On April 1, 2026, seven Dutch IT providers launched the Open Cloud Alliantie: KPN, Centric, Info Support, Intermax, Nebul, Previder, and Uniserver. Their manifesto asks the Dutch government to score sovereignty as a weighty criterion in cloud tenders. The most important consequence of that launch is not technological; it is procurement-linguistic.
TL;DR
- The Alliantie is a voluntary coalition of seven Dutch cloud providers launched April 1, 2026. ACM-endorsed, supported by Stichting DINL and TNO, no separate legal entity.
- Its primary impact is the procurement vocabulary it activates. The DICTU sovereignty scoring instrument (January 2026), the cabinet's Vision on Digital Autonomy (December 2025), and the Rijksbrede IT-Sourcingstrategie (February 2026) gave Dutch buyers a framework. The Alliantie supplies a credible Dutch answer.
- No government tender has been awarded to OCA members yet. The actual 2026 government cloud moves are the StackIT framework deal (April 24, German provider) and the SSC-ICT digital workplace migrating off public cloud.
- AWS European Sovereign Cloud and Azure Local are real but cannot satisfy the legal dimension of the DICTU instrument: Amazon, Inc. and Microsoft Corporation remain US-incorporated regardless of where the servers sit.
- For most workloads the Alliantie does not need to win. It needs to make "we evaluated a Dutch sovereign option" a defensible line item in your RFP. After April 1, that line is free.
Table of contents
- The seven and what they actually sell
- Why the launch landed when it did
- The procurement-language shift
- Where the Alliantie fits and where it does not
- The hyperscaler counter-offer
- A one-page RFP evaluation matrix
- Key takeaways
The seven and what they actually sell
Treat the Alliantie as seven competing companies that agreed on one paragraph of shared positioning, not as a single product. Workload fit is per provider, not collective.
| Provider | Primary offering | Strongest sovereignty story |
|---|---|---|
| KPN | Sovereign VMware-based private cloud (CloudNL); enterprise networking | Enterprise and government workloads; classified defense via the KPN + Thales cloud announced April 9 |
| Centric | Government IT outsourcing; full portfolio migrating to own sovereign cloud in 2026; Mynte GOV-AI platform | Dutch municipalities and provinces; the only OCA member with a municipality-specific data model |
| Info Support | Custom development with managed deployment on sovereign infrastructure | Project delivery where development capacity is bundled with sovereign hosting |
| Intermax | Sovereign IaaS; managed Kubernetes via subsidiary Guida, HAVEN-compliant | Dutch public-sector Kubernetes workloads with HAVEN compliance |
| Nebul | Private cloud, GPU infrastructure, sovereign AI inference; ISO 9001, 22301, 27001, 27017, 27018, 27701, NEN 7510, SOC 2 | Sovereign AI workloads; the strongest certification footprint in the alliance |
| Previder | Colocation, VPS, managed hosting; NEN 7510 certified | Healthcare data and regulated industries |
| Uniserver | VPS, managed and hybrid cloud; ISO 27001 since 2015, NEN 7510 since 2016 | SME and mid-market sovereign hosting with documented exit strategy |
A few things that table flattens worth surfacing. The Alliantie is a marketing coalition, not a legal entity. There is no stichting, no coöperatie, no joint contracting vehicle. The ACM's Martijn Snoep blessed the structure precisely because it is competitive coordination on policy, not on price. The one documented shared commitment is moral: if a member is acquired by a non-European party, the remaining members will collectively step in to operate that member's services. That commitment lives in press coverage. It is not in any public legal document I could find.
The seven are also not "the" Dutch sovereign cloud. Leaseweb, arguably the largest Dutch-headquartered provider, is pursuing European sovereignty through IPCEI-CIS and is deliberately not part of the Alliantie. SURF runs the entire academic and research sector cloud under cooperative governance. Any article that talks about "the OCA seven" should not be read as "the Dutch market."
Why the launch landed when it did
The Alliantie did not invent the sovereignty conversation. It walked into a hallway four documents had already lit.
In January 2025, the Algemene Rekenkamer published Het Rijk in de cloud, reporting that 67% of critical Dutch government cloud services had no risk assessment on file and that more than half were hosted on AWS, Microsoft, or Google. That report was the parliamentary alarm.
In June 2025, MPs Bruyning and Thijssen carried a motion asking that by 2029, at least 30% of government cloud storage and applications come from Dutch or European providers. Adopted by a parliamentary majority. Politically significant, not yet a binding legal mandate, but in procurement, political signals function as forward guidance.
In December 2025, the cabinet published its Vision on Digital Autonomy. One stated measure: "tighten cloud policy, secure storage of government data under European law."
