25 May 2026 · analysis
Three Files, One Sovereignty Problem
Eurofins, Nexperia, DigiD and the erosion of Dutch control over critical infrastructure
Between July 2025 and April 2026 three files play out in the Netherlands at once, each of which would on its own be a statecraft question, and which together show the actual position of the Netherlands in 2026. There is a data breach at a Franco-Luxembourg health company in which the data of nearly a million Dutch women were stolen and a ransom was paid to a Russian-speaking criminal organisation. There is a Chinese chip manufacturer in Nijmegen of which the Dutch state has taken effective control with an emergency act from 1952. And there is the impending acquisition of the IT supplier behind DigiD and MijnOverheid by an American company that falls under the CLOUD Act. Three different foreign parents, three different forms of dependency, three different responses from the Dutch state. What they share is the underlying pattern: control over Dutch critical infrastructure no longer rests in Dutch hands, and the state is inclined to intervene only once geopolitical pressure forces it.
I. Eurofins and the health-data breach
The facts in a statecraft frame
The Dutch state has delegated a public core task, the cervical-cancer population screening to which citizens are actively called by that same state, through the RIVM, the National Institute for Public Health and the Environment, and Bevolkingsonderzoek Nederland, the national screening organisation, to five private screening laboratories. Clinical Diagnostics NMDL has since 2018 been a subsidiary of the Franco-Luxembourg Eurofins Scientific, a listed life-sciences conglomerate with some 65,000 employees in 59 countries and a pro-forma turnover of more than 6.5 billion. Security monitoring of the Dutch environment lay with an international Eurofins SOC, operating under ‘key guidance documents’ from the parent company. The local Dutch IT department was formally ultimately responsible, but the actual architecture was transnational.
Between 3 and 6 July 2025 the ransomware-as-a-service operation Nova, a rebrand of RALord with presumably Russian-speaking infrastructure and operating presumably from a safe jurisdiction, gained undetected access to a legacy environment for three days. That environment fell outside the scope of the SOC monitoring, according to Eurofins through ‘human error’. The account that was compromised had a sixteen-character password but no MFA. The discovery took place on 6 July. BVO NL was informed only on 6 August.
What happened here, in statecraft terms: a state responsibility for the health data of ultimately 941,000 Dutch women, generated by a state-recommended screening, was pushed outward through three layers of governance (RIVM, BVO NL, Clinical Diagnostics NMDL, Eurofins SOC) to the point at which no one within the Dutch sovereign reach was any longer the effective owner of the risk.
The ransom incident
The most geopolitically relevant event receives not a word in the IGJ report of 8 April 2026, the report of the Health and Youth Care Inspectorate, but appears in every other source. Eurofins paid Nova, presumably around 1.3 to 1.6 million euros in Bitcoin, on the basis of Nova’s own formula of two per cent of the parent company’s assets. Northwave confirmed this, RTL Nieuws had it confirmed by Nova itself, and parts of the data nevertheless appeared on the leak platform because Nova held that the victim had broken the agreement by involving the police.
This means in practice that a private actor within a state-organised population screening, with the personal data of Dutch citizens, carried out a transaction with a criminal organisation presumably operating from Russian territory. The Dutch state is not the legal principal of that payment and Eurofins is not an agent of the state, only a chain partner via BVO NL. But the moral and administrative reality is that public responsibility for the execution of a state-recommended screening was effectively used to finance a hostile non-state actor, without any formal Dutch decision-making about that transfer. Under a state that takes itself seriously this would be a national-security discussion about who is competent at all to negotiate a ransom, in the name of citizens taking part in a government-offered screening, with organised crime. In the Netherlands it is a footnote in an enforcement letter from a regulator that states explicitly that it is not even allowed to impose a fine.
