Summary
- 1KEY BV is best understood from the public record as a Dutch managed ICT and connectivity operator with its own RIPE NCC resource footprint, not as a carrier whose scale can be inferred from number resources alone.
- Its economic offer is paid accountability: redundant internet access, managed network and systems work, security operations, cloud workplace support, backup, vendor coordination and rapid help desk response for organisations that cannot treat outages as ordinary inconvenience.
- The investment case remains limited by missing public data on revenue, gross margin, churn, customer concentration, contract length, equipment refresh cycles and the economics of its upstream and data-centre dependencies.
Reliability has to be priced before anyone knows whether it will be used
The economic incentive behind paid reliability is not the same as the incentive behind a faster line. A customer can test speed every day. It can compare advertised bandwidth, monthly access fees and installation times. Reliability is different. It is bought in advance, often by people who will be judged only when something breaks. The buyer pays for a provider to hold spare capacity, documented processes, reachable staff, backup paths and supplier leverage before an outage happens. The provider carries cost even when the customer sees nothing.
That is the useful lens for 1KEY BV. The company presents itself as an ICT partner whose work spans cybersecurity, modern workplace, network and system management, and a fixed-monthly package called PowerPack. Its home page says it keeps digital security central, offers direct contact with advisers and lists portals for ticketing, fixed telephony, mobile telephony and project management. The same page gives a Den Bosch address, a Dutch chamber-of-commerce number, a VAT number and a direct phone number. None of that proves profitability. It does define the commercial promise: customers should be able to outsource a bundle of technical responsibility to a local provider instead of assembling their own mix of connectivity, firewall, workplace, backup, phone and security support.
The public-resource record adds a second layer. RIPE NCC lists 1KEY BV at Afrikalaan 11a, 5232BD Den Bosch, with service area in the Netherlands. The RIPE Database records organisation ORG-BA778-RIPE as 1KEY BV, country NL, registration number 17272267, organisation type LIR, with admin and abuse contacts and references to maintainer mnt-1key. The same public database links the organisation to IPv4 allocation 185.91.12.0 to 185.91.15.255, IPv6 allocation 2a05:e680::/29 and aut-num AS39114. RIPEstat observations show AS39114 announcing the 185.91.12.0/22 block and the four covering /24 prefixes in July 2026, with the /22 seen since March 2015. PeeringDB separately lists 1Key for ASN 39114, describes the profile as Cable/DSL/ISP, and records a European scope.
Those records matter, but they should not be read lazily. An ASN, a prefix or a PeeringDB profile is evidence of network operation and resource stewardship, not evidence that a company has national retail scale, transit-market pricing power or a large subscriber base. The better inference is narrower and more useful: 1KEY BV has chosen to maintain resources and routing identity that can support its managed connectivity and hosted service promises. That choice comes with annual fees, administrative work, routing hygiene, abuse handling, vendor relationships and operational exposure. It can improve control and credibility. It also adds cost to a business that still has to earn its margin customer by customer.
The article therefore tests the company as a local accountability business with a network-resource layer. The central question is not whether 1KEY BV owns an ASN. It is whether the company can convert that operational responsibility into enough recurring revenue to pay for skilled people, upstream links, replacement equipment, monitoring, security tooling and the dull but necessary work of compliance.
The operating boundary is managed ICT with a connectivity backbone
1KEY BV's website does not present a narrow ISP product catalogue. It presents a managed ICT bundle. The services named on the home page are cybersecurity, modern workplace, network and system management, and PowerPack. The modern workplace page says the company manages workplaces, servers, networks, local and cloud servers, user support, onboarding and offboarding, password managers, Microsoft 365 Business Premium access and updates. The cybersecurity page lists managed security services, a security scan, dark-web monitoring, managed firewall, Microsoft 365 alerting, 24/7 SOC, vulnerability scanning, threat hunting, email security and endpoint protection. The infrastructure expertise page adds backup, cloud backup, disaster recovery as a service, redundant internet connections, network equipment, Wi-Fi, cloud servers and cloud applications.
