There is renewed political attention for the Dutch government’s increasing dependence on American cloud services. This is prompted by recent reports that many government organizations do not have a clear exit strategy to reduce their use of these foreign platforms. The institutions involved include the Dutch Employee Insurance Administration (UWV) and the Social Insurance Bank (SVB).

Members of parliament from GroenLinks-PvdA and NSC have asked Minister Van Hijum of Social Affairs for clarification. They want to know which processes, registers, communication facilities and organizational components are currently hosted in the cloud by American service providers. In addition, they ask for an overview of planned and intended migrations to such platforms.

Source: security.nl

Risks of foreign legislation on Dutch data

A central point of concern is the impact of American legislation, such as the Cloud Act and the Foreign Intelligence Surveillance Act (FISA). These laws give American authorities access to data stored by American companies in certain cases, even if that data is located outside the US.

The members of parliament want to know from the minister what the possible consequences are for the confidentiality of data of Dutch citizens and government agencies. What if all this data falls into the hands of a foreign state actor? What risks do we run as a society? These are legitimate questions and clarity helps us to better assess the risks.

Data sovereignty is not a luxury, but a necessity

The current dependence on American cloud services undermines our digital autonomy. Government organizations increasingly rely on technologies that may fall under foreign jurisdiction. We make agreements and record this in contracts, but to what extent does this really protect our data? These are topics that give food for thought.

Although commercial cloud services offer undeniable advantages in terms of scalability, flexibility and costs, it is essential not to underestimate the risks. Because:

  • Who really has control over the data?
  • Which legislation applies to that data?
  • How vulnerable is the Netherlands if this access is suddenly restricted or abused?

Control over data is not just a technical or legal issue, but touches on the core of our public services, control and national security.

The need for a cloud exit strategy and hybrid cloud​

We use cloud solutions and infrastructures, but have we also thought about a clear cloud exit strategy? A roadmap that determines how and under what conditions to say goodbye to a supplier. Without such a strategy, there is a risk of long-term dependency and organizations are locked into ecosystems that are difficult to exit.

That is why it is important for organizations to think about:

  • Opting for a hybrid cloud, where critical systems are hosted on European or sovereign infrastructure and really sensitive information is kept on-premise and fully under their own control.
  • Setting requirements for the location of data storage and encryption, so that sensitive data remains within the EU and encrypted.
  • Using data classification to determine which information may or may not be stored in the public cloud or on-premise.
  • Implementing monitoring and access control, so that there is always insight into who has access to which data and what happens to it.

Direction and control are essential for data security

Digital infrastructure is the backbone of our society. Anyone who wants to maintain control over the privacy, security and continuity of their data must also have control over the technology on which their data is processed and stored.

The parliamentary questions are not only justified, but also send an important signal: without direction on cloud use, we will lose control of our own digital future. It is time for a well-considered strategy in which data sovereignty, risk management and transparency are central. The crucial question is:

📌 “What happens to our data if the rules of the game in the supplier’s country suddenly change?”

That is not a hypothetical scenario, but a real risk that we need to think carefully about.