From self-built to fully outsourced, this analysis reveals how the choice of software delivery model impacts control, transparency, and national sovereignty.
The Dutch tax authority's plan to outsource VAT processing to an American company has sparked intense debate, but the real issue goes far beyond software licensing. While discussions have focused on using American software, the critical detail that's emerged is that this software—and the servers it runs on—would be entirely managed by Americans. This "VAT-as-a-Service" model represents a fundamental shift in how governments handle critical infrastructure, and the implications are profound.
To understand why this matters, we need to examine the spectrum of how organizations can run important computer systems. This ranges from building everything yourself to completely outsourcing to third parties. Let me walk through these models, from most to least control.
0) Self-Built: Maximum Control, Maximum Responsibility
Historically, the most critical software was built in-house, though often using existing libraries and frameworks as building blocks. This approach still powers the core of tax authorities and banks today. The Dutch Electoral Council, for example, built their own counting software called Abacus.
Building your own software takes time and effort, and might seem old-fashioned. But when you're doing something unique that no one else does the same way, you often have no choice. This is how the tax authority currently handles its most important tax functions.
Self-building gives you maximum understanding and flexibility, but also maximum responsibility. The source code can be shared for complete transparency—ideal for elections, digital identity systems, and other critical functions. This approach is supremely suitable for your most critical and unique applications, but only if your application is truly special (like VAT processing).
1) Traditional Licensed Software, Self-Installed
Companies and governments traditionally bought software licenses delivered on floppy disks or CD-ROMs. The customer installed the software according to the manual, or after taking a course. If the vendor disappeared or there was a dispute, the software kept working. Licenses were often "perpetual"—they never expired, though the software might become outdated.
WordPerfect exemplifies this model. The advantage is that the customer truly understands how the software works because they installed it themselves. The vendor could go out of business and there'd be no immediate problem.
This approach requires investing in your own expertise—something governments in 2026 often find annoying. Can't the market handle that? There's been recent confusion about "the license." The government allegedly tried to unlawfully procure 3.3 billion euros in software licenses, but reading the documents reveals this is about services, not licenses.
Buying software (taking a license) and installing it yourself is a good way to run critical services, especially services delivered worldwide.
2) Installed by the Vendor
Some software became so complicated over decades that it required a consultant to install. Oracle is a prime example. Licenses were often paid annually instead of being valid indefinitely. Most modern software is now extremely difficult to install yourself.
When a vendor (or consultant or integrator) does it for you, the software still runs "on your property," but you're more dependent on the vendor or consultants. The natural learning process of installing software yourself is missing.
With careful attention, this can work, but you must actively work to understand the software anyway.
3) Turnkey Delivered and Integrated
It's also possible to get partners/vendors to not only deliver software but also integrate it with other systems within the company. Delivery happens "turnkey": the customer can turn the key and the system starts.
The downside is that the company has even less idea what's going on. The vendor has plugged in all the cables and made various adjustments here and there. The recipient is now essentially helpless and permanently dependent on the vendor and partners, especially if something needs to change.
(Unless enormous effort is made to understand what happened, which almost never happens.)
Police tap rooms are typically in this state: heavily dependent on the vendor, who must keep coming to help. This is usually inadvisable for critical services because you develop little of your own expertise.
4) Turnkey PLUS Management & Maintenance ("Managed Service")
You can also get the whole thing delivered turnkey, with the vendor additionally promising to maintain and support it continuously. The software then stands "on your property," but you have almost no say anymore. The management of the software, and the underlying computer, is then not in your hands.
This is also known as a "managed service." If the vendor stops maintaining or makes mistakes, you have no idea what to do. Because your people have no access to the product and also don't know how it should be managed.
However, if maintenance stops for a short time, the software will keep running for a while. You're in the air for days or weeks. But then it stops and your service delivery collapses anyway.
The vendor also has complete access to your data, and if you want the vendor to take nothing with them, you must strictly control that. This usually falls by the wayside.
This is the proposed plan for the new VAT solution at the tax authority! This is inadvisable for critical services (like VAT) because you're 100% dependent on your vendor, you don't know what the software is doing, can't take over management, and can never leave.
5) Fully "As a Service"
The maximum variant of this progression is when there's no software at the user's location anymore. The software runs at the vendor or somewhere in another cloud. There's little or no software on the user's property.
If the vendor stops providing the service, everything stops immediately. This is how large parts of central government and all municipalities are taking Microsoft 365 (or planning to). Some try to keep it somewhat in-house.
You must be very sure of your vendor to do this, and according to the National Cloud Policy, this should only be done if there's a concrete plan to also leave again. We're not complying with that policy, by the way! Unbelievable but true.
Intermediate Forms
The above models from 0 to 5 also have intermediate forms. An organization can hire a lot of external personnel, so expertise is (temporarily) present. But hiring also just (compulsory) leaves again, and with it the expertise.
"Doing things yourself" can mean many things this way. Maybe not so much yourself after all.
Conversely, on servers rented somewhere else, you can still be very independent. Those servers can be rented anywhere. It doesn't have to be physically in your own data center (DC) to have control over it. And having it in your own DC doesn't matter if management is done by an external party.
In Conclusion
Ask carefully when an important organization buys something new for a critical service. Are they building it themselves, possibly using existing standard software like databases? Or are they taking someone else's software under license, but with their own operational experience? Or are they running the software "on paper" on their own property, but someone else (almost) does everything? And do you therefore have little visibility into it?
Or has a choice been made for total outsourcing, where an important organization is essentially only putting the logo on it, but otherwise has practically little to say, and the data is also outside the door.
It's good to have crystal clear insight into this. What's failing at the tax authority with VAT software, causing us to potentially hand over control of 80 billion euros/year in revenue to America.
Hopefully, the Second Chamber will still come to its senses.
For further reading:
Comments
Please log in or register to join the discussion