**The majority of the measures in Part 2 of the Data (Use and Access) Act 2025 have come into force today, 1 December 2025.** This move brings the digital verification services (DVS) pilot onto a statutory footing, enabling people and businesses to have greater confidence when using DVS to prove who they are or things about them. ## Moving to a statutory framework Since 2020, the government has operated a pilot to enable the secure and reliable use of digital verification services in the UK. The pilot approach included creating the UK digital identity and attributes trust framework (the trust framework), supplementary codes, an independent certification process, and a register of certified DVS providers. We’ve tested, learnt from and improved these interventions over time, in preparation for moving to a statutory regime. For example, in April 2025, we launched a GOV.UK service for the public register, replacing the manual publication of spreadsheets of providers and their services. We’ve continued – and continue – to improve that service over time. In June 2025, we published the final release of the ‘gamma’ (0.4) trust framework and the first publications of the right to work, rent and DBS supplementary codes. Just last month, in November 2025, the UK Accreditation Service granted its first accreditation to an approved conformity assessment body. These were essential elements to have gotten right and to ensure they were operationally ready prior to commencement. They now are, so the DVS measures in the Data (Use and Access) Act – which became law in June – can now come into force as the next step. That means that, from today, many aspects of the pilot have been placed onto a statutory footing. ## Why have we brought this in Taken as a whole, this regime of standards, governance and oversight helps to ensure the public can trust digital verification services offered under it in the UK. Certification against the trust framework is optional, but it enables providers to appear on the new statutory register. This helps the public and businesses across the economy to more easily identify a DVS provider as trustworthy. By strengthening the reliability of the industry through a statutory regime, we pave the way for increased use of trusted digital identities by the public. ## What this means for you Now we have moved to the statutory regime, service providers and conformity assessment bodies should now refer to the most recently republished versions of the trust framework and supplementary codes, which we have updated to reflect that these are the statutory versions. Existing certification against the trust framework or any of the existing supplementary codes remain valid in line with the provisions in section 0 of the most recent republished version of the trust framework (0.4). In addition, 48 DVS providers and their 57 services that had gained certification against the trust framework have applied to join the statutory DVS register. The statutory register is now live and replaces the non-statutory register from today. We have also published new guidance on how providers can apply to appear on the statutory register, which providers should refer to moving forwards. ## What comes next? In line with the duties under the Act passed in June, we must review the supplementary codes and trust framework at least every year, as well as publish a report on the regime’s performance. We intend to publish the 1.0 version of the trust framework in 2026, starting with a pre-release, which we will then work with conformity assessment bodies and the UK Accreditation Service to enable certification against. Certification against the 1.0 publication will allow DVS providers to use the trust mark. This trust mark will enable the public to identify trustworthy reliable DVS providers more readily. Additionally, we intend to bring into force the remaining powers in the Act relating to the information gateway. These powers will allow public authorities to share relevant information about an individual with a registered DVS provider for the purposes of providing digital verification services to that individual at their request. > **Reminder** > > All certificates issued against the beta (0.3) publication of the trust framework will forcibly expire on 31 March 2026. Service providers that wish to maintain their certification must uplift to the gamma (0.4) publication before 31 March 2026.

The GOV.UK register of digital identity and attribute services makes it easy to check and find digital verification services that you can trust. It's a digital service, so we've been making continuous improvements to the register in line with the government's Service Standard. Based on findings from user research, we've made some big changes to how the register is presented this month. Here’s a summary of what we've done. ## The changes we’ve made ### 1. **Choose to view by services or providers** When we first launched the register, you could only browse it as a list of providers. Now, you can also browse the register as a list of services and find more information about each service at first glance. If you need additional information, you can click on the service. Each service now has its own dedicated page with information presented in tabular format for easy perusal. You might not want to view by service. In that case, you can still view the register as a list of providers, using the banner at the top to navigate between different views. Each provider also has a dedicated page with contact information. You can click on a provider to see this. You can also find a list of all registered services connected to that provider on this page and find out more about a service by clicking on ‘View details’. ### 2. **Sort and filter** by your needs We've introduced additional options for sorting information on the register. You can now sort information on the register by: * the most recent updates * alphabetical and reverse alphabetical order * the date a service was originally certified * the date on which a services’ certificate is due to expire We've also added more filters. Before you could filter by role types and supplementary codes. You can now also filter by trust framework version. ### 3. **Use the improved search** bar We've made it easier to find providers and services using keyword searching. You can now get accurate results with just partial input. Now you won’t need to scroll the register if you know what you’re looking for. ### 4. **Download the register** If searching, filtering and sorting on the live register doesn't work for you, you can now download a copy of the register too. This data is presented in CSV format; an open data format that we hope makes it easier to work with offline. This is just a first, very small step in enabling the register to be accessible in machine-readable formats. ### **5. Keep up to date** We've implemented a new updates page telling you when services are published and when there is new information about a service or a provider. You can stay up to date with the latest by clicking 'Updates' on the top banner. ## We’ll keep improving the service We are making continuous improvements to the register and are keen to hear from you. If you have any feedback, either positive or negative, please reach out to us via [email protected].

