By Mikkel Hald, 29/06/26
WAYF kicked off this year’s audit season on 19 May with the annual accredited NSIS audit. Then, on 16 June, DNV carried out its annual surveillance audit of WAYF and the Danish Research Network against ISO/IEC 27001 – just as last year, without identifying any non-conformities or issuing any observations.
The ISO certification covers several of the Danish Research Network’s core services: in addition to WAYF, the network itself, the hosting service, DKCERT, and, from this year onwards, also the ScienceData storage service for research data.
Digital sovereignty as this year’s audit theme
Alongside the regular certification follow-up, DNV selected digital sovereignty as this year’s special theme. The auditor assessed the organisation using a dedicated maturity model, in which the Danish Research Network achieved the highest possible score: 5 out of 5.
Digital sovereignty is often associated with reducing dependence on large international – particularly American – technology providers. That perspective naturally plays a prominent role in current discussions. However, digital sovereignty is also about something more fundamental: maintaining control over critical functions and preserving the technological freedom to choose and replace solutions as requirements evolve.
Long-standing principles
Many of the characteristics now associated with digital sovereignty have for many years been an integral part of the Danish Research Network’s and WAYF’s modus operandi.
For WAYF, this is reflected both in its infrastructure and in its architecture. The service is operated on infrastructure located in Denmark, using its own hardware security modules (HSMs) and geo-redundant servers, while the federation software itself is open source and developed specifically for the research and education sector.
At the same time, WAYF is an identity federation – not a centralised login system. WAYF centralises trust, not control. Each institution retains control of its own identity infrastructure and can change its identity solution without having to modify its integrations with the many shared services. This reduces vendor lock-in and gives institutions greater technological freedom.
The shared trust infrastructure is built on open standards developed internationally by the research and education community. The result is a system that supports the core activities of universities and other sector institutions, rather than merely the administrative workflows of commercial enterprises.
A strong foundation
The inclusion of ScienceData within the certification scope marks another step in the ongoing development of the Danish Research Network’s systematic work on information security.
This year’s audit also confirms that the work on information security and digital sovereignty rests on a solid foundation – both for WAYF and for the other services that the Danish Research Network provides to research and higher education.
This gives the Danish Research Network a strong foundation for supporting universities and research institutions seeking to strengthen their digital sovereignty in the years ahead. As the sector seeks greater control over critical digital infrastructure and reduced dependence on individual technology providers, it is a significant advantage to be able to build upon a shared infrastructure in which security, open standards and technological freedom have long been fundamental principles.