement design lets the state set hard sovereignty conditions (jurisdiction of control, key custody, audit rights, exit terms) on the specific contract that matters, without vetoing ownership of the company as a whole. The existing Solvinity contract runs to August 2028, leaving ample runway to migrate the workload on the state's own terms. If the security objective can be met through how you buy the service, blocking who owns the vendor is a sledgehammer where a scalpel was in reach.
The market-led alternative the Dutch already have
There is also a better model sitting right next door, and the competition regulator has already blessed it. On April 1, 2026, seven Dutch providers — KPN, Centric, Info Support, Intermax, Nebul, Previder and Uniserver — launched the Open Cloud Alliantie, pooling roughly €2.5 billion in combined turnover behind shared open standards so customers can move between them and bid jointly for government work. The Netherlands Authority for Consumers and Markets (ACM) reacted positively; chief executive Martijn Snoep noted that "alliances such as this one can boost market forces by creating new players which are in a better position to compete with large US providers."
That is the pro-innovation path to the same end. Dependence on US hyperscalers — an NOS analysis found 67% of some 16,500 government, hospital and school domains rely on at least one American cloud provider — is best cured by building credible European supply, not by walling off demand. Sovereignty earned through competition is durable; sovereignty imposed through investment vetoes is brittle, litigious, and easily mistaken for industrial policy. Solvinity has already gone to court demanding the State's full reasoning, which means the block's real-world durability is now a judicial question, not a settled fact.
The line to watch
The Solvinity case is a reasonable first use of a power that was always going to be used eventually. The danger is precedent drift: from a narrow, well-justified worry about one population-scale identity system to a habit of reading "public interest" expansively whenever the buyer flies the wrong flag. The Dutch have shown they have the better instruments — security-grade procurement and pro-competition market-building. The test now is whether the first veto stays the exception, or becomes the reflex.