Trump has free rein over Dutch government data
The Netherlands relies heavily on American IT service providers such as Microsoft, Google and Amazon for the storage of government data.
Published on February 13, 2025
Merien founded E52 with Bart in 2015. He thought journalism should capitalize on AI, and our AI tool, Laio, was his idea. He likes to get angry about hydrogen and mobility and writes columns about it.
The Dutch government is largely dependent on American tech giants such as Microsoft, Google, and Amazon for its digital infrastructure. This dependence becomes an acute security risk with Donald Trump in power and Elon Musk at his side. Where the US was previously a reliable ally, growing trade tensions and differing views on Ukraine create new risks. The American government has proven in the past that it does not shy away from spying on its allies, as was evident in the bugging of Angela Merkel's telephone. Now that crucial Dutch government communications are routed through the systems of American companies, we have an urgent problem.
Complete dependence on American tech giants
The Dutch government relies on American technology companies for virtually all of its digital services. All Dutch municipalities use Microsoft products such as Office 365, Teams, and Azure for their daily operations. This dependence is so deep that only 9% of the municipalities consider a switch to other suppliers feasible, writes Binnenlands Bestuur. The use of Microsoft cloud services in particular is widespread - from email to storage of sensitive documents. The recent police hack, made possible by weak security in Microsoft Outlook, shows how vulnerable this dependence makes us. In this hack, the data of 65,000 police officers was stolen. The lack of in-house IT expertise within the government makes it difficult to develop alternatives. Furthermore, there are few SaaS solutions that support 'bring your own cloud', which limits adoption by (semi-)government organizations. This situation did not arise through a conscious choice, but through years of lack of investment in digital infrastructure, according to Tweakers magazine.
Passwords then, now and in the future: 'Admin123 just doesn’t cut it anymore'
In the Cracked by Jordens series, we look at the cyber security of consumers and businesses in the Netherlands. Today we cover the evolution of passwords.
No control over own data
The dependence on American cloud technology means that much crucial government data is outside of Dutch control. Microsoft may claim that data remains within the EU, but that offers no guarantee against access by American authorities. The situation has arisen due to a lack of local knowledge and resources to set up our own infrastructure. The problem is exacerbated by the fact that there is no fully-fledged European alternative to the American cloud giants. The municipality of Delft even calls a mature European alternative “a utopia”. This situation makes the Netherlands vulnerable to both legal and illegal access to sensitive government data.
Lawful access via CLOUD Act
The CLOUD Act, introduced in 2018, gives US authorities far-reaching powers to demand data from US companies, regardless of where it is stored. This means that even data that is physically stored in Dutch data centers can be requested by US authorities. The law was specifically designed to circumvent legal obstacles that arose from the outdated Stored Communications Act of 1986. For the Dutch government, this means that sensitive policy documents, for example on trade tariffs or strategic positions vis-à-vis the US, could be accessible to American authorities. The NCSC warns that European companies with data processing in Europe may also fall under the CLOUD Act. This extraterritorial effect of American legislation makes it increasingly difficult to comply with European laws and regulations in the field of information security. The law has received support from large technology companies such as Microsoft, AWS, Apple, and Google.
New threat under Trump and Musk
With Donald Trump back in power and Elon Musk as head of the new Department of Government Efficiency (DOGE), an acute threat has arisen. DOGE has been given far-reaching access to federal data systems and works with young, inexperienced employees who not consider themselves bound by normal government protocols. Musk's teams have requested access to sensitive government databases and payment systems. There is great concern among politicians about the secrecy and possible illegality of these actions. The US has proven in the past that it does not shy away from spying on allies. For example, it is said to have intercepted Angela Merkel's phone in 2021. That hack was never officially proven, but it did lead to a diplomatic crisis. With DOGE's uncontrolled access to government systems, the risk of Dutch data being misused is now greater than ever.
Short-term solutions
Alternative solutions must be sought immediately for the most sensitive government information. This may mean that some systems temporarily become less user-friendly, but security must come first. Open source alternatives such as OpenStack and Proxmox are available but require technical knowledge that is often insufficiently present. The VNG advocates a national research agenda on digital dependence and supports the search for alternatives. Framework agreements with multiple cloud providers can reduce dependence on Microsoft. It is crucial that we retain our sovereignty when it comes to the data we manage. For highly sensitive data, consideration should be given to storing it offline or only on servers under direct Dutch control. This requires extra effort but is necessary for national security.
Autoscriber secures Microsoft's support for its clinical intelligence platform
By supporting Autoscriber, Microsoft wants to support its healthcare clients. “The administrative burden of health workers and the lack of structured and interoperable data are known problems.”
European cooperation essential
In the long term, a joint European approach is necessary to reduce dependence on American technology. Approximately 37% of Dutch municipalities would prefer a European alternative to Microsoft. The European Data Protection Supervisor sees the CLOUD Act as conflicting with the GDPR. Various projects are already underway to set up a federated European cloud, such as ECOFED. According to experts, without serious investment in European alternatives, these will simply not happen. The choices we make now will determine our digital autonomy for decades to come. As a mega-economy, the EU must catch up in the field of technology. European cooperation is essential to achieve a scale that can compete with American tech giants.
Fundamental reorientation
The Netherlands must fundamentally reorient itself with regard to its digital infrastructure. The current situation, in which government organizations are completely dependent on Microsoft, is untenable. Investments must be made in training IT personnel and building up our own expertise. The government must have the courage to choose less user-friendly but safer systems where necessary. Collaboration with local providers should be investigated, even if the costs may be higher. The digital sovereignty of the Netherlands should not be dependent on the whims of foreign powers. This requires political courage and significant investments. But the costs of doing nothing are much higher in the long run.