Blog

Five lessons from the near-takeover of DigiD

The near-takeover of DigiD by an American party was one of the clearest lessons in digital sovereignty the public sector has had in years. A vital system used by millions to log in suddenly came into view for foreign control, through a supplier. The takeover was blocked, but the lesson remains. In this article we distil five concrete lessons that every public organisation can take away.

In short
  • Sovereignty lies in the supply chain, not just the system.
  • "Servers in the Netherlands" is no guarantee — jurisdiction counts (CLOUD Act).
  • Know the owner behind your supplier, and track acquisitions.
  • Arrange control and an exit up front, not in haste afterwards.
  • A safety net is not a strategy: build sovereignty in up front.

In brief: what happened

DigiD is the digital key with which more than 18 million Dutch citizens log in to government, healthcare and their pension fund. The technology beneath it does not run at the government itself, but at supplier Solvinity. When it emerged that Solvinity would be acquired by the American company Kyndryl, broad unrest followed — with a petition of nearly 200,000 signatures as a signal.

The government intervened and blocked the takeover under the investment-screening test; Logius stressed that "DigiD is and remains Dutch" and moved to a new tender under a stricter regime. Good news. But the fact that it could get this far is exactly what makes it worth studying. Here are the five lessons.

Lesson 1: Sovereignty lies in the supply chain, not just the system

The sting: DigiD itself remained in Dutch hands, but the supplier nearly did not. A system can be formally national, while the party that builds, hosts or manages it comes under foreign control. Digital sovereignty is only as strong as the weakest link in your supply chain.

The lesson is to look not only at your own systems, but at the whole chain beneath them. Who supplies, who hosts, who manages — and who owns them?

Lesson 2: "Servers in the Netherlands" is no guarantee

A common reassurance is that the data is stored in the Netherlands or the EU anyway. But the location of a server says little about jurisdiction. A company with a US parent falls under American legislation such as the CLOUD Act, even when the data physically sits here.

The lesson is to ask, for every supplier, not "where is my data" but "under which law does the party that can access it fall". That is a fundamentally different, and far more important, question.

Lesson 3: Know the owner behind your supplier

Many organisations know who their supplier is, but not who owns that supplier — or who could acquire it tomorrow. It is precisely that ownership structure that determines under which interests and which legislation your critical system ultimately falls.

The lesson is to actively track ownership and control, not only at the tender stage but throughout the contract. An acquisition changes the playing field, even if the service itself stays the same.

Lesson 4: Arrange control and an exit up front

When the unrest broke out, everything had to be arranged in haste: emergency plans, tests, a new tender. It worked, but under high pressure and with a lot of improvisation. It is far cheaper and calmer to set agreements down in advance.

The lesson is to include control, data portability and an exit scenario as standard in contracts with critical suppliers. Can you switch if you have to, without bringing your organisation to a halt? You want to know that answer before things go wrong, not after.

Lesson 5: A safety net is not a strategy

The case showed that the Netherlands is not powerless: the investment-screening test, a security analysis and an emergency plan together formed a safety net, and the takeover was blocked. Encouraging. But a safety net that only kicks in when things nearly go wrong is not a structural solution.

The lesson is that sovereignty must be built in up front, not rescued afterwards. Treat dependence on a single party as a risk you actively manage — not out of distrust of technology, but out of responsibility for what you protect.

What this means for your organisation

You do not have to manage DigiD to apply these lessons. Every municipality, public body and partnership runs on a chain of suppliers and cloud services. The question "what happens if this party is acquired?" belongs in every tender and every supplier contract.

Start small: map out which suppliers are critical, who owns them and which law they fall under, and record how you could switch. That is how you turn digital sovereignty from an empty slogan into a verifiable property of your organisation.

How to stay in control

The near-takeover of DigiD is a free lesson in how vulnerable — and how defensible — our digital sovereignty is. It is precisely at that intersection of information security, supplier management and public frameworks that we work as DWDA.

Want to know how sovereign your organisation really is? Take our free maturity scan and receive an immediate report with concrete next steps. Prefer to spar about a critical supplier or an ongoing tender? With our starter vouchers we deliver a first analysis for a fixed price, without long-term commitment. Feel free to get in touch and we will look together at where your biggest risks and opportunities lie.

The five lessons at a glance — feel free to share.
The five lessons at a glance — feel free to share.
TdW
Tom de WaardFounder · Interim CMO & digital transformation partner

Founder of DWDA and interim CMO. For over thirty years — since 1993 — Tom has helped organisations from SME to multinational with digital strategy, marketing and transformation. As the face of an award-winning digital case at Nutricia (Danone) he won several public awards, including the Customer Data Award and the LOVIE Awards. In recent years he has focused strongly on the public sector: he helps (semi-)government organisations, such as Sabewa Zeeland, modernise and make use of today's systems and techniques — with information security and compliance as the fundamental starting points. Tom translates strategy into execution, with AI and governance as the common thread.

More about the team → Connect on LinkedIn