The ICT security assessment for DigiD is not a static document. Logius adjusts the requirements regularly on the basis of new threats, incidents and evolving insight. For 2026, changes have again been introduced that have a direct impact on organisations that use DigiD for their digital services to citizens.
The core of the assessment remains unchanged: organisations that offer DigiD as an authentication means must periodically demonstrate that their IT environment complies with the security requirements of Logius. But how those requirements are interpreted and tested evolves. In practice, we see organisations that passed the assessment without findings last year running into new findings this year.
Tightened requirements for API security
One of the most important changes concerns the security of the SAML and OAuth connections with DigiD. Where a working integration was previously sufficient, assessors now look more closely at the configuration of the metadata endpoints, the validity and pinning of certificates, and the way in which tokens are validated and stored. Organisations that obtain their DigiD integration through an MSP or SaaS provider must be able to demonstrate that this party verifiably meets the requirements; a data processing agreement alone is no longer sufficient.
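As an added example (not code from Logius, the author, or any DigiD component), the Python script below shows what pinning the IdP signing certificate published in SAML metadata can look like on the service-provider side: it parses the metadata, computes the SHA-256 fingerprint of every signing certificate, rejects the metadata if any of those certificates is not in the pin set, and refuses metadata whose validUntil has passed. The metadata document, the entityID and the certificate bytes are constructed stand-ins; real DigiD metadata and certificates differ.

```python
"""Pin the IdP signing certificate(s) published in SAML 2.0 metadata.

Added example, not Logius/DigiD code. Assumptions: the IdP publishes a standard
md:EntityDescriptor; the pin set holds SHA-256 fingerprints of the DER-encoded
signing certificates; the metadata, entityID and certificate bytes below are
constructed stand-ins, not real DigiD material.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER bytes of the IdP signing certificate.
FAKE_DER = b"constructed-stand-in-for-idp-signing-cert-der"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/idp" validUntil="2026-12-31T23:59:59Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der):
    """SHA-256 hex fingerprint of a DER-encoded certificate (the usual pin format)."""
    return hashlib.sha256(der).hexdigest()


def parse_utc(iso):
    """Parse an ISO 8601 UTC timestamp such as 2026-12-31T23:59:59Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def signing_fingerprints(metadata_xml):
    """Fingerprints of every certificate the IdP publishes for signing.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included as well.
    """
    root = ET.fromstring(metadata_xml)  # production: parse untrusted XML with defusedxml
    fps = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.append(fingerprint(der))
    return fps


def check_metadata(metadata_xml, pinned, now_iso):
    """Return (ok, reason). Fails closed: any unpinned signing cert rejects the metadata."""
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")
    if valid_until and parse_utc(now_iso) >= parse_utc(valid_until):
        return False, "metadata validUntil has passed"
    fps = signing_fingerprints(metadata_xml)
    if not fps:
        return False, "metadata publishes no signing certificate"
    unpinned = [fp for fp in fps if fp not in pinned]
    if unpinned:
        return False, "unpinned signing certificate " + unpinned[0]
    return True, "ok"


if __name__ == "__main__":
    pins = {fingerprint(FAKE_DER)}
    print(check_metadata(SAMPLE_METADATA, pins, "2026-06-01T12:00:00Z"))
    print(check_metadata(SAMPLE_METADATA, {fingerprint(b"rotated")}, "2026-06-01T12:00:00Z"))
```

Failing closed is the point: a rotated IdP certificate then requires a deliberate pin update, with a change record an assessor can see, instead of being trusted silently. The script does not verify the XML signature on the metadata itself; do that with an xmlsec-based SAML library before trusting the contents, and parse XML fetched from a network endpoint with defusedxml rather than the standard parser.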
Logging and monitoring: from present to demonstrable
The requirements around logging are not new, but the burden of proof has been increased. It is no longer enough to declare that logging has been set up. Assessors increasingly ask for concrete examples: show how a suspicious login attempt is detected, which alerts are triggered, and how the escalation process runs. Organisations that have set up monitoring only on paper get stuck here.
We advise carrying out a test scenario prior to the assessment. Simulate a brute-force attack on the DigiD login page and document how your organisation responds: what was detected, which alerts fired, and who was notified when. That produces concrete evidence that assessors value and saves discussion during the assessment.
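As an added example of the kind of evidence such a test produces (not the author's tooling and not a Logius requirement), the Python below runs a sliding-window detection over constructed login audit events: it alerts when one source IP accumulates five failures within five minutes, records how many distinct accounts were tried, and raises a higher-severity alert if a successful login then follows from the same IP. The log format (one JSON line per login outcome with ts, src_ip, user and result) and the thresholds are assumptions.

```python
"""Sliding-window brute-force detection over login audit events.

Added example, not Logius/DigiD code or the author's tooling. Assumptions: the
application writes one JSON line per login outcome with 'ts' (ISO 8601 UTC),
'src_ip', 'user' and 'result' ('ok' or 'fail'); the thresholds are
illustrative. The log lines below are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
{"ts": "2026-03-02T09:00:01Z", "src_ip": "203.0.113.7", "user": "alice", "result": "fail"}
{"ts": "2026-03-02T09:00:09Z", "src_ip": "203.0.113.7", "user": "alice", "result": "fail"}
{"ts": "2026-03-02T09:00:15Z", "src_ip": "198.51.100.2", "user": "carol", "result": "fail"}
{"ts": "2026-03-02T09:00:20Z", "src_ip": "203.0.113.7", "user": "admin", "result": "fail"}
{"ts": "2026-03-02T09:00:31Z", "src_ip": "203.0.113.7", "user": "bob", "result": "fail"}
{"ts": "2026-03-02T09:00:40Z", "src_ip": "198.51.100.2", "user": "carol", "result": "ok"}
{"ts": "2026-03-02T09:00:44Z", "src_ip": "203.0.113.7", "user": "bob", "result": "fail"}
{"ts": "2026-03-02T09:00:58Z", "src_ip": "203.0.113.7", "user": "alice", "result": "fail"}
{"ts": "2026-03-02T09:03:12Z", "src_ip": "203.0.113.7", "user": "alice", "result": "ok"}
"""

FAIL_THRESHOLD = 5              # failures from one source IP ...
WINDOW = timedelta(minutes=5)   # ... within this window raise an alert (illustrative values)


def parse_ts(iso):
    """Parse an ISO 8601 UTC timestamp such as 2026-03-02T09:00:01Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


def detect_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts for the given JSON log lines (oldest first).

    One 'login_failure_burst' alert per burst, plus a high-severity
    'success_after_failure_burst' if the same IP then logs in successfully,
    which is the case that must be escalated rather than merely noted.
    """
    fails = defaultdict(deque)     # src_ip -> timestamps of failures inside the window
    users = defaultdict(set)       # src_ip -> distinct usernames tried in this burst
    in_burst = set()               # src_ips that already have an open burst alert
    alerts = []
    for line in lines:
        ev = json.loads(line)
        ts, ip = parse_ts(ev["ts"]), ev["src_ip"]
        q = fails[ip]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if not q:                          # window empty: any earlier burst is over
            in_burst.discard(ip)
            users[ip].clear()
        if ev["result"] == "fail":
            q.append(ts)
            users[ip].add(ev["user"])
            if len(q) >= threshold and ip not in in_burst:
                in_burst.add(ip)
                alerts.append({
                    "rule": "login_failure_burst", "severity": "medium",
                    "src_ip": ip, "ts": ev["ts"], "failures": len(q),
                    "distinct_users": len(users[ip]),   # >1 suggests password spraying
                })
        elif ip in in_burst:
            alerts.append({
                "rule": "success_after_failure_burst", "severity": "high",
                "src_ip": ip, "ts": ev["ts"], "user": ev["user"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

Keep the alert output next to the timeline of the test scenario: the assessor's question is not whether a rule exists but what fired, when, and who acted on it. Five failures in five minutes is a placeholder to tune against real login volume, and a per-source-IP rule misses distributed attempts, so count failures per account as well.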
Vulnerability management and patch policy
The patch policy has been tightened. Critical vulnerabilities in the DigiD-related infrastructure must be resolved within a defined period, and organisations must be able to demonstrate that they have an active vulnerability management process. A quarterly scan is no longer sufficient if the assessment shows that critical patches were missed in the interim.
The recommendation is to scan at least monthly and to have a clear process for prioritising and rolling out patches. Document not only what you scan, but also your decision-making when postponing patches. Assessors want to see that you deal with risk consciously and with justification.
Supply chain management and supplier requirements
A growing point of attention is supply chain management. More and more organisations no longer run their DigiD environment entirely in-house. The application runs at a hosting party, the DigiD connection runs via an MSP, and management is outsourced. In that context, the question becomes relevant: who is responsible for which part of the security?
Assessors expect organisations to have an up-to-date overview of all parties in the chain, including the security measures assigned to each party. A TPM (Third Party Memorandum) or SOC 2 report from your supplier can help, but only if you can demonstrate that you have reviewed its content, checked that its scope covers the DigiD-related services, and verified the relevant controls.
Practical preparation
The most effective preparation for a DigiD assessment is an internal pre-assessment. Go through the standards, gather the evidence, and identify the gaps before the assessor arrives. That sounds obvious, but in practice many organisations only start gathering evidence once the assessment has been scheduled.
We support organisations in preparing for DigiD assessments: from pre-assessment and gap analysis to guiding the actual assessment. Get in touch for a no-obligation conversation about how we can help.
About the author
Partner | IT Auditor