/s3/static.nrc.nl/wp-content/uploads/2025/12/15183332/171225ECO_2027292902_digid.jpg)
The Dutch government’s digital identity system, DigiD, has grow the focus of growing concern over data privacy and national security following reports that a senior privacy official warned of potential risks tied to the proposed takeover of its IT service provider by an American company. Pieter van Oordt, the chief privacy officer at Logius — the government agency responsible for managing DigiD — reportedly spoke out publicly after facing internal backlash for raising alarms about the implications of Kyndryl’s planned acquisition of Solvinity, the Dutch firm that hosts the platform on which DigiD operates.
According to verified reports from Dutch public broadcaster NOS and other reputable outlets, Van Oordt warned that if the takeover proceeds, the U.S. Government could gain access to sensitive personal data stored in MijnOverheid, the online portal where Dutch citizens can view the information the government holds about them. This includes names, addresses, dates of birth, income details, and other administrative data. His concerns stem from an internal Logius investigation that found the IT service provider managing MijnOverheid could, in principle, access the personal data visible in the system.
Van Oordt stated in interviews with NOS and other media that once Solvinity falls under American ownership, its infrastructure would be subject to U.S. Legislation, including laws that allow federal agencies to request data under national security grounds — potentially without the knowledge of the data subjects or the Dutch government. He emphasized that even additional security measures implemented by Logius might not be sufficient to fully protect Dutch citizens’ data from foreign access under such circumstances.
The warning comes amid broader scrutiny of the deal, which has raised questions about data sovereignty and the risks of outsourcing critical government IT functions to foreign-owned entities. Logius has confirmed that while Solvinity provides the technical platform for DigiD, it does not own or control the system. DigiD remains under the authority of the Dutch government, with Logius setting operational and security standards. Still, the physical and technical infrastructure supporting the service is hosted in government data centers but managed by Solvinity, creating a layer of dependency that privacy advocates argue introduces vulnerability.
In response to the concerns, Logius said it is conducting a thorough review of the potential implications of the takeover for service continuity, security, and privacy. The agency stated that if unacceptable risks are identified, it will take immediate action to safeguard the system. Officials reiterated that the safety and reliability of DigiD remain the top priority, and that no changes will be made without rigorous assessment.
The debate over the Solvinity-Kyndryl transaction reflects wider anxieties about how digital public infrastructure is managed in an era of increasing geopolitical tension and cross-border data flows. As governments worldwide rely on private contractors for essential digital services, the DigiD case highlights the challenges of ensuring that convenience and efficiency do not come at the cost of autonomy, privacy, or national control over citizen data.
What is DigiD and why does it matter?
DigiD is the digital authentication system used by millions of Dutch residents to access government services online, including tax filings, benefit applications, healthcare appointments, and municipal affairs. It functions as a secure login method, allowing citizens to verify their identity when interacting with public sector websites and apps. Introduced in the early 2000s, DigiD has become a cornerstone of the Netherlands’ digital public infrastructure, with over 13 million active users as of recent government reports.
The system is not merely a convenience tool; for many, especially those with limited mobility or living abroad, DigiD is essential for accessing basic rights and services. Its widespread apply means that any disruption or compromise could affect a significant portion of the population’s ability to engage with the state.
Because DigiD grants access to sensitive personal data through MijnOverheid — where users can see what information agencies like the tax authority, social services, or municipalities hold about them — its security is intrinsically linked to broader privacy protections. A breach or unauthorized access could expose individuals to identity theft, fraud, or misuse of personal information.
Who is Pieter van Oordt and what did he warn about?
Pieter van Oordt serves as the Chief Privacy Officer (Functionaris Gegevensbescherming) at Logius, the executive agency under the Dutch Ministry of the Interior and Kingdom Relations responsible for managing DigiD and other government IT systems. In this role, he is tasked with ensuring compliance with data protection laws, including the EU’s General Data Protection Regulation (GDPR), and advising on privacy risks associated with government data processing.
Van Oordt’s warning emerged after an internal Logius investigation, reportedly shared with the Ministry of the Interior in November 2024, concluded that the company managing the IT infrastructure for MijnOverheid — currently Solvinity — could access the personal data visible in the portal. He told NOS that if Kyndryl, a U.S.-based IT infrastructure provider spun off from IBM, completes its acquisition of Solvinity, the resulting entity would fall under U.S. Jurisdiction.
