TL;DR: DigiD, the Netherlands’ national digital identity system handling 550 million logins in 2024, nearly got sold to a US company without government knowledge. The Dutch Data Protection Authority warned this dependency on foreign infrastructure threatens national operations. Small businesses face identical vendor lock-in risks. Exit strategies prevent dependency from becoming liability.
Core Answer
What happened: Solvinity, the company behind DigiD, was acquired by US firm Kyndryl without notifying Dutch authorities until the deal went public.
The risk: Under the US Cloud Act, foreign companies controlling Dutch infrastructure are subject to legal coercion, data access demands, and gag orders. The government has no visibility or control.
Why this matters for small businesses: Vendor lock-in affects small organizations more severely because switching providers costs more relative to size. You face egress fees, migration complexity, and operational disruption.
What to do: Document critical dependencies, verify vendor jurisdiction, build exit clauses into contracts, test data export annually, and diversify providers for critical systems.
The pattern: Dependencies without exit paths become liabilities when ownership or regulations change. Build exit strategies before you need them.
What Happened to DigiD
I’ve watched the Dutch government treat digital sovereignty like a conference topic. Something for academics to debate while infrastructure decisions happened elsewhere.
Then DigiD nearly got sold to a US company.
DigiD is the national digital identity system. Every adult in the Netherlands uses it to file taxes, arrange insurance, access government services. The system recorded more than 550 million logins in 2024. Usage rose 15% compared to 2023.
The system connecting citizens to their government was about to change ownership. The government didn’t know until the acquisition was publicly announced.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) sent a letter that should make every founder in this country pay attention.
Why the Dutch Data Protection Authority Issued a Warning
The AP didn’t soften the message.
They warned that the Netherlands could be brought to “a complete halt” if another country leverages Dutch dependency on foreign IT suppliers. A shutdown of digital systems could result in “unforeseeable and possibly irreversible societal, economic, and personal harm.”
The AP pointed to the International Criminal Court in The Hague, which relies on Microsoft for email services. Dependency has already been exploited. The shifting geopolitical landscape makes this vulnerability more dangerous.
Here’s the mechanism most founders miss: when critical infrastructure depends on foreign providers without exit strategies, economic transactions become security liabilities.
You lose control the moment ownership changes hands. Ownership changes without your input.
Bottom line: National infrastructure becomes vulnerable when essential services depend on foreign providers without robust exit mechanisms.
How the Dutch Government Lost Control of DigiD
The Dutch government revealed something embarrassing in their response to the DigiD situation.
They weren’t told that Solvinity (the company behind DigiD) was being acquired until the information went public. They only knew since May 2025 that Solvinity was in acquisition talks because a director at Logius requested to break Solvinity’s embargo to inform contacts at the Dutch Home Office.
The infrastructure connecting millions of citizens to their government was changing ownership. The entity responsible for that infrastructure had no obligation to notify the government until the deal was done.
The Exit Strategy Gap
Public sector technology contracts systematically lack termination clauses that account for ownership changes. This creates lock-in scenarios where governments lose negotiating power and control at the same time.
For expat entrepreneurs running small businesses in the Netherlands, this pattern sounds familiar:
You sign a contract with a vendor. The vendor gets acquired. Suddenly you’re dealing with a different company, different terms, different priorities. You face expensive and complex migration.
Now scale that to national infrastructure.
Key point: Missing exit clauses in contracts create vendor lock-in where ownership changes strip you of negotiating power and operational control.
How the US Cloud Act Creates Hidden Legal Exposure
Under the US Cloud Act, Kyndryl (the acquiring company) gets compelled to hand over metadata, logs, encrypted backups, and network-traffic information without notifying Dutch authorities.
Directors of Kyndryl face criminal prosecution for refusal. That creates strong legal coercion.
Gag orders are standard under FISA 702. Companies may not disclose the existence of orders unless explicitly permitted. The Dutch government acknowledged that “at least in theory, US authorities could, if necessary, gain access to the data processed by Solvinity on behalf of the state.”
The Jurisdictional Trap Most Founders Miss
You think you’re making a commercial decision about infrastructure. You’re making a decision about jurisdiction, legal exposure, and who gets to compel access to your data without your knowledge.
The mechanism works like this:
Step 1: You contract with a vendor for critical services.
Step 2: That vendor operates under foreign jurisdiction.
Step 3: Foreign authorities compel access without notifying you.
Step 4: The vendor is legally prohibited from telling you this happened.
You have no visibility. No control. No recourse.
Key point: Commercial infrastructure decisions become jurisdictional exposure when vendors operate under foreign legal frameworks that allow coerced data access without notification.
Why Vendor Lock-In Hits Small Businesses Harder
The Netherlands faces this at national scale. Small businesses face it at operational scale. The mechanism is identical.
