Beyond the Cloud Act

When most people think about risks from US ownership of European infrastructure, they think of the Cloud Act, the US law that enables American law enforcement to demand data from US companies regardless of where it’s stored. But experts speaking at the committee hearing identified a more immediate concern: US sanctions legislation.

Lokke Moerel, professor of global ICT law at Tilburg University, was blunt. “It is the authority of the US, and the president himself, to issue sanctions against persons, organisations, countries in the interest of national security.” She explained that whilst the Cloud Act involves judicial processes and public scrutiny, sanctions can be imposed unilaterally.

Evelyn Austin, director of digital rights organisation Bits of Freedom, made it concrete. “There are now nine employees of the International Criminal Court who, due to a decree from President Trump, are not allowed to receive American services. That’s not just inconvenient, it’s genuinely life-disrupting. And those are only nine people. With DigiD, it could happen on the scale of an entire society.”

For Austin, the threat isn’t theoretical. When asked whether she saw a sliding scale if the right direction wasn’t taken, her answer was stark. “I don’t know if it’s a sliding scale, because I think the crisis is already here. So, in that sense, we might already be somewhere at the bottom of the slide.”

Kyndryl’s defence

When Kyndryl’s turn came to address the committee, senior vice-president Piet Bil opened with reassurance. The company, a four-year-old spin-off from IBM that operates in 60 countries, has experience with nations where digital sovereignty is a crucial priority. Bil outlined three layers of protection: technical, organisational and legal.

According to the company, there would be no technical capability to access Solvinity customer data or disable services from outside the European Union (EU). “Data remains in the Netherlands,” Bil emphasised. “The services will continue to be provided within the EU. And access to the data is only possible on EU territory.” 

On the organisational level, Bil promised that Kyndryl would refer any government request, including from the American government, to the end customer, inform customers of every request and resist improper demands. He pointed to Kyndryl’s transparency report, noting that the company claims never to have received a request from a foreign government for EU customer data.

The company’s opening statement added two legal safeguards: appointing a Europe-based data guardian with authority to decide on data access requests; and promising that Kyndryl Netherlands would seek a ruling from Dutch courts if the American headquarters attempted to force access or disable services in violation of Dutch or EU law.

But the assurances didn’t entirely dispel concerns. Sarah El Boujdaini, an MP from the centre-liberal D66 party, raised the issue of American gag orders – the possibility that the US government could demand data without the company being permitted to inform its customers. “That risk remains, even though you’ve taken all these mitigating measures,” she observed.

Rob Bravenboer, Kyndryl’s managing director for the Netherlands, had earlier stated that Kyndryl Netherlands would be led by a Dutch board of directors and an independent supervisory board consisting of Dutch citizens. Yet the fundamental question remains: what happens when American law and Dutch interests collide?

The procurement trap

For Amsterdam’s city council, the acquisition announcement late last year came as a cold shower. The municipality had, for the first time, explicitly included digital autonomy as a criterion in its tender for public cloud management. “That was the first time we did that,” said deputy mayor Alexander Scholtes during the Digital Affairs Committee roundtable. “And Solvinity came out on top. We thought: a nice Dutch company, even an Amsterdam company, that can help us become more digitally autonomous.”

Shortly afterwards came news of the proposed takeover. “That was an unpleasant surprise for us,” added Scholtes. The situation revealed just how complex digital autonomy is, even when governments actively prioritise it. Solvinity was already 60% owned by British private equity firm Vitruvium Partners, but European procurement rules prohibit steering on ownership structures.

“You’re not allowed to steer on ownership or ownership structures,” said Scholtes. “So you can look at requirements around knowledge to develop services in the field of digital autonomy. You can look at flexibility. But my point is that with the current requirements, you can’t sufficiently steer towards digital autonomy.”

It’s a fundamental tension the case exposes. Even when public bodies explicitly seek sovereign solutions, market dynamics and procurement frameworks can undermine those aims. As one position paper presented to the committee noted, the current situation is the result of gradual outsourcing without an integral decision-making moment to consider whether this is desirable.

Three roads forward

During the committee’s hearings, experts outlined fundamentally different approaches. Some argued for working within the new reality, using contractual safeguards and technical measures to manage risks. Logius is exploring additional protections: encrypting data in databases, restricting platform access to a handful of employees with all actions explicitly logged, and potentially bringing some of Solvinity’s tasks in-house.

This approach found support from industry representatives who cautioned against oversimplifying the issue. Jelmer Schreuder from NLdigital warned that focusing solely on a supplier’s country of origin was too crude. The discussion should be based on mature risk management, he argued, not on simplifications like “domestic equals safe”. He emphasised that practical safeguards, such as ensuring Dutch civil servants can only cooperate under Dutch law, often provide stronger protection than legal remedies for situations beyond direct control. Marijn van Vliet from Digital Infrastructure Netherlands Foundation added that digital autonomy encompasses more than data security alone, including economic resilience and geopolitical positioning.

Others advocated rejecting the acquisition outright and building European alternatives. Jeroen Wouda from sovereign cloud provider Uniserver argued that digital sovereignty isn’t an ideal, but a strategic choice available today. “The knowledge, technology and expertise exist. Today, not tomorrow,” he said. Wouda called for public-private partnerships where market forces drive efficiency and innovation, but the Netherlands builds on the strength of its own digital sector.

A third group proposed a middle path. Tilburg University’s Moerel suggested a dual approach – accepting some dependency while investing heavily in European alternatives for the most critical infrastructure. The question everyone circled back to was which infrastructure is critical enough to warrant that investment?

Austin put it starkly: “There have been many vision documents written. But the simple question – which infrastructure is so critical that it should be secured first? – we don’t have an answer to yet. There is no roadmap yet.”

The ghost of DigiNotar

For the Netherlands, the stakes are personal. In 2011, certificate authority DigiNotar was hacked, leading to its bankruptcy and a national security crisis. Austin invoked that memory. “We must prevent a Solvinity crisis with the right direction,” she said. The DigiNotar collapse demonstrated how quickly digital infrastructure failures cascade into real-world consequences.

The government is responding. Behind closed doors, an interdepartmental task force has been negotiating with Solvinity and Kyndryl for weeks. Meanwhile, two independent review processes are underway: a competition assessment by the Authority for Consumers and Markets; and a security review under the Undesirable Control Telecommunications Act. Until these assessments are complete, the transaction cannot proceed.

Logius has also established a revised vision for its infrastructure. Voorbraak acknowledged that choices and contractual agreements from the past may no longer be appropriate. The ultimate goal, he said, is to develop a Dutch cloud, a government cloud, eliminating dependence on commercial parties.

The Solvinity case illustrates challenges that many European governments now face. Digital infrastructure that seemed purely technical – server capacity, storage, networking – turns out to carry geopolitical weight. Procurement frameworks designed to promote competition and prevent protectionism weren’t built to account for jurisdictional risk. And the gradual nature of outsourcing meant that by the time the strategic implications became clear, dependence was already embedded.

The Netherlands isn’t alone in facing these questions. As American technology dominance becomes more visible and geopolitical tensions intensify, every European nation must decide: which digital infrastructure is too critical to leave vulnerable to foreign control? What level of dependency is acceptable? And how much are we willing to invest in alternatives?