“I can say it simply: the United States could shut down DigiD for an extended period and issue secret information requests,” Van Oordt was quoted as saying in the Volkskrant, a claim reiterated in NOS coverage. He argued that even contractual safeguards or technical enhancements by Logius might not prevent U.S. Authorities from compelling data disclosure under laws such as the Clarifying Lawful Overseas Use of Data (CLOUD) Act or executive orders invoking national security.
His public remarks reportedly led to criticism within certain government circles, with sources indicating he faced pushback for speaking out — a situation described in Dutch media as being “neergesabeld,” or figuratively “cut down.” Despite this, Van Oordt maintained that his duty to protect citizens’ privacy required him to raise the issue publicly when internal channels failed to produce adequate reassurance.
What is the status of the Solvinity-Kyndryl deal?
As of the latest verified reports from April 2024, Kyndryl had announced its intention to acquire Solvinity, a major Dutch IT services provider specializing in public sector and healthcare clients. The deal, valued at several hundred million euros according to financial reports, would expand Kyndryl’s presence in Europe and strengthen its capabilities in managing critical government IT infrastructure.
Solvinity, headquartered in Utrecht, provides managed services, cloud solutions, and cybersecurity support to numerous Dutch government bodies, including Logius. It has been a long-term partner in maintaining the DigiD platform, which runs on its systems but within Dutch government-operated data centers.
The acquisition has triggered reviews by Dutch authorities, including Logius and the Ministry of the Interior, due to concerns about data protection, service continuity, and potential foreign influence. While the transaction remains subject to regulatory scrutiny, no official prohibition has been issued, and both companies have stated they are cooperating with reviews.
Neither Kyndryl nor Solvinity has commented directly on the specific privacy concerns raised by Van Oordt in public statements, though both have emphasized their commitment to compliance with European data protection standards and contractual obligations to government clients.
What are the implications for data privacy and national security?
The DigiD case underscores a growing dilemma for governments: how to leverage private-sector expertise in digital infrastructure without compromising control over sensitive citizen data. Unlike commercial services, government systems like DigiD handle information that is fundamental to civic participation — from voting rights to social benefits — making their integrity a matter of public trust.
Legal experts note that under U.S. Law, particularly the CLOUD Act of 2018, American authorities can compel U.S.-based companies to produce data stored on servers overseas if the company is under U.S. Jurisdiction. While the data would need to be relevant to a criminal investigation, critics argue the standards for access are lower than those required under European frameworks, and gag orders can prevent companies from informing users or governments about such requests.
While Logius has stated that DigiD data is stored in Dutch government data centers and that access controls are in place, the concern remains that the entity managing the infrastructure — if under foreign control — could be legally compelled to assist in data access, even if it cannot directly extract the data due to technical or contractual barriers.
Privacy advocates have called for greater transparency, urging the Dutch government to consider alternatives such as bringing critical IT functions back in-house or mandating stricter residency and ownership requirements for providers of essential public digital services. Some have suggested modeling such rules on those applied to critical energy or telecommunications infrastructure.
What happens next?
As of now, Logius continues its assessment of the potential risks associated with the Kyndryl-Solvinity transaction. No formal deadline for the review has been publicly announced, but officials have indicated that a decision will be based on whether the deal can be structured to meet Dutch security and privacy standards.
The Dutch House of Representatives (Tweede Kamer) has similarly expressed interest in the matter, with several members submitting written questions to the Minister of the Interior and Kingdom Relations about the safeguards in place and whether additional legislation is needed to prevent foreign control of critical digital infrastructure.
For citizens concerned about their data, official guidance remains available through Logius and the DigiD helpdesk at digid.nl/contact. Users are encouraged to monitor official channels for updates, though individual actions are limited given that DigiD is a mandatory system for accessing many government services.
This situation remains fluid, and any significant developments — including regulatory decisions, public statements from officials, or changes to the transaction structure — will be reported through verified government and news sources.
If you have questions about DigiD, data privacy, or digital public services in the Netherlands, consider sharing your thoughts or experiences in the comments below. Your input helps foster informed discussion on issues that affect us all.