That bundle places 1KEY in the space between a telecom carrier, an MSP and a systems integrator. A pure access provider can sell circuits and avoid taking ownership of the customer's application environment. A pure workplace MSP can resell cloud licenses and remote support without carrying a routing identity. 1KEY's public material points to a more integrated model. Its network and system management page says a good connection becomes visible when it slows or falls away, and that the company provides not only a fast internet connection but also a reserve connection. It says 1Key takes the entire connection infrastructure into management, from cabling to network, and makes it its responsibility. The infrastructure page says each office environment is fitted with redundant internet connections and monitored, with failures switching in milliseconds while 1Key contacts suppliers.
That is a materially different commercial promise from "we will advise you which broadband plan to buy." The provider is selling the customer a responsible party. If a line fails, the customer should not need to know whether the problem sits with cabling, a modem, a firewall, a wireless access point, a VPN, a phone system, a cloud workload or an upstream supplier. The customer wants one accountable vendor to isolate the fault, call the right supplier, keep users working and explain the risk.
The customer cases reinforce that boundary. In the Vught municipality case, 1Key says it built an emergency Covid location over a weekend, including internet, Wi-Fi, a telephone exchange and a special emergency number, using a radio link from a nearby school and a VPN tunnel through a firewall. In the Soleo case, the company describes network management for 12 international locations, private cloud servers, VPN and Microsoft 365 work after Soleo acquired HMS. In the Exes case, it says it created a central IT structure linking Dutch and foreign offices, with secure VPN, cloud workplace and shared storage. In the HMS case, it says it helped a contact-centre operation support privacy-sensitive GGD Covid calls with cloud services, a 24/7 SOC, endpoint security and VPN for flexible workers.
These are company-authored cases, so they should not be mistaken for independent proof of customer satisfaction or financial scale. They still help define the service surface. 1KEY is not merely selling abstract bandwidth. It is selling operational continuity for municipalities, engineering companies, contact centres, installation firms and professional-service businesses whose own customers or citizens feel the pain when systems fail.
The operating boundary also affects risk. When a provider promises a managed workplace, redundant connectivity, backup, security, phone service and vendor management, it can earn a broader wallet share than a circuit reseller. It can also be blamed for more failures. The same customer that pays for a single point of contact will expect that point of contact to absorb confusion across Microsoft services, access networks, firewalls, wireless equipment, end-user devices, backup jobs, cyber alerts and third-party suppliers. The revenue line may look diversified. The support burden can become concentrated.
The business model is recurring accountability, not one-off installation
The clearest public evidence of 1KEY's intended commercial model is PowerPack. The PowerPack page describes an all-in-one package for a fixed monthly amount, from outage service to strategic IT roadmap partner. Its components include backup, cybersecurity, awareness training, consult, help desk support, monitoring, partner management and business reviews. The page describes a sequence: a vulnerability scan and four to six weeks of monitoring, a proposal and base agreement, rollout over one to three months, then daily monitoring, updates and quarterly progress discussions.
That structure matters because recurring-service economics work only when the provider gets the mix of price, scope and support intensity right. A fixed monthly fee can be attractive to a customer because it converts irregular technical problems into a budgeted operating expense. For the provider, it can create stable revenue, deeper customer retention and cross-sell opportunities. It can also create hidden margin leakage. A customer with old equipment, weak internal processes and heavy support demand can consume far more help desk, field and engineering time than the monthly fee anticipated. A customer with a fragmented application estate can turn "single point of contact" into unpaid project management across suppliers.
The PowerPack pillars show where revenue may come from. Backup and disaster recovery imply backup infrastructure, storage, software licenses and restore testing. Cybersecurity implies security tooling, endpoint protection, SIEM or SOC services, firewall management, identity controls and incident workflows. Awareness training implies content and follow-up. Consult implies senior time. Help desk support implies staffing, ticketing, remote tools and onsite visits. Monitoring implies alerting systems and routine maintenance. Partner management implies vendor coordination. Business reviews imply account-management discipline.
