Exit DigiD: the only missing piece is political will
The Kyndryl/Solvinity acquisition exposes a fundamental weakness: the Netherlands has a "sovereign" identity application (DigiD) running on infrastructure that can be sold to foreign entities subject to extraterritorial laws (US CLOUD Act).
By Jurg van Vliet
Executive Summary
This document outlines a practical architecture to replace DigiD with a fully sovereign stack using existing open-source components and European infrastructure.
Key insight: Switching from DigiD to Yivi solves nothing if the underlying infrastructure remains US-controlled. Sovereignty requires the full stack.
Current State: The Dependency Chain
```text
┌─────────────────────────────────────┐
│         CITIZEN INTERACTION         │
│              DigiD App              │
│        (Dutch, Open Source)         │
└─────────────────────────────────────┘
                   │
                   ▼
┌─────────────────────────────────────┐
│       AUTHENTICATION SERVICE        │
│       DigiD Backend (Logius)        │
│         (Dutch Government)          │
└─────────────────────────────────────┘
                   │
                   ▼
┌─────────────────────────────────────┐
│           PLATFORM LAYER            │
│              Solvinity              │
│   (UK PE → Kyndryl/US) ← PROBLEM    │
└─────────────────────────────────────┘
                   │
                   ▼
┌─────────────────────────────────────┐
│            DATA SOURCES             │
│       BRP, RDW, Kadaster, etc.      │
│       (Dutch Government DCs)        │
└─────────────────────────────────────┘
```
The Problem: Even though DigiD is "Dutch," operational control of the platform layer gives Kyndryl (and by extension, US authorities) potential leverage over:
- Service availability
- Incident response
- Technical roadmap
- Staff with access to systems
Target State: Sovereign Identity Stack
Architecture Overview
```text
┌─────────────────────────────────────────────────────────────┐
│              LAYER 1: WALLET (Citizen Device)               │
│     ┌─────────────┐   ┌─────────────┐   ┌─────────────┐     │
│     │    Yivi     │   │  NL-Wallet  │   │ Third-party │     │
│     │   (PBDF)    │   │  (MinBZK)   │   │ EUDI Wallet │     │
│     └─────────────┘   └─────────────┘   └─────────────┘     │
│        All open source, credentials stored on device        │
└─────────────────────────────────────────────────────────────┘
                              │
                    OpenID4VC / ISO 18013-5
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                LAYER 2: CREDENTIAL ISSUANCE                 │
│   ┌─────────────────────────────────────────────────────┐   │
│   │           Sovereign Issuer Infrastructure           │   │
│   │   • PID Issuer (connects to BRP)                    │   │
│   │   • Driving License Issuer (connects to RDW)        │   │
│   │   • Diploma Issuer (connects to DUO)                │   │
│   │   • Health Credential Issuer (connects to CIBG)     │   │
│   └─────────────────────────────────────────────────────┘   │
│           Running on: Kubernetes / European Cloud           │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                LAYER 3: TRUST INFRASTRUCTURE                │
│   ┌──────────────┐   ┌──────────────┐   ┌──────────────┐    │
│   │   PKI / CA   │   │  Revocation  │   │    Schema    │    │
│   │ (PKIoverheid │   │   Service    │   │   Registry   │    │
│   │  or EU CA)   │   │              │   │              │    │
│   └──────────────┘   └──────────────┘   └──────────────┘    │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│      LAYER 4: GOVERNMENT REGISTERS (Authentic Sources)      │
│ ┌────────┐  ┌────────┐  ┌────────┐  ┌────────┐  ┌────────┐  │
│ │  BRP   │  │  RDW   │  │Kadaster│  │  DUO   │  │  CIBG  │  │
│ └────────┘  └────────┘  └────────┘  └────────┘  └────────┘  │
│               (Existing Dutch infrastructure)               │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│              LAYER 5: SOVEREIGN INFRASTRUCTURE              │
│   ┌─────────────────────────────────────────────────────┐   │
│   │                 Kubernetes Platform                 │   │
│   │               GitOps / ArgoCD / Flux                │   │
│   └─────────────────────────────────────────────────────┘   │
│   ┌─────────────────────────────────────────────────────┐   │
│   │              European Cloud Providers               │   │
│   │    Scaleway │ Hetzner │ OVHcloud │ IONOS │ Fuga     │   │
│   └─────────────────────────────────────────────────────┘   │
│   ┌─────────────────────────────────────────────────────┐   │
│   │               Government Data Centers               │   │
│   │                (ODC-Noord, Rijks DC)                │   │
│   └─────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────┘
```
Component Selection
Layer 1: Wallets (Already Solved)
| Component | Provider | License | Status |
|---|---|---|---|
| Yivi | Privacy by Design Foundation (NL) | Apache 2.0 | Production |
| NL-Wallet | MinBZK | Open Source | Beta (GitHub: MinBZK/nl-wallet) |
| EU Reference Wallet | European Commission | Open Source | Reference Implementation |
Action: No change needed. Multiple open-source options exist.
Layer 2: Credential Issuance
This is where DigiD's function moves. Instead of authenticating directly, citizens:
- Bootstrap once (prove identity)
- Receive verifiable credentials in wallet
- Present credentials to services (no central auth needed)
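As an added example, not code from this page or from walt.id, Credo or Yivi: a simplified SD-JWT-style flow (the format listed in Appendix C) in Go, showing why the issuer drops out of the daily-use path. The issuer signs hashes of salted disclosures once; the holder later reveals only the claims a service needs, and the service checks them against that one signature without any central authentication step. The key, issuer name and claim names are constructed; a real SD-JWT VC also carries a JWT header, key binding and expiry, which this omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)
// Simplified SD-JWT VC flow (issue, present, verify); hypothetical names, not walt.id or Yivi code.
var b64 = base64.RawURLEncoding
func hashDisclosure(d string) string {
	h := sha256.Sum256([]byte(d))
	return b64.EncodeToString(h[:])
}
// Issue: each claim becomes a salted disclosure [salt, name, value]; only the hashes (_sd) are signed.
func Issue(priv ed25519.PrivateKey, claims map[string]string) (payload, sig []byte, disclosures map[string]string) {
	disclosures = map[string]string{}
	var sd []string
	for name, val := range claims {
		salt := make([]byte, 16)
		rand.Read(salt) // the salt stops a verifier brute-forcing low-entropy values from the hash
		raw, _ := json.Marshal([]string{b64.EncodeToString(salt), name, val})
		d := b64.EncodeToString(raw)
		disclosures[name] = d
		sd = append(sd, hashDisclosure(d))
	}
	payload, _ = json.Marshal(map[string]any{"iss": "pid-issuer.example", "_sd": sd})
	return payload, ed25519.Sign(priv, payload), disclosures
}
// Verify: signature first, then only disclosures whose hash is in _sd; tampered or foreign ones are rejected.
func Verify(pub ed25519.PublicKey, payload, sig []byte, presented []string) (map[string]string, bool) {
	var body struct{ SD []string `json:"_sd"` }
	if !ed25519.Verify(pub, payload, sig) || json.Unmarshal(payload, &body) != nil {
		return nil, false
	}
	inSD := map[string]bool{}
	for _, h := range body.SD { inSD[h] = true }
	claims := map[string]string{}
	for _, d := range presented {
		raw, err := b64.DecodeString(d)
		var parts []string
		if !inSD[hashDisclosure(d)] || err != nil || json.Unmarshal(raw, &parts) != nil || len(parts) != 3 {
			return nil, false
		}
		claims[parts[1]] = parts[2] // claim name, claim value
	}
	return claims, true
}
```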
Open Source Issuance Components:
| Component | Provider | License | Notes |
|---|---|---|---|
| walt.id | walt.id GmbH (AT) | Apache 2.0 | Full stack, EUDI-aligned |
| Credo | OpenWallet Foundation | Apache 2.0 | TypeScript, OpenID4VC |
| Procivis One | Procivis AG (CH) | Apache 2.0 | Production-grade |
| Yivi issuer | PBDF | Apache 2.0 | Already integrated with NL systems |
Recommended: walt.id or Yivi issuer infrastructure, deployed on sovereign Kubernetes.
Layer 3: Trust Infrastructure
| Component | Current | Sovereign Alternative |
|---|---|---|
| PKI/CA | PKIoverheid | ✓ Already Dutch |
| Revocation | TBD | Self-hosted OCSP/CRL or Status List 2021 |
| Schema Registry | TBD | EU Trusted List / Dutch registry |
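The revocation row lists Status List 2021 as a self-hosted option. As an added example (not from this page or any of the listed projects), a Go encoder and checker for that bitstring format, so the trust layer can answer "is credential N revoked?" from one small, cacheable document instead of a per-credential OCSP-style lookup. Helper names are hypothetical and the left-most-bit-first ordering is an assumption the issuer and verifier must share.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"errors"
	"io"
)
// Status List 2021 style check (hypothetical helper names, not a library API): the list is a
// gzip-compressed bitstring; bit i set means the credential with statusListIndex i is revoked.
// EncodeStatusList builds the encodedList value for a list of `size` entries.
func EncodeStatusList(revoked []int, size int) (string, error) {
	bits := make([]byte, (size+7)/8)
	for _, i := range revoked {
		if i < 0 || i >= size {
			return "", errors.New("index outside list")
		}
		bits[i/8] |= 1 << (7 - uint(i%8)) // left-most bit first (assumed ordering)
	}
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(bits) // in-memory target; Close flushes and reports any error
	if err := zw.Close(); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf.Bytes()), nil
}
// IsRevoked reads the bit at index. Undecodable input or an index beyond the decoded bitstring
// is an error, never a silent "not revoked"; decompression is capped to blunt zip bombs.
func IsRevoked(encoded string, index int) (bool, error) {
	raw, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil {
		return false, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return false, err
	}
	defer zr.Close()
	bits, err := io.ReadAll(io.LimitReader(zr, 1<<20))
	if err != nil {
		return false, err
	}
	if index < 0 || index/8 >= len(bits) {
		return false, errors.New("index outside list")
	}
	return bits[index/8]&(1<<(7-uint(index%8))) != 0, nil
}
```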
Layer 4: Government Registers
No change needed — BRP, RDW, etc. are already Dutch government infrastructure. The issuers connect to these via existing government APIs (Haal Centraal, etc.).
Layer 5: Infrastructure
Current Problem: Solvinity (→ Kyndryl) provides managed cloud services.
Sovereign Alternatives:
| Provider | Country | Certifications | Notes |
|---|---|---|---|
| Scaleway | FR | SecNumCloud, HDS | Sovereign cloud, K8s native |
| OVHcloud | FR | SecNumCloud, HDS, ISO27001 | Large scale, sovereign options |
| Hetzner | DE | ISO27001 | Cost-effective, bare metal |
| IONOS | DE | ISO27001, BSI C5 | Enterprise focus |
| Fuga Cloud | NL | ISO27001, NEN7510 | Dutch, government clients |
| CloudVPS/Tilaa | NL | ISO27001 | Dutch, smaller scale |
| Leafcloud | NL | - | Sustainable, Dutch |
| Government DC | NL | Rijksoverheid standards | Highest sovereignty |
Recommended Architecture:
- Primary: Government DC (ODC-Noord) for core issuance
- Secondary: Dutch provider (Fuga) or FR provider (Scaleway) for edge/redundancy
- Kubernetes-native deployment with GitOps
Migration Path
Phase 1: Parallel Issuance (6 months)
```text
     CURRENT                    NEW
   ┌─────────┐           ┌────────────────┐
   │  DigiD  │           │ Yivi/NL-Wallet │
   │ (auth)  │           │    (wallet)    │
   └────┬────┘           └───────┬────────┘
        │                        │
        │    ┌───────────────────┘
        │    │
        ▼    ▼
   ┌─────────────────────┐
   │   Services accept   │
   │    BOTH methods     │
   └─────────────────────┘
```
Actions:
- Deploy sovereign issuer infrastructure (walt.id/Yivi on K8s)
- Connect to BRP via Haal Centraal for PID issuance
- Connect to RDW for driving license credentials
- Government services accept wallet credentials alongside DigiD
Phase 2: Wallet-First (12 months)
```text
┌─────────────────────────────────────────┐
│          BOOTSTRAP (one-time)           │
│   ┌──────────┐      ┌─────────────────┐ │
│   │ Physical │  OR  │ Existing DigiD  │ │
│   │ ID + NFC │      │ (legacy bridge) │ │
│   └────┬─────┘      └────────┬────────┘ │
│        └──────────┬──────────┘          │
│                   ▼                     │
│          ┌─────────────────┐            │
│          │  PID Issuance   │            │
│          │   (sovereign)   │            │
│          └────────┬────────┘            │
│                   ▼                     │
│          ┌─────────────────┐            │
│          │ Wallet receives │            │
│          │   credentials   │            │
│          └─────────────────┘            │
└─────────────────────────────────────────┘
                    │
                    ▼
┌─────────────────────────────────────────┐
│           DAILY USE (ongoing)           │
│                                         │
│         Wallet ──────► Services         │
│            (no DigiD needed)            │
│                                         │
└─────────────────────────────────────────┘
```
Actions:
- New users onboard directly to wallet (skip DigiD)
- Physical ID + NFC becomes primary bootstrap
- DigiD remains as fallback bridge
Phase 3: DigiD Sunset (24 months)
```text
┌─────────────────┐
│   Physical ID   │
│  + NFC reader   │
│   + Biometric   │
└────────┬────────┘
         │
         ▼
┌─────────────────┐      ┌─────────────────┐
│   PID Issuer    │─────►│     Wallet      │
│   (sovereign)   │      │(Yivi/NL-Wallet) │
└─────────────────┘      └────────┬────────┘
                                  │
                                  ▼
                         ┌─────────────────┐
                         │  All services   │
                         │   wallet-only   │
                         └─────────────────┘
```
DigiD: Deprecated, maintained for legacy only
Solvinity dependency: Eliminated
Technical Implementation
Kubernetes Deployment
```yaml
# Example: Sovereign Issuer on Kubernetes
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pid-issuer
  namespace: sovereign-identity
spec:
  replicas: 3
  selector:
    matchLabels:
      app: pid-issuer
  template:
    metadata:
      labels:
        app: pid-issuer
    spec:
      containers:
        - name: issuer
          # Pin to a digest in production: ":latest" defeats reproducible GitOps rollouts
          image: waltid/issuer:latest # or custom build
          env:
            - name: BRP_API_URL
              valueFrom:
                secretKeyRef:
                  name: haal-centraal-credentials
                  key: api-url
            # A raw private key in an environment variable contradicts the HSM requirement
            # below; with an HSM the container holds only a key reference (e.g. a PKCS#11 URI)
            - name: SIGNING_KEY
              valueFrom:
                secretKeyRef:
                  name: pkioverheid-signing
                  key: private-key
          resources:
            limits:
              memory: "512Mi"
              cpu: "500m"
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
```
GitOps Structure
```text
sovereign-identity/
├── base/
│   ├── pid-issuer/
│   │   ├── deployment.yaml
│   │   ├── service.yaml
│   │   └── kustomization.yaml
│   ├── mdl-issuer/              # Mobile Driving License
│   ├── revocation-service/
│   └── trust-registry/
├── overlays/
│   ├── production/
│   │   ├── secrets.enc.yaml     # SOPS encrypted
│   │   └── kustomization.yaml
│   └── staging/
└── infrastructure/
    ├── scaleway/
    └── government-dc/
```
Security Requirements
- HSM for signing keys: All credential signing keys in hardware (PKIoverheid HSM or equivalent)
- mTLS everywhere: Service mesh (Istio/Linkerd) for internal communication
- Zero-trust network: No implicit trust, all connections authenticated
- Audit logging: Complete trail of all credential issuances
- Air-gapped signing: Most sensitive operations in isolated environment
Governance Model
Operational Control
| Function | Responsible | Location |
|---|---|---|
| Wallet development | MinBZK + PBDF | Netherlands |
| Issuer operations | Logius or new agency | Netherlands |
| Infrastructure | Government DC + NL/EU cloud | Netherlands/EU |
| PKI | PKIoverheid | Netherlands |
| Standards | EDICG + NL delegation | EU/Netherlands |
Legal Structure
- No foreign ownership in critical path
- No CLOUD Act exposure: All operators EU-based
- GDPR-only jurisdiction: No extraterritorial data access
- Open source mandate: All components auditable
Cost Comparison
Current State (estimated)
| Item | Annual Cost |
|---|---|
| Solvinity contract | €XX million |
| DigiD operations (Logius) | €XX million |
| Infrastructure | Included in Solvinity |
Sovereign Stack (estimated)
| Item | Annual Cost | Notes |
|---|---|---|
| European cloud (Scaleway/Fuga) | €2-5M | Depending on scale |
| Government DC allocation | €1-3M | Shared infrastructure |
| Kubernetes platform team | €1-2M | 5-10 FTE |
| Open source integration | €0.5-1M | Contributions, customization |
| Total | €4.5-11M | Potentially lower than current |
Note: Actual figures require detailed analysis. The point is that sovereign infrastructure is not necessarily more expensive than vendor dependency.
Risk Analysis
Risks of Staying (Solvinity → Kyndryl)
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| CLOUD Act data request | Medium | High | None (legal obligation) |
| Service disruption (geopolitical) | Low | Critical | Limited (single vendor) |
| Price increases (lock-in) | High | Medium | Limited (switching costs) |
| Loss of operational autonomy | High | Medium | None |
Risks of Migration
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| Migration complexity | Medium | Medium | Phased approach |
| Skill gap | Medium | Low | Training, hiring |
| Interoperability issues | Low | Medium | Standards compliance |
| User adoption | Medium | Medium | Communication, UX focus |
Recommendations
Immediate (0-3 months)
- Block or condition the Kyndryl acquisition via Bureau Toetsing Investeringen
- Accelerate NL-wallet release timeline
- Mandate wallet acceptance for new government services
- Publish sovereign infrastructure RFP for alternative to Solvinity
Short-term (3-12 months)
- Deploy pilot issuer infrastructure on Dutch/EU cloud
- Connect first registers (BRP, RDW) to new issuers
- Enable dual authentication (DigiD + wallet) for all services
- Build operations team for sovereign infrastructure
Medium-term (12-24 months)
- Default to wallet for new citizen onboarding
- Migrate existing DigiD users to wallet credentials
- Phase out Solvinity dependency
- Full sovereign operations
Conclusion
The question isn't "DigiD or Yivi?" — it's "sovereign stack or not?"
Switching apps while keeping US-controlled infrastructure is security theatre. True sovereignty requires:
- ✅ Open source wallets (Yivi, NL-wallet) — available today
- ✅ Open source issuance (walt.id, Credo) — available today
- ✅ European PKI (PKIoverheid) — available today
- ✅ European cloud (Scaleway, Fuga, etc.) — available today
- ✅ Kubernetes expertise — available today
The only missing piece is political will.
Appendix A: Open Source Component Links
- NL-Wallet: https://github.com/MinBZK/nl-wallet
- Yivi: https://github.com/privacybydesign/irmago
- walt.id: https://github.com/walt-id/waltid-identity
- Credo: https://github.com/openwallet-foundation/credo-ts
- EU Reference Wallet: https://github.com/eu-digital-identity-wallet
- OpenWallet Foundation: https://openwallet.foundation/projects/
Appendix B: European Cloud Providers
- Scaleway: https://www.scaleway.com
- OVHcloud: https://www.ovhcloud.com
- Hetzner: https://www.hetzner.com
- Fuga Cloud: https://fuga.cloud
- Leafcloud: https://www.leaf.cloud
- IONOS: https://www.ionos.com
Appendix C: Standards
- OpenID4VC: https://openid.net/sg/openid4vc/
- SD-JWT: https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
- ISO 18013-5 (mDL): Mobile Driving License standard
- eIDAS 2.0: Regulation (EU) 2024/1183
- ARF: https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/