The Digital Government Act (Wet Digitale Overheid, or Wdo) ensures that Dutch citizens and businesses can log in safely and reliably when accessing services provided by (semi-)government organisations. To this end, citizens are provided with trustworthy electronic identification methods (eID), offering substantial or high-level assurance of a user’s identity.
These identification methods give public service providers more certainty about someone’s identity. Additionally, this act mandates open standards, achieved by implementing the European directive on the accessibility of government websites and apps in the Netherlands.
The first part of the Wdo concerns safe login to services at (semi-)government organisations and the application of standards, such as information security standards.
Framework law
The regulation is a so-called framework law, regulating general principles, responsibilities, and procedures, but not detailed rules. This allows for flexibility with new developments while ensuring that important values and certainties for citizens, such as user-friendliness, reliability, safety, privacy, and digital inclusion, are always safeguarded. The Wdo:
- Establishes tasks and responsibilities for safe access to the digital government.
- Imposes obligations on co-governments to connect safely and reliably, and to classify their services based on a level of reliability.
- Sets rules for funding.
- Provides certainties for citizens and businesses.
- Offers principles for information security and the processing of personal data.
For (semi-)government entities
This regulation covers safe login to services at (semi-)government institutions. The Wdo specifies which of these institutions will be subject to the new rules for access to their electronic services. These include:
- Administrative bodies as defined in the General Administrative Law Act (AWB), such as municipalities and implementing organisations and agencies (UWV, SVB, Tax and Customs Administration, DUO, RDW, etc.);
- Designated organisations such as the healthcare sector, educational institutions, and pension funds;
- The judiciary.
Implementation of the framework law
The implementation of the Wdo as a framework law takes place in lower-level legislation, such as general administrative orders (AMvB’s) and ministerial decrees. This allows space for innovation, different choices, and new facilities and functionalities.
This proposal enables public and private login methods for digital interactions with, for example, municipalities and healthcare institutions. Only methods checked by the government for safety and reliability are admitted for public use. Although this law does not regulate logging in to services of commercial or private entities such as online stores, citizens can also log in there with the approved private methods, which extends the benefit of safe login more widely.
Obligations for safety standards
Obligations regarding safety standards will come into effect on July 1. For instance, the HTTPS standard becomes legally mandatory for all publicly accessible government websites and web applications. This standard, also known as ‘the padlock’ in the URL address bar, ensures that the connection between the visitor’s browser and the government organisation’s website is well-secured. This prevents criminals from accessing private data or manipulating requested information.
In addition to HTTPS, government organisations must also use the HSTS standard, making sure that browsers connect directly via HTTPS after a first website visit. Furthermore, the HTTPS configuration must comply with the TLS guidelines and Web Application Guidelines of the National Cyber Security Centre (NCSC). See also the Frequently Asked Questions about the HTTPS and HSTS obligation for government websites (in Dutch).
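The two obligations above (HTTPS everywhere, plus HSTS so that browsers return over HTTPS) can be checked from a site's response headers. The following is an added example, not part of the original page or of any official tooling: the function names, the finding labels and the one-year `MIN_MAX_AGE` threshold are assumptions, and the sample responses are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed threshold (one year in seconds); the page itself sets no value.
MIN_MAX_AGE = 31536000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value using RFC 6797 directive syntax."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"[0-9]+", arg):
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def audit_site(host, http_resp, https_resp, min_max_age=MIN_MAX_AGE):
    """Return a list of findings; an empty list means both checks passed.
    Each response is {"status": int, "headers": {lowercase-name: value}}."""
    findings = []
    # 1. Plain HTTP must redirect to HTTPS on the same host.
    target = urlsplit(http_resp["headers"].get("location", ""))
    if (http_resp["status"] not in (301, 302, 307, 308)
            or target.scheme != "https" or target.hostname != host):
        findings.append("http-not-redirected-to-https")
    # 2. The HTTPS response must carry a usable HSTS policy.
    raw = https_resp["headers"].get("strict-transport-security")
    if raw is None:
        findings.append("hsts-missing")
        return findings
    max_age = parse_hsts(raw)["max_age"]
    if max_age is None:
        findings.append("hsts-invalid-max-age")
    elif max_age == 0:
        findings.append("hsts-disabled")  # max-age=0 tells browsers to drop the policy
    elif max_age < min_max_age:
        findings.append("hsts-max-age-below-threshold")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = ({"status": 301, "headers": {"location": "https://www.gemeente.example/"}},
        {"status": 200, "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"}})
WEAK = ({"status": 200, "headers": {}},
        {"status": 200, "headers": {"strict-transport-security": "max-age=300"}})

if __name__ == "__main__":
    for label, (http_resp, https_resp) in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_site("www.gemeente.example", http_resp, https_resp))
```

The HSTS header is read only from the HTTPS response because browsers ignore it when it arrives over plain HTTP.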
Digital accessibility
The Temporary Decree on Digital Accessibility of the Government has been converted into the Digital Government Act. Thus, from July 1, the Wdo became the legal basis for the Decree. With the enactment of the Wdo, nothing changes in the legal obligation: the word ‘Temporary’ is omitted, and the Decree on Digital Accessibility of the Government remains in force.
Outcome
After enactment:
- The mentioned (semi-)government organisations must classify their digital services according to the level of reliability.
- They have an acceptance obligation for admitted login methods.
- Their information security must be up to date and properly managed.
- They must financially contribute to login methods used by citizens.
The law aligns with European developments in digital government services and access to digital government services. The admitted public and private login methods must meet the European requirements for login methods (eIDAS Regulation).
Phased implementation
The Wdo will be implemented in phases. It will be applicable to an entity once it is technically and organisationally prepared to comply. The departments, public service providers, and Logius will jointly develop a plan containing a timeline. The timeline will specify when particular sections of the regulation will come into effect for each institution. Service providers are expected to complete their preparatory work for these sections of the law, as well as for the associated implementation regulations, in line with the established timeline. For more information, refer to the transitional provisions of the Digital Government Act.
The overall responsibility for managing the Generic Digital Infrastructure (GDI) and the eID provisions lies with the Minister of the Interior and Kingdom Relations (BZK).