This is potentially more valuable than access resale because the customer is buying outcome confidence rather than a commodity line. The company can charge for risk reduction, not only for throughput. But the customer's willingness to pay depends on the perceived cost of downtime, the trust placed in 1KEY's staff and the credibility of the provider's evidence. A small professional-services firm may value a local provider who answers quickly and knows its environment. A larger enterprise may demand certifications, audited controls, formal service-level commitments, cyber-insurance documentation and procurement depth. The same capabilities that win a local SME can be insufficient for a regulated or highly distributed buyer.
The home page's daily statistics show how the company wants this economics to be read. It lists numbers for cybersecurity services, average seconds before the system manager is on the phone and online workplaces under management. The cases page carries similar statistics but with a different workplace count. The difference is a warning, not necessarily a red flag. Website counters are often updated at different times or tied to dynamic marketing blocks. They are useful as signals of the company's chosen proof points: security volume, response speed and managed workplace count. They are not audited operating metrics. An investor or lender would need the underlying ticket data, customer count, contract mix and renewal history before using them in a valuation.
The best commercial reading is therefore conditional. If 1KEY can price PowerPack and related managed services per workplace, per location and per risk tier while limiting unlimited support exposure, the model can produce attractive recurring revenue. If it underprices complex customers to win trust, or absorbs too many vendor problems without charging for them, local accountability becomes a margin trap.
Network resources give 1KEY control, but not automatic scale
The RIPE and routing records are the most concrete non-marketing evidence in the public file. The RIPE member page identifies 1KEY BV and service area in the Netherlands. The RIPE Database identifies ORG-BA778-RIPE as a Local Internet Registry and lists the address, Dutch registration number and maintainer references. The resource records show IPv4 allocation 185.91.12.0/22, IPv6 allocation 2a05:e680::/29 and AS39114. The AS39114 aut-num record uses as-name nl-1key and records import and export lines with AS43350 and AS174. The route record for 185.91.12.0/22 lists origin AS39114. RIPEstat's routing-status data in July 2026 observed five IPv4 prefixes, 1,024 IPv4 addresses and no announced IPv6 space for AS39114 at the observation time.
For a regional managed-network operator, that resource footprint has several possible uses. It can support provider-addressed customer connectivity. It can support hosted services, VPN concentrators, management systems or failover designs. It can support better control over reverse DNS, routing policy, abuse handling and migration between upstream suppliers. It can also make the company less dependent on customer lines whose address space belongs entirely to a retail carrier.
The footprint is not large. A /22 equals 1,024 IPv4 addresses before internal allocation choices, network reservations and customer use. In a world where IPv4 addresses have scarcity value, that is meaningful but not a national scale marker. The IPv6 allocation is large by design, as RIPE IPv6 allocations normally are, but RIPEstat showed no IPv6 announcements for the AS at the observed point. That does not prove the company lacks IPv6 capability in every context; it does mean the public routing view did not show IPv6 originations for AS39114 when checked.
PeeringDB adds a useful but caveated interconnection signal. The API lists ASN 39114 under the name 1Key, with an open general peering policy, European scope, one exchange count and facility presence associated with NIKHEF Amsterdam and KoloDC NL1. Its listed Speed-IX exchange entry shows 10Gbps but has an operational flag set to false. That single flag is important. A self-maintained PeeringDB record can lag reality in either direction. A listed port that is not marked operational is not the same as a live, revenue-bearing exchange connection. The prudent conclusion is that 1KEY has shown intent or history around interconnection presence, but the public record does not prove current exchange capacity or traffic volumes.
The upstream picture is similarly limited. The AS39114 RIPE aut-num record lists AS43350 and AS174 in import and export statements. AS43350's RIPE record identifies NFORCE, while AS174 is widely associated in the routing world with Cogent. These records show routing-policy declarations, not signed contracts, committed data rates or physical path diversity. They are enough to say 1KEY's network identity depends on upstream connectivity and external routing relationships. They are not enough to say what 1KEY pays, whether it has multiple independent last-mile paths for each customer, or how resilient its hosted service stack is under supplier stress.