In January 2026, DICTU published the Toetsingsinstrument Soevereiniteit Clouddiensten v1.0.1, a scoring rubric across five dimensions (legal, data and AI, technology, operational, human) on a 0-4 scale. Adopted by PIANOo and NOREA. For the first time, a Dutch procurement officer scoring a cloud bid had an official, citable framework that treated US corporate exposure as a measurable weakness, not just a paragraph of concern.
In February 2026, the cabinet's Rijksbrede IT-Sourcingstrategie made "digitale strategische autonomie" a formal procurement principle and established a Centre of Excellence for sourcing expertise.
The April 1 manifesto is the industry response to all of that. An alliance of competitors organizing the week after the IT-Sourcingstrategie went live is not coincidence. It is a credibility signal aimed at the procurement officers now holding the DICTU instrument in their hands. The launch was timed.
The concrete incident that made the timing urgent: in November 2025, US firm Kyndryl (an IBM spinoff) announced its intent to acquire Solvinity, the Dutch company managing the infrastructure behind DigiD. The ACM approved the acquisition on February 26, 2026. Parliament passed a motion not to renew the DigiD hosting contract with Solvinity if the acquisition completes. Citizens filed lawsuits. The case made one thing legible to procurement officers that white papers had failed to: a Dutch company managing Dutch citizen identity data can become subject to the US CLOUD Act through a single corporate acquisition.
The procurement-language shift
Before December 2025, "we considered a Dutch sovereign provider" was an asterisk in vendor-selection documentation. Permissible. Required a paragraph of justification. Rarely survived the cost spreadsheet.
After the December Vision, the January DICTU instrument, and the April 1 manifesto, "we evaluated a Dutch sovereign option" is a line item that defends itself. The chain of reasoning a procurement officer can now point at:
- Policy. The cabinet's published vision treats data sovereignty as a state priority.
- Method. The DICTU instrument is the published, PIANOo-endorsed scoring rubric.
- Supply. The Alliantie supplies a named, public list of providers whose legal exposure scores cleanly on the legal dimension.
That chain did not exist as a coherent unit twelve months ago. Each piece existed in fragments. What changed in April 2026 is that the chain is now defensible at the procurement-committee level without legal counsel having to assemble it from primary sources.
This is also where the argument needs honesty. Critics inside the procurement profession are already naming structural problems with the framework. Martin van Leeuwen of Epikouros Consulting argued in DutchITChannel on April 7 that the DICTU instrument creates a structural asymmetry: bidders are typically Managed Service Providers reselling Azure or AWS, and a Dutch MSP can score perfectly on the human and operational dimensions and still fail on the legal dimension because the underlying platform is US-incorporated. His claim is that requiring level 4-5 on legal dimensions excludes more than 70% of the addressable bidder market. That is a real critique, not a marketing complaint.
The honest read on the procurement shift: the vocabulary is defensible, but the rubric is still calibrating. Procurement officers using the DICTU instrument as a hard exclusion gate will narrow their bidder pool dramatically. Using it as a scored weight rather than a gate is the version that survives appeal.
Where the Alliantie fits and where it does not
Where the workload fit is genuine:
- Healthcare data and other NEN 7510 workloads. Previder, Uniserver, and Nebul carry the certification.
- Dutch public-sector Kubernetes. Intermax via Guida is HAVEN-compliant, the Dutch government standard for platform-independent Kubernetes hosting.
- Municipality-specific applications. Centric is the only OCA member with a municipality-tuned application portfolio and the only one publicly committed to migrating its full portfolio into its own sovereign cloud in 2026.
- Sovereign AI inference. Nebul runs NVIDIA-certified GPU clusters and explicitly markets EU-only data processing. Centric's Mynte platform targets government AI specifically.
- Workloads where CLOUD Act exposure is the disqualifying factor. All seven members are NL-incorporated with no US parent. That is the structural advantage no hyperscaler sovereign wrapper can match.
Where the fit is weak or absent:
- Global CDN. None of the seven operate a CDN footprint outside the Netherlands. By design. Globally distributed content needs a layered architecture with the sovereign provider for origin and a non-OCA CDN for delivery.
- Managed AI services at hyperscaler breadth. Nebul has GPU inference, Centric has Mynte for municipalities. Neither approaches the catalog depth of Azure OpenAI Service or AWS Bedrock. Bert Hubert's framing, reported in Computer Weekly: "European firms are selling timber, when customers want ready-made furniture." Fair, on managed AI specifically.
- Serverless compute and database-as-a-service breadth. No Lambda-equivalent. No Aurora-equivalent.
- True multi-region intercontinental redundancy. Dutch-focused datacenters mean no intercontinental failover story.
For any workload that needs both regulated-industry sovereignty and global delivery, the realistic 2026 answer is a layered architecture, not a single OCA contract.
The hyperscaler counter-offer
The honest counterargument: AWS, Microsoft, and Google have all shipped sovereign offerings in the past year, and they cannot be hand-waved away.
