In the Netherlands, Stichting Internet Domeinregistratie Nederland (SIDN) manages the digital registration of more than 6 million “.NL” websites, including government websites such as Government.nl and politie.nl. When consumers want to access these .NL sites to file taxes, apply for rent or childcare benefits, or for vaccination programs, SIDN makes sure it’s possible. As a technical registration authority, SIDN plays a key role in the use of the .NL portion of the Internet. Today, SIDN wants to expand its core capabilities, seemingly at the expense of the collective security, stability and sustainability of the Dutch Internet to generate more revenue.
Recently, SIDN unexpectedly decided to outsource some of its relatively mundane registration work to US cloud company Amazon Web Services (AWS). As soon as the news came out, it caused a wave of shock and criticism. Academics, industry representatives from the EU cloud community, technical experts from the Internet governance ecosystem, members of civil society and politicians have all spoken about the dangers of moving some of SIDN’s functions from servers to the AWS cloud. SIDN, an organization that most Dutch internet users have never heard of even though they use its services every day, is suddenly making headlines. This case is interesting for the broader tech policy audience because it illustrates a key trend—critical government-run services being transferred to large U.S. cloud giants, with little regard for potentially harmful long-term consequences.
Why are Dutch registries moving to AWS? Why now? SIDN’s chief technology officer claimed that based on external outsourcing recommendations, no European cloud company could provide the required services. The consultation report in which he made these claims has not been made public. If SIDN’s claims are true, it suggests that European cloud companies are unable to provide relatively simple computer systems. This is an absurd assumption given that SIDN counterparts in other European countries such as France (.FR) and Germany (.DE) independently manage Internet domains. These countries and markets are much larger than the Netherlands, a small country with only 18 million residents and 6 million registered domain names.
The choice to migrate these key Internet governance services to AWS appears to have both business and technical motivations. Like many registries, SIDN is looking for ways to turn its technical expertise into new revenue streams and enter the lucrative software-as-a-service (Saas) market. Within a few sentences of the SIDN press release that caused the initial buzz, the organization also said it intended to provide domain registration software and sell it as a service, i.e., as plans, much like consumers pay for Spotify or Netflix accounts. This will be a new commercial direction for SIDN, generating recurring revenue streams on top of existing revenue. Interestingly, SIDN intends to do this not based on its own software, but by partnering with CIRA, the Canadian registration authority that runs the .CA domain.
SaaS ambitions do require a cloud platform as global as the market SIDN wants to enter. If these business plans significantly influenced SIDN’s decision to switch to a US provider, then the SIDN CTO is correct and AWS is indeed a more suitable partner than its European competitors.
SIDN is also right to note that the organization is following a broader trend. European businesses are rapidly outsourcing the management of digital systems to American companies. SIDN has further accelerated this problematic trend by loudly claiming that it is no longer possible to find a cloud provider in Europe. The well-known dangers faced by citizens expecting political independence from organizations classified as “essential service providers” under Dutch law appear to have been ignored. If the Dutch Internet Domain Name Registry (which describes itself on its website as “experts in what we do and completely independent”) also chooses to outsource key services to Amazon, who will remain independent? This gives everyone a license to outsource all technology.
To be clear, we don’t think migrating to AWS is a good idea. As a key player in the nation’s infrastructure, what business does SIDN have in the commercial software industry or with AWS? Regardless of the wisdom of the choices made by the wider European business community, we should set higher standards for “the companies behind .NL” (as SIDN once called itself). The importance of .NL cannot be overstated. An outage of .NL’s AWS service would not only disrupt the Internet in the Netherlands but also cut off communications with foreign countries. In this case, SIDN wouldn’t be at the top of the AWS Help Desk given its small size relative to the cloud giant’s global customer base. Since everything is outsourced, SIDN will have a difficult time rebuilding or rehosting its services if needed. To be good at technology, you need to actually do technology. We must openly question SIDN’s commercial ambitions, especially if it comes at the expense of control of its core capabilities and critical services.
Couldn’t the Dutch government intervene? Incredibly, .NL (which ultimately stands for “Netherlands”) does not fall under the direct purview of the government. SIDN is a private law foundation currently comprised of four different private limited companies (BVs). However, there is also the potential for stress. There is a “compact” in which the government recognizes that SIDN can operate .NL services under two provisions. First, decisions must be made in consultation with the Internet community. Secondly, there must be a “connection” with the Netherlands. It was unclear how much consultation had taken place with the government on the issue. It’s also unclear how SIDN intends to meet Connect Netherlands regulations after deciding to outsource key functions to AWS. The lack of answers to these questions highlights the importance of ensuring that the European cloud industry is at least involved in “essential” applications such as .NL, if not a major provider of these applications. SIDN appears to have breached trust in this non-binding convention by outsourcing its country domain names to organizations outside the Netherlands without in-depth consultation.
The Dutch parliament is now looking at the situation, with several politicians raising formal questions about the decision. We hope they revisit their oversight of SIDN and recognize that this core infrastructure should not become more reliant on the cloud just to make money, especially in the U.S. tech industry.