2025 was the tipping point:
The past year has made one thing crystal clear: innovation in healthcare is no longer just about technology, but about trust. In a world where digital healthcare applications, artificial intelligence, and data sharing are increasingly at the heart of healthcare, the question is no longer whether you manage data securely, but how.
TL:DR - Briefly
- 2025, with multiple data leaks and legal developments, showed how vulnerable healthcare data is.
- The CLOUD Act and political pressure increase the risk for data stored with foreign cloud providers.
- New European regulations (NIS2, AI Act) require healthcare institutions to demonstrably manage data and chain security.
- A sovereign Dutch private cloud offers the combination of compliance, security and innovation that healthcare needs.
- 2026 will be the year of acceleration: from awareness to action.
In 2025, we saw a series of events, both globally and nationally, that exposed the vulnerability of healthcare data. Major data breaches, geopolitical pressure, and new legislation made it painfully clear that organizations can only innovate sustainably if they keep their data under their own legal protection. For the Dutch healthcare system, this means: the move to a private sovereign cloud is no longer optional, but necessary.
Jurisdiction over location: control over healthcare data has become a prerequisite
In 2025, it became clear again that the physical location of data storage doesn't automatically determine who has access to it. Legal authority, or jurisdiction, is decisive.
The American CLOUD Act For example, it stipulates that US authorities can demand data from US companies, even if that data is physically stored in the Netherlands or elsewhere in Europe. This directly touches on the core of healthcare data: data that belongs in the Netherlands may fall under foreign law. Microsoft confirmed this in July 2025 during a hearing in the French Senate.
De General Audit Chamber warned in early 2025 that the Dutch government itself lacks sufficient insight into its cloud dependency. In the report Dutch Central Government in the Cloud The Court of Audit concluded that two-thirds of the services examined had not carried out a mandatory risk analysis. This means there is insufficient certainty about digital sovereignty and data protection.
Politically, the topic is no longer optional. In July 2025, the Ministry of Digital Affairs, together with several EU Member States, the 'Non-paper on Strengthening Cloud Sovereignty'In it, the Netherlands advocates for more European control over crucial infrastructure, precisely to make public sectors such as healthcare less dependent on non-European cloud providers.
For healthcare organizations, the message is clear: as long as data remains in the hands of parties under foreign jurisdiction, there remains a risk that sensitive patient information will fall outside the reach of Dutch and European privacy legislation. Legal oversight is therefore no longer a formality, but a prerequisite for safe and reliable care.
Data breaches and cyber incidents expose structural weaknesses
The past year has once again shown how vulnerable the healthcare sector is.
In July 2025 came to light that hackers had broken into the laboratory NMDL in Rijswijk, which conducts population surveys for the Dutch Population Survey. Initially, this involved data from 485.000 people, but in September it turned out that almost 941.000 Dutch people were affectedThe stolen data included names, addresses, dates of birth, citizen service numbers and test results.
This data breach was not an isolated incident. The The Dutch Data Protection Authority (AP) reported In July 2025, the healthcare and welfare sector once again topped the list in the number of reported data leaks: in 2024, this involved 6.873 notifications, significantly more than in other sectors. Uniserver analyzed the figures, and sees that it is a structural problem.
What these incidents have in common is the lack of chain managementOften, the cause lies not within the hospital's own walls, but with external laboratories, software vendors, or data processors. The lesson is clear: as a healthcare organization, you cannot outsource your responsibility. Only when data is processed within your own, sovereign infrastructure can you maintain control.
New legislation makes action inevitable
In addition to incidents, regulatory pressure is also increasing.
