DigiD outage knocks Dutch users offline

DDoS attack suspends national login used by government and health insurers; centralised identity turns availability into a single point of failure

DigiD is used to access government and social services. Photo: Ifeelstock via Depositphotos.com

DigiD, the Netherlands’ national login system for government and affiliated services, was taken offline for around two hours on Monday after a denial-of-service attack. DutchNews.nl reports that users were unable to log in from about 11am, with service gradually returning from around 1pm; outage reports also mentioned problems receiving the SMS codes used for two-factor authentication.

The incident matters less for its technical novelty than for what DigiD has become: a default identity API for daily life. DigiD is used not only for central government portals but also for access to services that sit at the edge of the state—health insurers and other “personal services” cited in the report. When one authentication gateway is treated as the front door to everything, availability stops being a convenience metric and starts looking like a civil contingency issue. A two-hour outage is tolerable when it blocks a single website; it is a different proposition when it blocks tax filings, benefit administration, municipal workflows, and any private service that has decided DigiD is the cheapest way to outsource identity.

This is the classic trade-off of centralisation. A single login reduces duplication and support costs, and it makes compliance easier for agencies that would rather not run authentication themselves. But it also creates a single point of failure that attackers can probe cheaply and repeatedly. DutchNews.nl notes this is at least the second DDoS incident in four months, suggesting the system is already being treated as a predictable choke point.

Private platforms that depend on logins at scale typically design for partial failure: multiple authentication methods, backup identity providers, and “offline” fallbacks that let critical tasks proceed when the identity layer is degraded. Governments rarely build those escape hatches with the same urgency, partly because the costs are dispersed. When DigiD is down, the immediate pain is borne by citizens stuck outside their accounts and by organisations whose customer support lines fill up—costs that do not always show up as a budget line item for the operator.

The outage also lands amid a separate political dispute about who controls the infrastructure behind DigiD. MPs have raised concerns about the takeover of Solvinity, the cloud company that manages DigiD, by US-based Kyndryl. DutchNews.nl notes that critics point to the US Cloud Act, under which US-based providers can be compelled to hand over data even if it is stored in Europe. The fear expressed in parliament is not only about confidentiality, but also about leverage: if critical digital government runs through a vendor chain subject to foreign jurisdiction, operational risk becomes entangled with geopolitics.

On Monday, the immediate problem was simpler: a login system that millions treat as essential could not be reached.

DigiD came back online around 1pm. The dependency graph it sits at the centre of did not change.