Government's Critical IT Dependencies: Lessons from the Solvinity Takeover

When a private company like Solvinity handles essential government services like DigiD, what happens during a takeover? A position paper argues that outsourcing critical IT without proper regulation is like handing over a toll road without ensuring it stays open.

The upcoming roundtable discussion in the Dutch Parliament about the potential takeover of Solvinity highlights a fundamental tension in modern governance: how should governments handle their increasingly critical IT dependencies? The case isn't just about one company—it's a symptom of a broader pattern where essential public services have quietly migrated into private hands without the regulatory safeguards that exist for other vital infrastructure.

The Core Problem: Unregulated Critical Dependencies

Historically, governments have been careful about outsourcing core functions. When the PTT was privatized into KPN, it came with a "golden share" for government control and extensive telecom regulation. Toll roads, even when privately operated, are heavily regulated to ensure continuous operation. The principle is clear: if a function is critical to public welfare, the government maintains strong oversight.

Yet for IT services, this principle has quietly been abandoned. Companies like IBM, Capgemini, Microsoft, and Solvinity run entire government services 24/7. This goes beyond just providing personnel—these companies operate the actual systems that citizens depend on daily.

The Solvinity case is particularly instructive. While some of their services (like the DigiD platform) might be relatively portable, the services for the Ministry of Justice and Security (JenV) are deeply embedded. The complexity is so high that even with "step-in rights" in contracts, actually taking over operations would be nearly impossible in an emergency.

Why Governments Struggle with Self-Service

There are legitimate reasons why governments outsource IT. From personal experience trying to provide business-critical services between different government agencies, the process rarely runs smoothly. Governments don't typically sign contracts with themselves, and when they do, enforcement is difficult. Disputes get resolved "through the line," which is inefficient when the line lacks technical expertise.

The administrative culture of government agencies makes agile IT operations challenging. Requesting a single server can take four months and cost a fortune. This isn't due to bad intentions—the Rijksdienst (government service) simply wasn't designed for rapid IT procurement and deployment. The history of the Rijks Computer Centrum (RCC) illustrates these challenges well.

Three Potential Solutions

1. Heavily Regulated Market Procurement

This approach mirrors how we handle toll roads and telecommunications. The government would purchase services from private companies but subject them to strict regulation that limits their freedom of action and ensures continuity.

Trade-offs:

Requires significant government expertise to maintain oversight
Risk of "regulatory capture" where the regulated entity gains too much influence
Needs specialized legislation and inspection authorities
Examples: The Netherlands Pilotage Corporation (Nederlands Loodswezen BV) operates as a pure market party but is encapsulated by special law

Implementation challenges:

The government currently lacks the technical expertise to effectively regulate complex IT services
Large providers have massive legal departments that can outmaneuver government regulators
Maintaining regulatory sharpness requires constant attention

2. Standardized, Interchangeable Services Only

Only procure services that are easily replaceable—like renting servers, containers, or standard SQL databases. This approach prioritizes flexibility and reduces vendor lock-in.

Advantages:

Enables multi-vendor strategies
Easier to switch providers when problems arise
Can reduce dependency on non-European providers
The government reportedly already rents large server volumes from Microsoft Azure for SAP—these could potentially migrate to European providers

Critical requirements:

Requires strict discipline to avoid custom solutions
Must resist the temptation to procure specialized services that aren't interchangeable
Needs ongoing technical expertise to maintain standardization

Technical considerations:

Standardization requires careful architectural decisions
Performance and integration requirements must be balanced against portability
The temptation to "just add one more feature" that creates lock-in is constant

3. State-Owned Cloud Company

Create a government-owned company (similar to Schiphol, Port of Rotterdam, or TenneT) that operates cloud infrastructure. This entity would be at arm's length from the administrative government but fully owned by the state.

Advantages:

Can operate with business agility while maintaining public accountability
Contracts with government agencies can be enforced more effectively
Can't be acquired by foreign entities
Leadership can be replaced if needed
Easier procurement (less subject to the 2012 Procurement Act)

Challenges:

Must still comply with public procurement rules when competing for government contracts
The "Market and Government" law may give private companies advantages
Salary structures within government make it difficult to attract and retain technical talent
The government culture values different skills than technical expertise

Talent retention issues:

Government pay scales can't compete with private sector salaries for top technical talent
The government has struggled to create a culture that values and respects technical staff
There have been workarounds (like classifying IT roles as "30% policy officials" to access higher pay scales), but these are exceptions
Agencies like AIVD and MIVD have succeeded in attracting technical talent, but this required significant effort

The European Dimension

The current situation leaves the Dutch government—and by extension, its citizens—dependent on American tech companies. This dependency extends beyond just technical infrastructure to data sovereignty and legal jurisdiction. European alternatives exist but require deliberate policy choices to adopt.

The Solvinity case demonstrates what happens when critical services become embedded in private companies without adequate safeguards. The complexity of modern IT systems means that "taking over" operations isn't like switching toll road operators—it requires deep technical expertise, institutional knowledge, and significant time.

Recommendations

Based on the analysis, the position paper suggests:

Immediate action: Begin migrating server-based workloads to European providers where possible. This reduces dependency without requiring major architectural changes.
Medium-term strategy: Develop clear standards for what constitutes "standardized" versus "custom" services, and enforce strict procurement discipline.
Long-term consideration: Seriously evaluate the state-owned cloud company model, drawing lessons from successful examples like Schiphol and TenneT.
Regulatory framework: Regardless of the approach, develop specialized oversight mechanisms for critical IT services, similar to telecom or financial services regulation.

The Broader Pattern

This isn't just about IT. It reflects a broader trend where governments have outsourced critical functions without maintaining the regulatory frameworks that traditionally accompanied such arrangements. The result is a form of "soft privatization" where public accountability diminishes while operational dependency increases.

The roundtable discussion on January 27th will bring together various stakeholders including Bits of Freedom, the Dutch Cloud Community, Clingendael, NLDigital, and the Stichting Digitale Infrastructuur Nederland. The presence of technical experts like Brenno de Winter and Paul Timmers suggests the conversation will move beyond political rhetoric to practical solutions.

For those unable to attend, the debate will be streamed on Debat Direct. The position paper concludes with a call for action: we must not leave critical government functions in private hands without robust oversight and regulation. The state's power cannot be delegated without maintaining control.