If a digital verification service (DVS) is user-facing, before it does something with a users’ identity or attribute information, the service must confirm that the user understands what is about to happen. CABs review how a service implements the rules for confirming user understanding from the trust framework as part of the certification process. We’ve been asked what a ‘good’ confirmation that meets the requirements of the trust framework looks like. ## What the rules say The rules for confirming user understanding are found in sections 12.7.3. and 12.7.4. of the gamma (0.4) publication of the trust framework. A similar concept existed in the previous, beta version too – but we called it “user agreement” instead. In broad terms, the rules require that a digital verification service: * explains to a user what is happening to their data in “clear, plain language that is easy to understand” * asks the user to positively confirm they understand * explains what happens if they don’t agree Services must also reconfirm the users’ understanding in certain circumstances. ## It’s not the same as “consent” Confirming user understanding is different from seeking “consent” under UK data protection law. There may be similarities between what we call “confirming understanding” and what UK data protection law calls “consent”, but the trust framework does not require that “consent” is used as the legal basis for a service. Service providers can use any legal basis that is appropriate; it’ll depend on the service and what it’s for. Instead, the rules in the trust framework regarding user confirmation are intended to give users as much understanding and control over how their data is used as possible. These rules are in addition to the transparency requirements under the UK GDPR. ## Lengthy terms and conditions are not the answer Services providers – not just digital verification ones – often have lengthy terms and conditions or “End User License Agreements” (EULAs). Users are often asked to accept these terms and policies before they use a service. We don’t think that asking users to read and accept a complex policy statement is an effective way of confirming user understanding. To get certified against the trust framework, services need to do more than that; they need be as simple as possible for users. Lengthy, legalistic documents are not examples of clear, plain and easily understood language. There is plenty of evidence that they cannot reliably demonstrate that users positively agree to those terms. The rules in the trust framework are intended to make using a digital verification service a genuine choice. Services shouldn’t rely on deceptive design patterns – like making it easier to accept than to decline a choice – to ‘nudge’ users towards accepting terms and conditions they may not fully be aware of or understand. ## Use brief, straightforward prompts When users install an app on a phone or computer, and open it for the first time, they are often asked for permission to access certain features, for example, to send notifications, to access location data, or to use the camera or microphone. Different apps need different permissions at different times, so users are presented with different prompts. Permissions sometimes need to be refreshed, so the user sees the prompt at regular intervals. Often those prompts are customised by the developers of the apps to explain very briefly why they need those permissions, and a user can decide whether to permit the access. The clarity of this model is what we’re trying to encourage for digital verification services. It puts what is happening front and centre for users. Services should provide: * brief, straightforward prompts * transparent explanations and clear choices, and * an ability to find out more information if a user wants to understand what is happening in greater detail ## Some examples There are many ways that you could design an interface that confirms user understanding. As the trust framework is outcome-focused and technology-agnostic, we don’t mandate exactly what it should look like. We would encourage service providers to try different approaches and to test their designs with real users through user research. Here are some examples we came up with, inspired by things we’ve seen so far in real world services. ### 1. Asking permission to take a selfie In this example, a user needs to take a selfie to match it to a passport photo they’ve already provided. They’re presented with a prompt before they take the selfie, so they can confirm their understanding. This approach wouldn’t check off every part of the rules in sections 12.7.3, but it could meet some of them: * the prompt explains what is about to happen in a way that is simple to understand * the user is asked to confirm they want to continue before anything happens * the user knows what will happen if they choose not to continue The prompt itself should summarise everything that is happening with a user’s data. A “find out more” button is provided which could take the user to a more detailed explanation of what is happening; for example, it could link to a privacy notice. A service shouldn’t hide or introduce additional data processing behind that button. ### 2. Sharing data with another service In this example, a user already has an identity service set up and has been asked to share some attributes with an orchestration service acting on behalf of a relying party. It follows a similar pattern to the first example. This example is one way you could attempt to comply rule with 12.7.4.c, which suggests that services could reconfirm a user’s understanding whenever there is a request to share or disclose data to a third-party. ### 3.  Reconfirm user understanding after a period of inactivity Rule 12.7.4.b. requires that a service must reconfirm user understanding if more than 14 months have elapsed since a user last reconfirmed their understanding. This example tries to explain, as plainly as possible, that the user needs to agree to keep their account active or, alternatively, can choose to close their account. ## We want service providers to innovate We should stress that these are only examples; they’re not whole solutions. Service providers don’t have to follow these examples in their services.  These are just ideas that point in the right direction. We want service providers to innovate and find great ways to achieve compliance with the rules. We’d like to start to compile examples of best practice so we can share them with our approved conformity assessment bodies, to support consistent evaluations across the market. If you think your service confirms a users’ understanding well, we’d love to hear from you.

To be certified against the UK digital identity and attributes trust framework as a holder service provider (HSP), you need to have a process in place to get in touch with users if: * there’s a change to their holder service account * you've received a request to close the account This is a requirement for all HSPs and is outlined in rule 7.3.1a of the gamma (0.4) publication of the trust framework. The purpose of the rule is to help prevent fraud, as the user can react appropriately if the request has happened without their knowledge. ## Your process must be multi-channel As stated in rule 7.3.1.a, the communication must be “multi-channel”, which means you must make more than one channel available to users. The process you put in place to notify them of changes to their holder service account, or of requests to close it, must take account of this. Some examples of channels you might use to communicate to meet the requirements of 7.3.1 include: * email * SMS text message * physical letter * social media message * push notification to a user’s mobile phone * pop-up messages in an app * inbox message in an app This is not an exhaustive list. User-initiated channels could be considered in your processes too. For example, you may have an email or phone-based helpdesk, a web-based chat, or social channel through which users can initiate contact. ## Proportionate and reasonable processes The decision about which channels you use to notify users of any account changes or closure requests must be appropriate to the: * design of the service you offer * communication channels you have available to you The conformity assessment body (CAB) certifying your service will make a judgement about whether the processes you have in place are proportionate and reasonable in the context of the service you offer.

The United Kingdom Accreditation Service (UKAS) has granted accreditation to Kantara Initiative; making it the first UKAS-accredited conformity assessment body (CAB) certifying under the UK government’s Digital Identity and Attributes Trust Framework. ## A robust quality framework to underpin the digital economy UKAS’s decision to award accreditation to Kantara Initiative is a major milestone in the development of the UK’s digital verification services (DVS) ecosystem. It provides a robust, internationally-recognised basis for building trust in those services. Commenting on the accreditation decision, the Minister for Minister for Digital Government and Data, the Rt Hon Ian Murray MP, said: > “We are determined to build public trust in the technologies that are making our daily lives easier. > > “Thanks to Kantara’s accreditation, people can be reassured that digital IDs offered by private companies to help them prove their identity are safe, secure, and sustainable - in turn helping an industry which is already worth £2 billion.” ## How accreditation is awarded UKAS is the national accreditation body for the United Kingdom. Appointed by government, it independently assesses the technical competence and impartiality of organisations that provide certification, testing, inspection calibration, validation and verification services. UKAS and DSIT have worked together for several years as part of a pilot programme for digital verification services certification. Kantara Initiative is one of two CABs currently participating in the pilot process, alongside BSI Assurance UK which is working towards accreditation. The purpose of the pilot has been to develop a robust set of rules for evaluating digital verification services, and to independently assess whether bodies providing conformity assessment are able to implement those rules in line with international standards. To obtain accreditation, CABs go through a rigorous, three-stage assessment, led by independent assessors with deep technical expertise. The decision to start granting accreditation reflects that: * the UK digital identity and attributes trust framework certification scheme has been developed in a manner consistent with relevant international standards, and * Kantara Initiative has demonstrated that it can competently and consistently assess services in accordance with the scheme’s requirements Commenting on its grant of accreditation, Andrew Fletcher, Executive Director at UKAS, said: > “UKAS’s work is essential to maintaining public trust and confidence in products and services across the economy. Our independent accreditation processes ensure that certification, testing, inspection, and calibration activities are conducted to the highest standards in the UK. > > “Congratulations to Kantara Initiative on achieving accredited status. We look forward to working with other conformity assessment bodies seeking accreditation against this scheme.” ## What this means in practice Now that CABs have started to be accredited, the government can proceed with commencing the DVS measures in the Data (Use and Access) Act. All of Kantara’s clients that are presently listed on the non-statutory register of digital identity and attribute services will now be able to apply to join the statutory register when it is published upon commencement. We have already published details of how to get onto the statutory register on GOV.UK. With the first CAB now accredited, the pilot phase led jointly by DSIT and UKAS will conclude in due course as focus shifts to scheme maintenance and further development. We are looking forward to the next stage, after 4 years of developing a certification scheme that supports delivery of digital verification services that are compliant with the UK DIATF and can command trust of individuals and businesses across the UK.

