DigiD audit

Our organization consists of an enthusiastic team of IT auditors (REs) registered with NOREA. An RE auditor from 2-Control can check whether your digital counter meets the standards required for a DigiD audit. Our auditors have very extensive experience in conducting security assessments and annually perform the DigiD ICT security assessment for many different municipalities, other (semi-)governmental institutions and service organizations.

We offer suppliers (service organizations) the opportunity to obtain a TPM statement. With a Third Party Memorandum, you as a supplier save on your customers' audit costs because then you do not have to perform the same audit for every customer who uses the same web application or web environment.

DigiD approach 2-Control

  1. Support with self-assessment (pre-audit)
    By first verifying the extent to which your systems comply, you will gain insight into measures that you must take in any case. We can perform this pre-audit for you. Our IT auditors map out the extent to which your organization meets certain standards. The outcome of the pre-audit gives a clear picture of the measures you need to take to comply with the applicable DigiD standards. This prevents unnecessary findings from the penetration test and audit, which saves on investment.

  2. Take action
    Following the pre-audit, implement the necessary measures yourself to better protect your systems from outside hacking.

  3. Perform Penetration Test (Pentest)
    If you perform in-house hosting or software development, you must have a penetration test (ethical hacking test) performed on your web environment for your DigiD connection as part of the requirements. This test checks your information systems for vulnerabilities, and you will receive a report with findings. We recommend using Dong-IT for this purpose. View the different offers for penetration testing here.

    Take measures yourself to follow up and resolve the findings from the pen test. If the pen test shows that high risks are present in your environment, these should be resolved prior to the audit.

  4. Perform audit
    Once the previous stages are completed, the final DigiD audit is performed. The audit is performed by one of our RE auditors.
    The reporting uses a prescribed, standardized report. This format has been created in consultation with the professional group of auditors (NOREA). The report contains an overview of the actual findings per measure. For each measure, our RE auditors indicate whether it complies.

  5. Send findings to Logius
    The last step is to send the report on the DigiD ICT security assessment to Logius. The report must be signed by one of our RE auditors.

Our experience has shown that having an ICT security assessment carried out is often more involved than people thought beforehand. We therefore advise you to schedule a pre-audit in time to avoid any problems. Go for a personal and pragmatic approach and choose DigiD audit support from our IT auditors registered with NOREA (the professional organization of IT auditors in the Netherlands).

DigiD and ENSIA

Since July 2017, the accountability process has changed for municipalities regarding DigiD. Municipalities now use the ENSIA accountability methodology. The main objective is to ease the audit burden of municipalities and to enable municipalities to hold themselves accountable for information security. Our RE auditors can also help you conduct the ENSIA audit.

Curious about our support for ENSIA, Suwinet or the BIO? Check out the pages on our website.


+31 (0) 76-5019470
