A Herring with Sharks’ Teeth: The Dutch Government Blocks a US Investor for National Security Reasons

The Dutch block of Kyndryl’s bid for Solvinity illustrates how national‑security screening can trump traditional foreign‑direct‑investment (FDI) pathways when critical digital services are at stake. Solvinity runs the DigiD platform and other government‑backed identity systems, making its data flows a potential conduit for foreign intelligence under US extraterritorial statutes such as the CLOUD Act. By invoking the telecommunications security regime, the Netherlands signaled that the integrity of public‑sector data now outweighs the economic benefits of a high‑profile acquisition.

Europe’s broader trend toward digital sovereignty has already produced high‑profile interventions, most notably the Dutch curbs on Nexperia’s semiconductor assets amid Chinese influence concerns. The Solvinity case extends that logic to an allied nation, demonstrating that the EU’s risk‑based, country‑neutral framework can target any jurisdiction whose legal environment threatens data protection or strategic autonomy. The BTI’s assessment mirrors mechanisms used by the United States’ CFIUS and the UK’s National Security and Investment Act, focusing on continuity of critical processes, exclusive knowledge, and undesirable strategic dependencies.

For investors, the precedent raises the stakes of due‑diligence in data‑sensitive sectors. Prospective buyers must now evaluate not only financial metrics but also the host country’s legal exposure to foreign data‑access mandates. Dealmakers are likely to incorporate digital‑sovereignty clauses, consider joint‑venture structures, or seek local‑partner ownership to mitigate screening risks. As more governments adopt similar safeguards, the cross‑border M&A playbook will evolve, emphasizing compliance with emerging data‑security regimes as a core component of transaction strategy.