The Solvinity Ban: Testing the Limits of Public Interest

The Dutch cabinet has prohibited the acquisition of Solvinity by the American company Kyndryl. The reasoning is classified. The legal basis is unclear. And none of the three most obvious grounds stand up self-evidently to closer analysis. The question then becomes: is this a victory for digital sovereignty, or an ad hoc decision that offers the illusion of control while leaving the underlying problem unaddressed?

Solvinity, Kyndryl and DigiD

First, the facts. Solvinity is not a telecom operator. It is a cloud infrastructure provider — bluntly put, a hoster — which, among other things, supplies the infrastructure platform on which DigiD^[1] runs, hosted in a government data centre. DigiD itself is managed by Logius, part of the Ministry of the Interior and Kingdom Relations. Solvinity therefore delivers the underlying infrastructure but does not manage the application. In addition, Solvinity hosts "Berichtenbox," the official digital mailbox within "MijnOverheid" (the Dutch government's citizen portal), and provides services to the Ministry of Justice and Security.

Kyndryl, spun off from IBM in 2021 as an independent listed company, describes itself as the world's largest IT infrastructure services provider, with 73,000 employees, fifteen billion dollars in revenue, and clients in more than sixty countries, including three quarters of the Fortune 100. In terms of revenue, that is roughly three times the size of KPN. The company intended to acquire Solvinity outright — buying its shares and continuing to operate it as a subsidiary.

The proposed acquisition led to public uproar: citizens and prominent figures filed summary proceedings to block the DigiD contract with Solvinity, and the House of Representatives adopted, by 141 votes, a motion against renewal if the takeover went ahead. There were also calls to bring DigiD in-house at Logius. The court rejected the claims — termination would jeopardise the functioning of DigiD.

The takeover has nonetheless been blocked — through the relatively obscure route of a negative recommendation from the Investment Screening Bureau (Bureau Toetsing Investeringen, BTI). Anyone wishing to acquire a controlling interest in a party that plays an important role in Dutch telecommunications infrastructure must notify this body in advance. The BTI then examines whether the acquisition poses a risk to the public interest. The legal basis is Chapter 14a of the Telecommunications Act, better known as the Undesirable Control in Telecommunications Act (WOZT, Wet ongewenste zeggenschap telecommunicatie). The name is misleading: the Act reaches further than classic telecom. The WOZT introduces the concept of "telecommunications party," which according to the Explanatory Memorandum covers a broad circle of parties that play an important role in the functioning of telephony and internet in the Netherlands, including hosting services, internet exchanges, trust services and data centres. As a hoster, Solvinity falls within that definition.

The European corridor

The WOZT permits the minister to impose a ban on an acquisition if obtaining control "may lead to a threat to the public interest." State Secretary Aerdts' letter to Parliament does no more than refer to that. No further explanation, no specification of which public interest is precisely threatened, no substantiation as to why. Not legally required, but frustrating nonetheless.

"Public interest" sounds like a broad concept that the minister can fill in at her own discretion. It is not.

The European Union is built on four fundamental freedoms: the free movement of goods, persons, services and capital. A ban on an acquisition restricts at least the first two. That is permitted, but only if the restriction is justified by public order, public security, or essential state security interests. Those are the only permitted grounds. Economic interests ("we want this company to remain in Dutch hands") do not qualify. Nor does industrial policy.

The legislator was aware of this. Article 14a.1 of the Telecommunications Act links "public interest" to those European concepts: public order and security within the meaning of Articles 45, 52 and 65 TFEU, and essential state security within the meaning of Article 346 TFEU. The Explanatory Memorandum explicitly acknowledges that the ban constitutes an obstacle to free movement and must withstand the European test.

But what then constitutes a valid public security ground? The Court of Justice has produced forty years of case law on this. The bar lies considerably higher than the political debate around Solvinity would suggest.

The Luxembourg bar

In 1984 the Court accepted that petroleum products are vital enough to justify restrictions — not only the economy but "the institutions, essential public services and even the survival of its inhabitants" depend on them (Campus Oil, C-72/83). In 2002 it struck down broad state veto powers in privatisations in France and Portugal, but upheld limited Belgian golden shares in two energy companies — precisely because these were objectively defined and proportionate.

The synthesis came in 2023 with Xella Magyarország (C-106/22), on modern FDI screening. The Court formulated four requirements. The restriction must be based on a genuine and sufficiently serious threat to a fundamental interest of society — real, sufficiently serious, directed at a fundamental interest. It must rest on precise, pre-known criteria. It must be open to judicial review. And the objective pursued must not be attainable through less intrusive measures.

The Court applied that test to the Hungarian blockade of an acquisition of a sand-extraction company and struck it down: regional security of supply of construction materials is not a fundamental interest of society. DigiD is of course a different story. But the criterion sets requirements for every ban — including this one.

Three plausible grounds, and why none is simple

The reasoning is not public. The letter to Parliament only says that the BTI has identified "a risk to the public interest." Parliament will receive a confidential briefing. Parliamentary questions have been submitted, but the chance that the reasoning will be made public is small — the WOZT only prescribes publication of the fact that there is a ban, not of the substantiation, and the BTI works confidentially.