Resource evidence should therefore increase confidence in operating seriousness while not substituting for financial evidence. A company that maintains an ASN, address space, abuse contacts, RPKI validity and routing visibility has operational responsibilities that a brochure-only reseller does not. But the central economic test remains pricing. Network control is valuable only if customers pay for the risk reduction it provides.
The cost base is mostly fixed before the outage happens
The expensive part of reliability is preparedness. A provider can promise a quick response only if it has people, monitoring, tools and supplier processes ready before a ticket arrives. 1KEY's public offer implies several cost buckets that are not optional if the company wants to keep its promise.
The first is people. The about page presents a named team including Rob Willemen, Linda van Summeren, Dennis Jumelet, Stefan Baan, Mike van Baast, Stefano Smulders, Wies de Groot, Kimberley Koetsier, Levi van Stiphout and Koen Cooijmans. The roles and seniority mix are not fully disclosed, but the service model requires a range of skills: help desk, networking, Microsoft 365, endpoint management, security, backup, project delivery, vendor escalation and account management. Staff are the largest risk in most managed-service businesses. Skilled technicians are expensive to hire, hard to replace and easy to overload when customer environments are poorly standardised.
The second is upstream and facility cost. A network-resource holder has to pay for transit, access, cross-connects, colocation or hosting, monitoring and equipment. The RIPE charging scheme for 2026 sets the annual contribution per LIR account at EUR 1,800, with additional charges for defined independent resources and certain ASN categories and a EUR 1,000 sign-up fee for new members. That RIPE fee is not the main cost of running a network. It is a small but visible administrative charge. The more material costs sit in upstream bandwidth, access circuits, firewall and router equipment, data-centre presence, spares, maintenance and engineering time.
The third is customer-premises and lifecycle cost. The infrastructure page says PowerPack customers receive 1Key's own equipment, which the company knows and manages, so it can guarantee a stable network and the fastest recovery times. That is commercially sensible. Standard equipment reduces support variance and lets the provider design around known failure modes. It also puts capital or lease obligations somewhere in the model. If equipment is included in the monthly service fee, 1KEY has to recover the cost over the contract life. If customers cancel early or require frequent refreshes, margin is at risk. If equipment is owned by the customer but standardised by 1KEY, the provider still needs procurement, configuration and replacement workflows.
The fourth is security tooling. The cybersecurity page lists managed firewalls, Microsoft 365 monitoring, SOC, vulnerability scanning, threat hunting, email filtering and endpoint protection. Those services often require third-party licenses, analyst time, alert triage, escalation procedures and documentation. The cost is not only the subscription paid to a supplier. It is also the work needed to avoid false positives, respond to true positives and explain evidence to customers.
The fifth is compliance and assurance. The PowerPack footer links to a document on ISO 27001 certification progress dated 1 February 2026. The Dutch NCSC's Cyberbeveiligingswet care-duty page describes measures expected under the Dutch implementation of NIS2, including risk analysis, incident handling, business continuity, backup and recovery plans, supply-chain security, cyber hygiene, secure systems, access control, cryptography and effectiveness assessment. Not every customer or supplier activity will sit in the same regulatory category, and the public record does not establish 1KEY's own legal scope under that law. The broader market direction is clear: customers increasingly expect providers to document controls, supply-chain security and continuity planning. Documentation work absorbs time even when no breach occurs.
These costs explain why "local accountability" can be valuable and dangerous at the same time. The provider can differentiate by being reachable, knowing the customer, managing suppliers and responding quickly. But every promised layer adds a claim on scarce staff time. A recurring contract that looks profitable at signing can become expensive if the customer has legacy systems, weak user discipline, many small offices, irregular field needs or strict audit demands.
Revenue evidence is sparse, so unit economics have to be inferred carefully
The public record does not disclose 1KEY's revenue, EBITDA, gross margin, customer count, average contract value, churn, backlog, cash position, debt or owner distributions. It does not publish a tariff sheet for PowerPack, per-workplace support, redundant access, hosted services or managed security. It does not disclose how many customers buy the full package compared with project work, resale, support blocks or individual services. It does not disclose the margin split between connectivity, Microsoft licensing, security tooling, equipment and labour.
