DigiD Under Foreign Law: The Sovereignty Risk Nobody Wants to Name

A supplier acquisition can quietly move national identity infrastructure under foreign jurisdiction. The DigiD sovereignty risk is a live example of how this happens, why EU law already rules it out and what every EU organisation running critical systems should check before the same logic applies to them.

A senior civil servant at Logius, the agency that runs DigiD, went public. Internal warnings about a supplier acquisition were not translating into action. His claim, stripped of the institutional politics, is straightforward. If the IT company running the DigiD platform joins a US group, the national identity infrastructure slides under US jurisdiction. That is the DigiD sovereignty risk in one sentence, and it should alarm every EU organisation that depends on a similar supply chain.

What the DigiD sovereignty risk actually means

DigiD is the identity system through which virtually every adult in the Netherlands accesses tax authorities, healthcare portals, pensions and public services. Logius, part of the Ministry of the Interior, owns the service. Solvinity, a Dutch IT provider, runs the platform. The US group Kyndryl plans to acquire Solvinity. If the deal closes, critical Dutch public infrastructure falls under the CLOUD Act and FISA Section 702.

That is not theoretical. US law compels US-based companies to hand over data or grant access at the request of US federal authorities, including data held on European soil. Gag provisions can prevent the company from saying so. For an identity platform touching health records, income and social security data, this exposure differs qualitatively from a regular cloud contract.

Why “the data stays in the Netherlands” misses the point

Official reassurances lean on geography. The DigiD database sits in a government data centre. The supplier only operates the platform. The BSN (the Dutch citizen service number) is passed in protected form. All true, and all beside the point. Schrems II settled this question in 2020. The Court of Justice of the EU held that what matters is not where the data physically rests. It is who can access it and under which legal regime. A supplier with operational privileges can reach systems, logs and keys, whether or not it chooses to. If that supplier answers to a foreign intelligence framework, the data is exposed.

Three risks hiding behind “only a platform supplier”

Three concrete dangers run through the internal analysis at Logius and the wider expert commentary. First, confidentiality. MijnOverheid aggregates data from dozens of agencies. A supplier under US jurisdiction can, in the worst case, be compelled to grant access to systems that touch this data. Second, integrity. Control over identity infrastructure is control over authentication itself. A hostile or coerced actor with platform-level access could in principle impersonate users inside tax, benefits or healthcare systems. Third, availability. Foreign control over a national identity rail hands a foreign government a switch it should not have. In a period of geopolitical friction, that is a lever no EU state should concede.

What the EDPB already told us

The EDPB’s Recommendations on supplementary measures set out the test clearly. Where a third-country regime allows disproportionate public-authority access, contractual safeguards are insufficient whenever the provider can see data in the clear. In some scenarios, the only compliant answer is not to use the provider for that data at all. Public-sector controllers carry a heightened duty to apply this test seriously, which is exactly what the DigiD sovereignty risk now tests in public.

Why contracts cannot fix the DigiD sovereignty risk

The instinct, when a supplier problem appears, is to write a stronger contract. Require the supplier to challenge overbroad requests. Add notification clauses. Build in data minimisation. These clauses are necessary, but they do not neutralise a foreign public-authority power that structurally overrides contract law. Schrems II is explicit on this point.

If the supplier relationship continues, technical insulation is the only serious mitigation. That requires:

  • End-to-end encryption of personal data with keys held exclusively by Dutch public bodies
  • Strict separation of duties so supplier staff cannot reach production systems
  • Independent code review to detect covert logging or hidden backdoors

The EDPB’s own analysis suggests that for many platform scenarios this level of insulation is not realistically achievable. That is precisely why the supplier choice itself is the decision that matters.

What every EU organisation should take from this

The DigiD sovereignty risk is not a Dutch anomaly. It is a worked example of a question every EU organisation running critical systems should already be asking. Who owns your suppliers? Who owns your suppliers’ suppliers? Under which legal regime do they operate? If the answer exposes your data or continuity to a foreign legal order, that is already your version of the DigiD sovereignty risk.
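As an added illustration (not part of this article and not tooling from Logius or any supplier), those three questions can be turned into a transitive check over a supplier-ownership graph: a system's effective jurisdictions are those of every supplier with operational access to it plus those of every entity up each supplier's ownership chain, so an acquisition changes the answer without any data moving. The `TRUSTED` set, the ownership records and the `simulate_acquisition` helper are constructed assumptions; only the entity names come from the article.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set

# Jurisdictions the organisation accepts (assumption; extend per policy).
TRUSTED = frozenset({"NL"})

@dataclass(frozen=True)
class Supplier:
    jurisdiction: str             # legal order the entity answers to
    parent: Optional[str] = None  # owning group, if any

# Constructed sample data: names are from the article, ownership records
# and jurisdiction labels are illustrative assumptions, not verified facts.
SUPPLIERS: Dict[str, Supplier] = {
    "Solvinity": Supplier("NL"),
    "Kyndryl": Supplier("US"),
}
# Critical systems and the suppliers holding platform-level access to them.
SYSTEMS: Dict[str, List[str]] = {"DigiD": ["Solvinity"], "MijnOverheid": ["Solvinity"]}

def ownership_chain(name: str, suppliers: Dict[str, Supplier]) -> List[str]:
    """Walk owner links upward; stops at unknown entities and on cycles."""
    chain: List[str] = []
    current: Optional[str] = name
    while current is not None and current in suppliers and current not in chain:
        chain.append(current)
        current = suppliers[current].parent
    return chain

def effective_jurisdictions(system: str, suppliers, systems) -> Set[str]:
    """Every jurisdiction that reaches `system` via a supplier or its owners."""
    return {suppliers[owner].jurisdiction
            for supplier in systems[system]
            for owner in ownership_chain(supplier, suppliers)}

def exposed_systems(suppliers, systems, trusted=TRUSTED) -> Dict[str, List[str]]:
    """Systems whose effective jurisdictions include a non-trusted legal order."""
    report = {}
    for system in systems:
        foreign = sorted(effective_jurisdictions(system, suppliers, systems) - trusted)
        if foreign:
            report[system] = foreign
    return report

def simulate_acquisition(suppliers, target: str, acquirer: str) -> Dict[str, Supplier]:
    """Copy of the graph in which `acquirer` becomes `target`'s owner."""
    updated = dict(suppliers)
    updated[target] = replace(suppliers[target], parent=acquirer)
    return updated
```

Running `exposed_systems(SUPPLIERS, SYSTEMS)` before the deal reports nothing; after `simulate_acquisition(SUPPLIERS, "Solvinity", "Kyndryl")` both DigiD and MijnOverheid report "US", which is the supplier-of-supplier question answered mechanically.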

The point is not anti-American. The point is jurisdictional. EU law on data protection is not compatible with US surveillance law, and no amount of contractual optimism closes that gap. Organisations that wait for a political fix will be explaining to regulators why they did.

Map your own supplier stack before someone else does it for you. Start with the Digital Sovereignty Prep Track.