AWS European Sovereign Cloud launched January 15, 2026, with its first Region in Brandenburg. A Netherlands Local Zone is announced. The launch achieved SOC 2, C5, and seven ISO certifications within months. It is operated by a German legal entity with EU-resident staff. A serious engineering effort.
Microsoft has shipped sovereign capabilities across European Azure regions, plus Microsoft 365 Local and Azure Local for disconnected operations. The Dutch Land Registry already runs on Azure Local.
But there is one piece no engineering effort changes: AWS, Inc., Microsoft Corporation, and Google LLC remain US-incorporated. A Greenberg Traurig legal analysis, summarized in Consultancy.nl, concluded that AWS European Sovereign Cloud "may be compatible" with the Dutch Vision on Digital Autonomy "but aspects still require definition." Lawyer-speak for: the legal dimension of the DICTU instrument does not pass cleanly today, and may not pass at any score above 3 until either the policy framework is sharpened or AWS restructures the parent relationship.
For Dutch government procurement officers scoring against the DICTU instrument, that distinction is not a footnote. It is the gating fact. It is also the structural reason the seven Alliantie members get a hearing in the first place. The hyperscalers can match every dimension except the one engineering cannot fix.
A one-page RFP evaluation matrix
If you write or review hosting RFPs in 2026, here is a matrix that separates a marketing "sovereign" claim from a structural one. The questions are the contribution; adapt the scoring scale to your own.
| Dimension | What to ask | Marketing answer | Structural answer |
|---|---|---|---|
| Corporate ownership | Where is the ultimate parent incorporated? Is there a US-incorporated entity in the ownership chain with custodial control? | "We are EU-based" | Named ultimate parent, incorporation country, and a clean ownership chain documented in the bid |
| Ownership-change protection | If the parent is acquired by a non-EU entity, what contractual or technical protections preserve continuity? | "We will inform you" | Documented buyout, hand-over, or escrow clause with named successor or escrow agent |
| Staff jurisdiction | Which staff have administrative access to your systems, where are they resident, and to what standard are they screened (BIO, AIVD A/B/C)? | "Our staff are EU-resident" | Named jurisdiction per role, named screening standard, audit logs available |
| Key custody | Who holds encryption keys for data at rest? Can the provider technically read your data without your action? | "Encrypted at rest" | Customer-controlled keys retained in EEA; provider cannot decrypt without customer action |
| Subprocessor stack | Which subprocessors does the provider use? Are any US-incorporated? | "GDPR-compliant subprocessors" | Named subprocessor list with jurisdiction per subprocessor and a change-notification clause |
| Audit and exit | What audit right do you have? What is the documented exit timeline? Is data portability tested? | "We support exit" | Named audit standard (ISAE 3402 or equivalent), documented exit timeline, tested portability format |
| Standards adherence | Which Dutch and EU standards are independently certified? NEN 7510, BIO, HAVEN, ISO 27001, ISO 27017, ISO 27018, SOC 2 | "We comply" | Independently certified, with certificate numbers and last audit date |
| Public-sector references | Has the provider delivered to comparable Dutch public-sector customers in the past 24 months? | "Yes" | Named reference customers, contract scope, contactable references |
The structural-answer column is the version that lets the procurement-committee chair sign the recommendation without legal counsel reassembling the argument from primary sources. The marketing-answer column is what you will get from a vendor that has not engaged with the DICTU instrument seriously.
For background on why "hosted in Frankfurt" is not the same as sovereign, see my earlier piece on EU data sovereignty and the CLOUD Act. For the economic context driving Dutch buyers off hyperscaler defaults, see the end of cheap shared hosting. And for the European procurement chain this connects to, NIS2 for hosting providers and clients.
Key takeaways
- The Open Cloud Alliantie is a voluntary coalition of seven Dutch providers, launched April 1, 2026, ACM-endorsed, with no separate legal entity. Treat it as policy infrastructure, not a product.
- Its primary impact is procurement-linguistic. The DICTU instrument, the December 2025 Vision, and the February 2026 IT-Sourcingstrategie gave Dutch buyers a credible framework. The Alliantie supplies a credible Dutch answer.
- No government tender has been awarded to OCA members on the back of the manifesto yet. The actual 2026 government cloud moves are the StackIT framework deal and the SSC-ICT migration off public cloud. The Alliantie is winning the conversation; it has not yet won the contracts.
- AWS European Sovereign Cloud, Azure Local, and Google's sovereign offerings cannot satisfy the legal dimension of the DICTU instrument while their parents are US-incorporated. That is the gating fact.
- For most workloads the Alliantie does not need to win every dimension. It needs to make "we evaluated a Dutch sovereign option" defensible at the procurement-committee level. After April 1, 2026, that line is free.