That absence is not unusual for a privately held local ICT provider. It is still central to the judgment. The resource and case evidence can tell us what 1KEY claims to do. It cannot tell us whether it does it profitably.
The most important unknown is support intensity per euro of recurring revenue. A fixed monthly model works when customer environments are standardised, monitoring prevents problems, remote fixes dominate, and the provider can charge extra for project work. It fails when the provider accepts unlimited support for unstable environments or when customers expect strategic advice, emergency response, vendor management and onsite work inside a fee sized for basic help desk service. The PowerPack page's broad coverage creates pricing power only if scope is tightly defined.
The second unknown is customer mix. The case studies show a municipality, contact centres, engineering, procurement advice and installation services. That is a healthy set of vertical examples, but selected cases do not reveal concentration. A few complex customers can dominate support demand. A municipal or contact-centre account can be valuable, but it may also impose high availability expectations and procurement constraints. A small-business base may diversify risk, but small accounts can be expensive to support if each has a bespoke environment.
The third unknown is asset recovery. If 1KEY places its own equipment into customer environments, the monthly fee must recover device cost, deployment labour, replacement cycles, spares and failure risk. Equipment standardisation can improve margin over time, but only if contract duration is long enough and configurations stay consistent. If customers negotiate short cancellation terms or expect frequent upgrades without equivalent fee increases, the provider funds customer reliability out of its own balance sheet.
The fourth unknown is network monetisation. A /22 IPv4 allocation, ASN and routing visibility can support services, but address space does not automatically create revenue. It has value when tied to paying services such as managed connectivity, hosting, VPNs, firewalls or failover. It also carries opportunity cost: IPv4 addresses have market value, and using them internally or for low-margin services must be justified by customer retention and service margin.
The fifth unknown is security liability. Managed cybersecurity can command premium pricing because customers fear incidents, insurance friction and downtime. It also creates reputational risk if the customer is breached. The public material says 1KEY uses tools, training and advice to keep companies safe and offers services such as SOC and endpoint protection. Without contracts, it is unclear how liability is limited, what service levels are promised, how incidents are priced and whether the company can pass supplier costs through.
The result is a balanced conclusion. The public evidence supports the view that 1KEY has a coherent recurring-service thesis. It does not support a strong conclusion about value creation. The company could be a disciplined local provider with sticky customers and premium pricing. It could also be a support-heavy business where reliability promises absorb margin. The missing financial and contract data are not a footnote; they are the hinge of the analysis.
Suppliers and upstreams can transfer risk back to the local provider
1KEY's customer proposition depends on supplier coordination. The company says it manages technology relationships in PowerPack and acts as a single point of contact for vendor issues. The Vught case says it contacted suppliers during a weekend emergency build. The infrastructure page says it contacts suppliers when a redundant connection fails over. That is what customers want. It also means supplier failures become 1KEY's customer-service problem before they become a supplier's financial problem.
Upstream dependence exists at several layers. At the connectivity layer, 1KEY needs access circuits, transit or upstream networks, routing equipment and possibly exchange or facility services. RIPE and PeeringDB records show a network identity and public interconnection references, but not the commercial resilience of those dependencies. It matters whether upstream links are physically diverse, whether access tails share ducts, whether backup links have enough capacity for real workloads, whether failover is tested, and whether supplier service credits are meaningful compared with the customer harm from downtime.
At the cloud and workplace layer, the company depends on major software ecosystems. The modern workplace page refers to Office 365 Business Premium and cloud collaboration. Eurostat's 2026 release on 2025 enterprise cloud use shows how mainstream paid cloud has become in Europe: 52.7% of EU enterprises used paid cloud services in 2025, with email, office software, file storage and security software among the most used categories. That trend helps 1KEY because customers need support around cloud adoption. It also makes cloud platforms a substitute for some local infrastructure and shifts control away from regional providers. If Microsoft has a service disruption, licensing change or security issue, a local provider must help customers cope even though it does not control the platform.
