Netherlands blocks US takeover of vital digital supplier

Original Article ↗ Hacker News Discussion ↗

Context: Solvinity, DigiD, and the Blocked Takeover

  • Solvinity runs key infrastructure for DigiD, the Dutch e-ID used for authentication to most government and many healthcare systems.
  • DigiD is owned by Logius (a government body); Solvinity provides hosting/sysadmin.
  • There’s debate on access: some say as hoster Solvinity can technically access everything; others claim government-owned hardware and separation of duties limit access, but details remain unclear.
  • Logius is reportedly heavily vendor‑locked into bespoke systems; migrating away is estimated at 5+ years.

Sovereignty, US Law, and Data Access

  • Central concern: US laws (CLOUD Act, FISA 702) allow US authorities to compel access to data held by US companies, even if hosted abroad.
  • Many argue this makes any US ownership of DigiD infrastructure unacceptable, both for privacy and for control (risk of pressure/sanctions via service disruption).
  • Others note that data-sharing with allies and warrants exist anyway; some see the main issue as control over critical infrastructure, not just privacy.

Dutch and EU Political Dynamics

  • Dutch parliament previously voted (almost unanimously) to end the Solvinity contract, but the government extended it; blocking the takeover was then the remaining lever.
  • Some see this as a healthy democratic correction under public pressure; others see a troubling clash between government and parliament.
  • Several expect Kyndryl to challenge the decision in Dutch/EU courts and predict a possible overturn, especially given Dutch government reliance on Microsoft and other US vendors, which may undermine the justification.

Alternatives, Architecture, and “Digital Sovereignty”

  • Multiple comments call for keeping essential public infrastructure entirely under domestic or EU control (sovereign cloud), not just “trusted US vendors.”
  • Proposals include:
    • Joint EU e-ID stacks (e.g., inspired by Estonia, or an EU “fast ring”).
    • Lighter designs like OAuth/OTP-based systems instead of full PKI, and “privacy by architecture” where vendors cannot access data even in principle.
  • Others emphasize that beyond technology, governments need teams for availability, continuity, audits, and accountability—open source alone is insufficient.

Critique of Outsourcing and Structural Issues

  • Many question why such vital infrastructure is outsourced at all, pointing to:
    • Public-sector pay/stack choices (heavy Microsoft use) making hiring harder.
    • Long‑term contractor dependence and vendor lock‑in.
    • Neoliberal privatization logic that moves core state functions into private hands.
  • Some worry that blocking foreign takeovers without matching domestic capital could deter future entrepreneurs or investors; others counter that it encourages sovereignty‑aligned companies and levels the field against foreign-capital-backed competitors.