Why Digital Dependence poses an acute risk to the Financial Sector in Europe

The digital transformation of the financial sector has accelerated in recent years. Banks, insurers and fintechs increasingly rely on a small number of mostly non-European technology providers for essential IT services — including cloud storage, cybersecurity, payment systems, and customer-facing platforms.

In a joint report dated 20 October 2025, De Nederlandsche Bank (DNB) and the Dutch Authority for the Financial Markets (AFM) warn that this dependence poses a direct threat to the stability, privacy, and digital sovereignty of the European financial system.

Recent developments show that this is no longer a theoretical risk.

Concerns are growing in the Dutch Parliament following a takeover bid by U.S. firm Kyndryl for Solvinity — the company providing key IT services for DigiD and MijnOverheid. Members of Parliament fear that government data may fall under U.S. surveillance laws, with consequences for privacy, continuity, and national security.

This article explains why increasing dependence is problematic, what obligations arise from European regulations, and what financial institutions can do to mitigate risks.

What are the risks of Digital Dependence?

DNB and AFM identify four structural risks that arise when institutions rely heavily on the same dominant IT vendors:

  1. Pressure on privacy and data protection
    When financial or government data is stored outside the European Union, it may be subject to foreign laws — including U.S. surveillance legislation.
    The Solvinity–DigiD debate highlights this issue. MPs warn that, in theory, a foreign power could influence the digital infrastructure of the Dutch government. The cabinet also acknowledges that such a takeover could be “concerning.”
    For financial institutions, this means: compliance with the GDPR becomes more complex, the risk of data breaches increases, and reputational damage is a real threat.
  2. Vendor lock-in: Switching becomes practically impossible
    Many organisations build their entire IT landscape on one cloud platform. Switching providers is technically complex, costly, and time-consuming. This creates long-term dependence, reducing flexibility in the face of incidents, cyber threats or geopolitical tensions.
  3. Concentration risk: One failure can affect an entire sector
    When multiple institutions rely on the same provider, a single outage or cyberattack can cause mass disruptions to payments, client portals, or data processing.
    Such a “single point of failure” constitutes a systemic risk capable of disrupting the entire European financial infrastructure.
  4. Geopolitical tensions and extraterritorial legislation
    Financial infrastructure in the hands of foreign entities may become vulnerable to political pressure or sanctions.
    The parliamentary debate over Kyndryl and Solvinity shows how quickly essential IT services can become part of geopolitical interests.

How are Financial Institutions and IT Providers responding?

While institutions recognise the risks, in practice they remain highly dependent on non-European vendors. European alternatives are limited or still underdeveloped. Still, measures are being taken to strengthen resilience:

  • contingency and recovery plans for critical IT failures;
  • objective inventories of all IT dependencies;
  • measures to prevent vendor lock-in;
  • stricter requirements for data location and encryption.

Meanwhile, tech companies are developing “sovereign cloud” solutions, keeping European data within the EU and under local law.

What legal framework applies?

The European regulatory framework compels financial institutions to actively manage digital risks.

DORA – Digital Operational Resilience Act

DORA obliges institutions to:

  • register and monitor all IT dependencies;
  • develop exit strategies and contingency scenarios;
  • carry out regular resilience tests;
  • retain responsibility for outsourced services — with no exceptions.

Additional EU Regulations

  • GDPR – strict rules on privacy and data storage;
  • NIS2 – enhanced cybersecurity obligations for vital sectors, including financial institutions;
  • EU Data Act – promotes data portability and requires cloud providers to facilitate switching.

What do DNB and AFM expect from Financial Institutions?

The regulators have issued a clear message: institutions must actively reduce digital dependence. Specifically, they expect:

  1. Complete insight into dependencies
    Institutions must know exactly:
      • which providers support critical processes;
      • where data is stored;
      • which risks arise from extraterritorial laws.
  2. Active reduction of high-risk concentrations
    Examples include:
      • using multiple cloud providers;
      • adopting open technologies to enable switching;
      • maintaining control over encryption keys;
      • using European solutions where feasible and responsible.
  3. Crisis preparedness
    Institutions must be able to continue operations during geopolitical tensions or large-scale cyberattacks — even if a provider temporarily fails.

What should organisations do now?

Current developments — from DigiD and Solvinity to the warnings from DNB and AFM — show that digital dependence is not a future concern but an urgent issue.

Key action points:

  • Create a comprehensive overview of all IT services and data locations.
  • Review contracts for lock-in risks and extraterritorial legal exposure.
  • Prepare exit strategies and recovery plans.
  • Explore European cloud solutions or hybrid models.
  • Ensure legally and technically sound data control (encryption keys, access management).

Organisations that take action now will strengthen their digital resilience and reduce legal and operational risks.

Digital Dependence impacts privacy, continuity, and sovereignty

The concerns surrounding DigiD and Solvinity show that digital dependence is not just a financial risk — it is also a national and geopolitical issue. The financial sector — which heavily relies on digital infrastructure — is at the frontline.

Transparency, risk management, and strategic diversification are essential.

ACG International advises financial institutions and fintechs on digital resilience, outsourcing, cloud contracts, and compliance with DORA, NIS2 and the EU Data Act.

Would you like to know how your organisation can reduce its digital dependencies or what legal measures are required?

Feel free to contact us — our specialists are ready to assist.
