In February 2026, the paper argued that dependency on foreign cloud infrastructure is not a theoretical risk but a structural one. That it would produce operational consequences. That the mechanism would be legal jurisdiction, not technical failure.
On April 16, the sitting Chief Privacy Officer of the Dutch government agency that operates DigiD said this, on the record:
“I cannot put it more simply: the U.S. can switch off DigiD for an extended period and issue secret information requests.”
That is Pieter van Oordt, Chief Privacy Officer at Logius — the agency responsible for the digital identity infrastructure used by 17 million Dutch citizens. Two million login sessions per day. One hundred million government letters per year through MijnOverheid. The system through which the Netherlands files taxes, accesses healthcare, and interacts with the state.
The kill switch is no longer a metaphor. It is a documented operational capability held by a foreign government over a European nation’s identity infrastructure.
What Happened
Kyndryl — a four-year-old IBM spin-off operating in 60 countries — is acquiring Solvinity, the Dutch hosting company that has provided DigiD’s infrastructure since 2020. The Dutch competition authority ACM approved the deal on 26 February 2026. A parallel national security review under the Vifo Act is ongoing, but the commercial process is moving forward.
The acquisition transfers operational control of the following systems to a US-headquartered company:
- DigiD — national digital identity for 17 million citizens
- MijnOverheid — the citizen portal handling 100 million letters annually
- Digipoort — the government data exchange system
- National Police IT infrastructure
- Public Prosecution Service systems
- AIVD private cloud — the Dutch intelligence service
- Amsterdam’s “sovereign cloud”
Read that list again. Then consider that every one of those systems now falls under the legal reach of the CLOUD Act and FISA — US laws that compel American companies to provide data to US authorities regardless of where it is stored, and regardless of the laws of the country where it is stored.
An internal Logius security assessment, shared with the Ministry of the Interior on 24 November 2025, concluded plainly:
“The platform cannot be technically sealed in such a way that the supplier would no longer be able to access data/personal information or influence availability.”
That assessment was not shared with parliament. Van Oordt escalated to the highest civil-service level. He was not granted access to the state secretary. He is now preparing legal action against the Dutch state.
Jurisdiction, Not Geography
Kyndryl’s defence is straightforward. Data remains in the Netherlands. Services continue to be provided within the EU. Access to data is only possible on EU territory. A European data guardian will be appointed. Dutch courts will have recourse.
None of that matters under the CLOUD Act.
The CLOUD Act grants the US government de facto root access to data held by US-controlled companies, regardless of where that data is physically stored. As one analyst put it: “Forget the physical location of the data center. That’s just a file system mount point. The real control lies at the kernel level, the legal entity that owns and operates the system. Location is irrelevant when jurisdiction is absolute.”
When a US federal agency issues a request under the CLOUD Act, a US company must comply. It cannot inform the data subject. It cannot inform the host government. It cannot seek a court order in the country where the data resides. Dutch contractual safeguards — however carefully drafted — cannot override federal law in the jurisdiction that controls the legal entity.
Van Oordt is unambiguous: “Additional measures are in all cases insufficient to prevent outages of DigiD and unlawful use.”
Sanctions Are the Sharper Weapon
The CLOUD Act enables secret data access. But experts who testified before the Dutch Digital Affairs Committee identified an even more immediate threat: US sanctions.
Lokke Moerel, professor of global ICT law at Tilburg University, told the committee: “It is the authority of the US, and the president himself, to issue sanctions against persons, organisations, countries in the interest of national security.”
Sanctions are not judicial. They require no court order, no legal process, no notification. The president acts unilaterally.
This is not hypothetical. There is precedent. Nine employees of the International Criminal Court are currently blocked from receiving American services under a Trump-era decree. Nine individuals — sanctioned not for criminal activity, but for the court’s investigation into actions by US service members.
Evelyn Austin, director of Bits of Freedom, connected the dots for the committee: “Those are only nine people. With DigiD, it could happen on the scale of an entire society.”
