DigiD acquisition shows urgency of vendor risk management

Marcel

December 18, 2025

Introduction

The concerns in the Lower House about the American takeover of Solvinity – a supplier that provides services for DigiD – show how vulnerable our digital chains are. If a critical supplier suddenly falls into foreign hands, there is immediate risk around data access, legislation and continuity. For any organization that depends on cloud and IT services, this is a clear signal: mature supplier risk management is necessary, especially in view of NIS2.

1. What makes the DigiD case so sensitive

Solvinity manages infrastructure for DigiD and other government services. An acquisition by a foreign company can lead to:

  • New jurisdictions that can claim access.
  • Uncertainty about security processes and governance.
  • Risks to continuity and dependency.

This is not just about DigiD. Every organization – from healthcare institutions to industry and finance – works with suppliers that can change hands unexpectedly. Without insight into the chain, immediate risk arises.

2. Why this is a wake-up call for every entrepreneur and CISO

The digital world of organizations is growing rapidly: cloud services, software, billing platforms, AI tools. Your company forms a complex digital ecosystem, often with hundreds of vendors.

That ecosystem is becoming increasingly important:

  • Legislation such as NIS2 and DORA establishes chain responsibility.
  • Executives discuss digital sovereignty and dependencies.
  • Organizations want to know: what are we stuck with, and what happens if one party fails?

Those who only look at individual pieces of the puzzle – contracts, certificates, individual scans – miss the big picture needed to truly understand risk.

3. What NIS2 calls for around supply-chain risk

NIS2 requires organizations to:

  • Identify chain risks: which suppliers are critical and why?
  • Implement security requirements throughout the chain.
  • Organize supplier risk management demonstrably.
  • Monitor continuously: changes such as acquisitions should be noticed quickly.

The DigiD case study shows how unexpectedly such changes occur and how immediate the impact can be.

4. Use case: unexpected acquisition in your chain

Suppose one of your critical IT suppliers is suddenly acquired by a foreign party. Within hours, risks can mount:

  • Data is covered by other legislation.
  • Security agreements should be reassessed.
  • Continuity and governance become uncertain.

Without active supplier risk management, you don’t notice it until the newspaper writes about it. Then you’re too late to respond appropriately.

An effective approach means:

  • receiving signals immediately when ownership changes,
  • understanding the risk impact,
  • providing clear reporting for governance, security and compliance.

5. How RiskStudio helps

5.1 Understanding the entire digital ecosystem

RiskStudio gives organizations a complete picture of their digital ecosystem: companies, products, dependencies and even the shadow suppliers behind suppliers. This makes visible:

  • Who really has access to your data and systems.
  • Which technology and cloud providers are behind services.
  • How dependencies run through your organization.
  • Jurisdiction & ownership structure: understanding which laws and regulations apply to suppliers, as well as who their legal owners or parent companies are.

You don’t just see individual suppliers, but the whole – essential to understanding supply chain risks.

5.2 First to be informed of incidents

RiskStudio links cyber intelligence directly to your ecosystem:

  • Alerts about data breaches, vulnerabilities or poor cyber hygiene are linked to the appropriate organizations.
  • You see immediately which suppliers are affected and where impact may occur.
  • You can prioritize: intervene first where it matters.

Instead of being reactive, you become proactive – crucial in incidents or takeovers.

5.3 Risk-based and collaborative work

Legislation and standards such as NIS2, DORA and ISO 27001 require a risk-based, structured approach. RiskStudio supports this with:

  • clear risk profiles for each supplier;
  • reports for boards, auditors and compliance;
  • collaboration between departments: everyone sees their own dependencies and can report incidents.

This creates active engagement rather than passive awareness.

6. Checklist: are you prepared for this type of acquisition?

  • ☐ Do you know who ultimately owns your critical suppliers?
  • ☐ Do you know what jurisdictions your data falls under?
  • ☐ Do you understand sub-suppliers and dependencies?
  • ☐ Do you continuously monitor the cybersecurity status of your vendors?
  • ☐ Can you demonstrate that your vendor risk management is NIS2-proof?

7. Next step: try RiskStudio or receive a free CompanyReport

Start your free trial

👉 https://riskstudio.com/trial/
See for yourself how RiskStudio makes your ecosystem transparent.

  • Insight into supplier risks within minutes.
  • No installation, no onboarding.
  • Helpful dashboards, alerts and reports.

Receive a free CompanyReport

👉 https://riskstudio.com/companyreport/
Within 30 minutes you will receive a clear picture of your digital footprint, cyber rating and dependencies. Ideal as a first step toward ecosystem monitoring.

Conclusion

The DigiD takeover shows how quickly supply-chain risks can arise. Without an overview and up-to-date intelligence, steering is virtually impossible. With RiskStudio, you get a grip on your digital ecosystem, stay ahead of risks and work toward NIS2 with confidence.

Practical tip: start with the top 20 most critical vendors and map their digital footprint and dependencies. Build from there.