Skip to content
Briefings are running a touch slower this week while we rebuild the foundations.See roadmap
Iran Conflict 2026
19APR

Dutch block first US cloud takeover

4 min read
11:05UTC

Dutch minister Willemijn Aerdts prohibited Kyndryl's EUR 100m purchase of Solvinity on 26 May, the first US deal ever blocked under Dutch investment screening, because the firm hosts the country's national digital-identity system.

← Back to Russia yes, Iran no: Treasury signs only one waiverJump to analysis ↓
ConflictDeveloping
Key takeaway

The Netherlands blocked a US cloud takeover with existing screening law, achieving CAIDA's aim before CAIDA exists.

Dutch minister Willemijn Aerdts prohibited Kyndryl's EUR 100m acquisition of cloud provider Solvinity on Tuesday 26 May, citing risk to the public interest 1. Kyndryl is a US-listed IT infrastructure firm spun out of IBM; Solvinity is a Dutch provider that hosts DigiD, the national digital-identity system citizens use for tax, healthcare and pensions, along with the MijnOverheid government portal. The decision is the first US deal ever blocked under the Dutch Investment Screening Bureau, the body that reviews foreign investments for national-security and public-interest risk.

The ground was the US CLOUD Act, the 2018 statute (the Clarifying Lawful Overseas Use of Data Act) that lets American authorities compel US-linked companies to disclose data held anywhere in the world. That is the precise argument underpinning CAIDA's public-sector restrictions . The Dutch competition authority ACM (the Authority for Consumers and Markets) had cleared the deal on antitrust grounds in February; investment screening ran on a separate track and reached the opposite conclusion. A Kyndryl spokesperson said the firm was "extremely disappointed" 2.

The split outcome shows two regimes testing different questions. Competition law asks whether a deal harms the market; investment screening asks whether foreign control harms the state. The CLOUD Act argument only bites on the second. While CAIDA waited for a College vote , The Hague reached for screening law it already held and reached the result the flagship regulation is still trying to mandate. The precedent is now citable by every member state, including the Berlin government using College silence to blunt the Brussels version.

Deep Analysis

In plain English

Kyndryl is an American IT company that spun out of IBM. It tried to buy Solvinity, a Dutch cloud company that runs the digital-identity system every Dutch person uses to log into government websites for their taxes, doctor and pension. The Dutch government stepped in and said no. The reason was a US law called the CLOUD Act, which lets American authorities demand access to data held by US-owned companies anywhere in the world, including in Europe. The Dutch government decided that having an American firm in control of their national ID system created too much legal risk, even though competition regulators had already approved the deal on separate grounds.

Deep Analysis
Root Causes

GDPR and the US CLOUD Act operate on different jurisdictions with no conflict-of-laws resolution between them. EU data-protection law (GDPR) governs how data may be processed in Europe; the US CLOUD Act governs what American authorities may demand from US-owned processors. These two regimes have no conflict-of-laws resolution mechanism.

A US company operating under both simultaneously cannot fully comply with both when they conflict. The Dutch screening bureau concluded that this structural irresolvability, not any misconduct by Kyndryl, made the public-interest risk unacceptable for national digital-identity infrastructure.

A secondary driver is that DigiD's architecture concentrates access to virtually all Dutch state-to-citizen interactions in a single platform. Tax, healthcare, pensions and government portals share the same credential system. Fragmentation across separate systems would reduce the blast radius of any compelled disclosure, but the Netherlands built efficiency and the current vulnerability in the same architectural choice.

What could happen next?
  • Precedent

    The ruling is the first successful use of EU member-state investment screening to block a US cloud acquisition on CLOUD Act grounds, setting a replicable template across 27 member states.

    Medium term · Assessed
  • Risk

    US trade officials may classify member-state investment screens on CLOUD Act grounds as non-tariff barriers, adding them to the Section 301 dossier already covering DMA cloud probes.

    Short term · Reported
  • Consequence

    European digital-identity infrastructure consolidation via US acquirers is now legally exposed in any member state with an investment screening mechanism modelled on the Dutch bureau.

    Long term · Assessed
Sources:The Next Web
Mentions:DG DIGIT →CLOUD Act →Amsterdam →Huawei →Germany →European Parliament →Brussels →Parliament →Heritage Foundation →Nvidia →Berlin →Willemijn Aerdts →Netherlands →Kyndryl →Solvinity →Dutch Investment Screening Bureau →Authority for Consumers and Markets (ACM) →MijnOverheid →The Hague →
First Reported In

Update #7 · Sovereignty arrives, minus Brussels

The Next Web· 3 Jun 2026
Read original
Causes and effects
Caused by
CAIDA due before College, scope cut
The Netherlands blocking action demonstrates that member states already hold the sovereignty tool CAIDA is legislating, applied independently of the Brussels timetable.
Occurred 3 Jun 2026
Read story →
This Event
Dutch block first US cloud takeover
A member state used national screening law to do what CAIDA is still waiting to legislate, proving the sovereignty tool already exists outside Brussels.
Different Perspectives
Israel
Israel
IDF Chief Eyal Zamir declared on 3 June there was no ceasefire for his forces, and strikes killed at least 10 civilians and one Israeli soldier on 4 June. The IDF killed Hezbollah's chief engineer and warned three south Lebanon villages to evacuate on 5 June, advancing into ground the unsigned Washington framework has not caught.
Hezbollah / Lebanon
Hezbollah / Lebanon
Naim Qassem rejected the Washington Lebanon framework on 4 June as "absurd, humiliating and insulting", blocking a ceasefire instrument that required Hezbollah to withdraw north of the Litani before any Israeli withdrawal. Over one million Lebanese remain displaced; the framework's collapse prolongs that toll.
Iran
Iran
Foreign Minister Araghchi publicly coupled the Lebanon ceasefire to the Iran-US nuclear track on 4 June, carrying IRGC authority rather than his own civilian mandate. The IRGC delegation has sent no HEU counter-proposal since Araghchi confirmed no progress that same day; Mojtaba Khamenei's 21 May order to keep the 440.9 kg stockpile inside Iran remains operative.
United States
United States
Rubio placed the Iran-US deal at 95 per cent complete on 4 June while the administration signed no Iran instrument and OFAC designated only Cuban targets. Trump separately disclosed and rejected an airlift plan to collect Iran's HEU stockpile, claiming the material is "entombed", a claim the IAEA cannot verify.
China
China
Beijing's MOFCOM Blocking Rules constrain OFAC enforcement on the mainland; China has not corroborated Trump's verbal account of any bilateral summit, and the rial's failure to hold its Rubio bounce, combined with the IRGC's stablecoin rail closure, increases Chinese yuan-denominated oil-payment exposure through Hormuz.
Bahrain
Bahrain
The IRGC struck Bahrain on 3 June as its sirens sounded and its PAC-3 magazine neared exhaustion; excluded from Rubio's 2 May emergency resupply, Bahrain received a 50-round Federal Register notice on 1 June on an 18-month delivery timeline, meaning it is defending the US Fifth Fleet headquarters on the last rounds it has.