As a digital verification service (“DVS”) provider, you need to have a valid certificate of conformity (“a certificate”) if you want to: * prove your service conforms with the rules of the UK digital identity and attributes trust framework (“the trust framework”) * apply for your service to be on the GOV.UK register of digital identity and attribute services (“the register”) ## **Standards you, your service and your certificate must meet** A certificate is an official document that confirms a service has been successfully evaluated as meeting the requirements in the trust framework and any relevant supplementary codes. For a certificate to be valid within the trust framework certification scheme (“the scheme”), it must meet specific criteria: ### 1. Issued by an approved and accredited Conformity Assessment Body (CAB) Your service must be evaluated by a CAB that has been approved by the Office for Digital Identities and Attributes (“OfDIA”) and accredited by the UK Accreditation Service (“UKAS”). It’s fine to work with a CAB that’s either: * accredited by UKAS at the time the CAB issues the certificate * going through the UKAS accreditation process at the time the CAB evaluates your service If you choose to work with a CAB that is in the process of seeking accreditation, and they issue a certificate for your service, it will have validity whilst that CAB goes through the accreditation process. Thereafter the certificate they issue will only continue to be valid if the CAB becomes UKAS accredited. You will also have to wait to apply to get onto the register until the CAB is officially accredited. We publish a list of approved conformity assessment bodies for the scheme on GOV.UK. ### 2. Issued in line with the rules CABs must follow Just as there are rules that DVS providers must follow, there are also rules for CABs to follow when conducting an evaluation and deciding whether to certify your service. CABs are solely responsible for making decisions about whether or not to certify a service against the trust framework. However, the certificates they issue are only valid under the scheme if the issuing CAB follows all of the rules about how to certify a service. We have set out these rules that CABs must meet in our certification scheme requirements. This means that there may be occasions when a CAB issues a certificate to a service that meets the requirements under the trust framework and any relevant supplementary codes, but that certificate is not valid because the CAB is not compliant with our certification scheme requirements. ### 3. Certificates contain the required information Each CAB can create their own layout for the certificates they issue, but they must include the information that we specify in the certification scheme requirements: #### Information about the DVS For the trust framework certification scheme, each certificate must contain key information to identify the DVS, which includes: * the name of the service that has been certified * the name of the company that provides the service * the date the certificate was issued and when it is valid until * how the service can be accessed online #### Information about what the DVS can do The certificate must also include other information about what the DVS is allowed to do, such as: * the type of DVS it is (for example, an identity or attribute service) * the identity profiles the service can produce * the quality of protection and authentication the service can achieve * if relevant, the supplementary codes the service supports If a certificate isn’t produced correctly, for example if it’s missing information, it’s not valid. #### Checking certificate validity CABs submit all certificates produced under the certification scheme to OfDIA, and we check they have been produced in accordance with the certification scheme rules. Sometimes, we may need to return a certificate to a CAB; for example, if it has incorrect or missing information. We’ll ask the CAB to investigate and submit a new, corrected certificate if necessary. ## We’ll invite you to publish details about your services Once your service has been issued a valid certificate, we’ll invite you to apply to have your details published on the GOV.UK register of digital identity and attribute services. Once they come into force, provisions in the Data (Use and Access) Act 2025 place a duty on us, acting on behalf of the Secretary of State, to register you and your service in the statutory register if you meet the conditions set out in section 33(1) of the Act (subject to limited exceptions). One of these conditions is that you must hold a certificate confirming compliance with the trust framework issued by a CAB which has been accredited by UKAS. ## What happens if a certificate is not valid If a certificate is not valid, you can’t rely on it to prove your service conforms to the trust framework and you can’t apply to have it shown on the register.

We’ve been asked whether all of the rules in the gamma (0.4) trust framework apply in the trust framework or supplementary codes when the rules say “must”. ## Different rules apply to different “roles” The trust framework is written around the concept of “roles”. A service can be certified as a: * identity service provider (IDSP) * holder service provider (HSP) * attribute service provider (ASP) * component service provider (CSP) * orchestration service provider (OSP) Each service must be at least one of these roles but a service might also perform more than one of these roles. All certified services must comply with the rules in Part 3 of the 0.4 trust framework regardless of what role they perform and even if there are no other rules specific to that role. These rules set the baseline level of quality for every service. Additional rules might apply depending on the role your service plays in the ecosystem. The rules are in Part 2 of the 0.4 trust framework. As an example, if you are an IDSP only, under 0.4 of the trust framework, you must conform to the rules in Section 5 and Section 10, but not the rules in Sections 6, 7, 8 or 9. ## All the rules apply in relevant sections All of the rules in the trust framework and supplementary codes are described using the terms: * “**must** ” – which indicates that a rule is a mandatory requirement * “**could** ” – which indicates that a rule is a recommendation and not a mandatory requirement If a Part or Section in the trust framework applies to your role, then all of the rules in that Part or Section apply to your service. Your service must conform with all of the “must” rules, and service providers can choose whether or not to implement any “could” rules. ## There are no opt-outs All the rules apply if they include the word “must”. As a service provider, you cannot opt-out or descope a rule that includes the word “must”. As the trust framework is outcome-focused and technology-agnostic, you can seek to conform to these rules in any appropriate way; but your service is, nonetheless, required to conform. If you cannot demonstrate that your service conforms, it cannot be certified against the gamma (0.4) trust framework. Of course, if you disagree with the existence of a rule, we review the trust framework regularly and we welcome your feedback! Where we believe a rule is unclear – whether it is a “must” or “could” rule – we may publish additional guidance to clarify it for providers and CABs (for example, in a blog post), and may revise it in future versions of the framework.

Whether applying for a credit card or starting a new job, digital verification services (DVS) are already saving people and businesses time and money. But to make sure the benefits of DVS are realised in sectors right across the economy, OfDIA is working to unlock new opportunities. ## **How we prioritise use cases** How many times have you wished you could prove something about yourself without digging out your old documents or standing in a queue? We know there are hundreds of use cases that could benefit from adopting DVS, but without unlimited resources, we had to figure out where to focus our effort to remove barriers and boost adoption. We consider three main factors: * whether there is an existing regulatory framework that requires identity or attribute verification * whether there is scope for rapid progress to be made * the potential benefits to people and businesses that digital identities could bring compared to the status quo. ## **What we have done so far** We’ve already taken some big steps towards our goal of widespread adoption of digital identities, for example in the employment sector. If you've started a new job recently, you might have noticed that you didn't need to turn up to your new workplace with your passport, and instead, you might have completed a quick and simple digital ID check through a certified DVS. Hiring and onboarding new employees is an area of the economy where secure use of DVS is already speeding things up, saving people and businesses time and money. When the Covid-19 pandemic caused a rapid rise in remote working, increasing the demand for digital checks, we worked closely with the Home Office to change UK legislation, allowing digital verification for Right to Work (RTW) and Disclosure and Barring Service (DBS) checks. Now, we see millions of secure and privacy preserving digital RTW and DBS checks taking place each month, reducing time spent on these from days to just minutes, and getting new employees into new jobs much sooner. ## **Keeping focused on the top priorities** Beyond employment, there are two other use cases which we are currently prioritising: age verification and financial services. Age-restricted products and services have a clear regulatory driver for age checks, with digital verification offering potentially huge efficiency savings for businesses as well as a better experience for customers. It’s also a sector where both relying parties and DVS have clamoured for change and demonstrated solutions which, once barriers are removed, could be implemented quickly. Earlier this year, the Home Office announced they would be updating the law to allow for the use of DVS for alcohol purchases in England and Wales. We expect changes to be in place by the end of the year, and are currently focusing our efforts on the requirements, to keep these checks safe and secure. You can read our blog post on using a digital identity to buy alcohol safely and securely to find out more. But we are not stopping with alcohol. The upcoming legal changes provide an ideal opportunity to drive the adoption of DVS for other age restricted goods. After all, once people can use their digital ID to buy a bottle of wine, they’ll expect it to have the same purchasing power for things like tobacco and vapes, fireworks or gambling. That’s why we are working across government to promote consistency across in the rules for the sale of other age restricted products. In parallel, we are also working hard to progress the adoption of DVS in financial services. This is also a highly regulated sector, with financial institutions required to undertake Know Your Customer (KYC) checks when onboarding new customers. There are also clear benefits to being able to ensure that payments have been authorised by the right person, without that person needing to visit their bank in person. To date, there has been a lack of clarity in the financial services industry as to how digital identities can be used to meet obligations under the Money Laundering Regulations (MLRs).  The government has committed to produce bespoke GOV.UK guidance on using DVS for MLRs identity verification checks. This guidance will provide clarity on the definition of a digital identity and give further detail on how trust framework certified DVS can be used in line with the MLRs’ risk-based approach. You can read more about this work in our previous blog post on trusted DVS in financial services. ## **Keeping up momentum elsewhere** There are numerous other areas of the economy where DVS can play a transformative role. While our highest priority sectors are employment, age restricted products and financial services, we are also working to drive adoption across other areas of the economy, such as property and travel. We are continuing to work with government departments, regulators and sector representatives to remove barriers, and enable secure and robust checks. If there are other areas which you think OfDIA should prioritise to help unlock progress, then let us know.

