Twice a year, the defense leadership in the Netherlands meets with the top companies that supply IT for defense. It is called the partner consultation. That sounds different from a business discussion between a client and his supplier. And that does justice to the relationships, says Michiel Borgers, director of the defense IT company (JIVC). “It is a partnership. You are at the table at the top level.”
Scenarios are discussed during that meeting. Such as: suppose that the administration of Donald Trump sees American tech companies as part of the American war apparatus. Suppose he orders the American company Kyndryl, which is currently renewing the entire defense IT infrastructure, to sabotage the Dutch defense. Can he do that?
A Kyndryl representative should then be able to tell the Deputy Commander of the Armed Forces what measures the company has taken against this. And will they last, or can the American government overrule them?
These are the same types of questions as the House of Representatives is asking now that Kyndryl may become the new owner of Solvinity, the originally Dutch company that provides technical management for the DigiD login application. A majority in the House of Representatives believes that the takeover should be stopped to prevent the American government from accessing DigiD via Kyndryl. According to representatives of Solvinity and Kyndryl, numerous technical and legal measures have been taken to ensure that such a scenario will not occur.
The Investment Assessment Bureau (BTI) is currently assessing the possible takeover against the telecom law. BTI checks whether vital infrastructure is at risk and therefore national security. Ultimately, the Minister of Economic Affairs, Heleen Herbert (CDA), decides on the takeover. The ACM ruled on Thursday that this does not cause competition problems. The concerns are about security and digital autonomy, not about market disruption.
Parliamentary questions have also been asked about Kyndryl’s role in defense. Because why could Kyndryl be a crucial partner for defense, but not be allowed to manage DigiD? Defense’s answer boils down to the fact that Kyndryl employees (screened by the MIVD) do have access to places that are essential for Dutch resilience, but Kyndryl cannot switch them on or off. Defense data does not flow through platforms or equipment that Kyndryl controls. As could happen with DigiD.
Defense largest customer
For most Dutch people, the DigiD debate is the first time they heard of Kyndryl. The name is relatively new. This is because the company was spun off from the much older and better-known IBM in 2021. It is an American listed company with an annual turnover of approximately 16 billion dollars (approximately 13.5 billion euros), which focuses on building IT infrastructure for customers. That is to say: all hardware and software that an organization needs to function.
Also read
Solvinity boss tries to remove concerns about DigiD. ‘DigiD is and remains Dutch, and it remains safe’
Defense has been the company’s largest Dutch customer since 2021. Kyndryl is the main contractor for the Frontier IT project, abbreviated as GrIT. Subcontractors include the French IT company Atos and the Dutch IT consultant Unica. Together they must modernize the entire defense IT infrastructure in about ten years and for almost 4 billion euros.
Without IT there is no fighting power. Then we cannot protect the Netherlands
This ranges from the cables to the data centers, workstations and servers. Both at rest and in action. Data centers have also been built for missions, which can be carried together by two soldiers. The consortium led by Kyndryl must also ensure that all defense applications (there are about six thousand) can run on it by 2030 and can therefore function coherently.
Its importance and scale are difficult to underestimate. “Without IT there is no combat power. Then we cannot protect the Netherlands. We cannot fulfill our role as a NATO and EU member,” summarizes Brigadier General Paul Ducheine. He is emeritus professor of cyber warfare and law at the UvA and now conducts research at the NATO Defense College in Rome.
It is also complex, because defense is large, active worldwide and consists of components that differ greatly from each other. The military police must be able to communicate securely within the criminal justice chain. The Navy mustbattlefleet‘management systems can talk to, for example, British and South Koreans. With NATO partners and beyond. And if a howitzer has used up a lot of ammunition during an army exercise in Germany, an automated signal should be sent to inventory management for replenishment – compare it to a supermarket.
Ducheine speaks of ‘green IT’ (that goes on missions), white IT (for the office), blue IT for at sea and then there is ‘disconnected, segregated IT’ during military operations.” Nowadays, frigates are like floating data centers and fighter jets like flying computers.
Too big for Dutch players
Because GrIT involves billions of euros, the House of Representatives regularly receives progress reports. They discuss in detail the planning and justification of budget overruns, but little on the question of whether defense is in danger of becoming too dependent on an American company.
When GrIT was put out to tender, it was no problem that a consortium led by an American company won the contract. Rather an advantage. America is a trusted NATO partner and it was obvious, because American companies dominate (with Chinese and Israelis) in information technology, whether it is the cables, the servers, the clouds or the software.
And with a job of this magnitude it was immediately clear that it was far too big for Dutch players. In fact, only the American giants such as IBM and HP could handle something like this. And it’s challenging even for them.
Less than a year ago – in March 2025 – the French company Atos was the uncertain factor within GrIT. The company was in financial trouble and was in danger of collapsing. A plan B was hurriedly written together with Kyndryl, the State Secretary then wrote to parliament for reassurance.
It should not be the case that we cannot deploy our military IT when the Americans are angry
It partly explains why Dutch IT experts seem to know GrIT mainly in broad terms. . They are therefore unable to assess any risky dependencies and suspect that Defense has covered them. But at the same time, they now find questions about this extremely relevant. Ronald Prins was still the boss at cybersecurity company Fox-IT when the tender started. For example, he says: “We already think it is important that we cannot log in to civilian IT when the Americans are angry. It should not be the case that we cannot use our military IT when the Americans are angry.”
In response to parliamentary questions about the use of American companies such as Kyndryl and Cisco wrote the previous State Secretary for Defense, Gijs Tuinman (BBB) on January 26 ‘no safety risks seen at this time’. “All data is processed and stored exclusively within our own defense data centers; export of that data is not permitted.” Dutch Kyndryl employees are involved in the management of the data centers. They undergo the same screening as defense personnel. “These measures effectively exclude or mitigate the influence of US legislation on IT systems,” Tuinman wrote.
This is because Kyndryl supplies ICT here according to ‘the old model’. Defense buys the software and knowledge, but stores it in its own data centers. And therefore not in an American cloud. There are no network connections to Kyndryl.
Defense director Borgers adds by telephone that purchased hardware is also checked by defense before it is put into use. Moreover, Defense always bases itself on what it says ‘last standing IT’ says: “When things get tense, we have to be able to manage it ourselves again.”
He advocates nuance and warns against comparing apples and oranges when DigiD and GrIT are compared. Kyndryl does not answer questions about the technical guarantees and the differences between DigiD and GrIT.
Defense is constantly trying to weigh whether what Trump is shouting “is really a course or a trial balloon,” says Borgers. “You want to be stable and not react every time.” Moreover, American companies are not banned in the Netherlands. As, for example, applies to Russian or in some cases Chinese companies. “If Trump takes very extreme decisions, you will run through a number of scenarios with alternatives. Then you will have a new situation.” At the moment, “we think we have taken sufficient measures and organized safeguards,” says the director. “I’m not worried.”

