DigiD is not enough: Why companies in The Netherlands need to adopt digital identity

The Netherlands is one of the most digitised societies in Europe. Most payments are cashless, and government services are widely accessible online through the public digital identity system, DigiD. The country also consistently ranks among the world’s most innovative economies, ranking 8 out of 133 in the Global Innovation Index. 

Despite this digital maturity, there’s a glaring gap: Dutch citizens and residents still do not have access to a high-trust, reusable digital identity for most private sector services. DigiD is mostly limited to government interactions, leaving major businesses relying on outdated and insecure login methods like usernames and passwords. 

Meanwhile, countries like Belgium, Estonia and Sweden have moved ahead, enabling secure and seamless customer identification and authentication across both public and private sectors. The result is stronger compliance, better user experience, lower fraud, and cleaner customer data.  

As the EU moves towards a future of digital identity wallets and standardised trust services, secure digital identity platforms are becoming essential for companies to stay relevant and compliant. With tightening regulations, rising fraud, and growing customer expectations, the cost of inaction is rising, and Dutch companies that fail to modernise risk falling behind. 

This blog explores why the private sector needs to seize the power of digital identity beyond DigiD, and highlights a few notable use cases from other countries. 

When it comes to secure digital identity for online transactions, most Dutch consumers and businesses immediately think of DigiD. But DigiD only goes so far. Firstly, DigiD is mostly limited to the public sector use, which means that private companies apart from a few in the healthcare insurance sector still can’t benefit from it to verify customers or authenticate users. 

More importantly, when benchmarked against modern digital identity platforms like itsme^®, DigiD lags in several areas: 

• DigiD by default supports a Level of Assurance (LoA) of up to 'substantial,' which excludes LoA High and limits its use in high-assurance contexts such as sensitive healthcare, financial, or legal transactions.  

• DigiD in not a Qualified Trust Service Provider (QTSP). This also applies to Logius, the official digital government service in the Netherlands that is responsible for managing and developing nationwide ICT systems and standards. 

• DigiD does not support reusable digital identity in the private sector, and offers only limited use in the public sector (requiring an SMS-based one-time password for every login). In contrast, platforms like itsme^® allow users to verify their identity once and then reuse it seamlessly across multiple services, enabling secure and convenient access without repeated verification steps. 

• DigiD doesn’t allow transaction confirmation or qualified e-signing (QES) capabilities 

• DigiD excludes anyone without a BSN and Dutch ID from being able to digitally verify or authenticate their identity, effectively eliminating non-Dutch residents or cross-border use. 

• No secure data sharing features for streamlined onboarding, KYC/AML or compliance 

In other words, DigiD is not only off-limits to most private-sector use, but also lacks the flexibility and functionality of modern digital identity solutions. As fraud risks grow, onboarding becomes more complex, and compliance requirements tighten, Dutch businesses can no longer afford to treat digital identity as a government-only issue. It’s a strategic priority that they need to own.

Curious about the potential use cases of digital identity in your team?

Legacy methods of authentication, such as username/password and One-Time-Passwords (OTPs) sent to mobile numbers or emails, have their security loopholes. These outdated methods expose both businesses and their users to increased risks of data breaches, phishing, and account takeovers (ATOs). For example:   

• Passwords can be reused, stolen, or guessed.  

• SMS codes can be intercepted, especially as SIM swapping fraud continues growing exponentially. In fact, major players like X and Microsoft are stepping away from using OTP altogether.  

• Email-based login flows often lack the necessary verification steps to ensure the person behind the screen is who they claim to be. This leaves companies susceptible to credential stuffing, a cyberattack where stolen login credentials are automatically tested across multiple sites to exploit password reuse. 

Unfortunately, many companies in The Netherlands, including major utilities and telcos providers, still rely on unverified email addresses or mobile numbers to let users access their accounts or approve high-trust transactions. 

Moreover, phishing, a cyberattack method where criminals attempt to trick individuals into revealing personal, login, or financial information, is a significant and growing problem in the Netherlands. Telcos provider KPN said in 2023 that it blocked every week more than seven million phishing attempts targeting Dutch businesses. Despite this surge in phishing incidents, however, many small and medium-sized enterprises in the country still underestimate their risk and the likelihood of becoming victims of cybercrime.  

The Dutch Data Protection Authority recommends using multi-factor authentication to validate the identity of customers and combat security breaches like phishing. Companies can seamlessly integrate this in their way of working using a secure digital identity solution with built-in passwordless login capabilities. 

