11JUN

Dutch block first US cloud takeover

4 min read

09:17UTC

Dutch minister Willemijn Aerdts prohibited Kyndryl's EUR 100m purchase of Solvinity on 26 May, the first US deal ever blocked under Dutch investment screening, because the firm hosts the country's national digital-identity system.

← Back to IRGC declares Hormuz shut; US strikes again Jump to analysis ↓

ConflictDeveloping

Key takeaway

The Netherlands blocked a US cloud takeover with existing screening law, achieving CAIDA's aim before CAIDA exists.

Dutch minister Willemijn Aerdts prohibited Kyndryl's EUR 100m acquisition of cloud provider Solvinity on Tuesday 26 May, citing risk to the public interest ¹. Kyndryl is a US-listed IT infrastructure firm spun out of IBM; Solvinity is a Dutch provider that hosts DigiD, the national digital-identity system citizens use for tax, healthcare and pensions, along with the MijnOverheid government portal. The decision is the first US deal ever blocked under the Dutch Investment Screening Bureau, the body that reviews foreign investments for national-security and public-interest risk.

The ground was the US CLOUD Act, the 2018 statute (the Clarifying Lawful Overseas Use of Data Act) that lets American authorities compel US-linked companies to disclose data held anywhere in the world. That is the precise argument underpinning CAIDA's public-sector restrictions . The Dutch competition authority ACM (the Authority for Consumers and Markets) had cleared the deal on antitrust grounds in February; investment screening ran on a separate track and reached the opposite conclusion. A Kyndryl spokesperson said the firm was "extremely disappointed" ².

The split outcome shows two regimes testing different questions. Competition law asks whether a deal harms the market; investment screening asks whether foreign control harms the state. The CLOUD Act argument only bites on the second. While CAIDA waited for a College vote , The Hague reached for screening law it already held and reached the result the flagship regulation is still trying to mandate. The precedent is now citable by every member state, including the Berlin government using College silence to blunt the Brussels version.

Deep Analysis

In plain English

Kyndryl is an American IT company that spun out of IBM. It tried to buy Solvinity, a Dutch cloud company that runs the digital-identity system every Dutch person uses to log into government websites for their taxes, doctor and pension. The Dutch government stepped in and said no. The reason was a US law called the CLOUD Act, which lets American authorities demand access to data held by US-owned companies anywhere in the world, including in Europe. The Dutch government decided that having an American firm in control of their national ID system created too much legal risk, even though competition regulators had already approved the deal on separate grounds.

Deep Analysis

Root Causes

GDPR and the US CLOUD Act operate on different jurisdictions with no conflict-of-laws resolution between them. EU data-protection law (GDPR) governs how data may be processed in Europe; the US CLOUD Act governs what American authorities may demand from US-owned processors. These two regimes have no conflict-of-laws resolution mechanism.

A US company operating under both simultaneously cannot fully comply with both when they conflict. The Dutch screening bureau concluded that this structural irresolvability, not any misconduct by Kyndryl, made the public-interest risk unacceptable for national digital-identity infrastructure.

A secondary driver is that DigiD's architecture concentrates access to virtually all Dutch state-to-citizen interactions in a single platform. Tax, healthcare, pensions and government portals share the same credential system. Fragmentation across separate systems would reduce the blast radius of any compelled disclosure, but the Netherlands built efficiency and the current vulnerability in the same architectural choice.

What could happen next?

Precedent
The ruling is the first successful use of EU member-state investment screening to block a US cloud acquisition on CLOUD Act grounds, setting a replicable template across 27 member states.
Medium term · Assessed
Risk
US trade officials may classify member-state investment screens on CLOUD Act grounds as non-tariff barriers, adding them to the Section 301 dossier already covering DMA cloud probes.
Short term · Reported
Consequence
European digital-identity infrastructure consolidation via US acquirers is now legally exposed in any member state with an investment screening mechanism modelled on the Dutch bureau.
Long term · Assessed

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: Germany's 2018-2019 review of Huawei's role in 5G core networks traced the same structural logic: a foreign firm's domestic law obligated it to a government whose interests diverged from Germany's, regardless of the firm's own conduct or intentions.

The BNetzA process took 18 months and eventually excluded Huawei from core network functions. The Dutch decision applies an identical structural test (foreign-law compulsion risk) to cloud infrastructure, and did so in a single screening cycle rather than a multi-year standards process.

