On 25 May 2026, State Secretary Aerdts (Economic Affairs) made a decision that IT professionals across the Netherlands had been anticipating for months: the American takeover of Solvinity by Kyndryl has been prohibited. Solvinity manages the infrastructure on which DigiD, MijnOverheid and Digipoort run. The Bureau Toetsing Investeringen (BTI) concluded that the takeover posed a risk to the public interest, and the state secretary invoked the Undesirable Control of Telecommunications Act (Wozt) to block the sale.
We are glad about this. Critical national infrastructure for authentication should not fall under the jurisdiction of a country whose legislation (think of the CLOUD Act) enables access to data or the blocking of services. Keeping DigiD on European, and preferably Dutch, infrastructure is exactly the outcome that fits the digital sovereignty ambitions also set out in the 2026-2030 coalition agreement.
A justified decision, but not a solution
It would be tempting to read this decision as “crisis averted”. It isn’t. Blocking the takeover removes the acute threat, but leaves the underlying vulnerability fully intact.
The contract with Solvinity has been extended until August 2028. After that, the government has to choose again, and the same questions return to the table: with which party do you place the identity layer of an entire country, and how do you prevent that party from later ending up in foreign hands anyway? Tweakers sketched five future scenarios for DigiD: from extending with Solvinity and switching to another Dutch or European provider to setting up a state-owned company. What all those scenarios share: they move the dependency, they don’t remove it.
That’s the crux. As long as citizens’ identity depends on a single centralised service at a single supplier, every takeover, every data breach and every outage remains a systemic risk. A different logo on the contract changes nothing about that.
For organisations: don’t let this be false reassurance
We see a real risk. Now that the takeover is off the table, organisations’ urgency to look at alternatives alongside DigiD could fade away. “It turned out fine, didn’t it?” Yivi as an alternative to DigiD may consequently become less in demand, while the problem that sparked the debate is still exactly as large.
We prefer to flip the reasoning around. The Solvinity episode is not an incident that has been resolved, but an eye-opener that shows how fragile a centralised monoculture is. Organisations that want to reduce their dependency on a single identity system would do well to work on alternatives precisely now, in relative calm and not under crisis pressure. Yivi is already running in production, among others at the Municipality of Nijmegen, and proves that data minimisation and citizen control are not a distant dream.
We believe in evolution, not replacement
To be clear: our point is not that DigiD should disappear. DigiD works, is widely trusted, and is the obvious way for millions of Dutch citizens to log in. We don’t believe in a hard break, but in an evolution: from a centralised login method to a wallet model in which users carry their own data and decide for themselves what they share.
That is exactly the direction Europe set out with eIDAS 2.0 and the EUDI wallet. In that model the identity layer is no longer a single central honeypot, but a decentralised whole in which no single takeover, supplier switch or outage can bring down the entire system. Yivi offers that wallet technology, including zero-knowledge proofs for maximum privacy, today.
The real showstopper: the absence of legal frameworks
In conversations with organisations that want to put Yivi alongside DigiD, we keep running into the same obstacle. It’s not the technology, and it’s not the will. It’s legal uncertainty. Many government organisations are driven by compliance: if the law doesn’t explicitly require something, they don’t do it. The (political) will is often there; we regularly speak with administrators and civil servants who see the importance of wallets. But the initiatives die in the bureaucratic mill. Without a clear Dutch legal framework regulating the status, liability and recognition of wallets, no one dares to make the call to put a wallet solution into production.
This is where a dangerous misunderstanding arises. Many parties are waiting for “the legislation”, assuming it’s still a long way off. But eIDAS 2.0 is a European regulation and therefore directly binding. From the end of 2026, every member state must have at least one certified EUDI wallet available, and from the end of 2027 large private parties such as banks, insurers, transport and energy are required to accept those wallets. So the framework already exists, and the deadlines are approaching fast.
The problem is on the Dutch side. The government itself acknowledges that the NL wallet will not meet the European deadlines and that the first version won’t yet meet all requirements. The national implementation, partly via the Digital Government Act, is lagging behind the European pace. This creates a vacuum: Europe is binding, but the Dutch translation is taking its time, and organisations don’t know where they stand.
This is where there’s work for all of us. Organisations need to realise that eIDAS 2.0 is not a distant future but a European reality with hard deadlines. Waiting until The Hague has dotted every i means you’ll be left playing catch-up. Those who start experimenting and building now will be ready when the framework closes; those who wait, start too late.
Conclusion
Blocking the takeover of Solvinity is good news and a sensible decision. DigiD stays on European infrastructure, and that deserves applause. But let’s see it for what it is: a postponement, not a cancellation, of a structural issue. The dependency on a centralised identity layer remains, the contract expires in 2028, and the road to a wallet-based future has been mapped out by Europe but is being delayed by the Netherlands.
Our call to organisations: don’t use this breathing space to sit back, but to build forward. Evolve along towards wallets, experiment with proven alternatives, and don’t be held back by the myth that “the legislation isn’t there yet”. It is, at the European level. The question is whether we have the will to get to work with it now.
Further reading
- Tweakers: Five future scenarios for DigiD: tweakers.net
- NOS: State secretary prohibits American takeover of Solvinity: nos.nl
- Why Yivi is a proven alternative to DigiD: Read our blog
- Yivi and the private EUDI wallet: Read our blog
- The 2026 coalition agreement and digital sovereignty: Read our blog
- What is Yivi: docs.yivi.app
- Get in touch: yivi.app/contact