The supervisory system as paper architecture
Read the closing passage of the IGJ report again. ‘Under the Wabvpz the inspectorate, in so far as it supervises this act, is not competent to deploy punitive measures.’ That is the whole Dutch enforcement architecture in one sentence. The legal obligation to work in accordance with NEN 7510 has existed since the Decree on electronic data processing by care providers. In the three years preceding the incident not a single audit was carried out. The supervisor with sector knowledge (IGJ) may only impose remedial measures. The supervisor that may impose fines, the Autoriteit Persoonsgegevens (AP), the Dutch Data Protection Authority, has no sector knowledge and routinely takes years over a file of this magnitude. The maximum GDPR figure of 20 million or 4 per cent of global turnover sounds frightening until one realises that Eurofins holds a working-capital buffer for incidents of this category that absorbs the fine as a cost item.
NEN 7510 functions here as compliance theatre. SCAL within Eurofins Netherlands held certification, NMDL and LCPL did not, and no one within Eurofins governance or within the state apparently had the interest or the mandate to bring that discrepancy to escalation. The managing director told the inspectorate that he did not know whether an audit had ever been done, and had to find out after the inspection visit.
The report also cites NEN 7512 Chapter 5 as a tested norm for data exchange between care providers: ‘Before the framework is established, it should become clear, for the communicating parties as a whole, what degree of risk is acceptable.’ To the question of which guidelines Clinical Diagnostics applied in the exchange with BVO NL came the answer that it used technical standards arising from the configuration of electronic patient records, such as Edifact and HL7v2. That is a protocol answer to a governance question. The norm requires that parties, prior to the exchange, jointly establish the acceptable level of risk, and no documentation of that existed. The legal framework asks on paper for precisely what, in reality, turned out not to exist, and the enforcement is silent. That is a stronger indictment than the fact that a norm was breached: here a norm was breached of which the supervisor itself acknowledges that it is an essential requirement for an effective information-security management system.
Regulatory avoidance through corporate restructuring
The passage on NMDL is, in statecraft terms, the most cynical. Between the incident in July 2025 and the plan of approach in February 2026, the laboratory activities of NMDL were transferred entirely to LCPL and the Accreditation Council withdrew NMDL’s accreditation in November 2025. Result: the plan of approach for NEN 7510 certification needs, according to Eurofins, to cover only LCPL, because NMDL as an operational entity has effectively been dissolved. The entity where the hack took place therefore no longer exists, in enforcement terms, in the same form. Any future sanctions are directed at an empty shell, while the actual undertaking carries on under another name. This is exactly the pattern that private-equity-driven health-sector concentrations make possible, and exactly why Dutch supervisory architecture designed for foundations and family businesses no longer fits the reality of the sector.
The pattern: passive transfer without intervention
The Dutch response to Eurofins is in essence a letter report. No processing ban, no temporary suspension of the care relationship, no reconsideration of the outsourcing model, no revision of the NZa concentration test, the test by the Dutch Healthcare Authority, on resilience grounds. The state created the dependency through outsourcing, and the state then watches as a foreign parent negotiates with criminal actors over the data of Dutch citizens. This is the first of the three patterns: passive toleration.
II. Nexperia and the 1952 emergency act
The facts in a statecraft frame
Nexperia is based in Nijmegen, descended from Philips/NXP, and since 2018 owned by the Shanghai-listed Wingtech Technology. Wingtech was placed on the U.S. Entity List in December 2024, which prohibits American firms from doing business with it. In late September 2025 the Ministry of Economic Affairs activated the Goods Availability Act, the Wet beschikbaarheid goederen, an emergency act from 1952 that can, in exceptional cases, secure the availability of strategic goods. On 12 October 2025 the cabinet announced that it had taken effective control. The Enterprise Chamber, the Ondernemingskamer, shortly afterwards suspended the Chinese CEO Zhang Xuezheng and placed German interim leadership at the helm. The Amsterdam court subsequently confirmed the measures.
The grounds were twofold. Officially: serious failings in business operations that threatened continuity and national security. According to later reconstructions in NRC and other media: the CEO was emptying out the company, wished to move wafer production to China, had let British IP on MOSFET production flow to another Chinese company under his control, wished to close a research centre in Munich and dismiss forty per cent of the European staff. Behind the scenes direct American pressure is said to have played a part too: Washington let Nexperia know that it would itself end up on the Entity List if it did not dismiss the Chinese CEO.