As part of performing an identity check, digital verification services (DVS) need to verify information that represents the attributes of the person being checked. Often, this is done with reference to an “authoritative source”. Digital verification services sometimes want to use “data brokers” for this purpose and we’ve been asked how they should be treated. ## What we mean by data broker A data broker is an intermediary that aggregates data from multiple sources, often including public records, commercial databases, and online activity. In the context of digital identity, data brokers may be used to verify attributes about individuals – like their name, address, or financial history – by providing access to datasets that support identity checks. Credit reference agencies, identity and fraud analytics companies, and digital verification services themselves are some of the types of companies that can act as data brokers. Data brokers must, of course, comply with UK data protection legislation and so must DVS providers when using them. ## A data broker can be used an authoritative source Whilst lots of organisations could act as a data broker, not all data brokers are authoritative sources. Good Practice Guide (GPG) 45 – which describes how to prove and verify someone's identity – defines what an authoritative source is. It says: > To be authoritative for a particular piece of information, the source must make sure: > > * the integrity of the information is protected > * the information is up to date > > > The source must also do one of the following: > > * issue evidence, for example the Driver and Vehicle Licensing Agency (DVLA) issues evidence such as driving licences > * get information from an organisation that issues evidence, for example credit reference agencies can have authoritative information about bank accounts > * get information from another authoritative source, for example from another identity scheme > There is nothing in GPG 45 – or in the trust framework – that prohibits the use of data brokers as an authoritative source. If a data broker meets the requirements set out in GPG 45, it can be used as an authoritative source. ## A single data broker can verify multiple pieces of evidence Data brokers can usually provide data from multiple places and so a single data broker can act as multiple authoritative sources. For example, a credit reference agency will often have an ability to connect to multiple banks and building societies. If a user had a mortgage with one bank and a credit card with another, and the broker can access that data in a manner that ensures its accuracy and recency, there is no reason why that single broker can’t be used to verify both pieces of information. Additionally, there is no need to make two separate requests of the broker for it to count as multiple authoritative sources. As long as the information is distinct and able to be verified, a broker can provide one, two or dozens of pieces of evidence as part of a single request from an identity service. Whilst data brokers can provide all sorts of data, it’s important for service providers to ensure that only data that is within the scope of GPG 45 is being used for identity checks within a certified service. For example, data brokers can often provide profiling about people based on their internet browsing history; that data can’t be scored as part of GPG 45, so it mustn’t be used for an identity check. ## Prepare to justify your approach When conformity assessment bodies audit services against the UK digital identity and attributes trust framework, they will ask service providers to justify how their service achieves the outcomes it purports to be able to achieve. If they use a data broker, service providers must justify that approach and why they think it’s right. In particular, they’ll need to demonstrate that the information the broker can provide is both accurate and up-to-date.

You can avoid your service falling off the GOV.UK register of digital identity and attribute services by asking your conformity assessment body (CAB) to complete your recertification process up to 60 days early. You won't lose the remaining time on your current certificate if you do this, and it will help you to avoid any unnecessary disruption. ## Certificate life cycles can vary Every service provider has a slightly different cycle for its certification. That cycle might also change whenever we introduce a new version of the trust framework or supplementary codes, as we might set a fixed expiry date for certificates issued against previous versions. Our advice in this blog post should therefore be taken as a general rule of thumb – not an absolute timetable. You should speak to your CAB for bespoke advice in relation to your service. ## You can roll over 60 days from a previous certificate You might think that the sensible thing to do is to run down the clock on every certificate so that you recertify at the last possible moment; but you shouldn’t do that! That approach will almost certainly lead to gaps in your certification. The rules in our certification scheme have been deliberately designed to avoid those gaps. Every time you get a service recertified, you can roll over 60 days from the end of your existing certificate onto your new certificate. You don’t lose time on your certificate by recertifying a little early. As an illustrative example: > Your service was certified on 1 April 2026 and is due to expire on 31 March 2029. > > You get recertified on 30 January 2029; 60 days before your previous certificate would expire. > > Your next certificate will be for 3 years, plus the 60 days roll over; so your certificate will expire on 31 March 2032. ## Leaving certification too late might mean your service is not registered The other reason to recertify ahead of your existing certificate expiry is so that it remains published on the GOV.UK register of digital identity and attribute services. Maintaining your registration will become increasingly important as digital identity services become more widely adopted. Services can only appear on the register if they are certified. The Data (Use and Access) Act 2025 requires that any service that is no longer certified is removed from the register. If your service is not on the register in future, you won’t be providing compliant services in certain regulated environments and you won’t be able to connect to the GOV.UK Wallet. Registration and certification are not the same thing. Certification is a pre-requisite but service providers must apply separately if they want to appear on the register. Whilst it’s often very quick, applications can take a little while to process (we’ve explained what happens when you apply to join the register in a separate post). Our general advice is that it can take up to 20 working days for an application to complete. Aiming to complete your recertification 60 calendar days in advance of your existing certificate expiry will ensure that we at OfDIA have plenty of time to process any application to remain on the register and help to avoid your service temporarily being removed. ## Book your recertification evaluations early There are no downsides to recertifying slightly early. Doing so will help your organisation to ensure there are no gaps in your certification and that your services stay on the register. Our advice is to engage your CAB early and book your recertification process in as soon as possible. Aim to complete your recertification 60 days in advance of your existing certificate expiry; your CAB will advise on how best to make all this work in practice.