Counter-parallel: The UK's 2021 Arm/Nvidia review produced a different outcome under a structurally similar question: can a US acquirer of British critical semiconductor IP be bound by contractual ring-fencing? The CMA ultimately blocked the deal on competition grounds, not national-security grounds, suggesting ring-fencing concessions are insufficient in high-dependency infrastructure but that the legal route chosen matters for precedent value.

Kyndryl paid EUR 100m for Solvinity; the block extinguishes that deal but does not require Kyndryl to divest existing Netherlands revenue. Kyndryl's direct loss covers the EUR 100m acquisition premium plus anticipated synergy revenue from Solvinity's managed-services contracts.

Any US cloud or managed-infrastructure acquirer in Europe must now price Dutch-style screening risk into deal valuations, a cost not visible in the EUR 100m Kyndryl figure itself. Any US cloud or managed-infrastructure acquirer in Europe must now price Dutch-style screening risk into deal valuations, particularly where the target holds authentication, healthcare or payment infrastructure.

The Mistral-Emmi acquisition faces no equivalent risk precisely because Mistral is French-incorporated; the distinction is origin of legal jurisdiction, not product category.

Consensus view: Leiden University professor Tineke Strik, who co-authored the European Parliament's CLOUD Act impact report, and Amsterdam-based think tank Rathenau Instituut both assess that the Dutch decision formalises what the US Foreign Intelligence Surveillance Act and CLOUD Act already impose structurally: any cloud service operated by a US-headquartered firm is legally a vector for state access, regardless of where the servers sit.

Counter-view: Heritage Foundation technology analyst Klon Kitchen argues that EU investment-screening bodies are repurposing national-security tools to achieve industrial-policy goals that competition law cannot, and that the Dutch decision signals protectionism rather than proportionate risk management. Kitchen notes Kyndryl operates no intelligence function and had offered contractual segregation of DigiD infrastructure.

Key tension: Whether CLOUD Act exposure constitutes a proportionate public-interest ground for investment screening under EU law, or whether it sets a precedent that would block any US-headquartered acquirer of European critical infrastructure indefinitely.

First Reported In

Update #7 · Sovereignty arrives, minus Brussels

The Next Web· 3 Jun 2026

Read original →

Causes and effects

Caused by

CAIDA due before College, scope cut

The Netherlands blocking action demonstrates that member states already hold the sovereignty tool CAIDA is legislating, applied independently of the Brussels timetable.

Occurred 3 Jun 2026

Read story →

This Event

Dutch block first US cloud takeover

A member state used national screening law to do what CAIDA is still waiting to legislate, proving the sovereignty tool already exists outside Brussels.

Different Perspectives

Oil markets / Lloyd's underwriters

Futures markets priced CENTCOM's strikes-complete statement as a de-escalation signal and pushed Brent down 1.7 per cent to $94.71, even as the IRGC declared Hormuz closed. Lloyd's war-risk premiums held elevated because institutional de-listing requires a UN Security Council resolution that Russia and China have just shown they will block.

Pakistan (mediator)

Interior minister Mohsin Naqvi carried dual civilian and military letters to Mojtaba Khamenei in Tehran on 6-7 June with no public response. The IRGC's Hormuz closure on 11 June shows the corps is acting independently of the channel Pakistan is using, making the mediation structurally unable to produce a binding commitment without direct IRGC access.

Russia and China

Russia and China voted against GOV/2026/40 at the IAEA Board, following through on the blocking position coordinated with Grossi in Geneva on 5 June; both states continue to oppose Western institutional pressure on Iran at every multilateral venue.

E3 and IAEA (UK, France, Germany)

The E3 co-sponsored IAEA resolution GOV/2026/40, adopted 21-3-10 on 10 June, demanding Iran disclose 440.9 kg of unaccounted HEU and admit inspectors to four denied facilities. The 10 abstentions and Russia-China noes leave any Security Council referral without a viable enforcement path.

IRGC / Iran military command

The corps declared Hormuz closed to all traffic on 11 June and claimed two vessels struck, overriding the MoU its own civilian negotiators were pursuing through Pakistan. The closure order used the Persian Gulf Strait Authority apparatus to convert a toll mechanism into a military prohibition.

Trump administration / CENTCOM

CENTCOM completed a second day of strikes on Tehran, Sirik and Minab, rejected the IRGC Hormuz closure as inconsistent with observed transit, and said strikes were complete. Hegseth framed the bombing explicitly as the negotiation: the method is coercive deal-making with no stated pause threshold.