DigiD is not enough: Why companies in The Netherlands need to adopt digital identity

The Netherlands is one of the most digitised societies in Europe. Most payments are cashless, and government services are widely accessible online through the public digital identity system, DigiD. The country also consistently ranks among the world’s most innovative economies, ranking 8 out of 133 in the Global Innovation Index. 

Despite this digital maturity, there’s a glaring gap: Dutch citizens and residents still do not have access to a high-trust, reusable digital identity for most private sector services. DigiD is mostly limited to government interactions, leaving major businesses relying on outdated and insecure login methods like usernames and passwords. 

Meanwhile, countries like Estonia, Belgium and Sweden have moved ahead, enabling secure and seamless customer identification and authentication across both public and private sectors. The result is stronger compliance, better user experience, lower fraud, and cleaner customer data.  

As the EU moves towards a future of digital identity wallets and standardised trust services, secure digital identity platforms are becoming essential for companies to stay compliant. With tightening regulations, rising fraud, and growing customer expectations, the cost of inaction is rising, and Dutch companies that fail to modernise risk falling behind. 

This blog explores why the private sector in The Netherlands needs to seize the power of digital identity beyond DigiD, and highlights a few notable use cases from other countries. 

When it comes to secure digital identity for online transactions, most Dutch consumers and businesses immediately think of DigiD. But DigiD only goes so far. Firstly, DigiD is mostly limited to public sector use, which means that private companies apart from a few in the healthcare insurance sector still can’t benefit from it to verify customers or authenticate users. 

More importantly, when benchmarked against modern digital identity platforms like itsme^®, DigiD lags in several areas: 

• DigiD by default supports a Level of Assurance (LoA) of up to 'substantial,' which excludes LoA 'High' and limits its use in high-assurance contexts such as sensitive healthcare, financial, or legal transactions.  

• DigiD is not a Qualified Trust Service Provider (QTSP). This also applies to Logius, the official digital government service in The Netherlands that is responsible for managing and developing nationwide ICT systems and standards. 

• DigiD does not support reusable digital identity in the private sector, and offers only limited use in the public sector (requiring an SMS-based one-time password for every login). In contrast, platforms like itsme^® allow users to verify their identity once and then reuse it seamlessly across multiple services, enabling secure and convenient access without repeated verification steps. 

• DigiD doesn’t allow transaction confirmation or qualified e-signing (QES) capabilities. 

• DigiD excludes anyone without a BSN and Dutch ID from being able to digitally verify or authenticate their identity. This effectvely eliminates cross-border applications. 

• DigiD doesn't enable secure data sharing features for streamlined onboarding, KYC/AML or compliance.

In other words, DigiD is not only off-limits to most private-sector use, but also lacks the flexibility and functionality of modern digital identity solutions. As fraud risks grow, onboarding becomes more complex, and compliance requirements tighten, Dutch businesses can no longer afford to treat digital identity as a government-only issue. It’s a strategic priority that they need to own.

Curious about the potential use cases of digital identity in your team?

Legacy methods of authentication, such as username/password and One-Time-Passwords (OTPs) sent to mobile numbers or emails, have their security loopholes. These outdated methods expose both businesses and their users to increased risks of data breaches, phishing, and account takeovers (ATOs). For example:   

• Passwords can be reused, stolen, or guessed.  

• SMS codes can be intercepted, especially as SIM swapping fraud continues growing exponentially. In fact, major players like X and Microsoft are stepping away from using OTP altogether.  

• Email-based login flows often lack the necessary verification steps to ensure the person behind the screen is who they claim to be. This leaves companies susceptible to credential stuffing, a cyberattack where stolen login credentials are automatically tested across multiple sites to exploit password reuse. 

Moreover, phishing, a cyberattack method where criminals attempt to trick individuals into revealing personal, login, or financial information, is a significant and growing problem in The Netherlands. Telcos provider KPN said in 2023 that it blocked every week more than seven million phishing attempts targeting Dutch businesses.

Unfortunately, many companies in The Netherlands still underestimate their risk and the likelihood of becoming victims of cybercrime, and rely on unverified email addresses or mobile numbers to let users access their accounts or approve high-trust transactions. 

The Dutch Data Protection Authority recommends using multi-factor authentication to validate the identity of customers and combat security breaches like phishing. Companies can seamlessly integrate this in their way of working using a secure digital identity solution. 