Use case from the postal sector: Digital identity significantly boosts postal security and convenience. For instance, bpost in Belgium uses digital ID platform itsme^® within its My bpost app to authenticate users who receive registered mail without a password. This ensures that only the intended recipient can access legally sensitive items. The result is a noticeable improvement in delivery success rates, reduced need for in-person post office visits, and seamless, legally binding identity validation on every transaction in the app.

Secure your business with Europe's leading digital identity platform

Relying on outdated methods for identifying and authenticating customers leaves companies wide open to fraud.  

On the identification side, the lack of robust, verified digital identity means companies must rely on slow and manual KYC and AML processes to onboard clients. These are time-consuming, expensive, and increasingly unreliable as AI-generated fake documents and synthetic identities become harder to detect. Fraudsters can slip past manual checks and open accounts under false or duplicate identities, abusing services without the intention of paying or exploiting benefits and bonuses. Poor verification also allows for the creation of “Mickey Mouse” accounts, and enables users to abandon accounts without settling payments.  

On the authentication side, weak methods like using username/password and one-time passcodes (OTPs) leave companies exposed to fraud. These credentials are easily phished, leaked, or intercepted, and offer no real identity assurance as they’re vulnerable to SIM swapping and malware. This is because those authentication methods are designed merely to confirm access to information, and not to verify a person’s identity. Once inside, attackers can steal funds, misuse services, or access sensitive data, leading to serious financial and reputational damage. 

Meanwhile, in the Netherlands alone, over two-thirds of internet users (65%) reported receiving phishing messages in 2023, and 1 in 10 people fell victim to online scams in the same year. Without strong digital identity solutions, companies face rising fraud losses, costly disputes, and growing non-compliance with regulations like GDPR and PSD2. 

Use case from the telecom sector: In Belgium, telecom providers recognised the strategic importance of digital identity years ago. Leading players Proximus, Telenet, and Orange joined forces with major banks to create itsme^®, a digital identity tool now widely used for secure identification and authentication across sectors. Advanced digital identity platforms enable telecom companies to streamline onboarding and strengthen security while ensuring GDPR compliance. Integrated KYC capabilities accelerate both online and in-store registration, allowing for instant activation of services like eSIMs and mobile payments.

Continue reading: How digital identity is powering telcos' shift to ecosystems

Usernames and passwords or OTPs sent via SMS or email to authenticate users fall short of what EU digital security laws demand. 

Under the General Data Protection Regulation (GDPR), organisations must implement appropriate technical and organisational measures to safeguard personal data, ensure lawful processing, and demonstrate accountability. When login systems can't reliably confirm a user’s identity, track consent, or offer an auditable trail of actions, these obligations become difficult , if not impossible, to meet. In other words, without a secure and verifiable digital identity layer, organisations struggle to: 

• Ensure that only the rightful individual can access or act on personal data;

• maintain a consistent, accurate, and up-to-date user profile across services;

• prove compliance during audits or breach investigations; and

• detect and prevent identity-based fraud, such as synthetic identities or account takeovers. 

Moreover, data minimisation, a core GDPR principle, is undermined when businesses collect and store excess data just to fill the gaps left by poor identity assurance. Instead of asking users to upload physical documents or repeatedly verify their details, digital identity solutions enable organisations to verify once, use securely, and share only the data necessary for the transaction. 

Additionally, frameworks like eIDAS 2.0 are setting clearer, stricter standards for how digital identities should be issued, authenticated and used across borders. These initiatives aim to create a harmonised, high-trust infrastructure for both public and private sector transactions with strong requirements for user consent, identity proofing, auditability, and data minimisation. 

In practical terms, this means that relying on simple password-based systems or unverified self-registrations will no longer be sufficient, as businesses will soon be expected to accept, or even integrate with, notified eID solutions that meet high levels of assurance (such as “substantial” or “high” under eIDAS). This particularly applies for sectors dealing with sensitive personal data or regulated transactions.

Ensure compliance with future-ready digital identity tools

Digital identity has significant advantages when it comes to user experience. First and foremost, it eliminates the common frustration of forgotten usernames and passwords. Instead of having to reset credentials or contact customer support (often leading to delays and drop-offs), users can log in securely and instantly using a verified digital identity. Passwordless sign-in with integrated multi-factor authentication adds both convenience and security, typically requiring just a few clicks through a mobile app or biometric confirmation. 

