The Kill Switch Problem: Why the Netherlands Still Can't Protect Its Digital Crown Jewels

In May 2025, something remarkable happened. Karim Khan, Chief Prosecutor of the International Criminal Court, headquartered in The Hague, on Dutch soil, was locked out of his Microsoft email account. No warning. No appeal process. Just a digital door slammed shut.

The reason? The Trump administration had sanctioned Khan over ICC arrest warrants for Israeli Prime Minister Benjamin Netanyahu. Microsoft complied. An international court, operating under international law, in a NATO allied country, was brought to its knees because its email ran through Redmond.

Let that sink in.

The ICC has since abandoned Microsoft entirely, switching to openDesk, an open-source suite developed by Germany's ZenDiS (Zentrum für Digitale Souveränität, or Centre for Digital Sovereignty). The court called the move essential to "reduce dependencies and strengthen technological autonomy." Translation: never again.

You would think the Netherlands, host country of the ICC, self-proclaimed champion of the international rules-based order, would have learned something from watching this unfold in its own backyard.

It didn't.

Enter Solvinity

While the ICC was scrambling to replace Microsoft, the Dutch government was quietly allowing its own digital crown jewels to drift toward American hands.

Solvinity is a cloud infrastructure provider based in Amsterdam. Most Dutch citizens have never heard of it. But every time you log into DigiD, the Netherlands' national digital identity system, equivalent to a government-issued online ID used for all interactions with public services, to file your taxes, apply for a passport, or check your pension? That authentication runs through Solvinity's platform.

MijnOverheid (literally "MyGovernment"), the official portal where citizens receive correspondence from government agencies? Solvinity. Digipoort (literally "DigiGate"), the secure gateway for businesses to exchange data with government agencies? Solvinity. Justitienet, the classified network connecting the Ministry of Justice and Security, courts, prosecution services, and law enforcement? You guessed it.

In November 2025, the American IT giant Kyndryl, a spinoff from IBM specializing in IT infrastructure services, announced it would acquire Solvinity. The Dutch government, which depends on this infrastructure for virtually all digital citizen services, found out the same day as the press.

Logius, the government agency under the Ministry of the Interior (Binnenlandse Zaken en Koninkrijksrelaties, or BZK) that develops and manages DigiD, had known since March 2025 that Solvinity was looking for a buyer. The name of the buyer? They learned it from the newspapers.

That's not oversight. That's negligence.

The CLOUD Act Problem

Why does American ownership matter? Because of something called the CLOUD Act.

Passed in 2018, the Clarifying Lawful Overseas Use of Data Act requires American companies to hand over data to U.S. authorities upon request, regardless of where that data is physically stored. It doesn't matter that Solvinity's servers sit in ODCs (Overheidsdatacentra, or Government Data Centres) on Dutch soil. It doesn't matter that the data is subject to Dutch privacy law and the EU's GDPR. An American parent company means American jurisdiction.

The Dutch government insists the risk is "low." They cite studies suggesting European citizens' data is unlikely to be requested under the CLOUD Act.

But here's the thing: "unlikely" is not the same as "impossible." And the ICC case proved that when Washington wants to make a point, American tech companies comply. Microsoft didn't take the ICC to court. It flipped the switch.

Imagine Trump, or any future American president, deciding the Netherlands isn't sufficiently cooperative on ASML chip export restrictions to China. Or on NATO spending. Or on any number of issues where Dutch and American interests diverge. Suddenly, 17 million Dutch citizens can't access their tax returns, health records, or government communications.

That's not a hypothetical. That's a vulnerability.

A "Vision" Without a Plan

To be fair, the Dutch government has noticed the problem. In December 2025, the cabinet adopted a new "Visie Digitale Autonomie en Soevereiniteit van de Overheid" (Vision on Digital Autonomy and Sovereignty of Government). Staatssecretaris (State Secretary, equivalent to a junior minister) Eddie van Marum of the BBB party (BoerBurgerBeweging, or Farmer-Citizen Movement) declared that the Netherlands must be able to "choose and maintain control" over its digital infrastructure.

The vision identifies all the right problems: over-reliance on American hyperscalers like Microsoft, Google, and Amazon; lack of exit strategies when vendors change ownership; insufficient in-house IT expertise. It calls for stricter cloud policies, open standards, and European cooperation.

There's just one issue: it's all talk.

The NDS (Nederlandse Digitaliseringsstrategie, or Dutch Digitalization Strategy) estimates the government needs at least €1 billion per year until 2030 to meaningfully address digital sovereignty. The detailed investment agenda? Expected in "the second quarter of 2026." Meanwhile, Kyndryl's acquisition of Solvinity could close any day now.