At the security layer, 1KEY likely depends on external tooling for endpoint protection, email filtering, SOC functions, vulnerability scanning and monitoring. These tools can make a small provider look larger by extending capability. They also compress differentiation if competitors can buy the same stack. The durable value sits in configuration quality, customer knowledge, response process and trust, not merely in the logo of a tool.
At the equipment layer, the company's claim that PowerPack customers use 1Key equipment supports control but creates procurement exposure. Hardware availability, vendor firmware quality, warranty terms and replacement cycles all affect margin. A provider that standardises equipment can troubleshoot faster, but it also has to refresh that equipment before it becomes the source of the very outages it promised to prevent.
The supplier picture therefore strengthens the case for careful pricing. 1KEY can capture value by converting supplier complexity into a simple customer experience. But it must charge for that conversion. If customers pay commodity connectivity prices while expecting end-to-end supplier management, the provider carries downside without enough revenue upside.
Customer evidence shows real use cases but not concentration risk
The case-study set is one of the more useful parts of the public record because it shows how 1KEY wants customers to understand its role. It does not disclose revenue, length of relationship, contract margins or current status. It does show the types of problems the company claims to solve.
The Vught municipality case is about urgency and public-service continuity. A Covid emergency location needed connectivity and phone service after a Friday decision, with a Monday deadline. 1KEY says it designed a solution quickly, used a radio link from a nearby school and created a VPN tunnel through a firewall. That case supports the local-accountability thesis. A national carrier may have scale, but a local provider that knows the environment and can coordinate quickly can be valuable in a crisis.
The Soleo case is about integration and distributed operations. Soleo is described as a full-service contact centre with offices in the Netherlands, Belgium and Curacao. After acquiring HMS in 2021, it needed IT environments combined. 1KEY says it centralised firewall, monitoring, Office 365 and server hosting and managed networks across 12 international locations. The customer quote in the case emphasises reachability outside normal hours and short cancellation terms. That is commercially revealing. Reachability is part of the value proposition, but short cancellation terms can shift risk to the provider if equipment and onboarding costs are not recovered quickly.
The Exes case is about international engineering work. Exes Group is described as an engineering company with offices in the Netherlands, India and South America and headquarters at High Tech Campus Eindhoven. 1KEY says it analysed the old environment, implemented a central IT structure, connected offices, set up VPN, cloud workplace and shared file storage, and handled Microsoft 365 optimisation and security. The case supports competence in multi-location workplace connectivity, but again gives no financial scale.
The Corvers case is about professional services and sensitive information. Corvers Procurement Services works on legal and economic procurement advice and handles sensitive documents for government and knowledge institutions. 1KEY says it took over full IT management from laptops and email to Office 365 and network support, with cybersecurity training and simulations. That type of customer may value confidentiality, user training and incident readiness more than lowest access price.
The Lommers case is about field-service continuity. Lommers Installaties is described as a family company with 25 employees. 1KEY says it provides cloud services, SOC and endpoint security, tablets with VPN for technicians, and PowerPack support. The case describes rapid help during a power outage and a generator arrangement. This again supports the value of a local, operational provider whose job is to keep work moving rather than sell a single product.
The HMS case is about scaling and privacy-sensitive contact-centre work during Covid. The company says HMS grew from 10 to 146 users and needed a cloud environment, SOC, endpoint security and VPN for flexible workers. That case supports scalability and security framing, but it also illustrates demand volatility. If a customer scales users up and down, the provider needs licensing, staffing and contract terms that can flex without destroying margin.
Together, the cases show a coherent commercial identity: 1KEY sells continuity to organisations where downtime, privacy risk or support delay has immediate operational consequences. The missing part is concentration. We do not know whether the named cases are representative, old highlights, large current accounts or small examples. We do not know whether one or two customers dominate revenue. We do not know renewal rates. For a local provider, those unknowns matter because customer loss can remove both revenue and reference credibility.
Competition is not only another local MSP
1KEY competes against several categories of substitute, and each attacks a different part of its value proposition.