A European Parliament report estimates that the EU relies on non-EU countries for over 80% of digital products, services, infrastructure, and intellectual property. This dependency drives the EU push for digital sovereignty.
Vendor lock-in disproportionately impacts small organizations.
Research shows that vendor lock-in risks reduce cloud migration and affect widespread adoption of cloud computing. Smaller organizations are vulnerable because they rely on a single cloud support supplier for their requirements.
The Real Cost of Switching Providers
Switching cloud providers is expensive. You face:
Egress fees: Charges for moving data out of the current provider’s infrastructure.
Migration time: Operational downtime while systems transfer.
Infrastructure integration: Rebuilding configurations, retraining staff, updating integrations, testing everything.
Migration requires more than moving data storage. You rebuild your entire operational stack.
For small businesses, this is especially challenging. You may not have the resources to research and compare other solutions. Vendor lock-in leads to escalating costs, diminished performance, and increased security vulnerabilities.
Key point: Vendor lock-in costs more relative to organizational size, making small businesses disproportionately vulnerable to provider changes, price increases, and service disruptions.
What This Means for Your Business Operations
The DigiD crisis reveals a structural problem in how digital infrastructure decisions get made.
When individual government bodies independently contract with foreign providers, the cumulative effect creates concentrated dependency that no single agency addresses. This fragmented decision-making amplifies systemic risk.
Your business does the same thing.
You use Google Workspace for email. Stripe for payments. AWS for hosting. Slack for communication. Each decision makes sense individually. Together, they create a web of dependencies where losing access to one service cascades into operational paralysis.
Build Exit Strategies Before You Need Them
The AP’s warning to the Dutch government applies directly to your operations: you need exit strategies before you need them.
Here’s what that looks like in practice:
Document your critical dependencies. List every service that would stop your business if it disappeared tomorrow. Include payment processing, hosting, email, communication tools, accounting software, CRM systems.
Check ownership and jurisdiction. Know where your vendors are incorporated. Know which legal frameworks govern their operations. Know whether they get compelled to hand over data or shut down access without notifying you.
Build provider portability into contracts. Negotiate termination clauses that account for ownership changes. Require data export capabilities in standard formats. Establish service level agreements that include migration support.
Test your exit paths annually. Export your data. Verify you’re able to use it. Check whether you have the technical capability to migrate if needed. Identify gaps before they become emergencies.
Diversify where concentration creates risk. You don’t need to avoid all foreign providers. You need to avoid single points of failure in critical systems. A multi-cloud approach prevents dependency on a single vendor.
Key point: Fragmented vendor decisions create concentrated operational dependency where a single service disruption cascades into business paralysis.
How Europe Is Responding with Sovereign Cloud Infrastructure
Europe is responding structurally.
The European Commission issued a €180 million tender for sovereign cloud infrastructure in late 2025. This establishes a benchmark for how sovereignty is applied in practice to cloud services, with specific, quantifiable metrics for technological sovereignty.
The global sovereign cloud market is projected to reach over €235 billion in three years. 75% of enterprises outside the US are expected to have digital sovereignty strategies by 2030.
What the Cloud and AI Development Act Means
The European Commission plans to introduce the Cloud and AI Development Act (CADA) in 2025. The goal is to triple the EU’s data center capacity within seven years and create a common framework for public sector cloud procurement.
This will likely establish EU-wide eligibility requirements that restrict participation by non-EU companies.
Risk and Opportunity for Expat Entrepreneurs
For expat entrepreneurs in the Netherlands, this shift creates both risk and opportunity.
Risk: Your current infrastructure may become more expensive or restricted as regulations tighten. Compliance requirements will increase. Vendors may exit the European market rather than adapt.
Opportunity: Demand for EU-based alternatives will grow. Businesses that demonstrate data sovereignty and regulatory compliance will have competitive advantages. Government contracts will increasingly favor domestic providers.
Key point: European digital sovereignty initiatives will restrict non-EU cloud providers, increasing compliance costs while creating competitive advantages for businesses using EU-based infrastructure.
What Founders Should Do Now
The Dutch government is scrambling to fix a problem they should have prevented. You don’t have to repeat their mistake.
Here are the control points that reduce your exposure:
Immediate Actions
Audit your vendor dependencies this quarter. Create a spreadsheet. List every critical service, who provides it, where they’re based, and what happens if they disappear. This takes two hours. It prevents months of panic later.
Prioritize exit capability over feature richness. When evaluating new vendors, ask about data export, API access, and migration support before asking about features. The ability to leave cleanly is a security requirement.
Separate critical functions across providers. Don’t let one vendor control multiple critical systems. If your payment processor also hosts your customer database and handles your email, you have concentrated risk.
Strategic Planning
Build a 90-day migration plan for your top three dependencies. You don’t need to execute it. You need to know you could. Document the steps, identify the costs, test the export process. Update it annually.
