DigiD: The Netherlands Digital Identity System and EUDI Wallet Integration

DigiD (Digitale Identiteit, "Digital Identity" in Dutch) is the Netherlands' national digital authentication system, managed by Logius, a division of the Dutch Ministry of the Interior and Kingdom Relations. Operational since 2003, DigiD enables over 13 million Dutch residents to securely log in to more than 900 government organizations, healthcare providers, pension funds, and other public service providers. As one of Europe's most widely adopted national eID systems, DigiD plays a important role in the Dutch implementation of the EUDI Wallet as the primary identity verification pathway for wallet activation and PID issuance.

DigiD has evolved from a simple username/password system to a multi-level authentication platform supporting various assurance levels:

• •DigiD Basis (Basic): Username and password authentication. Suitable for low-risk services like viewing non-sensitive government information. Maps to eIDAS "low" assurance level.
• •DigiD app with SMS: Two-factor authentication using the DigiD mobile app plus SMS verification. Provides the "Midden" (mid) level, still mapping to eIDAS low-to-substantial depending on the service.
• •DigiD app with ID-check: The DigiD app reads the NFC chip in the user's Dutch identity card or passport, performing on-device identity document verification. This achieves the "Substantieel" (substantial) eIDAS assurance level and is the minimum required for EUDI Wallet activation.
• •DigiD Hoog (High): Uses the identity document chip with additional verification steps, achieving the eIDAS "high" assurance level. Required for the most sensitive operations including qualified electronic signatures.

The Netherlands is developing its EUDI Wallet implementation, known as the NL-wallet, as part of the EU-wide Large Scale Pilot programs. DigiD serves as the bridge between the existing Dutch digital identity infrastructure and the new EUDI ecosystem:

Wallet activation flow: When a Dutch citizen downloads the NL-wallet app, the activation process requires them to authenticate via DigiD at the substantial or high assurance level. This proves their identity to the Dutch government's PID provider (RvIG). After successful authentication, the government issues a Person Identification Data (PID) credential containing the citizen's core identity attributes (name, date of birth, nationality) and binds it to the wallet's device keys.

Credential issuance: Beyond the PID, Dutch government agencies use DigiD as the authentication step before issuing additional credentials to the wallet. For example, the RDW (vehicle authority) may require DigiD authentication before issuing a mobile driving license credential, and DUO (education authority) before issuing diploma credentials.

Fallback authentication: For services that have not yet integrated with the EUDI Wallet, DigiD continues to serve as the primary authentication mechanism, ensuring continuity during the transition period. Users are not forced to switch to wallet-based authentication before the ecosystem is ready.

DigiD's two decades of operation provide valuable lessons for EUDI Wallet deployment across Europe. Its phased rollout -- starting with simple username/password and progressively adding stronger authentication methods -- demonstrates that digital identity adoption works best when it meets users where they are and gradually increases security requirements. The Dutch experience also shows the importance of wide relying party adoption: DigiD succeeded because virtually all Dutch government services accepted it.

DigiD also illustrates the challenges. With over 13 million users, it has been a target for phishing attacks, leading to continuous investment in anti-phishing measures, user education, and stronger authentication methods. These security lessons directly inform the EUDI Wallet's approach to verifier authentication, consent transparency, and phishing-resistant presentation protocols. The EUDI Wallet builds on DigiD's foundation while addressing its limitations through device binding, selective disclosure, and cross-border interoperability that DigiD alone cannot provide.