If your organization offers a DigiD login, you are required under Dutch law to meet the Logius DigiD Standards Framework V2.0. In practice that means an annual ICT security assessment consisting of two parts: an IT audit and a pentest. The results of both must be submitted to Logius between January 1 and May 1; for this cycle the deadline is May 1, 2023, as it has been every year since 2017. If you miss the deadline, Logius can deactivate your DigiD connection.
Because the largest part of passing the DigiD audit falls on developers, it is important to start early enough to fix what the audit and pentest turn up. At Cyver, we work with our compliance partner Inergy to help Dutch organizations meet their DigiD compliance requirements every year.
The following tips will help ensure you’re DigiD compliance ready.
Don’t Wait Too Long
It is true that you can submit your ENSIA audit and DigiD pentest results at any time between January 1 and May 1, 2023. It is still important to start on time, and there are two reasons for that. The first is capacity: there is a limited number of pentesters and Registered EDP Auditors in the Netherlands, and the longer you wait, the fewer of them will be available to do the work for you.
So even if you plan to submit at the last possible moment, book your auditors and pentesters upfront. Otherwise you may finish pentesting so late that there is no time left to remediate the findings, or you may end up paying more for your audit and pentest than you would have by booking earlier.
Simply reaching out, committing to a pentest and audit upfront, and locking in rates can save you a lot on your DigiD compliance as a whole.
Retest Remediated Vulnerability Findings
The second reason is that your DigiD pentest will most likely find vulnerabilities, some of which may affect your ability to pass the audit. Doing the pentest early, with enough time to remediate the findings and have them retested, ensures the audit itself goes as smoothly as possible.
With Cyver, that workflow is built into our platform. We deliver the pentest report with each finding as a ticket, and you can export those tickets to work management tools such as Jira via the connector. Your developers can then see exactly what needs to be fixed and why. If they or your compliance officer have questions, they can log into the Cyver Portal and talk directly to the pentesters who performed the DigiD pentest.
Once a vulnerability is resolved, you mark it as remediated in the platform and request a retest. We perform that retest for free up to 30 days after our last pentest, and if we verify the vulnerability is gone, we update the report accordingly. When you then generate the report for your auditor, the vulnerabilities you fixed no longer appear in it, which simplifies and speeds up the audit.
Ultimately, DigiD compliance is a yearly process. It should be on your agenda every year, and the sooner you know which vulnerabilities you have to deal with, the better you can ensure ongoing compliance and security. That is why Cyver delivers pentest-as-a-service, shifting the focus from one-off pentests to recurring ones that check your environment for vulnerabilities each time you complete a major update. That allows us to dig deeper, get to know your security environment, and collaborate with your developers to harden it over time.
Then, when your DigiD pentest is due, you will already know you can pass.
For this year’s DigiD pentest, contact us now to discuss your needs or to book your pentest.