Use case from the postal sector: Digital identity significantly boosts postal security and convenience. For instance, bpost in Belgium uses digital ID platform itsme^® within its My bpost app to authenticate users who receive registered mail without a password. This ensures that only the intended recipient can access legally sensitive items. The result is a noticeable improvement in delivery success rates, reduced need for in-person post office visits, and seamless, legally binding identity validation on every transaction in the app.

Secure your business with Europe's leading digital identity platform

Relying on outdated methods for identifying and authenticating customers leaves companies wide open to fraud.  

On the identification side, the lack of robust, verified digital identity means that companies must rely on slow and manual KYC and AML processes to onboard clients. These are time-consuming, expensive, and increasingly unreliable as AI-generated fake documents and synthetic identities become harder to detect. Fraudsters can slip past manual checks and open accounts under false (e.g. "Mickey Mouse”) or duplicate identities. They abuse services without the intention of paying or exploit benefits and bonuses, abandoning the accounts without settling payments.  

On the authentication side, weak methods like using username/password and one-time passcodes (OTPs) leave companies exposed to fraud. These credentials are easily phished, leaked, or intercepted, and offer no real identity assurance as they’re vulnerable to SIM swapping and malware. This is because those authentication methods are designed merely to confirm access to information, and not to verify a person’s identity. Once inside, attackers can steal funds, misuse services, or access sensitive data, leading to serious financial losses and reputational damage. 

In The Netherlands alone, over two-thirds of internet users (65%) reported receiving phishing messages in 2023, and 1 in 10 people fell victim to online scams in the same year. Without strong digital identity solutions, companies face rising fraud losses, costly disputes, and growing non-compliance with regulations like GDPR and PSD2. 

Use case from the telecom sector: In Belgium, telecom providers recognised the strategic importance of digital identity years ago. Leading players Proximus, Telenet, and Orange joined forces with major banks to create itsme^®, a digital identity tool now widely used for secure identification and authentication across sectors. Advanced digital identity platforms enable telecom companies to streamline onboarding and strengthen security while ensuring GDPR compliance. Integrated KYC capabilities accelerate both online and in-store registration, allowing instant activation of services like eSIMs and mobile payments.

Continue reading: How digital identity is powering telcos' shift to ecosystems

Usernames and passwords or OTPs sent via SMS or email to authenticate users fall short of what EU digital security laws demand. 

Under the General Data Protection Regulation (GDPR), organisations must implement appropriate technical and organisational measures to safeguard personal data, ensure lawful processing, and demonstrate accountability. When login systems can't reliably confirm a user’s identity, track consent, or offer an auditable trail of actions, these obligations become difficult, if not impossible, to meet.

In other words, without a secure and verifiable digital identity layer, organisations struggle to: 

• Ensure that only the rightful individual can access or act on personal data;

• maintain a consistent, accurate, and up-to-date user profile across services;

• prove compliance during audits or breach investigations; and

• detect and prevent identity-based fraud, such as synthetic identities or account takeovers. 

Moreover, data minimisation, a core GDPR principle, is undermined when businesses collect and store excess data just to fill the gaps left by poor identity assurance. Instead of asking users to upload physical documents or repeatedly verify their details, digital identity solutions enable them to verify their identities once, use securely, and share necessary data only. 

Additionally, frameworks like eIDAS 2.0 are setting clearer, stricter standards for how digital identities should be issued, authenticated and used across borders. These initiatives aim to create a harmonised, high-trust infrastructure for both public and private sector transactions in the EU, with strong requirements for user consent, identity proofing, auditability, and data minimisation. 

eIDAS 2.0 makes relying on simple password-based systems or unverified self-registrations no longer sufficient, as businesses will soon be expected to accept, or even integrate with, eID solutions that meet high levels of assurance (such as “substantial” or “high” under eIDAS). As discussed above, DigiD doesn't currently meet this level of assurance.

Ensure compliance with future-ready digital identity tools

Digital identity has significant advantages when it comes to user experience:

• Forgotten credentials that create friction: First and foremost, digital ID eliminates the common frustration of forgotten usernames and passwords. Instead of having to reset credentials or contact customer support (often leading to delays and drop-offs), users can log in securely and instantly using a verified digital identity. Passwordless sign-in with integrated multi-factor authentication adds both convenience and security, typically requiring just a few clicks through a mobile app or biometric confirmation. 

