When Cloud Becomes Critical Infrastructure: Why the Solvinity–Kyndryl Block Matters

The Dutch government blocked Kyndryl's acquisition of Solvinity. Why DigiD, digital sovereignty, and supplier ownership now belong in the same conversation as cybersecurity.

Cloud used to be a technical decision. Pick a provider, move the workloads, reduce the server room noise, and enjoy fewer mysterious blinking lights in a cupboard nobody wanted to maintain.

That version of cloud is over.

Today, cloud infrastructure is not just where applications run. It is where citizens identify themselves, where governments deliver services, where healthcare systems exchange data, where financial platforms operate, and where national resilience quietly depends on a chain of suppliers most people never hear about until something goes wrong.

That is why the Dutch government's decision to block the sale of Solvinity to the American IT services company Kyndryl matters. This was not just another acquisition in the managed-services market. It became a symbolic case in the Dutch debate around digital sovereignty, critical infrastructure, and dependency on foreign technology providers.

In plain English: this was not about who runs “some servers.” It was about who controls infrastructure that supports services Dutch citizens depend on.

What happened?

Solvinity is a Dutch cloud and managed-services provider with a role in hosting infrastructure connected to Dutch government services, including systems linked to DigiD. DigiD is the digital identity system millions of Dutch citizens use to access government and public-service portals. That immediately moves the discussion out of ordinary IT procurement and into national security territory.

Kyndryl, a U.S.-based IT services company, wanted to acquire Solvinity. The deal had already drawn political attention because ownership of a strategically important Dutch supplier would move under American control. After review by the Dutch investment-screening authorities, the government blocked the acquisition on public-interest grounds.

The key point is that the concern was not primarily competition. Competition regulators may look at whether a deal harms market dynamics, pricing, or customer choice. This case was about something different: security, dependency, jurisdiction, and control.

Or, less politely: who gets to sit close to the digital keys of the kingdom?

Why DigiD changes the conversation

DigiD is not just another login system. It is one of the digital front doors to the Dutch state. Citizens use it to access tax information, healthcare-related services, benefits, pensions, municipal services, and other public platforms. If the infrastructure behind such a service becomes unavailable, compromised, or subject to unwanted external pressure, the impact is not limited to one company's operations.

It becomes a public problem.

That is why infrastructure around digital identity deserves a different level of scrutiny. A normal cloud workload can often be moved, isolated, redesigned, or replaced. A national identity access layer is more sensitive. It touches trust, continuity, privacy, and government legitimacy.

When people cannot access essential services, they do not blame an architecture diagram. They blame the government. Fairly or not, nobody wants to hear that “the dependency chain was complicated” while trying to arrange healthcare, taxes, or benefits.

The sovereignty issue

The debate around Solvinity and Kyndryl is part of a much bigger question: how much control should European countries retain over critical digital infrastructure?

Digital sovereignty does not mean rejecting foreign suppliers. That would be unrealistic, expensive, and in many cases technically silly. Modern IT depends on global technology ecosystems. The issue is not whether foreign technology can be used. The issue is whether critical services remain controllable, auditable, legally protected, and resilient when geopolitical pressure increases.

This is where U.S. ownership became politically sensitive. Lawmakers and public-interest groups worried that a U.S.-owned operator of sensitive Dutch government infrastructure could become exposed to American legal frameworks, intelligence demands, sanctions pressure, or strategic geopolitical interests.

That does not mean Kyndryl did anything wrong. It means the risk model changed because ownership matters. Jurisdiction matters. Legal exposure matters. Operational control matters.

Cloud does not float above politics. It lives in data centres, contracts, laws, ownership structures, support models, and escalation paths. Very practical. Slightly less fluffy than the word “cloud” suggests.

Why this is a cybersecurity issue

At first glance, this may look like a political or legal story. It is also very much a cybersecurity story.

Cybersecurity is not only about firewalls, malware, phishing, and endpoint agents silently demanding updates at the worst possible time. It is about protecting confidentiality, integrity, availability, and control. A supplier that hosts critical infrastructure becomes part of the security boundary. If that supplier changes ownership, the risk profile changes.

The same technical system can become more sensitive because the governance around it changes. Who can access the environment? Who manages incidents? Who controls support tooling? Where are logs stored? Which jurisdictions apply? Can administrators outside the country be compelled to assist a foreign authority? What happens during a geopolitical dispute? Who has the power to interrupt service?

These are not paranoid questions. They are governance questions. And for critical national infrastructure, governance is security.

The bigger lesson for business owners

This case is not only relevant to governments. Business owners should pay attention because the same pattern applies at a smaller scale.

Many organisations have moved critical operations into cloud platforms, SaaS systems, managed-service contracts, identity providers, backup platforms, and outsourced security tooling. That is normal. It can be smart. It can also create dependencies that are poorly understood until an audit, incident, acquisition, outage, or regulatory question exposes them.

The Solvinity case is a useful reminder that “outsourced” does not mean “risk transferred.” If a supplier operates something essential for your business, their ownership, jurisdiction, resilience, and access model matter.

A practical supplier review should include more than uptime and pricing. It should ask where data is stored, who can access it, how support is delivered, what laws apply, how incidents are handled, whether subcontractors are involved, what happens if ownership changes, and how easily the service can be replaced or migrated.

Not glamorous. Very useful. The clever kind of boring.

Sovereignty is not anti-cloud

One mistake in this debate is treating sovereignty as if it means going backwards. It does not. Sovereignty is not the opposite of cloud. It is a requirement for using cloud responsibly in sensitive environments.

The right question is not “cloud or no cloud?” The right question is “which workloads need stronger control, and what does that control actually require?”

Some workloads are perfectly fine on standard public cloud services. Others need stricter data residency, local operations, customer-controlled encryption keys, isolated support models, contractual safeguards, or sovereign cloud platforms. The answer depends on the data, the service, the sector, and the impact of failure.

A mature cloud strategy does not treat every workload the same. It classifies risk and applies the right level of control. Revolutionary stuff, apparently.

What organisations should do now

The Solvinity decision should push organisations to review their own dependency chains. Start by identifying which suppliers support critical processes. Then map where data lives, who has administrative access, which jurisdictions apply, and whether the business can continue if that supplier becomes unavailable, compromised, sold, or legally constrained.

Pay special attention to identity systems, backup platforms, managed cloud environments, security monitoring, payment systems, customer portals, and operational platforms. These are often the systems that quietly hold the business together.

This does not mean replacing every supplier tomorrow. That would be expensive chaos with a procurement label. It means understanding the risk and making deliberate decisions instead of relying on comforting assumptions.

Final thought

The Dutch government's block on the Solvinity–Kyndryl deal is more than a national acquisition decision. It is a signal that digital infrastructure has become strategic infrastructure.

For years, cloud decisions were driven mainly by cost, scalability, and convenience. Those still matter. But for critical systems, they are no longer enough. Ownership, jurisdiction, access, resilience, and sovereignty now belong in the same conversation.

The uncomfortable truth is simple: if your business, your citizens, or your services depend on a platform, then the question of who controls that platform is not theoretical.

It is operational risk.

And operational risk has a habit of becoming very real at the worst possible moment.