The WOZT contains in Article 14a.4 paragraph 2 an exhaustive list of grounds. Three are plausible. First, however, a legal-technical point: the WOZT has been further elaborated in the Decree on Undesirable Control in Telecommunications, which establishes objectively measurable thresholds: internet access or telephony to more than 100,000 end users, data centre services with more than 50 MW of power capacity, hosting of more than 400,000 .nl domain names, or provision of services to the intelligence services, Defence, NCTV or National Police. Neither Solvinity nor DigiD clearly meets any of these criteria. I will simply assume the BTI has scrutinised this carefully.

American jurisdiction as a threat ground

The most frequently heard argument is structural and comes in two variants. The Americans will thus gain power over DigiD, with their strict unilateral legislation. American ambassador Popolo has acknowledged in a reaction that there are "legitimate security concerns" surrounding the acquisition, suggesting he too is thinking along these lines. The WOZT calls this an "undesirable person or state" (Art. 14a.4 paragraph 2 point a) "for which there are grounds to suspect that it has the intention to influence a telecommunications party in order to enable misuse or deliberate outage."

The first such ground of influence is the CLOUD Act: American legislation obliges American companies to cooperate with data demands, including for data held outside the US. Kyndryl as the American parent company would bring Solvinity under that jurisdiction. The risk: covert access to DigiD data. This touches on paragraph 3 point a: misuse in the form of unlawful infringement of the confidentiality of communications.

The second variant concerns sanctions orders. A sanctions order from the US President can compel an American company to cease all services to a sanctioned party. That is not a hypothetical scenario. The Trump administration has imposed economic sanctions on the prosecutor of the International Criminal Court in The Hague — later extended to judges and prosecutors — and visa restrictions on former European Commissioner Thierry Breton and four others for their role in the Digital Services Act.

In the same context, Microsoft has provided to the US Congress the names of Dutch civil servants working on implementation of the DSA. So far without visible consequences for these individuals, but the signal is clear. If Trump puts the Dutch government, a ministry or an agency on a sanctions list, Kyndryl is legally obliged to cease its services. The result is a deliberate outage of DigiD — not desired by Kyndryl, but legally unavoidable through the ownership relationship.

The sanctions argument has two advantages over the CLOUD Act argument. It is more concrete: there is a documented pattern of use against European institutions and individuals, whereas the CLOUD Act is an abstract competence. And the gag-order problem falls away: sanctions are public, so the threat is falsifiable — exactly what the CLOUD Act argument lacked.

But both variants share the same fundamental problem: they are generic. The CLOUD Act applies to every American company. So do sanctions obligations. Not only to Kyndryl, but equally to Microsoft, Amazon, Google, IBM and Accenture. Companies that are currently providing government services throughout Europe. Kyndryl itself is currently rebuilding the entire IT infrastructure of the Ministry of Defence. You cannot maintain that a company is trustworthy enough for Defence but too dangerous for DigiD.

And the inconsistency is broader than Defence. The central government runs on Microsoft 365, Azure and Teams for tens of thousands of civil servants. Municipalities also use the Microsoft environment on a massive scale, as do many other government and semi-government organisations. The Court demands a genuine and sufficiently serious threat. A legal regime that attaches to an entire category of companies cannot be an unacceptable risk in one case and a manageable point of attention in another.

On top of this comes the legal-technical argument that the criteria in Article 14a.4 paragraph 3, as elaborated in the Decree on Undesirable Control in Telecommunications, all concern internet access, telephony and very large data centres. I have great difficulty fitting Solvinity or the DigiD service under those criteria.

The letter to Parliament makes the striking statement that the Netherlands "attaches great value to the presence of foreign, including explicitly American, technology companies." Radboud University legal scholar Evert-Jan Breukink, co-author of a handbook on the WOZT, infers from this that "the reason for concern probably lies at the level of Kyndryl itself."

Kyndryl's financial situation

On 9 February 2026 — in the middle of the BTI investigation — Kyndryl disclosed that it could not file its quarterly report. The audit committee was investigating cash management practices and internal controls. The SEC opened an enforcement investigation. On the same day, the CFO, the General Counsel and the Controller left. The share price lost 55%. PricewaterhouseCoopers' audit opinion was withdrawn. Among the weaknesses identified: "tone at the top.”

This provides a hook in Article 14a.4 paragraph 2 sub c: a ban is justified if the acquirer "has such a track record that this significantly increases the risk" that the consequences listed in paragraph 3 occur. The argument is specific (it applies only to Kyndryl), concrete (verifiable via SEC filings) and current. Exactly the kind of individual circumstance that the Xella test requires.

Strategically it is plausible that the BTI chose this ground. A ban based on governance grounds avoids the principled sovereignty debate that a CLOUD Act ban would provoke. It does not create a precedent that blocks every future American acquisition. And it does not put the Netherlands on a collision course with Washington or Brussels.

