A Dutch delicacy is maatjes – raw young herring eaten whole while held by the tail. Kyndryl must have felt very much like such a young herring yesterday when the Dutch government formally prohibited its proposed acquisition of Solvinity, the Dutch IT services provider.
The decision followed a recommendation by the Bureau Toetsing Investeringen (BTI) to block the transaction. The deal had become politically sensitive because Solvinity provides services connected to DigiD and other Dutch governmental digital infrastructure. We understand that the principal concern was that, under US ownership, Solvinity could jeopardise the public interest, which is broader than just national security, and also includes considerations around digital sovereignty and integrity of data, as a result of it becoming subject to American extraterritorial legislation, including the Clarifying Lawful Overseas Use of Data (CLOUD) Act and the Foreign Intelligence Surveillance Act-related disclosure obligations. The decision itself will not be disclosed to the general public for security reasons.
The prohibition was adopted under the Dutch telecommunications security screening regime rather than under the broader Dutch foreign direct investment (FDI) framework introduced by the Vifo Act. However, the same authority – the BTI – is responsible for enforcing both regimes. The mechanics are structurally familiar to practitioners working with the Committee on Foreign Investment in the United States, the UK National Security and Investment Act or other European national screening systems. The BTI conducts a national security-type assessment focused on the continuity of critical processes, the integrity and exclusivity of sensitive knowledge or data, and undesirable strategic dependencies. What makes the case particularly notable is not merely the prohibition itself, but also the geopolitical direction of travel it illustrates.
Although drafted in neutral terms, the Dutch screening mechanism – like its counterparts elsewhere in Europe – was initially politically framed around Chinese acquisitions of strategic assets. That the Dutch government does not shy away from taking on geopolitical heavyweights was already evident last year, when it intervened in Nexperia and imposed temporary control measures amid concerns regarding the transfer of critical semiconductor capabilities and strategic dependence on China. The Dutch authorities justified the intervention on the basis of protecting crucial technological knowledge and capabilities considered essential for European economic security and supply chain resilience.
Questions surrounding potential US government access to data through the CLOUD Act and similar instruments have long formed part of FDI reviews in Europe. This in itself is not new – nor are calls for increased digital and data sovereignty within the EU. However, the fact that a government has actually followed through on those concerns and prohibited a US transaction is unusual, and is something that dealmakers in data-sensitive sectors will increasingly need to take into account. The Solvinity decision now demonstrates that the Dutch government is willing to apply the same logic to allied jurisdictions where concerns regarding sovereignty, data access or strategic autonomy arise. State Secretary Willemijn Aerdts explicitly stressed that the review was “country-neutral, risk-based and proportionate”, notwithstanding the fact that the acquirer was American.
Some have argued that, in the Nexperia matter, the Dutch may have bitten off more than they could chew. The same question may now arise in relation to the US. We keep our eyes focused on the shark tank and will continue to report. We keep our eyes focused on related developments and will continue to report.