The first substitute is the national telecom operator. Odido's business site, for example, presents business internet, backup internet, fixed telephony, managed telecom, cloud telephony, SD-WAN, next-generation firewall and business-network services. A buyer that wants a recognised brand, large support organisation and bundled connectivity can choose a national provider. The national provider may not know the customer's wiring closet or emergency constraints as well as a local ICT partner, but it can compete on procurement comfort, brand recognition and product breadth.
The second substitute is the specialist MSP. Many Dutch small and mid-sized businesses can buy Microsoft 365 management, endpoint security, backup, help desk and project work from providers that do not maintain their own public network identity. Those competitors may have lower network overhead. They can focus on cloud and workplace support while leaving circuits to carriers. 1KEY's network-resource layer helps only if customers value end-to-end responsibility enough to pay for it.
The third substitute is direct cloud adoption. Eurostat's cloud data show that paid cloud services are now normal for European enterprises with at least ten people. If email, files, office software and security tools move to large platforms, some customers may think they need less local infrastructure support. In practice, cloud can increase support needs because identity, security, device management, backup, access policy and vendor coordination become more complex. But the sales argument changes. 1KEY has to prove that local orchestration around cloud is valuable, not simply that local servers need maintenance.
The fourth substitute is internal IT. A municipality, contact centre or engineering company may hire its own staff when technical dependence becomes strategic. Internal teams can know the business better and avoid recurring supplier margins. They also struggle with breadth, on-call coverage and specialist security skills. 1KEY's opportunity is strongest where customers are large enough to need professional ICT operations but not large enough to staff every function in-house.
The fifth substitute is buying less reliability. Many SMEs tolerate downtime until a painful incident changes behaviour. They may choose a cheaper broadband line, basic Microsoft support, ad hoc device repair and a cyber-insurance policy. That is the most common competitor in reliability markets: inaction. The provider has to sell the avoided loss before the loss happens. That requires trust, evidence and pricing discipline.
Against these substitutes, 1KEY's differentiation is local accountability plus integrated technical scope. Its risk is that the same integrated scope is expensive to deliver. The company cannot win purely by being cheaper than national carriers, hyperscale cloud platforms or low-touch MSPs. It has to win by being more accountable, more responsive and more able to keep customer operations intact. That is a premium positioning, and premium positioning fails when evidence is thin.
Regulation raises the value of documentation, not just uptime
The regulatory environment makes 1KEY's type of service more relevant, but it also raises the standard of proof. Dutch and European cybersecurity policy increasingly asks organisations to show that they understand risk, continuity, backup, supply-chain exposure and incident response. The NCSC's care-duty guidance for the Cyberbeveiligingswet describes measures around risk analysis, incident handling, business continuity, backup and recovery, supply-chain security, cyber hygiene, secure systems, access control, cryptography and effectiveness assessment.
For 1KEY's customers, those topics map closely to the company's service catalogue. Backup, monitoring, security tooling, awareness training, supplier coordination and business reviews are not just IT conveniences; they are inputs into governance. A customer that has to prove continuity planning may value a provider that can produce reports, document controls and explain dependencies.
For 1KEY, however, regulation is a double-edged asset. It can increase willingness to pay for managed security and continuity. It also demands better internal process, evidence retention and supplier oversight. If the company wants to serve customers that fall under stricter cyber or operational-resilience rules, it may need formal assurance, documented incident handling, tested recovery procedures, contractual clarity and staff training. The public website's ISO 27001 certification-progress reference suggests the company recognises the assurance need, but the public material reviewed here does not establish completed certification.
The geopolitical risk is less about direct exposure to a sanctions-heavy region and more about dependence on global digital supply chains. Cloud platforms, security tools, endpoint software, network equipment and upstream connectivity all sit in international supply chains. A local provider can reduce customer complexity, but it cannot make those dependencies disappear. Its job is to map them, monitor them and design practical fallback paths.
