SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
United Kingdom
Dutch review clears Google Cloud for public sector use

Dutch review clears Google Cloud for public sector use

Thu, 2nd Jul 2026 (Today)
Mark Tarre
MARK TARRE News Chief

Google Cloud has been cleared for use by the Dutch central public sector after a data protection impact assessment by the Netherlands' strategic vendor management agency found no known high data protection risks, provided recommended measures are applied.

SLM Rijk, which manages strategic supplier relationships for the Dutch government, reviewed Google Cloud's privacy arrangements and concluded that the main issues raised during the process had been addressed. The outcome gives Dutch central government bodies a defined route to use Google Cloud services from a privacy assessment standpoint.

The decision marks an important step for Google Cloud in a European public sector market where data protection requirements often shape procurement decisions. Public authorities across the European Union face strict rules on how they process and store personal data, and cloud suppliers have come under close scrutiny over safeguards, sovereignty arrangements and contractual terms.

Google said the review was conducted in collaboration with SLM Rijk and described the result as confirmation of its privacy posture for public sector customers in the Netherlands. It added that the Dutch central public sector can now use Google Cloud, provided the measures identified in the assessment are implemented.

The assessment builds on earlier work by Dutch authorities on Google's software services. A previous Dutch data protection impact assessment of Google Workspace had already supported use of the product suite across the Dutch public sector and educational institutions, giving Google an existing reference point in the market.

Public sector scrutiny

Data protection impact assessments help public bodies and other organisations handling sensitive personal data identify privacy risks before adopting technologies or processing methods. For large cloud providers, those reviews can influence whether government departments move workloads to external platforms or keep them in more tightly controlled environments.

The Dutch process is closely watched because it often serves as a detailed benchmark for other public sector buyers in Europe. While each authority makes its own procurement and compliance decisions, assessments by central government bodies can shape the wider debate over whether global cloud providers meet European expectations on data handling and transparency.

For Google Cloud, the outcome may help ease concerns among government customers that remain cautious about using foreign-owned cloud infrastructure for sensitive workloads. European regulators and policymakers have pushed technology companies to offer clearer contractual protections, better visibility into data processing, and stronger options for customers seeking local control.

Broader context

Google said it supports independent reviews and views the Dutch government's process as an example of cooperation between public institutions, outside experts and suppliers. It also said it will continue supporting customers carrying out their own data protection impact assessments, which can be resource-intensive for large technology deployments.

That support matters because many public authorities must still conduct their own internal reviews even when a central body has completed a broader assessment. A favourable national finding can reduce uncertainty, but local entities typically remain responsible for ensuring their own use cases, data categories and security settings comply with privacy law.

Competition for European public sector cloud contracts has intensified as governments modernise digital services while trying to retain control over sensitive information. Google Cloud is competing with larger rivals and has sought to strengthen its position by highlighting privacy controls, compliance work and a growing set of assurances for regulated customers.

The Dutch decision does not remove the need for implementation safeguards, because the assessment explicitly ties its conclusion to the use of recommended measures. Public sector organisations considering Google Cloud will still need to apply the conditions set out in the review as part of their deployment and governance processes.

Google framed the result as a sign that collaboration with public bodies can resolve privacy concerns through detailed assessment rather than broad exclusion of cloud services. It said the Dutch government review found no known high data protection risks when the recommended measures are implemented.