DigiD assessment checklist

IT audit · 5 min read

Kees van der Vlies

Partner | IT Auditor


DigiD is the Dutch government's electronic identity scheme for citizens, operated by Logius under the responsibility of the Ministry of the Interior and Kingdom Relations. Organisations that let citizens log in via DigiD are subject to a recurring ICT security assessment and ongoing compliance checks; these are not optional.

A DigiD assessment comes down to two core questions: does your environment meet the security and authentication requirements, and does the DigiD integration behave correctly? The scope is broader than technical checks alone; organisational controls are assessed as well.

Authentication integrity is crucial. The assessor verifies that your organisation correctly identifies citizens via DigiD and that identity confusion or spoofing is not possible. In practice this means checks on how your application validates the tokens it receives from DigiD (signature, issuer, intended audience and validity period) and on how it creates, binds and terminates user sessions afterwards: a completed DigiD login must not be replayable, and a session must never end up attributed to the wrong citizen.

Data handling is a large part of the assessment. Personal data received via DigiD, notably the citizen service number (BSN), may only be stored where the service genuinely requires it. The assessor checks that your retention policy states what is kept and for how long, and that stored personal data is adequately protected.

Logging and monitoring are essential too. All DigiD-related transactions must be logged for audit purposes, and the logs must be available when the assessor asks for them. Your organisation must also show that it actually monitors DigiD traffic for suspicious activity, such as repeated failed logins or login attempts from unexpected sources, rather than merely collecting logs.

Patch management and vulnerability scanning are also within scope. Your IT environment is scanned for known vulnerabilities as part of the assessment. Your organisation must demonstrate a working patch management process: known vulnerabilities have to be remediated within a defined timeframe, and you must be able to show that this actually happens.

Does your organisation host a DigiD integration? The exact requirements and assessment frequency depend on your environment and on how DigiD is used. We have extensive experience preparing organisations for DigiD assessments and working through assessors' findings.

Let us help with your DigiD compliance. Get in touch for a compliance scan or preparation for an upcoming assessment.

