Dutch Railway NS Awards €400 Million IT Contract to American Firm Despite Security Concerns

2026-02-10 data

Utrecht, Tuesday, 10 February 2026.
Netherlands’ state-owned railway operator NS has contracted DXC Technology for critical IT infrastructure management despite mounting European concerns about American tech dependency. The six-to-twelve-year deal worth up to €400 million covers hosting and system monitoring previously handled by Dutch firm KPN. Experts warn this decision undermines digital autonomy efforts, particularly as DXC won with the lowest bid but didn’t score highest on quality metrics.

Contract Details and Timeline

In December 2025, NS awarded the contract to Enterprise Services Nederland, the Dutch subsidiary of American technology giant DXC Technology [1]. The agreement, which officially begins operations, will see DXC take over hosting, technical application management, and continuous real-time monitoring of computer systems from Dutch telecommunications company KPN, which had previously handled most of these services [1][2]. The contract runs for a minimum of six years with an option to extend to twelve years, carrying a total value of up to €400 million [1][2][3]. According to confidential tender documentation reviewed by NRC, DXC Technology secured the contract by submitting the cheapest bid, despite not achieving the highest quality scores among competing suppliers [1][2][4].

Scope of Services and System Classifications

DXC Technology will manage what NS characterizes as “non-mission-critical” systems that do not process personnel or passenger data [1][5]. These systems include ICT infrastructure supporting financial planning and train maintenance operations [6][7]. NS IT Director Hessel Dikkers emphasized that if the systems managed by DXC were to fail, “trains would not come to a direct standstill” [6][7]. Critical systems essential for train operations and passenger information provision remain housed with Dutch IT providers, according to NS spokesperson statements [1][2]. The American company will specifically handle hosting services, technical application management, and what the industry terms “chain monitoring” - the continuous oversight of interconnected computer systems [1][8].

Expert Warnings on Digital Sovereignty

The decision has drawn sharp criticism from cybersecurity and legal experts who argue NS is underestimating the strategic implications of the contract. Professor Lokke Moerel, who specializes in global ICT law at Tilburg University, told NRC that “NS fails to recognize that these hosting services themselves constitute critical infrastructure for the Netherlands” [1]. Moerel warned that “digital autonomy must be the starting point” and cautioned that “if everyone acts like NS, we will never build our own digital infrastructure” [1][8]. The professor highlighted concerns about US sanctions law, noting that American legislation allows the government to request data from companies or prevent them from servicing certain clients, even when operations occur through overseas subsidiaries [2]. Technology expert Bert Hubert, a former intelligence services supervisor, observed that NS has been shifting toward American suppliers for years, but called this particular step concerning given current data security considerations [7].

Broader Context of American Tech Dependency

The NS contract award comes amid heightened political sensitivity about European dependency on American technology companies [1][2]. In January 2026, the Dutch Parliament demanded government action to keep DigiD identity system data out of American hands, following concerns about the potential acquisition of Solvinity by US firm Kyndryl [1]. Solvinity manages the cloud infrastructure supporting both DigiD and MijnOverheid.nl, critical government digital services [1]. Under the US Cloud Act, American cloud service providers can be legally required to make information available to US government authorities, even when data is stored in Europe [2]. The new Dutch coalition government has explicitly stressed the need for digital autonomy in its coalition agreement [2][7]. However, NS IT Director Dikkers noted that current procurement law prevents the company from rejecting or disadvantaging American firms solely based on nationality, and argued for clearer government guidelines to support digital strategic autonomy [6]. From June 1, 2026, stricter rules under the Algemene Beveiligingseisen voor Rijksoverheidsopdrachten (ABRO) will apply to state participations, but NS completed this contract award before those regulations took effect [4][8].

Bronnen

digital sovereignty IT infrastructure