Watch for regulatory signals from the Autoriteit Persoonsgegevens. The AP is pushing for stronger data sovereignty requirements. Changes in their guidance will affect your compliance obligations before they become enforcement actions.
Consider EU-based alternatives for new infrastructure decisions. You don’t need to rip out existing systems. When you add new capabilities or replace aging infrastructure, factor sovereignty into the decision criteria.
Key point: Vendor dependency audits, exit capability prioritization, and migration planning turn infrastructure control from reactive scrambling into proactive risk management.
Structure Beats Scrambling
The Netherlands is learning an expensive lesson about digital sovereignty.
They treated infrastructure control as theoretical until a crisis forced them to treat it as operational. They allowed fragmented decision-making to create concentrated dependency. They signed contracts without exit strategies and discovered they had no leverage when ownership changed.
Your business doesn’t have to follow the same path.
Digital sovereignty is about maintaining control over systems that determine whether your business operates. Dependencies without exit paths become liabilities when circumstances change. Circumstances always change.
The Dutch government is now demanding coordinated national strategy, mandatory exit clauses in public sector contracts, and investment in domestic alternatives. They’re doing this reactively, under pressure, with limited options.
You do it proactively, calmly, with full control.
Structure is cheaper than recovery. Build the controls now. Save the panic for someone else.
Frequently Asked Questions
What is digital sovereignty and why does it matter for small businesses?
Digital sovereignty is control over the systems that determine whether your business operates. It matters because vendor lock-in creates operational dependency where provider changes, price increases, or service disruptions stop your business. Small businesses are more vulnerable because switching costs more relative to size.
How does the US Cloud Act affect Dutch businesses using American cloud providers?
The US Cloud Act allows US authorities to compel American companies to hand over data, metadata, logs, and backups without notifying you. Gag orders under FISA 702 mean companies are legally prohibited from disclosing these requests. You have no visibility, control, or recourse when this happens.
What are the biggest risks of vendor lock-in?
Vendor lock-in creates three major risks: escalating costs when providers raise prices without competitive pressure, diminished performance when you’re stuck with outdated infrastructure, and increased security vulnerabilities when migration becomes too expensive to fix known weaknesses.
How do I know if my business has dangerous vendor dependencies?
List every service that would stop your business if it disappeared tomorrow. Include payment processing, hosting, email, communication tools, accounting software, and CRM systems. If losing access to one service cascades into operational paralysis, you have dangerous dependency.
What should be in a vendor exit strategy?
An exit strategy needs termination clauses that account for ownership changes, data export capabilities in standard formats, service level agreements that include migration support, and documented migration steps with cost estimates. Test the export process annually to verify you’re able to use the data.
Are EU-based cloud providers safer than American providers?
EU-based providers operate under GDPR and European jurisdiction, which limits foreign government access to data. They’re not inherently safer from all risks, but they reduce jurisdictional exposure to foreign legal frameworks like the US Cloud Act. European digital sovereignty initiatives will increasingly favor EU-based infrastructure.
How much does it cost to switch cloud providers?
Switching costs include egress fees for moving data out, operational downtime during migration, and infrastructure integration work to rebuild configurations, retrain staff, update integrations, and test everything. For small businesses, this often exceeds the annual cost of the current provider.
What is the European Commission doing about digital sovereignty?
The European Commission issued a €180 million tender for sovereign cloud infrastructure in late 2025 and plans to introduce the Cloud and AI Development Act (CADA) in 2025. The goal is to triple EU data center capacity within seven years and create a common framework for public sector cloud procurement that restricts non-EU companies.
Key Takeaways
Dependencies without exit paths become liabilities when circumstances change. The DigiD crisis demonstrates how vendor lock-in strips control from governments and businesses when ownership changes or regulations shift.
Vendor lock-in costs small businesses more relative to organizational size. Switching providers requires egress fees, migration time, and infrastructure integration that often exceeds annual provider costs.
Commercial infrastructure decisions create jurisdictional exposure. The US Cloud Act allows foreign authorities to compel data access without notification. Your vendor choice determines which legal frameworks control your data.
Exit strategies are security requirements, not optional features. Contracts need termination clauses for ownership changes, data export in standard formats, and documented migration plans tested annually.
European digital sovereignty initiatives will reshape cloud compliance. The Cloud and AI Development Act will restrict non-EU providers, increasing compliance costs while creating competitive advantages for businesses using EU-based infrastructure.
Fragmented vendor decisions create concentrated operational dependency. Individual service choices make sense separately but together create cascading failure risk where losing one service stops your business.
Structure is cheaper than recovery. Build vendor dependency audits, exit capability prioritization, and migration planning into operations now instead of scrambling during crises with limited options.