• Clunky onboarding and lengthy KYC: Looking earlier in the customer journey, digital identity platforms also dramatically improve onboarding. Instead of asking users to scan and upload documents, wait for manual checks, or complete lengthy registration forms, companies can verify a customer’s identity in minutes through automated and certified processes. This reduces friction, speeds up conversion, reduces dropout rate and improves overall satisfaction.

Use case from online gaming: Gaming platforms face challenges with user reactivation, as many dormant players cannot return due to forgotten credentials or outdated account recovery methods. While platforms invest significant resources into acquiring each new player, around 70% of these players abandon their accounts within 6 to 12 months. Complicated or frustrating login processes can contribute to this abandonment, resulting in lost revenue and an underutilised player base.  

Re-usable, digital identity platforms streamline the login experience on gaming platforms by eliminating the need for users to remember complex passwords with seamless, passwordless authentication. Most importantly, by automating identity verification, customers can enjoy immediate payouts without delays. This is why major gaming and gambling players in Belgium trust itsme^® to onboard their clients, sign them in, and authenticate them for instant payouts. 

Read further: Bingoal transforms UX and strengthens compliance with itsme^®

• Analogue and manual processes: The lack of a widely adopted, high-trust digital identity solution in The Netherlands is holding back the digital transformation of many private-sector services. In sectors such as logistics, real estate, legal, healthcare, telcos, and finance, companies are still forced to rely on paper documents, in-person verification, handwritten signatures, and manual compliance checks. These analogue processes not only slow processes down but also increase operational costs and reduce scalability. 

• Restricted digitisation and automation: Without a secure, reusable digital identity framework, many high-value use cases remain out of reach. This includes instant contract signing, automated onboarding, instantaneous KYC/AML checks or secure data sharing. This limits opportunities for automation and innovation, forcing organisations to stick to outdated processes or to spend many resources to develop solutions in siloes.

• Fragmented identity landscape: The ecosystem of digital identity tools in The Netherlands remains fragmented. iDIN, for example, is limited to authentication through banks, but lacks capabilities like qualified digital signing, attribute sharing, or cross-border usability. eHerkenning is focused on business-to-government and business-to-business interactions, which doesn’t translate well to consumer contexts. This forces organisations to juggle niche integrations instead of benefiting from a single, secure identity layer. 

“Industries and organisations in The Netherlands are attempting to fill the gaps in digital identity on their own, resulting in fragmented solutions that address only specific use cases or provide partial coverage,” explains Jimmy Dirksen, Account Executive at itsme^®. “A fragmented identity ecosystem increases the risk of fraud and cyberattacks due to a lack of standardisation, leads to poor customer experiences due to the need to use multiple identity tools, and drives up costs due to limited scalability for each solution.” 

• Undermining insight generation: Additionally, the absence of a unified digital identity solution for Dutch companies prevents fully leveraging data insights. Fragmented and inconsistent user identification leads to siloed data, duplicate records, and incomplete profiles, making it difficult to build a clean, trusted database. A single customer may appear under multiple accounts with slight variations (e.g. name formats, email addresses), causing confusion in CRM systems and undermining personalisation, customer support, and fraud detection. 

In a nutshell, this patchwork approach not only increases operational complexity and vendor lock-in, but also hinders innovation.

The lack of a unified, high-trust digital identity solution is not just a technical inconvenience, but a source of significant financial leakage. Companies in The Netherlands lose money on multiple fronts by not integrating a verified digital identity platform into their operations. Fraud from phishing, account takeovers, identity theft, and duplicate or fake (“Mickey Mouse”) accounts leads to direct financial theft, reputational damage, and regulatory penalties. Criminals can steal login credentials to hijack accounts and make unauthorised transactions or exploit refund and promotional systems. 

Operational inefficiencies also compound the issue. Manual KYC checks drain valuable time and resources, as they involve multiple uploads, repeated identity verifications, and poor data hygiene caused by siloed systems and duplicate records.  

Last but not least, in today’s market, users expect seamless, secure experiences, especially during sign-up and login. Relying on usernames and passwords for authentication creates friction that challenges user retention and loyalty, and costs customer service departments long hours to help users recover forgotten passwords. Naturally, competitors that offer smooth onboarding that can be completed in minutes, combined with passwordless authentication, are more likely to attract and retain users.

Solutions like DigiD fall short in meeting all these expectations. This especially applies in the private sector, where its limited reusability and lack of support for high-assurance identity hold businesses back from modernising and delivering frictionless experiences.

Request a consultation with a digital identity expert