Looking earlier in the customer journey, digital identity platforms also dramatically improve onboarding. Instead of asking users to scan and upload documents, wait for manual checks, or complete lengthy registration forms, companies can verify a customer’s identity in minutes through automated and certified processes. This reduces friction, speeds up conversion, reduces dropout rate and improves overall satisfaction.

Use case from online gaming: Gaming platforms face challenges with user reactivation, as many dormant players cannot return due to forgotten credentials or outdated account recovery methods. While platforms invest significant resources into acquiring each new player, around 70% of these players abandon their accounts within 6 to 12 months. Complicated or frustrating login processes can contribute to this abandonment, resulting in lost revenue and an underutilised player base, despite the initial investment.  

Re-usable, digital identity platforms streamline the login experience on gaming platforms by eliminating the need for users to remember complex passwords and enabling seamless, passwordless authentication. Most importantly, by automating identity verification, customers can enjoy immediate payouts without delays. This is why major gaming and gambling players in Belgium trust itsme^® to onboard their clients, sign them in, and authenticate them for instant payouts. 

Read further: Bingoal transforms UX and strengthens compliance with itsme^®

The lack of a widely adopted, high-trust digital identity solution in the Netherlands is holding back the digital transformation of many private-sector services. In sectors such as logistics, real estate, legal, healthcare, telcos, and finance, companies are still forced to rely on paper documents, in-person verification, handwritten signatures, and manual compliance checks. These analogue processes not only slow processes down but also increase operational costs and reduce scalability. 

Without a secure, reusable digital identity framework, many high-value use cases such as instant contract signing, automated onboarding, instantaneous KYC/AML checks, or secure data sharing remain out of reach. This creates friction both for the customer and the company and limits opportunities for automation and innovation. It forces organisations to stick to outdated processes or spend many resources to develop solutions in siloes.  

The ecosystem of digital identity tools in the Netherlands remains fragmented. iDIN, for example, is limited to authentication through banks, but lacks capabilities like qualified digital signing, attribute sharing, or cross-border usability. eHerkenning is focused on business-to-government and business-to-business interactions, which doesn’t translate well to consumer contexts. This forces organisations to juggle niche integrations instead of benefiting from a single, secure identity layer. 

“Industries and organisations in the Netherlands are attempting to fill the gaps in digital identity on their own, resulting in fragmented solutions that address only specific use cases or provide partial coverage,” explains Jimmy Dirksen, Account Executive at itsme^®. “A fragmented identity ecosystem increases the risk of fraud and cyberattacks due to a lack of standardisation, leads to poor customer experiences due to the need to use multiple identity tools, and drives up costs due to limited scalability for each solution.” 

Additionally, the absence of a unified digital identity solution in the Netherlands prevents companies from fully leveraging data insights. Fragmented and inconsistent user identification leads to siloed data, duplicate records, and incomplete profiles making it difficult to build a clean, trusted database. A single customer may appear under multiple accounts with slight variations (e.g. name formats, email addresses), causing confusion in CRM systems and undermining personalisation, customer support, and fraud detection. 

In a nutshell, this patchwork approach not only increases operational complexity and vendor lock-in, but also hinders innovation.

Taken together, the lack of a unified, high-trust digital identity solution is not just a technical inconvenience it’s a source of significant financial leakage. Companies in The Netherlands are losing money on multiple fronts by not integrating a verified digital identity platform into their operations. Fraud from phishing, account takeovers, identity theft, and duplicate or fake (“Mickey Mouse”) accounts leads to direct financial theft, reputational damage, and regulatory penalties. Criminals can steal login credentials to hijack accounts and make unauthorised transactions or exploit refund and promotional systems. 

Operational inefficiencies also compound the issue. Manual KYC checks involving multiple uploads, repeated identity verifications, and poor data hygiene caused by siloed systems and duplicate records drain valuable time and resources. Customer service departments spend countless hours helping users recover forgotten passwords, a process that frustrates users and drives up support costs.  

Last but not least, in today’s market, users expect seamless, secure experiences, especially during sign-up, login, and verification. Competitors that offer smooth onboarding and secure digital identification with passwordless authentication are more likely to attract and retain users.

Solutions like DigiD fall short in meeting these expectations, especially in the private sector, where its limited reusability and lack of support for high-assurance identity hold businesses back from modernising their way of working and delivering frictionless experiences.

Request a consultation with a digital identity expert