Dutch Regulators Urge Faster Break From Entrenched IT Dependencies

Dutch Regulators Urge Faster Break From Entrenched IT Dependencies

By
Key Takeaways
  • Regulators Warn of Concentration Risk: Five Dutch regulators said reliance on a small group of IT providers threatens the continuity of services for businesses, public authorities and citizens.
  • Autonomy Means Choice, Not Isolation: Digital autonomy does not require technological independence, but greater control, interoperability and the practical ability to switch providers.
  • Procurement Can Reshape the Market: Public authorities and businesses should prioritize open standards, interoperability and provider portability when purchasing IT services.
  • Collective Demand Could Support Alternatives: The government and corporate sector can pool demand and act as launch customers for European and sector-specific digital services.
  • DORA and NIS2 Add Regulatory Weight: The recommendations align with broader requirements to manage technology supply-chain risk and strengthen operational resilience.
Deep Dive

Five Dutch regulators have asked the government and corporate sector to reconsider a choice that rarely feels momentous when it is made: who supplies the technology beneath the business.

That choice has accumulated consequences. When public authorities and companies rely on the same small group of IT service providers, a disruption no longer belongs neatly to one customer or one system. A cyber incident, service failure or geopolitical rupture can pass through a shared provider and reach businesses, public services and citizens at once. What appeared to be an efficient purchasing decision becomes a common point of exposure.

The Netherlands Authority for Consumers and Markets, the Dutch Authority for the Financial Markets, the Dutch Data Protection Authority, De Nederlandsche Bank and the Dutch Authority for Digital Infrastructure set out that warning in a joint report, “Towards digital autonomy.” Presented to Willemijn Aerdts, minister for the digital economy and sovereignty, the report calls on businesses and public authorities to move faster in reducing unwanted technological dependencies.

The problem, as the regulators describe it, is not simply that a handful of providers have become large. It is what size permits dependency to become. Heavy reliance on a small number of non-European service providers restricts customers’ freedom of choice, while the cost and complexity of switching make that freedom increasingly theoretical. A company may retain the contractual right to leave and still discover that its systems, data and operations have made departure all but impractical.

The report does not confuse digital autonomy with technological isolation. The Netherlands need not produce every server, platform and application it uses. Greater autonomy means something more practical: preserving enough choice and control that public authorities and businesses can withstand disruption, work with different providers and change course when circumstances require it.

That depends partly on architecture. More open IT systems can allow services from different providers to work together, lowering the barriers that keep customers attached to a single supplier. Open standards, interoperability and credible support for switching providers are therefore not technical details buried somewhere in a procurement document. They determine whether an institution possesses alternatives or merely talks about them.

The regulators want public authorities and companies to make those considerations part of how they buy technology. A low price or sophisticated service may answer the immediate procurement question, but it says little about what happens when the provider fails, the relationship deteriorates or the wider geopolitical setting changes. Digital autonomy asks buyers to examine the exit before signing the entrance papers.

Still, procurement requirements cannot create alternatives that do not exist. The report therefore gives the Dutch government a more active role. By pooling demand for European digital services and serving as a launch customer, it could give emerging providers the scale and credibility needed to compete. Public purchasing would become more than an administrative exercise. It would help shape the market from which future purchases are made.

Businesses can exert similar influence if they act together. The regulators encourage companies within the same sector to combine demand and support the development of IT services suited to their particular needs, noting that competition rules provide ample room for such collaboration. One company may not represent enough business to justify a new service. An industry might.

IT providers are also being asked to collaborate more closely in building robust European alternatives. The purpose is not to exchange foreign concentration for European concentration and declare the matter settled. It is to widen the field of credible suppliers, make movement between them more realistic and give customers leverage that dependence has gradually taken away.

That call sits within a broader effort to bring digital supply chains under firmer control. The EU’s Digital Operational Resilience Act requires financial entities to manage information and communications technology risks, including those arising through external providers. The Netherlands’ new Cyber Security Act, which transposes the NIS2 Directive into Dutch law and is set to take effect Aug. 15, likewise emphasizes supply-chain risk and the resilience of essential and important entities.

Both regimes give practical weight to the regulators’ recommendations. A business cannot make itself resilient merely by documenting its dependence more carefully. If an essential provider fails, there must be somewhere else to go, and moving there must be possible before the interruption does its damage. The distinction between an exit plan and an exit is the distance between paper and operations.

The five regulators said they want a digital infrastructure in which public authorities and businesses retain greater control over their IT systems, with resilience, continuity and security placed at its center. They have invited businesses and other organizations to contact them with questions about the recommendations.

Their message distributes responsibility widely because the dependency itself was built collectively. Government helped shape the market through procurement. Businesses accepted architectures that became difficult to leave. Providers built services that do not always work easily with those of their competitors. Reversing that pattern will require the same forces to move in a different direction and to do so before the next disruption reveals how little freedom remained.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

Oops! Something went wrong