When asked whether this was a future concern or a present one, Austin replied: “I don’t know if it’s a sliding scale, because I think the crisis is already here. So, in that sense, we might already be somewhere at the bottom of the slide.”
A survey of over 28,000 respondents found that 87% of DigiD users would boycott the system if it were US-owned. Seventy-five percent said they could not manage government services without it. That gap — between the desire to refuse and the inability to function without it — is the definition of a dependency with no exit.
The Irony at the Centre
There is a detail in this story that resists belief.
Only months before the acquisition, Solvinity co-signed a public letter to the Dutch government cautioning against “te grote afhankelijkheid van grote buitenlandse (lees: Amerikaanse) cloudbedrijven” — too much dependence on large foreign (read: American) cloud companies.
They issued the warning. Then they became the vector for the very threat they described.
The competition authority approved the deal because competition law has no mechanism for jurisdictional risk. The ACM engaged seriously with the sovereignty arguments — a Taskforce ICT Continuity submitted evidence that CLOUD Act and FISA would become applicable post-acquisition — but drew a sharp legal line: sovereignty concerns, however legitimate, are not competition-law grounds to block a merger when the combined market share is below 15% and alternatives exist at re-tendering.
The alternatives exist. In theory. In practice, the switching costs for a national identity system are not measured in market share percentages but in years and political capital.
Amsterdam’s deputy mayor Alexander Scholtes revealed the structural trap: “You’re not allowed to steer on ownership or ownership structures. So you can look at requirements around knowledge to develop services in the field of digital autonomy. But my point is that with the current requirements, you can’t sufficiently steer towards digital autonomy.”
EU procurement rules actively prevent governments from choosing sovereignty. That is not a bug in the system. It is the system.
The Alternative That Already Exists
The technical counter-argument — that sovereign alternatives are immature, expensive, or years away — does not survive contact with the evidence.
A detailed architecture for a fully sovereign DigiD replacement has been published by Clouds of Europe. It uses open-source wallets (Yivi, NL-Wallet), open-source issuance components (walt.id, Credo), existing Dutch PKI infrastructure, and European cloud providers with security certifications — Scaleway, Fuga, or government data centres at ODC-Noord and Rijks DC.
Estimated cost: €4.5–11 million per year. Migration timeline: 24 months with parallel operation ensuring continuity.
Jeroen Wouda of Uniserver told the Digital Affairs Committee: “The knowledge, technology and expertise exist. Today, not tomorrow.”
The technology is ready. The open-source components are licensed. The European cloud providers are certified. The migration path is documented.
The only missing piece is political will.
What the Scorecard Says
The Great Return included thirty predictions about how Europe’s shift from cloud-first to local-first would manifest. Prediction 5.1 stated that geopolitical events would expose cloud dependency as an operational risk — not merely a theoretical sovereignty concern.
A sitting government privacy officer has now confirmed, with direct quotes, that a foreign government holds the ability to shut down a nation’s identity infrastructure and access the personal data of every citizen. An internal security assessment confirms the risk cannot be mitigated technically. Escalation to the highest levels of government produced no response. Legal action against the state is being prepared.
This is not a risk assessment. It is a status report.
Prediction 5.1 has moved from “projected” to “confirmed — exceeded.” The paper expected this class of event by 2027. It arrived in April 2026, documented by the people responsible for operating the system.
There is a pattern forming. In March, the European Commission’s AWS account was breached — 350 gigabytes taken from the institution that wrote the AI Act and enforces GDPR. Now the Netherlands faces the prospect of its entire digital identity system operating under American jurisdiction. These are not isolated incidents. They are the structural consequences of architectural decisions made years ago, coming due on a compressed timeline.
The paper’s argument was never that American companies are bad actors. It was that dependency creates leverage, and leverage will eventually be used. The CLOUD Act does not require bad intent. It requires compliance with US law by US-controlled entities. That compliance is automatic, silent, and non-negotiable.
The kill switch exists. The question now is whether it gets used — and whether Europe builds the infrastructure to make the question irrelevant before it has to find out.