At the crossroads of merger control and FDI: the ACM's Kyndryl/Solvinity decision about IT mergers with digital sovereignty concerns
Blog Competition & EU Law Insights

When a global American IT giant moves to absorb one of the Netherlands' most prominent managed services providers for the public sector, not only regulators but also parliament and public opinion take notice. That is exactly what happened when the Dutch Authority for Consumers and Markets (ACM) reviewed Kyndryl's proposed acquisition of Solvinity. The resulting decision, issued on 26 February 2026, is required reading for anyone working at the intersection of competition law, technology, and public procurement.

The case in a nutshell

The Dutch subsidiary of the American Kyndryl Holdings, Inc., a globally operating IT services provider spun off from IBM in 2021, sought to acquire full and exclusive control over Solvinity, an IT services provider active in the Netherlands with a significant client base in the public sector, including ministries, municipalities, and semi-governmental organisations.

The notification was filed on 18 November 2025. The deal attracted attention not only at the ACM, but was simultaneously notified to the Bureau for Investment Screening (BTI) under Dutch FDI legislation. BTI assessed the transaction on national security grounds, which is a separate and distinct track from the ACM's merger control review. While the regulators were reviewing the case, Dutch parliament debated the protection of public services from change of control over key suppliers.

The ACM cleared the deal without conditions as it concluded that the acquisition did not significantly impact competition on the market for IT services in view of the limited joint market share of the parties and the abundance of competitors. But the decision's real value lies in how the regulator got there.

Defining the markets for IT services?

Both Kyndryl and Solvinity are active as IT service providers across a broad range of services covering technical infrastructure, applications, and information systems, operating across infrastructure, platform, and application layers. As managed service providers, they handle the daily management, security, and maintenance of clients' IT infrastructure, platforms, and applications — services that can be delivered on cloud infrastructure provided by hyperscalers.

The ACM examined whether the Dutch IT services market should be segmented by functionality (consulting, infrastructure implementation and management, application services, IaaS, and business process services) or by sector (government, financial services, healthcare, and others). Ultimately, the ACM left the precise market definition open, concluding that the outcome of its assessment would not change regardless of how the market was segmented.

The ACM also flagged evidence suggesting a possible separate market for sovereign IT services for the public sector, but again left the question open, as it did not affect the substantive analysis.

Non-competitive concerns from customers

The most striking feature of this case was the depth and breadth of - mostly non-competitive - concerns raised, particularly by public-sector clients and members of parliament. The Taskforce for ICT Continuity of the Ministry of the Interior submitted a formal view arguing that digital autonomy is one of the most important competitive parameters in the cloud and IT services market, and expressing serious concern that US legislation, including the CLOUD Act and FISA, would become applicable to Solvinity following the acquisition, enabling the US government to access confidential data and potentially disrupt critical public services.

Public-sector customers of Solvinity named by the Taskforce in its submission included the Ministries of the Interior, Social Affairs, Health, and Justice and Security, the municipality of Amsterdam, Logius, and the National Police.

Despite this, the ACM's competition analysis led it to a clear conclusion:

The ACM found it implausible that the proposed acquisition would lead to a significant impediment of effective competition on the Dutch IT services market or any possible sub-markets, leaving the exact demarcation undefined as the combined market share of the parties on any possible markets would not exceed 15%. The ACM considered that the parties face strong competitive pressure from multiple Dutch and European IT providers, and that the parties were not each other's closest competitors in the Dutch market for implementation and management of IT services to the public sector.

Crucially, the concerns raised in the investigation related not so much to a lack of competition at the moment of procurement, but to the dependency that arises once a client has already chosen an IT provider and is mid-contract - a situation the acquisition itself does not materially change.

The ACM plainly acknowledged the sovereignty concerns, but drew a sharp legal distinction: the risks primarily affect government customers that cannot switch immediately after the acquisition or did not have a contractual escape in their contracts, but these risks are not caused by a restriction of competition arising from the merger as such; at the point of re-tendering, sufficient European and Dutch alternatives exist.

Practical Takeaways

1. Market share still matters, even in sensitive digital markets. The Dutch IT services market was estimated at approximately €24 billion in 2024, with the parties' combined share amounting to roughly 0-5% of that total. Even in the most narrowly defined sub-market of infrastructure implementation and management services to the public sector, the combined market share reached only about 15%, with strong competition from players including Conclusion, Capgemini, Atos, Sopra Steria, T-Systems, Cegeka, Netcompany, and Intermax. Low market shares remain a powerful clearing signal.

2. Digital sovereignty is entering the competition law hemisphere, but it has limits. The ACM produced a remarkably detailed contextual analysis of digital autonomy and sovereignty, citing Dutch and European policy frameworks emphasising that geopolitical developments create concrete risks for governmental functioning, and noting that the Dutch coalition agreement for 2026-2030 explicitly sets digital autonomy as a baseline principle for government. But, and this is critical, the ACM was clear that sovereignty concerns, however legitimate, only become grounds to block a merger if they are caused by a restriction of competition. Here, they were not.

3. Switching costs and lock-in are competition concerns, but pre-existing ones. The ACM recognised that public-sector clients of complex IT services face real switching barriers, with transitions that can take years and cost a meaningful share of contract value, but the merger itself does not change those barriers. Public buyers should take note: the time to negotiate robust exit strategies, contractual change-of-control clauses, and open-standard requirements is before you sign the contract and should be part of the tender requirements.

4. Procurement structure matters. The ACM noted that the Dutch public sector represents over €3.1 billion - more than 13% of the total Dutch IT services market - and that collective procurement by government could act as a meaningful disciplining force on providers. The case reinforces the strategic value of bundled public purchasing and standardised tendering requirements.

5. National security and competition reviews are distinct legal areas. The parallel FDI review on national security grounds runs entirely separately from the ACM's merger control assessment, as it should be. Practitioners advising on cross-border acquisitions of critical infrastructure providers must navigate both tracks simultaneously; they answer different questions and apply different legal tests.

Conclusion

The ACM's Kyndryl/Solvinity decision is a snapshot of competition law in transition. The regulator engaged seriously with the geopolitical and sovereignty anxieties of public-sector clients, dedicating considerable analysis to digital autonomy as an emerging competitive parameter. But it ultimately stayed within its legal lane: the question before it was whether the merger would restrict competition, not whether it would change the geopolitical landscape. On that question, the answer was no.

For legal and business readers, the broader message is clear. Digital sovereignty concerns are reshaping how public clients think about IT procurement, how providers compete, and how regulators frame their analysis. Those dynamics will only intensify. The next clearance decision may not be so straightforward.