
DigiD is not enough: Why companies in The Netherlands need to adopt digital identity
The Netherlands is one of the
Despite this digital maturity, there’s a glaring gap: Dutch citizens and residents still do not have access to a high-trust, reusable digital identity for most private sector services. DigiD is mostly limited to government interactions, leaving major businesses relying on outdated and insecure login methods like usernames and passwords.
Meanwhile, countries like Belgium, Estonia and Sweden have moved ahead, enabling secure and seamless customer identification and authentication across both public and private sectors. The result is stronger compliance, better user experience, lower fraud, and cleaner customer data.
As the EU moves towards a future of digital identity wallets and standardised trust services, secure digital identity platforms are becoming essential for companies to stay relevant and compliant. With tightening regulations, rising fraud, and growing customer expectations, the cost of inaction is rising, and Dutch companies that fail to modernise risk falling behind.
This blog explores why the private sector needs to seize the power of digital identity beyond DigiD, and highlights a few notable use cases from other countries.
1. DigiD is limited and not built for the private sector
When it comes to secure digital identity for online transactions, most Dutch consumers and businesses immediately think of DigiD. But DigiD only goes so far. Firstly, DigiD is mostly limited to public sector use, which means that private companies, apart from a few in the healthcare insurance sector, still can’t use it to verify customers or authenticate users.
More importantly, when benchmarked against modern digital identity platforms like itsme®, DigiD lags in several areas:
DigiD by default supports a Level of Assurance (LoA) of up to 'substantial,' which excludes LoA High and limits its use in high-assurance contexts such as sensitive healthcare, financial, or legal transactions.
DigiD is not a Qualified Trust Service Provider (QTSP). This also applies to Logius, the official digital government service in the Netherlands that is responsible for managing and developing nationwide ICT systems and standards.
DigiD does not support reusable digital identity in the private sector, and offers only limited use in the public sector (requiring an SMS-based one-time password for every login). In contrast, platforms like itsme® allow users to verify their identity once and then reuse it seamlessly across multiple services, enabling secure and convenient access without repeated verification steps.
DigiD doesn’t allow transaction confirmation or qualified e-signing (QES) capabilities.
DigiD excludes anyone without a BSN and Dutch ID from being able to digitally verify or authenticate their identity, effectively eliminating non-Dutch residents or cross-border use.
No secure data sharing features for streamlined onboarding, KYC/AML or compliance.
In other words, DigiD is not only off-limits to most private-sector use, but also lacks the flexibility and functionality of modern digital identity solutions. As fraud risks grow, onboarding becomes more complex, and compliance requirements tighten, Dutch businesses can no longer afford to treat digital identity as a government-only issue. It’s a strategic priority that they need to own.
2. Username/Password and OTPs are not secure
Legacy methods of authentication, such as username/password and One-Time-Passwords (OTPs) sent to mobile numbers or emails, have their security loopholes. These outdated methods expose both businesses and their users to increased risks of data breaches, phishing, and account takeovers (ATOs). For example:
Passwords can be reused, stolen, or guessed.
SMS codes can be intercepted, especially as SIM swapping fraud continues growing exponentially. In fact, major players like X and Microsoft are stepping away from using OTP altogether.
Email-based login flows often lack the necessary verification steps to ensure the person behind the screen is who they claim to be. This leaves companies susceptible to credential stuffing, a cyberattack where stolen login credentials are automatically tested across multiple sites to exploit password reuse.
Unfortunately, many companies in The Netherlands, including major utility and telecom providers, still rely on unverified email addresses or mobile numbers to let users access their accounts or approve high-trust transactions.
Moreover, phishing, a cyberattack method where criminals attempt to trick individuals into revealing personal, login, or financial information, is a significant and growing problem in the Netherlands. Telcos provider KPN said in 2023 that it blocked every week more than
The
Use case from the postal sector: Digital identity significantly boosts postal security and convenience. For instance,
3. Know your user: the first step to combating fraud
Relying on outdated methods for identifying and authenticating customers leaves companies wide open to fraud.
On the identification side, the lack of robust, verified digital identity means companies must rely on slow and manual KYC and AML processes to onboard clients. These are time-consuming, expensive, and increasingly unreliable as AI-generated fake documents and synthetic identities become harder to detect. Fraudsters can slip past manual checks and open accounts under false or duplicate identities, abusing services without the intention of paying or exploiting benefits and bonuses. Poor verification also allows for the creation of “Mickey Mouse” accounts, and enables users to abandon accounts without settling payments.
On the authentication side, weak methods like using username/password and one-time passcodes (OTPs) leave companies exposed to fraud. These credentials are easily phished, leaked, or intercepted, and offer no real identity assurance as they’re vulnerable to SIM swapping and malware. This is because those authentication methods are designed merely to confirm access to information, and not to verify a person’s identity. Once inside, attackers can steal funds, misuse services, or access sensitive data, leading to serious financial and reputational damage.
Meanwhile, in the Netherlands alone, over two-thirds of internet users (65%) reported receiving
Use case from the telecom sector: In Belgium, telecom providers recognised the strategic importance of digital identity years ago. Leading players Proximus, Telenet, and Orange joined forces with major banks to create itsme®, a digital identity tool now widely used for secure identification and authentication across sectors. Advanced digital identity platforms enable telecom companies to streamline onboarding and strengthen security while ensuring GDPR compliance. Integrated KYC capabilities accelerate both online and in-store registration, allowing for instant activation of services like eSIMs and mobile payments.
