Every business that supports DigiD login or access to its systems and infrastructure is required to complete a DigiD audit following NOREA and VNG (ENSIA for DigiD) guidelines. This often means thousands of businesses approaching auditors, with the goal to submit the audit for DigiD compliance before May 1st of the year. The pentest must be completed before that, and with enough time to ensure the auditor has time to review. At Cyver, we complete 35+ DigiD pentests per year, in collaboration with our audit partners. 

As part of that report, we deliver a pentest report designed to ensure our clients and the DigiD auditor can easily see how the pentest results align with the norm, so that you can take steps to ensure you pass the audit, and so your auditor can more easily see whether you pass/fail those requirements. 

At Cyver, we also work to ensure that our DigiD pentest is focused on helping your organization remediate vulnerabilities so you can pass the audit. We achieve this with a pentest-as-a-service portal, delivering vulnerabilities as findings – retesting remediation for free – and then delivering a report based on those retests. 

Why Pentest-as-a-Service for DigiD? 

Pentest-as-a-Service leverages a portal to enable digital pentest delivery, with vulnerability findings as tickets, recurring pentests matched to development and compliance needs, and direct collaboration with your pentester. That helps you pass compliance audits like DigiD in several ways. 

Pentest On Demand 

Cyver clients have access to our pentest-as-a-service portal, which means you can request a pentest at any point. The system will set up a new pentest, with the same scope as your previous pentest, which you can also update right in the platform. 

“Many of our clients request pentests via the portal. That means they request a new pentest based on the old scope, so they don’t have to spend time setting up the pentest every year – which is great because most clients need the same scope and test every year”

Then, the pentesters at Cyver can let you know when we can fit it into our schedule. Our flat-rate pricing means that you’ll have the same costs associated with your DigiD pentest each time you schedule it – unless you majorly change the scope. 

We also offer pentest scheduling, meaning you can determine when you want us to set aside time for next year’s DigiD pentest. This helps to ensure you don’t have to wait for your compliance check, and that you’ll have plenty of time to remediate vulnerabilities for the next assessment. 

Both will save you time looking for, assessing, and setting up scope and other details with your pentester. If the pentest is the same, we can reduce the overhead involved with the job, saving us time and you money. 

Vulnerability Findings as Tickets 

Cyver delivers our vulnerability findings as individual tickets inside of our secure cloud portal. Your stakeholders, including compliance officers, developers, and CSOs can log in to see vulnerabilities as they’re reported. In addition, with integration to popular work tooling like Jira, you can directly export those vulnerability findings as tickets to the work management platforms you already use. 

Those tickets include the finding, our severity rating, how it maps to DigiD, and our proof of findings. Where possible, one of our pentesters will also write up recommendations on how to fix the issue – giving your teams a head start on the fix. 

“Our clients have the opportunity to review vulnerability findings before the report is presented”, says Mike Terhaar, Chief Pentester at Cyver, “With the findings mapped to the DigiD framework, you don’t have to wait for the report to see how you’re doing, or what you have to fix. You make sure you’re ready to go before the audit happens, major findings can be solved in advance, and you don’t risk complications or having to solve those vulnerabilities on a timeframe set by an auditor”.

Pentester Communication and Collaboration 

In any case where you or your team have questions, want help, or are concerned about a false positive finding, you have the option to directly talk to the relevant pentester. Cyver’s pentest portal includes a chat and comment feature, meaning you can ask questions directly on the relevant finding and get relevant answers directly from the pentester. 

That combines with metrics and dashboards in the platform, showing compliance officers at a glance what has to be fixed before you’re DigiD ready. 

“You can already see how the findings map to the DigiD audit, that’s an advantage if you want to see how you’re doing. In addition, the portal means everything is in one place. We upload proof of findings, screenshots, and information to the same place. That ensures it’s as easy as possible for teams to access everything they need to actually make the fix – and if they can’t, they can always ask us for more information” 


Once your IT, compliance officers, and developers mark a finding as remediated, you can request retesting. If you make the request within the first 30 days after the pentest, we’ll do that check for free.

Receive the Report 

Once you’re finished remediating vulnerabilities and requesting retests, you can request the report at any time. We’ll send you a report, mapped to the DigiD compliance framework, and in alignment with the auditor’s needs for the framework. 

Cyver Core’s platform also allows you to deliver the pentest report directly to the Auditor, with the information they need and none of your private data. Our external report feature means you can share a report generated for the auditor, with everything they need for the DigiD audit and nothing else. That makes it even easier for auditors to ensure you’re compliant. 

If you’d like to learn more about how Cyver Core handles pentesting for DigiD, contact us or schedule a demo.