But the ground has a logical gap. The consequences in paragraph 3 are triggered by "misuse or deliberate outage." Financial mismanagement increases the risk of unintended outage — insolvency, underinvestment, organisational failure — but not of deliberate misuse. A company that does not have its accounting in order is not for that reason inclined to deliberately sabotage DigiD.

Does mismanagement make them more vulnerable to the CLOUD Act or sanctions orders? No. The CLOUD Act is a legal obligation, not a request that you resist by being financially healthy. Microsoft is legally just as obliged to comply with a CLOUD Act warrant as Kyndryl in dire straits. At most, there is more willingness and capacity at Microsoft to challenge such an order than at a struggling, leaderless company. But that really is too thin.

Mismanagement as an espionage risk

A risk I do see some merit in, and which is Kyndryl-specific: mismanagement makes you more vulnerable to espionage.

A company with material weaknesses in internal controls, a "tone at the top" problem, and a CFO, General Counsel and Controller who have left, is a company where employees are easier to bribe, where firewalls are less consistently maintained, where access rights are less strictly managed, where anomalies in data traffic are noticed less quickly. Not by the American government via the CLOUD Act, but by any intelligence service that takes an interest in the data of millions of Dutch citizens. China, Russia, or whoever. Or, for that matter, also the NSA or FBI: a poorly secured router is less hassle than a CLOUD Act warrant with an accompanying gag order.

The Rotterdam District Court has essentially already validated this reasoning. In 2023, it reviewed the ban on Huawei and ZTE equipment in critical network components of T-Mobile (now Odido), imposed via the Telecommunications Security and Integrity Decree (Bvit). The language of Article 2(2) Bvit is almost identical to that of Article 14a.4 paragraph 2 sub a WOZT — both speak of a state, entity or person of which it is known or for which there are grounds to suspect that it has the intention to misuse or cause the outage of [a network/service]. The court accepted that Chinese intelligence legislation requiring Huawei to cooperate with espionage (Art. 7 National Intelligence Act 2017), combined with the country's "offensive cyber programme targeting the Netherlands," constitutes a concrete and non-mitigable security risk.

The parallel is not exact — the Huawei ban targeted products in the network, not ownership, and ran via a different law. But the principle stands: third-country legislation that compels cooperation with intelligence services is a recognised security risk under Dutch telecommunications law.

For Kyndryl, the argument then runs as follows. The governance problems increase the broader risk that the infrastructure is vulnerable to misuse by third parties, because internal controls fail. Under paragraph 2 sub c, the BTI then does not need to argue that Kyndryl itself will misuse DigiD, but that Kyndryl's track record increases the risk that the infrastructure it manages will be misused — by whoever.

It is the strongest of the three arguments. But it stretches the wording of the law. Article 14a.4 paragraph 3 speaks of "misuse or deliberate outage of the telecommunications party." Grammatically, the telecommunications party is the object — it concerns misuse of Solvinity, not by Solvinity. That leaves room: the consequences in paragraph 3 sub a ("unlawful infringement of the confidentiality of communications") do not presuppose that the owner itself commits the infringement. They describe the result. If mismanagement by the owner (whether by China, the US itself, or whoever) increases the chance that third parties bring about that result through espionage or sabotage, sub c is in principle applicable.

And now

Kyndryl can lodge an objection and subsequently appeal to the Rotterdam District Court, with further appeal to the Trade and Industry Appeals Tribunal (CBb). The question is whether they will do so. If the decision rests on the governance problems, Kyndryl is cornered: challenging it requires publicly disputing the seriousness of precisely those problems that in the US are the subject of a securities class action and an SEC investigation. The fact that an earlier ban under the Vifo Act was converted into conditional approval following objection shows that the instrument is not unassailable, but that case presumably did not involve a company with comparable internal turmoil.

If proceedings are pursued, the case is potentially landmark. As a court of last instance, the CBb is in principle obliged to refer preliminary questions to the Court of Justice. Solvinity/Kyndryl would then become the first case in which the Court rules on national investment blockades in digital infrastructure.

The real problem

The Solvinity ban is understandable. It is also legally vulnerable — regardless of which ground the BTI has chosen.

The WOZT is written for scenarios in which a sanctioned entity or an identifiable instrument of a state acquires control over telecommunications infrastructure. Not for a jurisdictional conflict inherent in the American legal system that applies to every American company. Not for a governance crisis at a specific acquiring party. And certainly not for the broader question that is actually at stake: how do you organise the digital sovereignty of a continent that has outsourced its government infrastructure to companies subject to the laws of third countries?

That question is not answered with an ad hoc takeover ban. It is answered with a framework that sets requirements for every company that manages European government infrastructure, regardless of nationality. The revised EU FDI Screening Regulation is a step in that direction, but it is not yet in force.

Until then, the Netherlands is left with a decision whose legal sustainability depends on a reasoning that no one (yet) can see. The reflex to applaud that decision as a sovereignty win is understandable. But a takeover ban that fails in court delivers the opposite of sovereignty: it proves that we cannot get it right legally. It is high time for a law that does.

[1] DigiD (Digitale Identiteit) is the Dutch government's official online login system, used by citizens and residents to securely access government, healthcare, and education services in the Netherlands.