DigiD assessment for SaaS providers: scope and requirements


Kees van der Vlies

Partner | IT Auditor


Organizations that connect to DigiD must undergo an annual DigiD assessment (previously known as the ICT security assessment, or ICT-beveiligingsassessment). What many SaaS providers do not initially realize is that this assessment scope extends beyond the organization that directly connects to DigiD. If you provide SaaS services that are part of the DigiD authentication chain, you are in scope too.

Chain responsibility

The DigiD assessment framework operates on the principle of chain responsibility. The organization that connects to DigiD (typically a government agency or a service provider acting on their behalf) is responsible for ensuring that all components in the authentication chain meet the required security standards. When your SaaS platform is part of that chain, either by handling the authentication flow, processing DigiD-authenticated sessions, or storing data accessed through DigiD authentication, you fall within the assessment scope.

In practice, this means the connecting organization will require you to demonstrate compliance with the DigiD security norms. This can be done through inclusion in their assessment scope (meaning the assessor audits your environment directly) or through a Third Party Assurance (TPA) report, also known as a Third Party Memorandum (TPM). A TPA report provides independent assurance about the security of your specific components in the chain.

Technical requirements

The DigiD assessment evaluates compliance against the ICT security norms published by Logius. For SaaS providers, several technical requirements consistently demand attention.

Network segmentation is a fundamental requirement. DigiD-related components must be isolated from other parts of your infrastructure through network-level controls. In a multi-tenant SaaS environment, this means ensuring that DigiD-related traffic and data are properly segmented from other customers' environments.

Encryption requirements apply both in transit and at rest. All communication involving DigiD authentication data must use current, approved cryptographic protocols. Data at rest, including logs containing DigiD-related information, must be encrypted using approved algorithms and key lengths.

Logging and monitoring requirements are extensive. You must log all security-relevant events related to DigiD processing, retain those logs for a defined period, and actively monitor them for security incidents. Log integrity must be protected, and logs themselves must be stored securely.
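As an added illustration of the log-integrity point above (this is example code written for this edit, not Secure Audit's tooling and not a Logius-prescribed mechanism), the following shows one common way to make a security event log tamper-evident: each entry carries an HMAC-SHA256 over the previous entry's tag plus the canonical form of its own record. The key, the three sample events and the field names are all constructed for the demo; an assessor would expect the key to live in a KMS or HSM rather than beside the log files.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In a real deployment the MAC key lives in a KMS/HSM and is
# never stored alongside the log files it protects, otherwise tampering is trivial.
DEMO_LOG_KEY = b"constructed-demo-key-not-for-production"

GENESIS_TAG = "0" * 64


def chain_tag(key: bytes, previous_tag: str, record: Dict) -> str:
    """HMAC-SHA256 over (previous tag || canonical JSON of the record).

    Binding each tag to its predecessor makes deletion and reordering detectable,
    not only in-place modification of a single entry.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, previous_tag.encode() + b"\n" + canonical, hashlib.sha256).hexdigest()


def append_records(key: bytes, records: List[Dict]) -> List[Dict]:
    """Build a chained log from plain event records."""
    entries: List[Dict] = []
    previous = GENESIS_TAG
    for record in records:
        tag = chain_tag(key, previous, record)
        entries.append({"record": record, "prev": previous, "tag": tag})
        previous = tag
    return entries


def verify_chain(key: bytes, entries: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    previous = GENESIS_TAG
    for index, entry in enumerate(entries):
        expected = chain_tag(key, previous, entry["record"])
        if entry["prev"] != previous or not hmac.compare_digest(entry["tag"], expected):
            return False, index
        previous = entry["tag"]
    return True, None


# Constructed sample events, shaped like the DigiD-related security events a SaaS
# platform would record (tenant, event type, pseudonymous session reference).
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T09:00:01Z", "tenant": "tenant-a", "event": "digid_auth_success", "session": "s-1001"},
    {"ts": "2024-01-15T09:00:05Z", "tenant": "tenant-b", "event": "digid_auth_failure", "session": "s-1002"},
    {"ts": "2024-01-15T09:01:10Z", "tenant": "tenant-a", "event": "session_terminated", "session": "s-1001"},
]


def demo_tamper_detection() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Show the verifier's verdict on an intact, a modified, and a truncated log."""
    log = append_records(DEMO_LOG_KEY, SAMPLE_EVENTS)

    modified = json.loads(json.dumps(log))                  # deep copy
    modified[1]["record"]["event"] = "digid_auth_success"   # a failure rewritten as a success

    deleted = [log[0], log[2]]                              # middle entry silently removed

    return {
        "intact": verify_chain(DEMO_LOG_KEY, log),
        "modified": verify_chain(DEMO_LOG_KEY, modified),
        "deleted": verify_chain(DEMO_LOG_KEY, deleted),
    }


if __name__ == "__main__":
    for name, verdict in demo_tamper_detection().items():
        print(f"{name:8s} -> intact={verdict[0]} first_bad_index={verdict[1]}")
```

Running the module reports the intact log as valid and points at entry 1 for both the modified and the truncated copy. In practice the chain is anchored by periodically forwarding the latest tag to a system the log writer cannot reach (a separate log collector or a write-once store), which is what lets an assessor trust that the logs under review are the ones that were originally written.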

Vulnerability management requires regular scanning and timely patching of all components in the DigiD chain. Critical vulnerabilities must be addressed within defined timeframes, and the entire vulnerability management process must be documented and auditable.

The multi-tenant challenge

For SaaS providers, the multi-tenant architecture creates specific challenges. The assessment requires you to demonstrate that one customer's DigiD data cannot be accessed by another customer, that shared infrastructure components meet the security norms for all DigiD-connected tenants, and that your change management processes ensure that updates to shared components do not compromise DigiD security.

Demonstrating these controls in a multi-tenant environment requires clear architectural documentation, well-designed access controls, and thorough testing. Organizations that designed their architecture with these requirements in mind from the start find the assessment process significantly smoother than those retrofitting controls onto an existing platform.
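The tenant-isolation requirement described in this section is most convincingly demonstrated at the data-access layer. The following added example (written for this edit, not Secure Audit's or any DigiD broker's code) contrasts an unscoped lookup by record id with a repository in which every query is bound to the tenant of the authenticated caller, so no caller-supplied parameter can widen the scope. The table, tenant names, pseudonymous subject references and the `Principal` type are all constructed for the demo.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Principal:
    """The caller's identity as established by the platform, including its tenant."""
    tenant_id: str
    user: str


class TenantIsolationError(LookupError):
    """Raised for any record the caller's tenant may not see.

    Deliberately the same error for 'does not exist' and 'belongs to another
    tenant', so the API does not reveal whether another tenant's record id exists.
    """


def build_demo_db() -> sqlite3.Connection:
    """In-memory table of DigiD-authenticated sessions for two constructed tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE digid_session ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
        " subject_ref TEXT NOT NULL, created_at TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO digid_session (tenant_id, subject_ref, created_at) VALUES (?, ?, ?)",
        [
            ("tenant-a", "pseudonym-0001", "2024-01-15T09:00:01Z"),
            ("tenant-a", "pseudonym-0002", "2024-01-15T09:02:30Z"),
            ("tenant-b", "pseudonym-0003", "2024-01-15T09:03:12Z"),
        ],
    )
    conn.commit()
    return conn


def unscoped_get_session(conn: sqlite3.Connection, session_id: int) -> Optional[tuple]:
    """The pattern that fails the assessment: a lookup keyed on the record id alone.

    Nothing ties the query to the caller's tenant, so any record id resolves.
    """
    return conn.execute(
        "SELECT id, tenant_id, subject_ref FROM digid_session WHERE id = ?", (session_id,)
    ).fetchone()


class TenantScopedSessions:
    """Data-access layer where every query is bound to the caller's tenant.

    Callers never pass a tenant_id; it comes from the authenticated Principal,
    so there is no code path that queries across tenants.
    """

    def __init__(self, conn: sqlite3.Connection, principal: Principal) -> None:
        self._conn = conn
        self._tenant = principal.tenant_id

    def list_sessions(self) -> List[tuple]:
        return self._conn.execute(
            "SELECT id, subject_ref, created_at FROM digid_session WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()

    def get_session(self, session_id: int) -> tuple:
        row = self._conn.execute(
            "SELECT id, subject_ref, created_at FROM digid_session WHERE id = ? AND tenant_id = ?",
            (session_id, self._tenant),
        ).fetchone()
        if row is None:
            raise TenantIsolationError(f"session {session_id} not visible to tenant {self._tenant}")
        return row


def cross_tenant_read_blocked(conn: sqlite3.Connection, caller: Principal, session_id: int) -> bool:
    """Check an assessor-style test could run: True if the scoped layer refuses the read."""
    try:
        TenantScopedSessions(conn, caller).get_session(session_id)
    except TenantIsolationError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    alice = Principal(tenant_id="tenant-a", user="alice")
    print("unscoped lookup returns tenant-b row:", unscoped_get_session(db, 3))
    print("tenant-a sees:", TenantScopedSessions(db, alice).list_sessions())
    print("cross-tenant read blocked:", cross_tenant_read_blocked(db, alice, 3))
```

The point for the assessment is that the isolation control is structural: the tenant filter is applied in one place that every query passes through, which is far easier to document and to test than per-endpoint authorization checks scattered across the code base. The same property should hold for shared components such as caches and message queues, where a tenant key in every lookup plays the role of the `tenant_id` column here.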

Preparing for the assessment

Start preparation early. The DigiD assessment is detailed and technical, and remediating findings takes time. Conduct an internal review against the Logius norms well before the formal assessment. Identify gaps, prioritize remediation, and ensure your documentation is current and complete.

Secure Audit conducts DigiD assessments and helps SaaS providers prepare for them, including the preparation of TPA/TPM reports. Whether you are entering the DigiD chain for the first time or preparing for your annual reassessment, we can guide you through the requirements. Contact us to discuss your DigiD assessment needs.
