Argues that the Dutch government correctly identified that 'data stays in Frankfurt' architecture is insufficient when the operator's parent company remains subject to extraterritorial legal compulsion. The CLOUD Act and Schrems II make corporate jurisdiction the only meaningful test for critical national identity infrastructure authenticating 14 million citizens.
Surfaces the NL Times reporting that the Dutch State Secretary for Digitalization explicitly framed DigiD as critical national infrastructure comparable to the power grid. The procurement language now bakes jurisdictional eligibility into the contract itself rather than relying on technical safeguards.
Frames the Dutch move as resolving the two-year deadlock over the EU Cloud Certification Scheme (EUCS) sovereignty requirement by simply writing it into a contract clause. Where Germany has Gaia-X talking points and France has SecNumCloud, the Netherlands chose action over harmonization for its flagship identity service.
The Dutch government has decided that DigiD — the national digital identity platform that 14 million Dutch citizens use to log into tax filings, healthcare portals, pension records, and roughly 1,000 municipal and federal services — will only be operated by a company headquartered in Europe. The current operator's contract is up for retender, and the procurement language now bakes in jurisdictional eligibility, not just technical and security requirements.
This is a procurement rule that no amount of "data stays in Frankfurt" architecture can satisfy: the test is corporate domicile, not data location. The Dutch State Secretary for Digitalization framed it as a sovereignty matter — DigiD is critical national infrastructure on par with the power grid or the payments rail, and the operator of that infrastructure cannot be subject to extraterritorial legal compulsion from a non-EU jurisdiction.
The direct trigger is the US CLOUD Act, which lets US authorities compel US-parented companies to produce data regardless of where it is physically stored, plus the long shadow of Schrems II, the 2020 CJEU ruling that invalidated Privacy Shield and made transatlantic personal-data transfers a permanent legal minefield. For a service that authenticates the entire adult population of a country, the Dutch position is that even a theoretical compulsion risk is unacceptable.
This is the first time a major EU member state has translated the sovereignty argument from speeches into a hard procurement constraint on a flagship national service. Germany has muttered about it for years via Gaia-X; France has its SecNumCloud label; the EU Cloud Certification Scheme (EUCS) has been deadlocked for two years over exactly this "sovereignty requirement" question. The Netherlands just resolved the debate unilaterally for its own identity platform — no certification scheme needed, just a contract clause.
The technical community will reflexively reach for the "but the data never leaves the EU" defense. That defense is dead on arrival here, and it has been since the CJEU ruled on Schrems II. The court was explicit that encryption-at-rest and EU data centers do not neutralize the legal compulsion vector if the operator's parent can be served a US subpoena. AWS European Sovereign Cloud — announced as a legally separate EU entity with EU-resident staff, EU board, EU jurisdiction — is the hyperscaler attempt to thread this needle. It is not yet operational, and the Dutch language appears to require an existing European operator, not a US subsidiary structured to look European.
Community reaction on Hacker News split predictably. The libertarian-procurement camp called it protectionism that will produce a worse, more expensive system run by a national champion with no competition. The sovereignty camp pointed out that the US has run identical "buy American" rules on defense and critical infrastructure for 80 years and nobody calls that protectionism. The more interesting third position: a national identity platform is not a market, it is a constitutional artifact, and applying market-efficiency logic to it is a category error. If your tax authority's login system is operated by a company that can be gagged by a foreign court order, you do not have a functioning rule of law over your own citizen records — regardless of how well the system performs on uptime SLOs.
The precedent risk for hyperscalers is the part worth tracking. France's next major public-sector retender — Health Data Hub has been in legal limbo since 2020 specifically over Microsoft hosting — now has political cover to write the same clause. Germany's BSI has been telegraphing this direction for the Bundescloud. If three of the four largest EU economies adopt corporate-domicile procurement floors for critical citizen services, the addressable market for AWS GovCloud-EU, Azure Sovereign, and Google Sovereign Controls shrinks from "all EU public sector" to "everything except the politically sensitive parts" — which is exactly the high-margin core.
If you sell SaaS into European public sector, ministries, or regulated industries adjacent to government (healthcare, energy, finance), the bar you are being measured against just moved. "SOC 2, ISO 27001, data residency in eu-west-1" was the answer in 2023. "EU-domiciled legal entity, EU board, EU-resident operations staff, contractual immunity from non-EU process" is the answer being prototyped now. Your enterprise sales team should know which of those rows your company can credibly check.
If you build on top of a US hyperscaler and sell to EU governments, you have a transitive exposure problem. A Dutch ministry buying your product is buying your AWS dependency, and that dependency is the disqualifying factor — not your own corporate structure. The mitigations are non-trivial: deploy on OVH, Scaleway, Hetzner, or Exoscale for the EU public-sector SKU; structure the EU entity with genuine operational independence; or wait for AWS European Sovereign Cloud and bet that the Dutch interpretation will accept it. The first option is real engineering work and a margin hit. The third is a 2027-or-later bet on a legal interpretation that has not been tested.
If you maintain an open-source identity stack — Keycloak, Authentik, Ory, Zitadel — this is a tailwind, because the procurement logic favors operators who can demonstrate they control the entire software supply chain end to end, and a controllable OSS base is easier to defend than a black-box SaaS dependency. Expect EU systems integrators to start packaging "sovereign-ready" reference architectures on these stacks in the next 12 months.
The DigiD decision is not the endgame — it is the opening move in what is going to be a multi-year reshaping of EU public-sector cloud procurement. The interesting question is not whether other member states follow (they will), but whether the European Commission tries to harmonize the rule via EUCS or lets each country write its own, which would produce a patchwork that is even worse for hyperscalers than a single strict standard. Either way, the era of selling "EU data residency" as the sovereignty answer is over. The new test is corporate jurisdiction, and that is not something you can fix with a region selector.
Finally taking the digital threat from USA, Israel and China seriously.
Finally. But now they want NL Wallet to use Google and Apple accounts for login, so this is happening again.
Here is my naive take on sovereignty, and how everything should work in the new "USA decided to kill its own dominance, and attack its allies" world. The world is now balkanized, let's live in that reality. 1. Almost every country has amazing universities with software tracks. A big is
IDK what it's like now, but DigiD used to be 2 racks in a separate cage. Even if you can access the floor, you're not getting physically near the servers.
As a French person, I'm confused as to why DigiD is not a government-run project like FranceConnect is. I'm even more bewildered that an American company thought that they could take over the national identity management system of a European country, as if this was business as usual.