Getting onto the GOV.UK register of digital identity and attribute services is not an automatic process. It can take up to 20 working days for your service to appear on the register. That’s because there are important, human-led review processes that take place after your service is certified. Often those processes aren’t visible to providers who’ve applied to join the register, and that leads to one question: > “Why isn’t my service on the register yet?” In this blog post, we’re going to explain how those processes work in practice, why we have them, and how long they take to complete. ## Step 1: You get your service certified Before you join the register, you need to get certified by a conformity assessment body (CAB). We have published a list of approved CABs that are able to help with that. Your service will be evaluated – through audits and other testing methods – by your CAB against the rules in the UK digital identity and attributes trust framework and any relevant supplementary codes. This process commonly takes around one to two weeks – though it can be more or less depending on the specifics of your service. After the evaluation is concluded, your CAB will have an internal process to decide whether or not to certify your service. If it decides “yes”, you will be issued with a certificate. You should ask your CAB for an estimate of how long this internal process might take for your service. ## Step 2: We validate your certificate After your CAB has decided to certify your service, it is required to provide a copy of the certificate to OfDIA. It also provides a Certification Feedback Report – a more detailed record of what is certified and a log of the evidence the CAB used to inform the decision. OfDIA uses this information to validate that the certificate is valid under the certification procedures and to enable you to make an application. If anything looks out of place, OfDIA asks the CAB to double check the certificate and to correct any errors that might have slipped through. This process takes around 5 working days. ## Step 3: You make an application After your certificate has been validated, OfDIA sends an automated email inviting you to apply to have your organisation and service appear on the register. Making an application is fast. You don’t need to input any information: everything is provided to us by your CAB directly when they give us your certificate. All you need to do is review the information that will be published if your application is successful. It takes as little as 60 seconds to review the information and submit the application. If any of your information is wrong, you usually need to contact your CAB, who will update your certificate and resubmit it to us (and we’ll need to review it in OfDIA again). ## Step 4: We review your application After you have made an application, we in OfDIA review it before you get onto the register. This review is designed to ensure a bad actor doesn’t slip through net and onto the register; jeopardising trust in the ecosystem as a whole. For that reason, two separate members of the OfDIA team are involved in every decision: one to do the initial review and the other to validate it. The review is often very quick – a matter of hours – but we have an internal target of 15 working days within which to complete it. ## Step 5: Your service is published on the register If your application is successful, you will receive an email confirming this. Your service will then be published on the register automatically. ## We move as fast as we can We move as fast as we can once a CAB has issued a certificate for a service and OfDIA has received it, but please allow up to 20 working days before a service is published on the register. If you have any questions about the process, please contact us or your CAB, who will be happy to provide any advice you need.

Every day, people use official government documents like passports or driving licences to prove things about themselves in the economy. However, these physical documents weren’t designed for the digital age. This is why, through the Data (Use and Access) Act, we are making it easier for people to digitally share information that the government holds about them to prove who they are, if they wish to. The ‘information gateway’ powers established by the Data Act set out the conditions under which information sharing can take place. Public authorities will only be able to rely on this power to share information if the individual chooses.  Data must only be shared with registered digital verification services who are following government rules, and only for the purposes of identity or eligibility verification. ## **The GOV.UK Wallet will help people manage and share their data** The GOV.UK Wallet will be one of the first ways this information gateway moves from policy to reality, bringing many public authorities together to digitise their credentials and make them available to users. Using the GOV.UK Wallet, people will be able to instigate the sharing of their data with registered private sector digital verification services to securely prove things about themselves for uses across the economy, like proving their age to buy an age-restricted product. These registered services will be critical intermediaries to ensure information is shared safely from the GOV.UK Wallet. People can also use the digital versions of their documents in their GOV.UK Wallet as source documents for a whole range of identity and attribute proofing. This includes creating ‘derived credentials’ with a registered provider. This is currently done using physical documents. GOV.UK Wallet will make this process much more seamless. These credentials can then be reused across the economy without the user needing to return to the GOV.UK Wallet each time. Privacy, control and choice will be integral to this process. No data will be shared without the user instigating the process and giving their permission first. You can read more about the critical role for digital verification services in enabling the GOV.UK Wallet over on the GDS blog.

Today we’ve published a call for views on the adoption of trust services. You can respond to the call for views on GOV.UK until the **20 th of September 2025**. ## What are trust services? Trust services are digital tools, such as e-signatures, that make online transactions more secure and reliable. We wrote previously on this blog about the different types of trust services, and on the changes that the Data (Use and Access) Act is making to the UK’s trust services regulatory framework. A sectoral analysis which DSIT conducted in 2024 of identified digital identity service providers in the UK found that 34% offer trust services (including electronic seals, signatures, and certificates), and that those providers which offer trust services generated an estimated revenue of £136 million in 2023-2024. ## Why we’ve published a call for views The evidence we hold about the trust services market in the UK is limited. This call for views will help us understand what interventions might be useful to support this market to grow further as part of the UK’s digital economy. The call for views seeks responses from organisations who offer trust services in the UK, and from those that use these products. If the responses suggest government action is needed, we will consult again and seek to gather information more widely, including from individuals. ## We look forward to hearing from you! > Read the call for views on trust services and submit a response before **20 th September 2025**.

Providers with services that have been certified against the beta (0.3) of the trust framework need to prepare to uplift their certification to align with the gamma (0.4) publication. To do that, service providers naturally want to know what’s different between the two publications. To help with this, we’ve been asked variously for some kind of document with a gap analysis or assimilation matrix. A quick guide that says “in beta we said _this_ and in gamma we say _that_ now instead”. ## There are no shortcuts to gamma uplift That guide doesn’t exist. We don’t have one internally. The conformity assessment bodies haven’t been given one. We won’t be publishing one for providers either. We’ve intentionally decided not to create that kind of document. We called the beta, “beta” because that’s exactly what it was. Something in development, with some rough edges that we knew needed to be smoothed out. We spent a long time speaking to businesses and members of the public about how it could be improved. The result is that, in the gamma publication, the entirety of the trust framework and the new supplementary codes were redesigned, restructured, and often completely rewritten. Nearly every section and paragraph is at least slightly different – and in some cases very different – from the content that was in the previous publication. So much has changed or moved that, on a practical level, to explain what’s different would mean creating a document almost as lengthy as the trust framework itself. It’s also been three years since we originally published the beta trust framework. With such extensive changes and with that period of time, we think it’s a good idea for service providers to take the opportunity to review their services top-to-bottom and end-to-end against these new rules. Creating a “cheat sheet” for gamma could encourage providers to only focus on the most significant changes and not on the rest of the rules. If you’re a service provider, we think your time could be better spent considering the current trust framework document and whether your service is compliant; not on an adjunct guidance document that has the potential to make things more confusing. So we deliberately haven’t created it. ## The next uplift will be smaller We’ve taken this approach on this occasion because of the context of this uplift. For the next iteration of the trust framework – what we’re calling 1.0 – we expect the changes to be smaller. That will enable us to take a more nuanced approach next time. For now, our advice to service providers is to get into the weeds of gamma. Treat this as an opportunity for a spring clean; do a review of your whole service and check your service meets all the rules, not just the new ones. > **Reminder** > > All services certified against the beta (0.3) trust framework will expire on 31 March 2026. Service providers must uplift their certification to align with the gamma (0.4) trust framework and relevant supplementary codes before this date, or their services will no longer be certified and those services will be removed from the GOV.UK register.