The intervention pattern
This is fundamentally different from Eurofins. Here the Dutch state did intervene, and with an instrument that had lain untouched in the toolbox for 73 years. The Goods Availability Act of 1952 is post-war defence legislation, intended to safeguard scarce strategic goods in times of crisis. The fact that this instrument is activated in 2025 against a Chinese owner of a chip producer says three things at once. One: the Netherlands now explicitly treats semiconductors as a crisis category, like food or ammunition in 1952. Two: the regular competition and investment-screening toolkit (the Wet Vifo, the Security Screening of Investments, Mergers and Acquisitions Act, and the BTI, the Investment Screening Bureau) did nothing to stop this acquisition in 2018, so the state must now intervene retroactively with emergency law. Three: the actual occasion lies at least as much in Washington as in The Hague.
Wingtech is now preparing an international arbitration case against the Dutch state. The Chinese auditor refuses to approve the 2025 annual figures because Wingtech has had no access since late September to the systems and information of Nexperia units outside China. It reported a net loss of more than a billion euros for 2025. China has formally protested through its Ministry of Commerce, with the standard formulation that the Netherlands should not interfere in internal company affairs and that the Enterprise Chamber ruling constitutes a serious violation of the rights of Chinese companies.
In statecraft terms this is the first serious use of Dutch emergency legislation in a strategic technology sector since the Cold War. It is also a direct demonstration that the Dutch state, under sufficient pressure, is indeed willing to take effective control away from a foreign owner. At the same time it is painful that this willingness arose not from an autonomous Dutch risk analysis in 2018 when Wingtech acquired Nexperia, but from a combination of American export controls and the conduct of the Chinese CEO. The Netherlands reacts here, it does not anticipate. And it reacts in coordination with, or under pressure from, an American ally that is itself no disinterested actor.
The second pattern is therefore: reactive intervention under alliance pressure, with instruments that had always existed in the same legislation but had never been deployed.
III. DigiD, Solvinity and Kyndryl
The facts in a statecraft frame
DigiD is the Dutch identity platform through which, in 2025, some 700 million authentications take place annually for 16.5 million citizens, linked to the citizen service number (BSN). It is managed by Logius, an agency of the Ministry of the Interior. The actual IT-platform service is outsourced to Solvinity, a Dutch provider. In addition, some 100 million items of official message traffic run each year through MijnOverheid.
In the autumn of 2025 it became known that the American Kyndryl, a spin-off from IBM and itself U.S.-listed, wishes to acquire Solvinity. The intended acquisition falls under screening by the Investment Screening Bureau on the basis of the Wet Vifo. Central is the question of whether Solvinity, after acquisition, would fall under the American CLOUD Act and related extraterritorial legislation, and could thereby in theory be compelled to hand over the data of Dutch citizens to American authorities. In the extreme case Washington could block access to DigiD.
In late November 2025 State Secretary Eddie van Marum said on the WNL Sunday programme that DigiD ‘remains Dutch’ and that Solvinity ‘has no access’ to DigiD. On 17 December 2025 he retracted that statement in answer to parliamentary questions from Barbara Kathmann (GroenLinks-PvdA): the acquisition could indeed lead to the leaking of personal data and other critical government information to American parties, ‘at least in theory’. The cabinet’s internal security analysis showed that the platform, ‘given its current architecture, cannot be sealed off in such a way that the supplier could no longer reach the data/personal data’.
In early April 2026 a senior official at Logius, Van Oordt, called publicly via LinkedIn for a ‘chic solution’: postpone the acquisition by a few months and use that time to remove DigiD and MijnOverheid from Solvinity. He is so convinced of its importance that he is considering bringing a court case against the ministry and the state himself. His employer is aware of this.
