
Kim Loohuis on the DigiD Deal and Digital Autonomy

· Digital Sovereignty

A deeper look at Kim Loohuis's DigiD takeover post, exploring digital sovereignty, risks, and what autonomy could cost.


Kim Loohuis recently shared something that caught my attention: "De overname die het digitale hart van Nederland raakt" ("The takeover that touches the digital heart of the Netherlands"). In the same post, Kim notes that the Tweede Kamer is worried about the takeover of DigiD supplier Solvinity by the US company Kyndryl, pointing out the scale: DigiD has 16.5 million users and processed 645 million authentications in 2025.

That combination of reach and dependency is exactly why this story is bigger than a regular M&A headline. When a country runs vital public services through a small set of suppliers, ownership changes can turn into governance questions overnight. Kim frames it as a fundamental choice: do we accept that our most vital digital infrastructure ends up in non-European hands, or do we choose autonomy, and what are we willing to pay for it?

Below, I want to expand on Kim's dilemma, add context on what is really at stake, and outline practical options that policymakers, CIOs, and citizens should be debating.

Why DigiD is not "just another IT contract"

DigiD is the front door to the Dutch digital government. It is how citizens authenticate for taxes, benefits, healthcare portals, municipality services, and countless other workflows. That makes DigiD infrastructure "systemic": if it is unavailable, slow, compromised, or politically constrained, the ripple effects go far beyond one vendor.

Two points in Kim's post underline the systemic nature:

  • DigiD has 16.5 million users
  • DigiD processed 645 million authentications in 2025

At that scale, you are not only dealing with technology risk, but also societal continuity risk. A failure is not a local incident. It is a national event.

The political trigger: Solvinity acquired by Kyndryl

Kim describes the immediate concern: Solvinity, a key DigiD supplier, is being acquired by Kyndryl. Even without assuming bad intent, foreign ownership changes the risk profile because it can introduce:

  • New legal exposure (for example, disclosure obligations under non-EU jurisdictions)
  • Different corporate incentives (profit, restructuring, consolidation)
  • Supply chain shifts (offshoring, subcontracting, platform standardization)
  • Operational dependencies (tools, support, cloud contracts) that are harder to unwind

The public debate often collapses into a simple question: "Can we trust company X?" I think Kim's post hints at the deeper issue: trust is not a strategy. Governance is.

"The Netherlands currently has no formal instrument to block this deal"

One line from Kim is particularly sobering: the Netherlands currently has no formal instrument to block this deal. That is not just a legal detail. It is a policy gap.

Many countries have strengthened investment screening for sensitive sectors (defense, telecom, energy). Digital identity and authentication increasingly belong in that same category because they enable access to everything else.

Kim also mentions that some professors argue for rejecting the deal under the Vifo framework (investment screening). Regardless of the legal outcome, the fact that experts are even asking "can we, should we" shows that digital identity is now treated as strategic infrastructure.

What the Tweede Kamer heard: a spectrum from "crisis now" to "we can mitigate"

Kim recounts a week of briefings and conversations led by the commissie Digitale Zaken, chaired by Barbara Kathmann: a technical briefing, a roundtable, and a discussion with Kyndryl.

What I find valuable in Kim's description is the diversity of perspectives:

  • Experts warning that the crisis is already here
  • Aldermen who explicitly chose a Dutch supplier in procurement, only to face an ownership change months later
  • Kyndryl representatives describing how they would mitigate risks
  • Academics urging rejection under investment screening logic

That mix matters, because each group is reacting to a different layer of the problem:

1) Technical risk (cybersecurity and resilience)

Authentication services are prime targets. Threats include DDoS, credential stuffing, supply chain compromise, insider risk, and misconfiguration. Ownership can affect security posture through staffing, tooling, and incident response processes.

2) Legal and jurisdictional risk (control and access)

Even if data stays in the Netherlands, corporate control can still create leverage. For instance: who holds keys, who can access logs, who can be compelled to share information, and what happens during diplomatic tension or sanctions regimes.

3) Operational risk (continuity and exit)

The question is not only "is it secure today" but "can we exit tomorrow". Vendor lock-in is often a slow burn until a takeover, a reorganization, or a pricing change turns it into a fire drill.

4) Democratic legitimacy (public trust)

Citizens expect the state to be in control of the mechanisms that grant access to the state. If trust erodes, adoption and compliance suffer, and alternative channels become overloaded.

The core dilemma Kim puts on the table: autonomy has a price

Kim asks the uncomfortable but necessary question: if we choose autonomy, what are we willing to pay?

I think that question deserves a more concrete framing. Autonomy is not binary. It is a bundle of capabilities, and each capability has a cost.

Here are practical layers of autonomy, from minimal to maximal:

Option A: Accept the deal, harden the contract

If blocking is not feasible or not chosen, then the state can still raise the bar. That means contract clauses and oversight such as:

  • Data residency and strict access controls (including admin access, logging, and audits)
  • Clear incident response obligations with joint playbooks and escalation timelines
  • Independent security assessments and continuous monitoring requirements
  • Source code escrow or build reproducibility guarantees where relevant
  • Strong exit clauses: migration support, documentation, and penalties for obstruction

This is the cheapest short-term path, but it assumes enforcement capacity. The government must be able to audit, verify, and act.

Option B: Allow the deal, but reduce single-supplier dependency

This is the "diversification" route. Reduce systemic risk by changing architecture and procurement:

  • Multi-vendor operations for different components
  • Segmentation of identity, authentication, and hosting responsibilities
  • Standard interfaces that enable replacement

It can be expensive and slow, but it targets the structural problem Kim hints at: the country should not be cornered by one ownership change.

Option C: Build or anchor a European-controlled core

If the concern is specifically non-European control, then the policy aim becomes: ensure the decisive control points remain within EU jurisdiction.

That could mean:

  • A European-controlled operator for the most sensitive parts
  • A public or semi-public entity with strong governance
  • A procurement framework that treats digital identity as strategic infrastructure

This option is politically and financially heavier, but it aligns most directly with the "digital sovereignty" framing.

Option D: Treat identity as a national security capability

The most ambitious path is to treat authentication as critical national infrastructure in the strictest sense, with dedicated funding, talent pipelines, and long-term planning similar to water management or flood defenses.

This is where the real "what are we willing to pay" question bites. Because the cost is not only money, but also:

  • Longer procurement cycles
  • Less convenience in the short term
  • Higher demands on public sector expertise

What I hope policymakers ask next

Kim's post reads like an invitation to debate, not a closed verdict. If I were turning her framing into a checklist for the coming months, I would ask:

  1. What are the non-negotiables for DigiD continuity and control?
  2. Which control points matter most: ownership, operations, data, keys, or architecture?
  3. Do we have the oversight capacity to enforce mitigations?
  4. What is the exit plan, and how quickly can it be executed?
  5. Should investment screening explicitly include digital identity suppliers?

Because the risk is not only that "this" deal goes wrong. The risk is that every future deal becomes a scramble because the Netherlands never defined what it will and will not outsource.

Closing thought

Kim Loohuis put it plainly: this takeover touches "het digitale hart van Nederland". I agree with the underlying message. The right debate is not about fear of one company. It is about designing governance that survives ownership changes, geopolitical shocks, and the messy reality of the vendor ecosystem.

If the Netherlands chooses more autonomy, it will pay more. But the bill for not choosing can arrive later, in a form nobody wants: lost trust, rushed migration, or crisis-driven policymaking.

This blog post expands on a viral LinkedIn post by Kim Loohuis, Tech & Business Content Writer | Journalist bridging complexity and clarity.