Trusted and secure digital identity services have a vital role in enabling productivity and growth within the financial services sector, offering process efficiencies and helping to combat identity fraud. Over the past few years, we’ve heard from sector firms about a lack of clarity on how digital identities can be used to comply with Money Laundering Regulations (MLRs). This uncertainty has limited adoption. We are therefore hugely pleased to announce a significant step towards removing this uncertainty: that we’ll be working with HM Treasury to produce new MLR guidance that recognises the role of reliable digital identities. This commitment comes after the role of digital identities to support growth was made clear in the Industrial Strategy. ## **Improving the effectiveness of Money Laundering Regulations: the role of digital identities** The announcement of new guidance on use of digital identities came as part of HM Treasury’s wider consultation response on Money Laundering Regulations on 17 July 2025. The consultation response, which covers a package of changes that will be made to the MLRs to close loopholes, clarify requirements and ensure customer due diligence, was informed by more than 200 submissions from across industry. In recognising sector asks to set up government accreditation and standards for digital identity technologies, the consultation response highlights that these needs are met through the Data (Use and Access) Act. The Data (Use and Access) Act, passed earlier this year, places digital identity standards on a statutory footing. This includes establishing a legal basis for the UK digital identity and attributes trust framework. The trust framework is supported by a certification process that is recognised by the UK Accreditation Service (UKAS), meaning that certified digital identity services are subject to regular audits. The announced joint guidance will provide clarity on the definition of a digital identity and give further detail on how digital identities can be used in line with the MLRs’ risk-based approach. It will also seek to clarify how MLR requirements interact with the digital identity trust framework set up under the Data (Use and Access) Act. ## **Financial services in the Industrial Strategy** The MLR consultation shows the increasing commitment across government to enabling the use of trusted and secure digital identities in the financial services sector.  This commitment is also clear in the recently published Modern Industrial Strategy. The Financial Services Growth and Competitiveness Strategy, highlights the role of digital identities in reducing the costs of fraud and compliance, and indicates that the financial services sector could be one of the biggest beneficiaries of the £4.3 billion in economic efficiencies unlocked by the Data (Use and Access) Act. The Professional and Business Services Sector Plan published earlier in July recognises the role that digital identities can play in streamlining checks and processes for firms and customers. It highlights how digital identities can help to meet government’s commitment to reduce the costs of regulation for businesses by the end of this Parliament. Both strategies highlight the role of digital identities within MLRs, and set out that government will take steps to inform, encourage and reassure financial institutions seeking to use trustworthy digital identities. The support for digital identities in the Industrial Strategy follows calls for increased use of digital identities from financial sector bodies, including FCA , CFIT and UK Finance. Similar views are reflected in the recent Technology Adoption Review, published in parallel with the Industrial Strategy, which calls on government to work with the financial services sector to demonstrate best practice on digital identity compliance. ## **Moving forward** Digital identities are already being used in the financial services sector, with around 27% of people surveyed in our recent Digital Identity Sectoral Analysis saying they had used a digital identity check to help them open a bank account. And consumers are already reporting benefits from this switch to digital, with 75% of individuals in our survey saying that it was a quicker process than verifying identity with a physical document. Through building trust in digital identities via our framework of standards and governance, and working across government to produce guidance where needed, OfDIA is working to build the industry confidence that will accelerate the adoption of digital identities, and the realisation of the security and efficiency benefits they offer. We’re excited to see how the sector develops and implements digital identity solutions, and will continue to use this blog to update you on our work with HM Treasury and across government.

Your service has been certified by an approved Conformity Assessment Body (CAB) and is listed on the GOV.UK register of digital identity and attribute services. You want to tell people about that. How should you do that? What should you say and what shouldn’t you? ## What the rules say The trust framework and its certification processes require that service providers take steps to represent accurately the certified or registered status of their services. Failure to do this can risk losing your certification and appearance on the GOV.UK register. These rules apply to you as a service provider in all of your activities. In your service. In your marketing materials. Everywhere. They also apply to any other parties that you have partnered with; you must manage your relationship with them to protect trust in the ecosystem as a whole. ## Say things like this What does that look like in practice? When you are talking about your certification, you could say things like: > “Our service is certified against the UK digital identity and attributes trust framework.” > “We are independently certified against government rules for digital identity services.” > “We are trust framework certified.” When you are talking about your service being on the GOV.UK register, you could say things like: > “Our service is on the GOV.UK register of digital identity services.” > “We are registered with government as a digital identity service provider.” ## Don’t say things like this ### Don’t say you’re “certified by government” Certification of digital identity services is independent from government. We set the rules and independent conformity assessment bodies decide whether your service meets them. ### Don’t say that your service is “government approved” Being on the GOV.UK register does not mean government has approved or endorsed a service: it means you meet the rules and criteria for being on the list. ### Don’t use Crown or Government logos, or anything like it Use of government logos and the Crown are reserved and must not be used without prior permission. Don’t create your own versions that could give a false impression either. In the near future, digital identity services on the GOV.UK register will be permitted to use an official ‘trust mark’ on their services instead. ## Don’t misrepresent your status Maintaining trust in the digital identity services is a shared responsibility across OfDIA, CABs and providers. You must avoid doing anything that might be considered misleading in relation to your certification or appearance on the GOV.UK register, or that might damage trust in the ecosystem. If we identify service providers using marketing that could be misleading in these ways, we will ordinarily write to the provider to ask them to stop. We will also refer the issue to the relevant CAB. Failure to take appropriate action may result in certification being suspended or withdrawn by your CAB, and a provider being removed from the register.

Today, we’ve published the findings from the second annual digital identity inclusion monitoring report. The report helps to monitor inclusion and accessibility in the certified digital identity market over time. You can read the full report on GOV.UK. The government wants to ensure that anyone who chooses to use a digital identity can use one. This means that digital identities should be inclusive and accessible to as many people as possible. To achieve this, we need to understand how inclusive services are and whether intervention may be useful. ## **How we collect information on inclusion** The government’s rules for digital verification services, the UK digital identity and attributes trust framework, outlines how organisations can ensure that their services are inclusive by encouraging them to adopt inclusive and accessible practices. Services that are certified against the trust framework must also complete an inclusion monitoring survey. The inclusion monitoring survey consists of around 40 questions covering topics such as documentation and evidence, accessibility, data collection, and biometrics. The survey responses are anonymous and individual services are not assessed. Instead, the results are aggregated to gain insights on the extent to which services in the certified market are inclusive and accessible. The survey captures data from a fixed point in the year. ## **Key findings** The findings of the report suggest modest improvements from last year’s results in several areas. For example: * 60% of organisations surveyed adhere to the Web Content Accessibility Guidelines (WCAG) 2.0 (AA) or higher, up from 54% in 2024. * 73% of organisations surveyed offer at least one accessibility feature, such as text magnification or compatibility with assistive technologies, up from 65% in 2024. * Around half of organisations offer their service in more than 1 language, with 40% offering their service in more than 5 languages (up from 33% in 2024) and 30% offering more than 10 languages (up from 19% in 2024). We also added a few new questions to the survey, which provide further insight on the types of services offered: * 66% of organisations offer single use identity or attributes only, 15% offer reusable identities or attributes only, and 19% offer both. * 54% of organisations offer white labelled services to other businesses. ## **Limitations of the survey** The survey is completed by certified services, so the results don’t reflect the whole market. As the survey is completed by organisations, the survey doesn’t collect information from the perspective of users. There are also broader factors that can affect people’s ability to access digital identity services, such as lack of connectivity, lack of access to devices, or low digital skills. Monitoring these factors is not in scope of this survey. However, tackling these wider digital inclusion issues is a priority for the Government and information on this can be found in the Digital Inclusion Action Plan. ## **What’s next?** It’s encouraging to see small improvements have been made since the findings from last year, and we hope this trend will continue. By the time of the next survey, some services will be certified against the latest version of the trust framework, which includes increased requirements in areas such as accessibility and biometric testing. In the meantime, we will continue to use the findings to inform our development of the trust framework and inclusion policy more broadly.