The procedural counter-reading and its limit
For anyone inclined to explain away the difference between Nexperia and Kyndryl as rule-of-law diligence, a defensible counter-reading is available, and it will be put forward with some routine by everyone at Economic Affairs or the Interior. Nexperia was an acute intervention against what the Enterprise Chamber in fact established as asset stripping in real time, with visible IP outflow, the threatened closure of the Munich research centre and the announced dismantling of the European staff base as facts on the table at the moment of intervention. Kyndryl is an announced acquisition running through the regular Vifo screening, with statutorily fixed deadlines. On that reading the difference in pace is a function of the difference between an emergency power and a regular screening regime, not of geopolitical courage.
That counter-reading is internally consistent but founders on one fact. In May 2025, four months before the Vifo screening of Kyndryl began, Microsoft, on the instruction of the White House, cut off the e-mail and other Microsoft services of the chief prosecutor of the International Criminal Court in The Hague. That is no longer a hypothetical CLOUD Act scenario. An American cloud supplier acted on the order of an American executive order against an official of an international court on Dutch territory. On the Nexperia logic this would be an acute-risk fact rendering the regular screening regime insufficient, because it refutes the assumption of controllability through regular instruments. In the Kyndryl screening that acute-risk fact turns out not to translate, or not visibly, into a different pace or a different toolkit. The screening remains formally BTI-compliant, while the actual security analysis internally already concluded that the architecture cannot be sealed off so that the supplier could no longer reach the data, and while a senior internal official deems it necessary to escalate publicly because the department fails to make a decision.
The procedural reading is correct for the pace, but does not explain why the Microsoft-ICC incident was no occasion to step outside the regular Vifo regime, while at Nexperia less direct evidence of extraterritorial action was enough to activate the emergency act from 1952. The difference that remains, once the procedural explanation has been accounted for, is no more than this: against China it is possible; as regards the United States, The Hague dares not act for now, even after the risk has already been materially demonstrated in practice on Dutch territory.
This is the third pattern: indecision and shifting policy statements under pressure from an ally from which the Netherlands does not wish, or believes it cannot, break free, even after the acute risk has become visible.
Synthesis: three colours of dependency
What the three files show together is that the Netherlands, in 2026, takes three different intervention stances towards control of three different categories of critical infrastructure, and that those stances are determined more by the identity of the foreign parent than by the nature of the risk.
With commercial dependency on an EU/private actor (Eurofins, Franco-Luxembourg) the response is passive acquiescence. The state watches as a foreign company negotiates with criminal organisations over the data of Dutch citizens, and its own supervisors have no teeth. There is no reconsideration of the outsourcing model.
With geopolitical dependency on a rival state actor (Wingtech, China) and under alliance pressure there is an intervention, and with instruments from the Cold War toolbox. The intervention is reactive, not anticipatory, and it comes at least as much from Washington as from The Hague.
With infrastructural dependency on the ally itself (Kyndryl, USA) there is hesitation, retraction of earlier firm statements, formal screening that drags on, and public escalation by internal officials because the department fails to make a decision. The fact that an American company, in 2025, on the instruction of the White House, already cut off an ICC official on Dutch territory from his working tools turns out to be insufficient to conduct the screening on grounds other than formal BTI criteria.
The common denominator is a state that allowed the architecture of its critical infrastructure to come about for years without serious sovereignty screening, and that now has to decide reactively, file by file, whether, how and on whose behalf it acts at all. The three patterns, passive toleration with the commercial, reactive intervention under pressure with the geopolitical, and hesitation with allies, are not the result of a coherent doctrine. They are the result of an ad hoc response to situations that reach the Dutch state through different mechanisms.
What this says about the Netherlands in a fragmenting international order
For anyone following the signals from Brussels, Washington and Beijing of the past eighteen months, the direction is unmistakable. The international order is fragmenting along technological, legal and monetary blocs. Extraterritorial legislation (the CLOUD Act, the Entity List, EU CSRD/DORA) is increasingly used as an instrument of geopolitical policy. Ransomware and cyber operations increasingly operate from jurisdictions that do not cooperate with investigation. Critical infrastructure in every EU member state is being strategically re-mapped as national security rather than as internal market.