This is classic Dutch policymaking: publish a visionary document, commission more studies, and hope the problem sorts itself out before anyone has to make difficult decisions.

The Illusion of Dutch Ownership

Here's the uncomfortable truth that the Solvinity affair exposes: "Dutch" ownership was always a fiction.

When the government awarded the GDI (Generieke Digitale Infrastructuur, or Generic Digital Infrastructure) contract in 2020, covering the hosting and management of DigiD and related systems, Solvinity was already owned by Vitruvian Partners, a British private equity firm. The company was statutorily Dutch, sure. It had Dutch management and Dutch employees. But the investment horizon was British, and British private equity exists to find buyers and exit.

The government's procurement requirements demanded that data be stored in Dutch data centres, under Dutch law, accessible to Dutch courts. None of that addressed who ultimately owned the company. Because European procurement rules prohibit nationality requirements in public tenders. And so the government congratulated itself on securing a "Dutch" provider while the ownership clock was already ticking.

As one analyst on iBestuur (a Dutch platform for government IT professionals) put it: "There's often a Dutch flag above the server room, but the keys are held elsewhere."

What Could Be Done

The Tweede Kamer (the lower house of the Dutch parliament, equivalent to the House of Representatives) is now in crisis mode. A rondetafelgesprek (roundtable hearing with experts) on January 27 will examine the Solvinity acquisition. The Vaste Commissie Digitale Zaken (Standing Committee on Digital Affairs) has been holding technical briefings. Expert coalitions, including Stichting Privacy First and The Firewall, backed by prominent figures like journalist Joris Luyendijk and constitutional law professor Wim Voermans, are demanding transparency from the BTI (Bureau Toetsing Investeringen, or Investment Screening Bureau).

But there are real options on the table:

Block the acquisition. The Wet Vifo (Wet veiligheidstoets investeringen, fusies en overnames, the Security Screening Act for investments, mergers and acquisitions) allows the government to block foreign acquisitions that threaten national security. DigiD is designated as vitale infrastructuur (critical infrastructure). The question is whether anyone in The Hague has the political will to pick a fight with Washington.

Impose conditions. Even if the acquisition proceeds, regulators could require strict operational separation between Solvinity and its American parent, ironclad data localization guarantees, and Dutch government veto rights over any service disruptions.

Exit and rebuild. The contract between Logius and Solvinity expires in the second half of 2026. A new aanbesteding (public tender) could require European-only ownership. German alternatives exist: Nextcloud is open-source and GDPR-compliant. The Bundeswehr (German armed forces) just signed a seven-year contract with ZenDiS for openDesk. The Austrian military has switched to LibreOffice. The German state of Schleswig-Holstein migrated 40,000 government accounts to open-source alternatives.

Create a sovereign alternative. The DINL (Stichting Digitale Infrastructuur Nederland, or Dutch Digital Infrastructure Foundation) has proposed that critical IT contracts be awarded only to EU-owned providers. A consortium of Dutch and European parties, including SURF (the IT cooperative for Dutch education and research institutions), public bodies, and domestic investors, could acquire Solvinity outright or build a sovereign competitor from scratch.

None of these options are easy. All of them are expensive and politically uncomfortable. But the alternative is continuing to outsource the digital foundation of Dutch democracy to companies that will always, ultimately, answer to foreign governments.

The ICC Showed the Way

The International Criminal Court's decision to abandon Microsoft was expensive, inefficient, and inconvenient, the court's own words. Migrating 1,800 workstations from a deeply integrated Microsoft ecosystem to a patchwork of open-source tools is a massive undertaking.

But the ICC did it anyway. Because the alternative, remaining dependent on infrastructure that a hostile foreign power could disable at will, was unacceptable for an institution that prosecutes genocide and war crimes.

Is Dutch democracy worth less?

The Solvinity affair will likely be resolved through some combination of contractual tweaks, risk mitigation measures, and reassuring press releases. The acquisition will probably proceed. The government will declare that adequate safeguards are in place. And everyone will move on until the next crisis.

But the fundamental problem will remain: the Netherlands has built its digital public services on foundations it does not control. And in a world where American foreign policy is increasingly transactional, unpredictable, and willing to weaponize technology dependencies, that is a vulnerability the country can no longer afford to ignore.

The ICC learned this lesson on Dutch soil. It would be tragic if the Netherlands itself refused to learn it.

The author is a political analyst focusing on European affairs and digital governance. Views expressed are personal.