Microsoft Handed Names of Dutch Regulators to a US House Committee Probing the DSA

Quick answer: Microsoft handed internal documents containing the unredacted names of Dutch civil servants enforcing the Digital Services Act to a committee of the United States House of Representatives investigating what its Republican majority frames as "tech censorship". The data, including emails, meeting minutes, and event invitations from staff at the Dutch competition authority ACM and data protection authority AP, was transmitted under US legal obligations. Two Dutch state secretaries called the disclosure "extremely concerning" and the cabinet has raised the matter with the US ambassador.

Microsoft transmitted the unredacted names of Dutch civil servants overseeing platform regulation to a committee of the United States House of Representatives investigating Republican-coded claims of "tech censorship", according to documents first reported by Vrij Nederland on 22 May 2026.

The disclosure prompted the Dutch cabinet to summon the recently-appointed US ambassador Joe Popolo for a meeting with State Secretary for Digital Economy and Sovereignty Willemijn Aerdts (D66), and drew a "more than concerning" response from State Secretary Eric van der Burg (VVD) at the Ministry of the Interior.

The materials Microsoft handed over include internal emails, meeting minutes, and event invitations from staff at the Autoriteit Consument en Markt (ACM, the Dutch competition authority) and the Autoriteit Persoonsgegevens (AP, the Dutch data protection authority). Both regulators are responsible for parts of Digital Services Act enforcement in the Netherlands. Vrij Nederland reports that the names of individual civil servants were not redacted from the documents Microsoft transmitted.

Among those named is Claes de Vreese, a University of Amsterdam political scientist whose research focuses on disinformation and platform governance. "It has a chilling effect on people," De Vreese told reporters. "It rather makes me more militant."

Why did Microsoft hand the names over?

Microsoft was legally compelled to comply with the request. US-headquartered companies must produce internal communications when ordered to do so by a Congressional committee, regardless of where the data is physically stored or whose names appear in it. The CLOUD Act provides an additional, narrower compulsion mechanism for criminal matters; here the legal authority is the broader subpoena power Congress exercises in oversight proceedings.

The information Microsoft handed over came from the company's own corporate IT systems, not from systems Microsoft hosts on behalf of the Dutch government. Both the ACM and the AP have confirmed they do not use Microsoft services to store their official email.

Vrij Nederland reports that other US tech companies also received similar requests and transmitted internal communications under the same legal pressure. It is not yet public whether those materials also contained Dutch names.

What is the House committee investigating?

The committee, controlled by the Republican majority, is examining whether European regulation of large online platforms constitutes censorship of American companies and American speech. The Digital Services Act, which entered into force in February 2024, requires platforms to act against illegal content, demonstrate algorithmic transparency, and submit to audited risk assessments. Several US politicians and tech executives have characterised these obligations as restrictions on speech rather than as consumer protection measures.

This is not the first time European officials connected to tech regulation have been targeted by US authorities. A former European Commissioner involved in platform legislation has previously faced US entry restrictions, as have staff of the International Criminal Court in connection with separate proceedings.

How is the Dutch government responding?

State Secretary Aerdts told reporters on Friday morning, ahead of the weekly cabinet meeting, that she had raised the matter directly with Ambassador Popolo during her introductory meeting with him. "If there are policy discussions, you have them with us, or if necessary in Europe, but not over the backs of civil servants," she said. The ambassador, she said, "listened and will take it back".

State Secretary Van der Burg said the cabinet still needs to establish exactly how the documents were shared and which materials were involved before drawing conclusions. "It is not yet clear which documents the data comes from, but it is of course concerning if information of this kind is being shared."

Neither minister set a timeline for reducing Dutch dependence on US tech providers. "That cannot happen overnight," Van der Burg said. Aerdts: "I hope it won't take very long, but I cannot say how long."

How are Dutch agencies responding internally?

According to Vrij Nederland, both the ACM and the AP are now communicating more often from generic mailboxes rather than naming individual case-handlers. The agencies are reportedly handling internal anxiety from staff with family in the United States who fear being denied entry on their next visit.

The practical anxiety is not abstract. Multiple precedents already exist of European officials and academics being denied US entry or sanctioned in connection with their regulatory work. For employees of Dutch authorities enforcing the DSA, the prospect of becoming personally identifiable to a US Congressional committee investigating their enforcement actions is a meaningful career and personal risk.

What is the broader context for Dutch digital sovereignty?

The Microsoft disclosure lands during a period of sharpening Dutch debate about digital dependence. Three developments in the past several months frame the urgency:

• Solvinity, the Dutch IT provider responsible for hosting DigiD (the national digital identity system), is in the process of being acquired by a US company. Once that acquisition closes, Solvinity will fall under US legal compulsion frameworks including the CLOUD Act. A petition against the acquisition gathered roughly 200,000 signatures earlier this spring.
• The Belastingdienst (Dutch Tax Administration) is currently transitioning core systems to Microsoft, over the documented objections of several parliamentary fractions in the Tweede Kamer.
• European institutions, including the Commission and the ICC, have been targeted by US sanctions or entry restrictions in connection with their regulatory and judicial work.

Aerdts placed the Microsoft disclosure within that broader frame. "We are addicted to American programs, apps and equipment in the Netherlands and in Europe," she said. "It is important that in the Netherlands and in Europe we have more choice, so that we are no longer dependent on a few companies from one or two countries."

She stopped short of announcing concrete substitution timelines.

What does this mean for European digital sovereignty policy?

The disclosure is the clearest illustration to date of a risk Dutch and European data protection authorities have flagged repeatedly since Schrems II: US-headquartered cloud and software providers can be compelled by US legal process to surface internal data about European officials, regardless of EU data residency selections or contractual data processing terms. The exposure does not vanish because the underlying data sits in a Frankfurt or Amsterdam data centre. It travels with the corporate domicile of the provider.

European-headquartered cloud and productivity providers are not subject to US Congressional subpoena power over their own internal corporate systems. For Dutch ministries, regulators, and adjacent EU member-state administrations now reviewing procurement, the Microsoft case is going to accelerate conversations that were already moving.

Browse European alternatives to Microsoft 365 and the broader European SaaS stack for context on what production-ready substitutes look like today.