DigiD assessment: when is it mandatory and what does it involve?

Compliance · 6 min read

Kees van der Vlies

Partner | IT Auditor

Also available in: Nederlands

Every organisation that uses DigiD authentication for its digital services is required to have a DigiD assessment carried out annually. This assessment, prescribed by Logius (part of the Ministry of the Interior and Kingdom Relations), tests whether the ICT environment in which the DigiD connection is implemented meets the Logius norm, which is derived from the NCSC ICT Security Guidelines for Web Applications.

The assessment must be performed by an independent IT auditor who is registered as a Register EDP-auditor (RE). The assessor evaluates both the technical and the organisational security measures around the DigiD connection. These include network security, access management, logging, incident management and vulnerability management.

The assessment results in a report that you submit to Logius. Logius evaluates the report and issues a verdict: compliant, partially compliant or non-compliant. If the outcome is inadequate, you risk losing your DigiD connection, which means that citizens can no longer log in to your service.

The scope of the assessment covers the entire chain: from the web application that integrates DigiD, through the infrastructure on which it runs, to the management processes around it. Subcontractors and cloud providers involved in the DigiD chain also fall within scope.

Common mistakes in DigiD assessments are an incomplete scope definition (for example, a hosting provider or subcontractor in the DigiD chain that is left out), a penetration test that is missing or does not cover the whole scope, and insufficient logging of administrative actions. We see that organisations that start their preparations early generally get through the assessment more smoothly.

Our RE-certified auditors guide you from scope definition to report delivery. Get in touch for a no-obligation intake.

