Over 18 million people use DigiD to access private health and government data and services, which is more than the entire population of the Netherlands. DigiD has earned that trust through strict regulation and security standards imposed on the organizations that use it. Every organization using DigiD must complete a mandatory audit, to be delivered no later than May 1st of the year. This includes a full ENSIA audit carried out under NOREA guidelines.

Who Needs a DigiD Audit? 

Everyone who uses DigiD is required to complete an ENSIA audit. In many cases, however, much of the burden of passing a DigiD pentest falls on developers. For example, if you source infrastructure or software from a developer, that developer is responsible for passing the DigiD pentest. This means that instead of pentesting those systems yourself, the supplier has to provide you with a TPM statement.

What’s Included in a DigiD Audit? 

Every DigiD ENSIA audit consists of a multi-step audit and review of the full application and the services accessed through DigiD. These steps follow Logius' mandatory security guidelines:

  • A pre-audit to prepare you optimally for the formal DigiD assessment
  • An annual ENSIA audit, performed by a Registered EDP auditor (RE)
  • An annual pentest on web applications using DigiD
  • Periodic vulnerability scans of DigiD infrastructure
  • Periodic tests of web applications made accessible with DigiD
  • A TPM DigiD assessment for third parties involved in the services related to the web application using DigiD

Each of these steps follows specific guidelines and must be carried out by a third party, not conducted within your own organization.

DigiD Compliance Timelines 

DigiD audits must be submitted to NOREA every year, no later than May 1st. If you haven't submitted an assessment by May 1st, NOREA will send a reminder, so there is some room to submit your DigiD audit later. You should nonetheless schedule your DigiD audit and pentests so that you can submit your assessment on time.

Scheduling matters here. With several thousand organizations using DigiD, demand for DigiD assessments peaks all at once, typically from mid-January to late April. Because you want to complete your full assessment before May 1st, you can begin scheduling your assessment from the 1st of January. That gives you plenty of time to ensure the auditor and their pentesters have capacity for your organization, that you have time to remediate any issues the assessment turns up, and that you are ready to pass well before May 1st.

Where Can You Get Started? 

Normally you can request a DigiD ENSIA audit from any RE auditor. We recommend our partner Inergy, who can supply the full ENSIA audit as well as any TPM statements you might need to hand to your customers.

A DigiD Pentest with Cyver 

Cyver delivers DigiD pentests in line with the Logius Framework requirements and compatible with RE auditor needs. Our methodology includes:

  • Standard B0-8: External blackbox/greybox infrastructure and greybox/whitebox application penetration test
  • Standard B3-15: External blackbox penetration test for vulnerabilities in the web application

We pentest your infrastructure and deliver findings inside our pentest management platform, Cyver Core. There you can onboard developers and stakeholders, see vulnerabilities as we push them to the platform, and immediately submit them to the relevant teams as tickets. Once you remediate a vulnerability, you can immediately request a free retest, provided the fix is handled within 30 days of the pentest, and then use the retest to generate a clean pentest report for your auditor, which simplifies passing the audit.

If you'd like to learn more, download our free whitepaper, or schedule a demo with us to see the platform and discuss your needs with our lead pentester.