The Digital Government Act (Wet digitale overheid, or Wdo) enables citizens, alongside DigiD, to choose an authentication method from a private provider recognised by the Dutch Government. This reduces dependence on a single login method. Other login methods must meet requirements to ensure security and privacy.
Ministerial regulation regarding additional requirements for identification methods, authentication, and authorisation services under the Wdo.
This regulation (Dutch), together with the Decision regarding identification methods for natural persons under the Wdo (Dutch) and the Decision regarding the business and organisational methods outlined in the Wdo (Dutch), sets out the requirements that public and private login methods must meet to be admitted under the Wdo. The rules apply to providers of both public (such as DigiD) and private login methods.
Publication
The publication of the requirements for public and private login methods is intended to provide interested parties with insight, enabling them to prepare for admission. The regulation will come into force once the necessary technical provisions are in place and the open admission process begins. A commencement order will be published at a later date to mark this.
Supervisory authority
The Dutch Authority for Digital Infrastructure (Rijksinspectie Digitale Infrastructuur, RDI) is the independent supervisory authority for all suppliers of authentication and authorisation services within the system. The RDI also assesses, during the admission process, whether providers meet the requirements for login methods. These requirements stem from the eIDAS Regulation and the provisions of the law.
Admission process for authentication and authorisation services
Step-by-step admission process
The accompanying step-by-step process is based on the requirements set out in the Wdo and the underlying legislation and regulations. It consists of the following phases:
Preparing the recognition application
Carrying out a number of tests is part of the recognition application. A test report must be submitted for each test. The following tests and their corresponding reports are required:
- Connection tests: These demonstrate that the applicant is technically capable of connecting to the Access Framework. The (final) ‘conformance’ test environment must be ready for these tests.
- Penetration test: (conducted by an independent testing company under the applicant’s responsibility) This shows that the applicant’s systems have been tested for vulnerabilities. The test must not be older than 12 months.
- Means assessment: (conducted by an independent party under the applicant’s responsibility) This demonstrates that the applicant’s authentication method and its management are of sufficient quality.
Submitting the recognition application
Authentication and authorisation services must submit a recognition application to the RDI. To do so, they provide the RDI with the reports from the aforementioned tests, along with other documents, as outlined in the relevant Ministerial Regulation. The RDI expects the recognition application to take at least 3 months to process. The RDI advises the Minister of the Interior and Kingdom Relations (BZK) on its recognition decision. If the Minister approves, the login method is admitted. The RDI will inform the applicant of the outcome.
Connecting
Once the recognition application is approved, the applicant has up to 3 months to connect to the system (production environment). This means the expected total processing time, from submitting the application to the RDI to the applicant becoming operational, is approximately 6 months.
Planning
The admission process for recognising private login methods is likely to be ready in 2026. From that point, businesses will be able to submit a request. The expectation is that a detailed description of the process will be available by the end of 2025.
More information (in Dutch) is available on Pleio’s Stelsel Toegang page.