Digital identity services are often made up of many different constituent parts and have complex supply chains. Whilst an identity service might build its own app, it might use another company’s service to do things like biometric liveness detection. We call those parts of services “component services”, and they can be certified under the gamma (0.4) publication of the UK digital identities and attributes trust framework. If you are seeking certification and your service includes component services from other companies, you might be wondering: > Do I have to use a certified component? And the answer is no, you don’t – but you will probably want to. ## Using certified components can make your certification easier We want people to trust digital identity services, and so we set a high bar for quality through the trust framework. Whilst meeting the rules should be challenging, we don’t want the process of getting certified itself to be difficult. To that end, the certification process that our approved Conformity Assessment Bodies (CABs) follow discourages auditors from re-evaluating things that have already been recently evaluated. If you have a certified component service within your own service, your CAB can rely on the pre-existing certification for that component service as part of the evaluation. This means the CAB may be able to reduce or, in some cases, completely avoid the effort involved in looking at that part of the service; they don’t necessarily need to do a full evaluation, because those parts have already been looked at. **For service providers that use components** , using a certified component might enable you to reduce the cost and time it takes to obtain certification against the trust framework. **For component service providers themselves** , you can offer a benefit to your own clients, and avoid the repetitive poking and prodding that comes with being audited as part of the supply chain. ## Pick the easier path The beta and gamma trust frameworks do not require that you exclusively use certified components in your supply chain. There’s nothing stopping you from using any component services from any providers, provided those components meet the rules. Your CAB will check any non-certified components meet the rules as part of your audit. So it isn’t mandatory, but it is smart! Using certified services as part of your supply chain means you can take a smoother path to certification.

From 1 July 2025, it is possible to get a service certified against the rules in the gamma (0.4) publication of the UK digital identity and attributes trust framework. This blogpost explains how service providers who are already certified against the trust framework can ‘uplift’ to the new version. ## Check if your certification is eligible to uplift It is possible to uplift your existing certification to the gamma publication if: * your service is certified against the “beta” (0.3) trust framework * your certificate is maintained by an approved Conformity Assessment Body and * you complete your uplift before your existing certificate would otherwise expire Some of the rules in the gamma trust framework are different to the beta trust framework. Before you start the process to uplift your certification, you should review the gamma trust framework and amend your service so that it meets all of the relevant new rules that apply. If your service is not currently certified – for any reason – you can’t uplift your certification. Your service will be assessed against the gamma trust framework from scratch. Find out more about the certification process on GOV.UK. ## Choose your pathway If your service is eligible, then there are two ways to uplift your existing certification. You can either: * use an upcoming surveillance activity, or * apply for recertification Your Conformity Assessment Body can help you to understand which pathway is available to you. Regardless of the approach you take, the rules you will be assessed against will be the same. ## Surveillance uplifts Every service certified against the trust framework is subject to an annual process of “surveillance”. Surveillance activities check that your service still conforms to the trust framework and review anything that has changed. You can use your next surveillance as your uplift pathway if it is due to take place between now and 31 March 2026 (the date that all beta certificates will now expire). Under the certification rules for beta (0.3), surveillance activities must take place around the anniversary date of your most recent certification. It can take place no earlier than 30 days before that anniversary date, and no later than 30 days after it. For example, if your certificate was issued on 1 December 2024, your surveillance would take place between 1 November 2025 and 31 December 2025. If you uplift your service’s certification to gamma through surveillance, your existing certificate expiry date will remain the same and your service will stay on a two-yearly cycle with this uplift until your recertification. ## Recertification uplifts You must re-certify against gamma to maintain your certification if you cannot use a surveillance activity. If you would prefer to, you can choose to undertake a recertification instead of using the surveillance pathway. In this scenario, you will become certified for three years – up from the two-year certification cycle under the previous process. If you are recertifying before your existing certificate expiry date, you can also “roll over” up to 60 days from your previous certificate. This means that a new certificate for gamma could be issued for up to 3 years and 60 days. > **Example:  **Your service was originally certified against beta on 1 January 2023 and will expire on 31 December 2025. You are certified against gamma on 1 December 2025. Because you had 30 days left of your certification for beta, your gamma certification rolls over 30 days, meaning your new certificate for gamma is for 3 years and 30 days, expiring 31 December 2028. ## Uplift before 31 March 2026 All services must uplift their certification before 31 March 2026. If you do not uplift – either through surveillance or through recertification – then your current certificate will be forcibly expired on this date. This means it cannot be relied upon as proof of compliance to the trust framework and – if it is registered – your service will also be removed from the register of digital identity and attribute services. If your certificate is expired, you will need to start certification from scratch to renew it. ## Contact an approved CAB to get started Conformity assessment activities against the UK digital identity and attributes trust framework can only be provided by approved Conformity Assessment Bodies. The Office for Digital Identities and Attributes publishes a list of approved bodies on GOV.UK. We recommend speaking, as soon as possible, to an approved Conformity Assessment Body about uplifting your existing certification to the gamma version of the trust framework.

**The Government is working to ensure that people and businesses can access trusted and secure digital identities for all their needs across the UK economy.** On 19 June, the Data (Use and Access) Act received Royal Assent. As well as putting the National Underground Asset Register on a statutory footing and supporting the future of smart data schemes, this is a major milestone for the government’s work to make sure individuals and businesses across the UK have access to trusted digital identity services when they want to use them. Trustworthy digital identities can improve people’s lives by making transactions more simple and secure; from accessing age-restricted products, to renting a flat or starting a new job. You can already use a digital identity in some places because the framework of standards, governance and oversight for digital identities has been running as a pre-legislative pilot since April 2021. Part 2 of the new Data (Use and Access) Act creates a legislative foundation for Digital Verification Services (DVS). Standards, governance and oversight of digital identity services in the UK is now grounded in law, ensuring they are trusted and secure. The new UK legislation formalises the system that is currently operating as a pilot. This will pave the way for trusted digital identities to be used in more places. ## What happens next? When the King formally approves a Bill that has passed all stages in the UK Parliament and gives Royal Assent, it becomes law and an Act of Parliament. Now the clauses in the Act must be formally ‘commenced’ _ _ to come into legal force. This requires another bit of parliamentary procedure – some secondary legislation called a Commencement Order or regulation. When the legislation is commenced, the government will have new powers and responsibilities, such as: * maintaining a statutory register of digital verification service providers on GOV.UK * consultation requirements on the trust framework * issuing an official UK digital identity trust mark (like a kitemark) so that people can easily see which services are secure and can be trusted * enabling public authorities to share information with providers of registered services * producing annual reports on the operation of Part 2 of the Data (Use and Access) Act We plan to commence most of the measures relating to Digital Verification Services later this year. This will allow a smooth transition for providers onto the new statutory register, following certification against the trust framework. > Sign up to email alerts to receive an update whenever we publish a new blog post.

