Citadel
Sovereign

Advisory

← All case studies

M&A sovereignty loss

February 2025 · International

Kyndryl acquires Solvinity (DigiD)

Risk visible at

Risk: L0

Mitigated at

Mitigated: L3

— What happened
US firm Kyndryl acquired Solvinity, operator of DigiD — the Netherlands’ national citizen identity platform used by 17 million citizens. Overnight, authentication for an entire nation passed into US corporate control. No national veto existed. No change-of-control clause had been required in the original procurement. No one had tracked Solvinity’s ownership structure.
— Root cause
Vendor ownership structure not tracked. No change-of-control rights in contract. No sovereign IdP alternative existed. A single corporate acquisition eliminated a nation’s control over citizen identity — without any act of government, any policy change, or any legal challenge.
— How our model mitigates this
Prevention (our model)
At Level 1, we map the full corporate ownership structure of every critical vendor — subsidiaries, parent entities, and jurisdictions. Change-of-control clauses are inserted into all critical vendor contracts, giving government a 180-day exit right on acquisition by a foreign entity.
Detection (our observability)
Quarterly vendor corporate structure review automatically flags new subsidiary registrations or parent company changes in Five Eyes jurisdictions. An alert fires before any acquisition completes, giving procurement legal standing to invoke the clause.
— Our specific action
We identify DigiD-equivalent systems as Level 0 during the pilot assessment, flag M&A exposure as CRITICAL in the kill-switch register, and architect a sovereign IdP (Nafath-equivalent) so that no corporate acquisition of a foreign vendor can ever affect citizen authentication again.

— Source & reference

Published source

Cabinet raises concerns over U.S. firm Kyndryl buying Solvinity, key to DigiD

NL Times

Read the source
Commission an assessment
Could this happen to you?
Our Level 0 assessment maps every exposure of this type across your digital estate — in 4 weeks, at a price a director can approve. The findings answer this question precisely.
Commission an assessment →

Citadel Sovereign Advisory

Your hardware, your software, your sovereignty?

sovereignty-services.com
info@sovereignty-services.com · © 2026