Digital Government Act (Wdo)

The Digital Government Act (Wet digitale overheid, Wdo) ensures that Dutch citizens and entrepreneurs can safely and reliably log in to (semi-)government services. But what exactly does this entail, and what’s changing? Below is a summary of the key points.

1. What does the Wdo do?
2. Which organisations are affected by the Wdo?
3. What’s changing?
4. What is already in effect, and what is still pending?
5. What kind of law is the Wdo?
6. Who oversees compliance?
7. What does the Wdo mean for public service providers?

1. What does the Wdo do?

The Wdo allows citizens and entrepreneurs to use recognised login methods to access various government services, in addition to DigiD or eHerkenning. This provides users greater flexibility in their login options. By connecting to the Access Framework (Stelsel Toegang), government organisations gain easy access to all recognised login methods, along with authorisation and representation capabilities, all with high reliability. More information is available on the Access Framework page (Dutch).

The Wdo introduces electronic identification (eID) tools with high reliability, giving public service providers greater certainty about a user’s identity. Additionally, the law mandates open standards, aligning with the EU directive on the accessibility of government websites and applications. The Temporary Decree on Digital Accessibility for Government has been incorporated into the Wdo.

The law also aligns with European developments in digital government services and login methods. All permitted public and private login tools must comply with EU eIDAS requirements. Learn more about Electronic Identification and Trust Services (eIDAS) on our dedicated page.

2. Which organisations are affected by the Wdo?

The Wdo specifies which organisations must comply with the new rules for accessing their electronic services, including:

• Administrative bodies under the General Administrative Law Act (Awb), such as municipalities and executive agencies (e.g., UWV, the Dutch Tax and Customs Administration, and DUO).
• Designated organisations, such as the healthcare sector, educational institutions, and pension funds.
• The judiciary.

3. What’s changing?

With the Wdo now in effect:

• The listed (semi-)government organisations must classify their digital services by reliability level.
• They have an obligation to accept approved login methods.
• They must ensure their information security is in order.
• They are required to share the expenses faced by citizens when using login methods.

The Access Framework makes it easier for service providers to connect to all recognised login methods.

4. What is already in effect, and what is still pending?

The Wdo has been phased in since 1 July 2023. Since then, new rules have been in place to classify digital services at the appropriate reliability level.

Government organisations are also required to use recognised open standards. For example, HTTPS is now legally mandatory for publicly accessible government websites and web applications. This standard, the ‘padlock’ in the URL bar, ensures a secure connection between the user’s browser and the government website, preventing criminals from intercepting private data or manipulating the information requested.

In addition to HTTPS, government organisations must implement the HSTS standard, which ensures that browsers automatically use HTTPS on subsequent visits. The HTTPS configuration must also comply with the National Cyber Security Centre’s (NCSC) TLS guidelines and Web Application Guidelines.

Since 1 July 2023, government websites and applications must also comply with the legal requirements for digital accessibility (WCAG 2.1). Government organisations must publish an accessibility statement.

The following aspects are still under development or subject to transitional arrangements:

• The Wdo requires that many government digital services be offered at least at a substantial level of reliability. The transition period, during which governments could offer online services at a lower level of reliability, has been extended by 3 years to 1 July 2028. This provides extra time to make higher login levels (substantial and high) more widely available. Read the news article on extended lower-level logins.
• Admission of private login methods: While the Wdo provides the legal basis, the actual use of such methods is not yet permitted. Further lower-level regulations need to be developed, such as general administrative orders (AMvB’s), and the recognition process for providers must be established. This includes assessing private providers on reliability and security.
• Full compliance with accessibility requirements: Although the obligation already applies, only 49% of government websites and applications met the requirements by the end of 2024.

5. What kind of law is the Wdo?

The Wdo is a framework law. This means it sets out general principles, responsibilities, and procedures, but does not include detailed rules. This allows for flexibility in adapting to new developments while safeguarding core values and guarantees, such as user-friendliness, reliability, security, privacy, and digital inclusion.

6. Who oversees compliance?

The Rijksinspectie Digitale Infrastructuur (RDI, Dutch Digital Infrastructure Inspectorate) is the designated supervisor for authentication and authorisation services. The RDI monitors compliance with the requirements set out in the Wdo and its underlying regulations. Logius oversees information security compliance.

7. What does the Wdo mean for public service providers?

If you are a public service provider and want to know what the Wdo means for you, we’ve compiled answers to key legal and policy questions on our FAQ page on the Wdo’s implementation for public service providers (Dutch).

For more information about the Wdo and the Access Framework, visit the Pleio environment of the Access Framework Programme (Dutch).