Pierluigi Paganini
May 27, 2026
Dutch Government told Kyndryl it can’t buy Solvinity. That sentence doesn’t sound dramatic, but what it means is this: a European government just blocked an American IT company from acquiring the firm that runs DigiD, the platform Dutch residents use to book a doctor’s appointment, buy a house, file their taxes, and interact with virtually every public service in the country. The deal was worth roughly €100 million. The Dutch government said no anyway.
“The Dutch government is blocking a United States-based company’s attempts to acquire a key online identification IT supplier.” reads the post published by Politico.
Kyndryl announced the acquisition in November 2025. The reaction was immediate. Concerns spread that a critical piece of Dutch digital infrastructure would fall under foreign control, and the investment screening authority took those concerns seriously. State Secretary for Digital Economy Willemijn Aerdts wrote to parliament on Tuesday to confirm the government had adopted the authority’s advice in full. The purchase was seen as posing “a possible risk to the public interest”
The Dutch government was careful to frame the decision as principled rather than anti-American.
“The Netherlands attaches great value to the presence of foreign, especially U.S.-based tech companies, and their added value to the Dutch economy and digital infrastructure, but it maintains, at the same time, an independent investment screening framework aimed at protecting the public interest and which applies equally to all investors, independent of their country of origin.” states the letter to parliament.
The underlying concern is the US CLOUD Act. Passed in 2018, it gives American law enforcement and intelligence agencies the power to compel US companies to hand over data stored on servers anywhere in the world, regardless of the host country’s privacy laws. If Kyndryl owned Solvinity, the data behind the Dutch national identity system would theoretically be reachable by US authorities on demand. That’s not a hypothetical Europe wants to test right now.
Kyndryl didn’t take it quietly. The company called the decision “extremely disappointed” and went further: “The politicization of this process has overshadowed the clear and important benefits this transaction would have brought to Solvinity’s customers and Dutch citizens.”
It’s a pointed line. Whether the process was politicized or simply working as designed depends on where you sit.
The timing matters beyond the Netherlands. The decision lands a week before the European Commission unveils its tech sovereignty package, a set of proposals to cut Europe’s dependence on foreign technology across cloud, microchips, and AI. The Dutch block gives Brussels a concrete, live example to point to. What The Hague did with one screening authority this week, Brussels may soon ask every member state to replicate by law.
For any American technology company selling cloud or managed services to European public institutions, the message is plain. A signed deal and a clean antitrust review aren’t enough. The question regulators are now asking is simpler and harder: can you guarantee that your own government can’t reach into European data when it decides to? Most US companies can’t honestly answer yes.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Dutch Government)