Operational risk is more immediate. The public routing data showed valid RPKI status for the 185.91.12.0/22 route originated by AS39114. That is positive hygiene. But broader resilience depends on factors not visible in the public record: route filtering, upstream diversity, physical access diversity, tested failover, backup restoration success, staffing coverage, incident communications and customer-specific runbooks. A valid route object cannot answer those questions.
Unofficial market signals are sparse and should stay low in the weighting
The open public file did not produce enough independent market chatter to support strong claims about 1KEY's reputation, churn, service quality or pricing power. The visible customer evidence is mainly company-selected case material. That material is useful for understanding positioning and service scope, but it is not independent diligence.
This matters because managed-service businesses often live or die by reputation. A provider can look technically credible on paper while losing customers because of slow responses, poor documentation or inconsistent technicians. It can also have a loyal customer base that does not leave many public traces because the service is local, business-to-business and relationship-driven. Absence of online noise is therefore ambiguous. It is neither proof of weakness nor proof of hidden strength.
The available signals that do carry weight are operational rather than social. RIPE membership, a maintained RIPE Database organisation record, routed IPv4 space, RPKI validity and named customer cases all show more substance than a generic IT consultancy site. PeeringDB's self-published data adds context but must be treated cautiously, especially where an exchange entry is not marked operational. Website claims about response time and managed workplaces should be treated as marketing statistics unless supported by underlying ticket and billing data.
The right weighting is therefore conservative. Unofficial signals do not change the central thesis. They leave the company in a middle category: credible enough to warrant attention, but not transparent enough to underwrite a strong financial conclusion.
What would change the judgment
The most important facts that would change the judgment are straightforward.
First, contract economics. A schedule showing recurring revenue by service line, average revenue per workplace, average revenue per location, gross margin by product, project revenue share, hardware recovery terms, price escalation clauses and churn would reveal whether local accountability is priced as a premium service or given away to win accounts. The difference is decisive.
Second, support intensity. Ticket volumes, response times, resolution times, onsite visit rates, after-hours incidents, escalations per customer and engineering hours per contract would show whether the fixed monthly model scales. A claim of rapid phone response is useful only if it does not depend on staff overload.
Third, customer concentration. The named cases are interesting, but concentration data would show downside risk. A provider with many small sticky accounts is different from a provider whose economics depend on two demanding customers. Contract term, cancellation rights and renewal history matter as much as customer names.
Fourth, network resilience. Evidence of physically diverse upstreams, tested failover, data-centre architecture, current exchange status, route filtering, IPv6 plans, backup-link capacity and incident history would help separate genuine reliability from optimistic design. The current public record proves resource control more than it proves resilience under stress.
Fifth, supplier economics. Transit commits, access supplier terms, cloud and security tooling margins, equipment financing, warranty coverage and service-credit pass-through would show who carries the downside when suppliers fail. A local provider can be valuable by shielding customers from supplier complexity, but it must be paid for that shield.
Sixth, compliance evidence. Completed ISO certification, audited controls, incident-response exercises, restore-test results, supply-chain assessment processes and customer-ready assurance packs would support premium pricing in regulated segments. Without that evidence, compliance remains a sales theme rather than a proven moat.
Seventh, people and retention. Staff tenure, certifications, utilisation, hiring flow and escalation coverage would show whether the company can maintain service quality as it grows. In a local managed-service business, human capability is the product.
On today's public evidence, the judgment is deliberately restrained. 1KEY BV appears to have a real operating footprint, a coherent recurring-service offer and enough network-resource evidence to distinguish it from a purely brochure-led consultancy. Its value proposition is economically sensible: customers pay a local specialist to own the messy boundary between connectivity, workplace, security, backup and suppliers. But the same promise creates the risk. Reliability is costly before it is visible, and the provider carries that cost whether or not the customer appreciates it in a quiet month.
The investable question is therefore not whether 1KEY can describe reliability well. It can. The question is whether it charges for reliability with enough precision and discipline. If the answer is yes, the company has the ingredients of a resilient regional ICT operator: recurring revenue, trusted local relationships, resource control and growing customer need for continuity evidence. If the answer is no, the company may be doing valuable work while allowing customers to underpay for the risk it absorbs.

