Dutch Parliament Demands Protection of Citizen Data from US Control
The Hague, Wednesday 21 January 2026
Parliament has mandated immediate action to shield DigiD infrastructure from US jurisdiction, fearing the acquisition of host Solvinity could grant American authorities access to critical Dutch identity data.
Legislative Firewall Against Foreign Jurisdiction
Following our previous coverage on the risks facing Dutch digital sovereignty [https://siliconpolder.nl/533499e-Digital-Sovereignty-Cybersecurity/], the political landscape has shifted decisively. On Wednesday, 21 January 2026, a parliamentary majority in The Hague formally instructed both the caretaker and the incoming Cabinet to exhaust all options to prevent Dutch DigiD data from falling under American control [1][4]. This mandate responds directly to the impending acquisition of Solvinity, the manager of the DigiD infrastructure, by the US-based IT firm Kyndryl [3][6]. The urgency of this directive follows a technical briefing held on Tuesday, where experts warned Members of Parliament that the acquisition could expose sensitive citizen data to the jurisdiction of the United States government [1][2]. While Parliament acknowledges it cannot legally force a private entity to abandon a commercial acquisition, the motion compels the government to explore alternative interventions, such as persuading Solvinity to reconsider or migrating the government’s IT service, Logius, to a different provider [1][6].
The ‘Red Button’ Risk and Geopolitical Leverage
The parliamentary concerns are rooted in the expansive reach of US legislation, such as the Cloud Act of 2018, which grants American authorities the power to demand data from US-owned companies regardless of where that data is physically stored [3]. During the technical briefing, IT expert Bert Hubert illustrated the geopolitical stakes, warning that US leadership could leverage this access as a pressure point. Hubert posited a scenario where a US President might threaten to ‘push the red button’ at Solvinity—effectively disabling DigiD—if the Netherlands opposed US foreign policy, such as sending military aid to Greenland [3]. This capability could paralyse essential services, as DigiD is the gateway for citizens to access health insurers, pension funds, and tax authorities [1][6]. Furthermore, privacy advocates have highlighted the risk of blackmail, noting that access to login metadata could reveal a citizen’s visits to specialised medical practices [3]. GroenLinks-PvdA MP Barbara Kathmann summarised the sentiment, stating fears that the US administration could ‘shut down our digital government with the single push of a button’ [1].
Strategic Interventions and Future Governance
To mitigate these risks, proponents of digital sovereignty are advocating for structural safeguards. One proposal gaining traction is the state acquisition of a ‘golden share’ in Solvinity, which would grant the Netherlands veto power over critical strategic decisions [1][6]. Alternatively, VVD MP Silvio Erkens has argued that if the deal proceeds without legal guarantees against US access, the government must strip Solvinity of its responsibility for DigiD activities entirely [1][5]. This scrutiny aligns with broader public sentiment; a petition calling for the halt of the takeover had garnered over 87,000 signatures by late 2025 [5]. Looking ahead, the incoming coalition government appears poised to institutionalise these concerns. D66 leader and prospective Prime Minister Rob Jetten confirmed that the new Cabinet will include a minister with specific responsibility for digital security and a ‘clear mandate’ to address such vulnerabilities [1][2]. A parliamentary debate on digital security remains scheduled to take place before the spring recess in mid-February to formalise these strategies [2][5].
Accelerating European Digital Autonomy
The controversy surrounding the Solvinity acquisition serves as a catalyst for a wider pivot away from reliance on American hyperscalers. The House of Representatives has expressed a clear intent to reduce the dependency of government institutions on US cloud services in the coming years, aiming for greater national and European self-reliance [2][6]. This shift is not merely defensive but represents a strategic realignment of the Dutch digital economy. Tech industry leaders have already sent an urgent letter to the Bureau for Verification of Investments (BTI), which is currently reviewing the acquisition, arguing that the deal fundamentally compromises national security [3][8]. As the BTI conducts its review, the consensus in The Hague is that preserving the integrity of the nation’s digital identity infrastructure is a non-negotiable prerequisite for future governance [3][8].