4. From GDPR to eIDAS 2.0: Insecure logins expose businesses to compliance risks
Usernames and passwords or OTPs sent via SMS or email to authenticate users fall short of what EU digital security laws demand.
Under the General Data Protection Regulation (GDPR), organisations must implement appropriate technical and organisational measures to safeguard personal data, ensure lawful processing, and demonstrate accountability. When login systems can't
Ensure that only the rightful individual can access or act on personal data;
maintain a consistent, accurate, and up-to-date user profile across services;
prove compliance during audits or breach investigations; and
detect and prevent identity-based fraud, such as synthetic identities or account takeovers.
Moreover, data minimisation, a core GDPR principle, is undermined when businesses collect and store excess data just to fill the gaps left by poor identity assurance. Instead of asking users to upload physical documents or repeatedly verify their details, digital identity solutions enable organisations to
Additionally, frameworks like eIDAS 2.0 are setting clearer, stricter standards for how digital identities should be issued, authenticated and used across borders. These initiatives aim to create a harmonised, high-trust infrastructure for both public and private sector transactions with strong requirements for user consent, identity proofing, auditability, and data minimisation.
In practical terms, this means that relying on simple password-based systems or unverified self-registrations
5. Legacy identification and authentication harm customer experience and UX
Digital identity has significant advantages when it comes to user experience. First and foremost, it eliminates the common frustration of forgotten usernames and passwords. Instead of having to reset credentials or contact customer support (often leading to delays and drop-offs), users can log in securely and instantly using a verified digital identity. Passwordless sign-in with integrated multi-factor authentication adds both convenience and security, typically requiring just a few clicks through a mobile app or biometric confirmation.
Looking earlier in the customer journey, digital identity platforms also dramatically improve onboarding. Instead of asking users to scan and upload documents, wait for manual checks, or complete lengthy registration forms, companies can verify a customer’s identity in minutes through automated and certified processes. This reduces friction, speeds up conversion, reduces dropout rate and improves overall satisfaction.
Use case from online gaming: Gaming platforms face challenges with user reactivation, as many dormant players cannot return due to forgotten credentials or outdated account recovery methods. While platforms invest significant resources into acquiring each new player,
Re-usable, digital identity platforms
6. Missed economic opportunity, innovation barrier and a fragmented data landscape
The lack of a widely adopted, high-trust digital identity solution in the Netherlands is holding back the digital transformation of many private-sector services. In sectors such as logistics, real estate, legal, healthcare, telcos, and finance, companies are still forced to rely on paper documents, in-person verification, handwritten signatures, and manual compliance checks. These analogue processes not only slow processes down but also increase operational costs and reduce scalability.
Without a secure, reusable digital identity framework, many high-value use cases such as instant contract signing, automated onboarding, instantaneous KYC/AML checks, or secure data sharing remain out of reach. This creates friction for both the customer and the company and limits opportunities for automation and innovation. It forces organisations to stick to outdated processes or spend significant resources developing solutions in silos.
The ecosystem of digital identity tools in the Netherlands remains fragmented. iDIN, for example, is limited to authentication through banks, but lacks capabilities like qualified digital signing, attribute sharing, or cross-border usability. eHerkenning is focused on business-to-government and business-to-business interactions, which doesn’t translate well to consumer contexts. This forces organisations to juggle niche integrations instead of benefiting from a single, secure identity layer.
“Industries and organisations in the Netherlands are attempting to fill the gaps in digital identity on their own, resulting in fragmented solutions that address only specific use cases or provide partial coverage,” explains Jimmy Dirksen, Account Executive at itsme®. “A fragmented identity ecosystem increases the risk of fraud and cyberattacks due to a lack of standardisation, leads to poor customer experiences due to the need to use multiple identity tools, and drives up costs due to limited scalability for each solution.”
Additionally, the absence of a unified digital identity solution in the Netherlands prevents companies from fully leveraging data insights. Fragmented and inconsistent user identification leads to siloed data, duplicate records, and incomplete profiles, making it difficult to build a clean, trusted database. A single customer may appear under multiple accounts with slight variations (e.g. name formats, email addresses), causing confusion in CRM systems and undermining personalisation, customer support, and fraud detection.
In a nutshell, this patchwork approach not only increases operational complexity and vendor lock-in, but also hinders innovation.
Conclusion: In a digital-first world, verified identity comes first
Taken together, the lack of a unified, high-trust digital identity solution is not just a technical inconvenience; it’s a source of significant financial leakage. Companies in The Netherlands are losing money on multiple fronts by not integrating a
Operational inefficiencies also compound the issue. Manual KYC checks involving multiple uploads, repeated identity verifications, and poor data hygiene caused by siloed systems and duplicate records drain valuable time and resources. Customer service departments spend countless hours helping users recover forgotten passwords, a process that frustrates users and drives up support costs.
Last but not least, in today’s market, users expect seamless, secure experiences, especially during sign-up, login, and verification. Competitors that offer smooth onboarding and secure digital identification with passwordless authentication are more likely to attract and retain users.
Solutions like DigiD fall short in meeting these expectations, especially in the private sector, where its limited reusability and lack of support for high-assurance identity hold businesses back from modernising their way of working and delivering frictionless experiences.