In 2026 the NIS2 guideline in effect in the Netherlands through the new Cybersecurity ActThis law imposes stricter requirements on organizations in vital sectors, including healthcare. These include mandatory risk assessments, supply chain management, incident reporting, and administrative liability. Those who haven't started preparing by 2025 will be under time pressure in 2026.
beside the European Commission launched early 2025 a action plan for cybersecurity in healthcare, aimed at increasing the digital resilience of hospitals and healthcare institutions through prevention, detection, response and recovery
At the same time, European laws such as the Cloud and AI Development Act prepared, which obliges organizations to demonstrate the security and transparency of their AI and cloud systems
Together, these developments ensure that digital sovereignty is not just a wish, but a legal necessity. For your healthcare organization, this means that choices regarding infrastructure, vendors, and governance directly impact compliance and administrative accountability.
The market is moving towards sovereignty
The movement toward sovereign solutions isn't limited to governments. The market is also making the shift.
According to research of Information Services Group (ISG) more and more Dutch organizations, including healthcare institutions, prefer cloud solutions where sensitive data remains within national borders and falls under Dutch law
This trend confirms that sovereignty doesn't contradict innovation. On the contrary: whoever controls data creates space for responsible digital progress.
The role of AI and data integrity in healthcare
The healthcare sector is on the cusp of a new phase of digitalization, in which artificial intelligence is playing an increasingly important role. Think of predictive analytics in patient care, image recognition in diagnostics, and data-driven policymaking.
But AI is only as good as the data it runs on. And that data must be reliable, up-to-date, and secure. Without data management under its own legal protection, you run the risk of algorithms being trained on incomplete or insecurely processed information.
That's why one sovereign cloud essential for the development of responsible AI in healthcare. Only in an infrastructure that meets European standards for privacy, security, and transparency can artificial intelligence contribute to better care without compromising the security of patient data.
The concept of Private AI This ties in seamlessly with innovative applications within a controlled, Dutch environment where data is not shared or analyzed outside national or European borders. A perfect example of Private AI is, for example, Fuse AIThis way, as a healthcare institution, you can continue to innovate without compromising on safety or trust.
In concrete terms: what can you do?
The transition to a sovereign cloud requires a structured approach. The key considerations are:
- Choose a Dutch supplier
Check not only where the data is stored, but also under which jurisdiction the supplier falls. - Demonstrably work according to recognized standards
Think of NEN 7510, ISO 27001 and SOC 2These standards are essential for demonstrating compliance with NIS2. - Limit dependency on the chain
Regularly evaluate the data flows within your organization and with partners. A sovereign cloud offers the possibility of keeping management, storage, and security entirely within the Netherlands. - Guarantee governance and transparency
Determine who within your organization is responsible for digital sovereignty and ensure that audits and reporting are part of the policy. - Invest in innovation with confidence
Build AI and data applications on infrastructure that complies with European standards. This creates space for innovation without risking patient safety.
Real-world example: Bernhoven and ilionx with Uniserver
A practical example shows how this works in healthcare.
Bernhoven chose together with ilionx en Uniserver for a private cloud solution in which patient data is guaranteed to remain within the Netherlands and is fully subject to Dutch and European legislation. This collaboration was initiated by Computable, Consultancy.nl is considered leading.
“By outsourcing management to the experts at ilionx and opting for a Private Cloud platform from Uniserver, we are guaranteed to keep our patient data on Dutch soil, under the protection of Dutch and EU law.” – Marc Roozen, CIO Bernhoven Hospital
This collaboration proves that healthcare institutions don't have to choose between innovation and security. A sovereign cloud makes both possible.
Ready to see how Snowflake works?
2025 was the year that made it clear that data sovereignty was no longer a theoretical concept, but a direct strategic necessity. The combination of legal risks, cyber threats, and new regulations means that by 2026, healthcare will no longer be able to function without its own sovereign cloud.
Healthcare organizations that invest in Dutch infrastructure now are investing in control, continuity, and trust. This is the foundation upon which future-proof healthcare is built.
A private, sovereign cloud doesn't mean less innovation, but rather more room for responsible progress. Healthcare deserves technology that aligns with its values: people-focused, secure, and reliable.
Would you like to know how your organization can take this step safely?
Learn more about our approach at Uniserver.nl or contact us to discuss the possibilities of a private, sovereign cloud in healthcare.