In this context the Netherlands is structurally vulnerable. Not because it lacks instruments, for the Goods Availability Act of 1952 has now proved applicable, the NIS2 and Vifo frameworks have been implemented, and the Cybersecurity Act together with the Critical Entities Resilience Act will shortly extend the duty of care to more than 8,000 organisations. The problem is not the absence of instruments, but the absence of a doctrine that deploys them in coherence before the damage has been suffered.
Sketch of what a coherent doctrine would comprise
Writing a coherent doctrine is an exercise of its own and does not belong in this piece. But the direction in which the existing toolkit should be combined can be indicated, and that is a minimum that a series on the EU and the international owes the reader. Five building blocks.
The first is an extension of the Wet Vifo from ex post to ex ante, and from its current scope (sensitive technology, vital providers) to identity infrastructure and data-aggregation nodes. Solvinity would, under the current reach of Vifo, qualify as a borderline case. The ICC precedent of May 2025 makes clear that the identity of the parent company of an aggregation node is at least as decisive for the risk as the content of the data. Whoever manages public identity infrastructure must fall under a heavier and earlier screening regime, not under the same regime as generic IT service provision.
The second is a sovereignty criterion in the NZa concentration test for care providers. At present the NZa tests on market power and care quality. The Eurofins case shows that the concentration of public processing operations at private parties under foreign control constitutes an autonomous national resilience risk, separate from the question of whether the market remains sufficient. A test criterion that treats the aggregation of public-executing processing at a single foreign parent as an autonomous resilience question closes a gap that is now exploited by private equity and transnational concentration.
The third is a revision of the Wabvpz enforcement powers. A sectoral supervisor with domain knowledge (IGJ) that has no punitive power, coupled to a general supervisor with punitive power (AP) but without sector knowledge and with multi-year processing times, delivers in practice neither deterrence nor remedy. The choice is punitive power at IGJ in addition to AP, or an integrated health-sector supervision in which domain knowledge and sanctioning power lie in one hand. Both options are better than the present situation in which Eurofins had no audit for three years and the supervisor can only courteously request confirmation of a future certification.
The fourth is a Dutch position in the European cybersecurity certification scheme for cloud (EUCS). The EUCS debate has for years revolved around whether ‘immune from non-EU law’ should be an autonomous criterion for the highest assurance levels in government cloud. France and Italy have defended that, the Netherlands has chosen a less pronounced position. The ICC precedent makes the defence of immunity from extraterritorial legislation, for the highest category of government services, not an ideological but an operational requirement. An active Dutch position in this file, coupled to a national requirement that identity infrastructure and aggregation nodes of public processing fall under that highest category, closes the cloud side of the problem that DigiD exposes.
The fifth is a doctrine for ransom payments by private chain partners in publicly mandated processing. At present a foreign parent company decides autonomously whether it pays a criminal organisation when its Dutch subsidiary is hit in a public-executing processing operation. That is an operational choice with direct national-security implications anchored in no regime at all. A duty to report prior to payment, coupled to a national decision line in which the state at least consults and in the extreme case can block, is no indefensible intervention in private contracts. It is the recognition that ransom payment in this type of chain has become a statecraft act.
These five building blocks together form no doctrine, but an architecture within which a doctrine can be written. They each make the Eurofins pattern (aggregation without screening), the Nexperia pattern (reactive intervention after the fact) and the Kyndryl pattern (hesitation with allies) individually less likely. They do not change the geopolitical position of the Netherlands; they change the toolkit with which the Netherlands operates within that position.
Closing
The IGJ report on Clinical Diagnostics, the Wingtech arbitration case and the official escalation around Solvinity are three different symptoms of the same diagnostic picture. A state that has handed over its critical infrastructure and that now, case by case, discovers what that really means in a less friendly world. The question for the coming cabinet period is not whether the three patterns should be harmonised into a single doctrine. The question is who converts the architecture sketched above into legislation, on what timescale, and with what political willingness to bear the resistance of both foreign parent companies and Dutch outsourcing interests.
Without that resistance it is not worth building the architecture, and without the architecture every next Eurofins, Nexperia or DigiD will again be treated as a surprise by the administration that allowed the present situation itself.