.png)
1 day ago
3
The Dutch government, provinces, municipalities, and vital industries rely far more heavily on American cloud services than previously disclosed, exposing sensitive data to potential U.S. surveillance. NOS identified 1,722 websites belonging to Dutch governmental and semi-governmental bodies or critical companies that depend on at least one U.S.-based cloud provider.
This includes not only websites but also email services and internal communications. Experts warn that this reliance poses a major risk, particularly in the event of political conflict with the United States. Among the government entities using American cloud services are nine of the 15 Dutch ministries.
The dependency is especially high among Dutch municipalities. NOS earlier reported that two-thirds of municipalities use Microsoft email servers. However, updated analysis shows that only Hardinxveld-Giessendam does not use any American cloud service. All Dutch provinces rely on U.S. cloud infrastructure.
This dependence extends to national-level institutions such as the Authority for the Financial Markets (AFM), the Security Council—which consists of the chairs of the 25 Dutch safety regions—and the Tweede Kamer.
“There is a big risk. It’s technically not hard for the U.S. government to read along,” ICT expert Bert Hubert, a longtime advocate for reducing reliance on American cloud infrastructure, told NOS. “They can even go back and say, ‘Give me the emails from the Tweede Kamer from 20 years ago.’”
The AFM told NOS that the use of U.S. cloud services is a “relatively recent development” and is being “closely monitored.” However, switching providers is not easy, the regulator said.
The Association of Netherlands Municipalities (VNG) described the risks as “limited” and emphasized the reliable services delivered by companies like Microsoft. The umbrella organization for Dutch provincial governments stated that public procurement regulations make it difficult to exclude non-European providers. Exiting the U.S. cloud would have “enormous practical implications,” the group said. “Nevertheless, we are thinking about how we can strengthen our digital autonomy.”
Although Dutch authorities and businesses usually agree to store data within the European Union, the risk of U.S. access remains. In 2018, the U.S. government passed a law explicitly allowing its authorities to obtain data stored outside the United States. Other U.S. intelligence laws further expand this capability.
Concerns about this access have grown since the reelection of President Donald Trump, especially after Microsoft was forced to shut down the email account of the chief prosecutor at the International Criminal Court. Observers fear that Trump could use American cloud infrastructure to pressure other international institutions.
The risks reportedly go beyond surveillance. With the press of a button, the U.S. government could disable or manipulate more than 650 Dutch websites belonging to government agencies and vital industries. This includes sites operated by De Nederlandsche Bank, the national police, the Ministry of Foreign Affairs, and Crisis.nl—the government’s designated crisis information portal for the Dutch public.
Even the Dutch government’s job application platform, WerkenVoorNederland, runs on American servers. “It might be of interest to U.S. authorities to see who’s applying for a job at, say, the AIVD [the Dutch intelligence service],” Hubert told NOS. “But that’s still somewhat theoretical,” he added. “The real risk lies with email. It’s much harder to remove your email data than to move your website.”
The use of American cloud infrastructure is reportedly especially concerning in critical sectors. Among 97 essential organizations examined by NOS, 69 use U.S.-based email services. Even KPN, a major Dutch telecom provider offering email to its customers, uses Microsoft’s mail servers.
While ministries handle their own email systems, nine of the 15 ministries use Microsoft Teams or Webex for chatting or video conferencing—tools that also run on American infrastructure and are potentially accessible to the U.S. government.
Brad Smith, Vice Chair and President of Microsoft, confirmed to NOS that a court order in the United States could apply to data stored outside the country. “But we will go to court in such cases,” he added.
Microsoft has previously gone to court to challenge such orders and won. Ironically, that court victory prompted the U.S. Congress to pass legislation explicitly allowing American authorities to access foreign-stored data.
Smith argued that a treaty should be established to set clear rules. “Such a treaty has been in the works for ten years. If it ever comes to fruition, it would be a very good thing. There would be clear regulations about under which circumstances data from a foreign government may be requested, and how,” he said. In his view, such access should only occur with judicial oversight.
NOS based its findings on DNS data from all websites listed in Dutch government registries and from a manually compiled list of websites belonging to vital companies. This DNS data reveals where website infrastructure is hosted.
They analyzed DNS records related to websites, mail, and other relevant technical configurations. In technical terms, they looked at A, MX, NS, CNAME, and TXT records—including SPF—and domain verification keys for platforms like Office 365. IP addresses behind the records were linked to specific providers using the WHOIS database of regional IP registries.