Earlier this month I had the pleasure of hosting digital identity specialists from the tech sector to tell them more about our ambition for the GOV.UK Wallet. They represented the UK’s Digital Verification Services (DVS) sector, that provide the digital identity services millions of us have already used to prove our Right to Work, Right to Rent and more. ### **A booming UK digital identity sector** I could not be prouder or more supportive of the contribution that this sector has made in helping to establish one of the cornerstones of a modern digital economy: a trusted system of digital identity. As our recent report reveals, the sector is already a significant driver of economic growth, generating more than £2 billion in revenue each year and supporting over 10,000 jobs across the country. Measures in our Data Bill look to compound this further, supporting the sector to contribute a further £4.3 billion to the economy over the next decade. The introduction of the GOV.UK Wallet, which I announced in January, presents an opportunity to take these benefits to another level entirely. With this technology, people will for the first time be able to use digital versions of everyday government credentials such as driving licences or veteran cards. And over time, digital credentials will be usable for everything physical documents are used for now. ### **Increasing choice through the GOV.UK Wallet** One of the key principles for this new system is maintaining choice for consumers and businesses. We want people to be able to choose between – or use both – their GOV.UK Wallet or a private sector provider for different use cases across the economy. Or, they can choose to continue using the same physical documents they’ve relied on for decades. This is about building a modern digital government, not stifling the brilliant growth and innovation in the private sector.  People in Britain are right to expect that their government will be able to issue them with key documents securely and digitally. ### **The private sector as intermediary partners** There is also no doubt that the private sector, such as the providers I met earlier this month, will have a critical role in realising the benefits of the GOV.UK Wallet. If an individual wants to use GOV.UK Wallet in the private sector – for example in a shop or a pub – businesses will want to be confident that they can trust the information they’re seeing. That’s where trusted, registered DVS providers come in as critical intermediaries. They will be able to innovate and enable the safe and convenient disclosure of relevant information from the GOV.UK Wallet to businesses like pubs, shops or websites. They share the relevant data and provide reassurance that it is trustworthy and reliable. The GOV.UK Wallet will only share information with DVS providers in the private sector where the recipient has been independently certified as meeting our high standards on security and privacy, and where they appear on the DVS register. And importantly, the user has full control over what data is shared, and who it’s shared with. We have released initial information on how we see this working in line with the principles of the digital identity trust framework, including initial technical documents. Registered DVS providers can take on different roles to meet their customer's needs - as orchestration, identity or holder service providers. My department is now kicking off in-depth technical engagement with sector stakeholders to develop the detail of this system, and I would encourage anyone with an interest to participate. ### **Grasping the opportunity through collaboration and innovation** Through the Data Bill we are putting the UK’s digital identity trust framework on a statutory footing. We are changing other laws – for example alcohol licensing requirements – to increase the adoption of these secure and trusted technologies. Through the GOV.UK Wallet we are making it easier for consumers to use their own government-held data within this ecosystem, if they so choose. But we can only realise this huge potential through collaboration between government, digital verification services, and businesses like pubs and supermarkets. We’re ready to innovate and realise the benefits for people and businesses. Let’s move forward together.

Today, we publish our first full sectoral analysis of the UK’s digital identity ecosystem. The aim of the report – which was produced by an independent research consortium – is to establish a baseline of measures of the digital identity sector so that we can capture trends, tracking these on a regular basis to understand how the market is performing. In this blog post, we’ll try to give a snapshot of a few of the key findings – but for full details, head over to GOV.UK to read the full report. ### **Consumer attitudes and use of digital identity products** The most significant change to the interim report published last year is the inclusion of findings from an online and telephone survey of 3,561 consumers across the UK, including people from a range of backgrounds and levels of digital access and skill. Through our survey questions, we wanted to explore peoples’ understanding of digital identity, usage of products, benefits derived, and barriers to adoption. Among the key findings were that that: * **Almost half (44%) of respondents had used a digital identity service at some point in their lives.** Most of these involved one-off identity checks – only a minority (20%) of those who had used any digital identity service said that they’d presented a reusable digital identity. In general, understanding of digital identity was high, with more than 70% of all respondents saying they had at least some understanding of what a digital identity was. * **Digital identity services are helping people meet a broad spectrum of common needs,** from accessing online games (38% of those using any digital verification service), to applying for a credit card or loan (36%), opening a bank account (27%), performing a DBS check (26%), proving right to work (21%) and renting a property (18%). * **Timesaving and convenience** **are top of the list of benefits** , with **75%** of users saying these were advantages of digital identities compared to physical IDs. * **Privacy and security are of paramount importance to users,** with **79%** of people saying these were their top considerations when deciding to use a digital identity service. Around **8%** said they actively chose not to use a digital identity service specifically due to privacy or security concerns. The report also includes new analysis of understanding, attitudes and adoption of digital identity based on different demographics (age, ethnicity, household income), varying forms of existing ID, and levels of digital access and skill. And it highlights the important role of government, with **75%** of respondents saying it was important to them that a service was **tested against government standards**. ### **A £2.1 billion UK digital identity provider market** The full report updates core figures on UK digital identity sector size and scale, with findings including: * **£2.1 billion** sector revenue (2023/24), with **£888 million** Gross Value Added (GVA) * **266 firms** based across the UK, with **10,246 full-time equivalent (FTE) employees.** Three-quarters of firms are headquartered in the UK. * Sector employment has **grown an average of** **11.7% per annum** since 2020, and GVA per employee is £86,600, which is 56% higher than average UK employee estimates * Core **use cases** for products include onboarding (42% of providers), fraud prevention (37%), supporting Know Your Customer / Anti-Money Laundering (32%), and identity verification for account opening (20%). The report takes a deeper dive than previously into the global perspective, finding that the UK sector is**highly internationalised**. For example, 1 in 4 firms based in the UK are headquartered internationally, suggesting the UK is an attractive place for Foreign Direct Investment (FDI). It also finds that: * **34%** of UK headquartered firms have a **presence in international markets** * **57% of the revenue** of the 20 largest firms is **generated from international markets** Looking into the wider **innovation and research & development ecosystem **in the UK, the report finds **that 1 in 20 firms**(6%) have received **publicly-funded investment** for research. Innovative solutions produced by the sector are exported globally, for example to support social vouching. ### A few initial reflections We’ve found the results of this work fascinating, and there’s still much to chew through from our published report. But for us, a few key things are emerging from the findings: * **Are digital identities finally entering the mainstream?** With almost half of those surveyed having used a digital identity service, and the vast majority benefitting from increased speed and convenience, are we reaching the much-discussed ‘tipping point’ at which digital identity products are becoming ubiquitous? Like contactless payments or self-service checkouts, what was only recently a novel invention may be swiftly becoming the norm. * **Ensuring high standards of privacy and security remains fundamental to our mission.** An overwhelming majority of people (79%) are looking for digital identities to be secure and privacy-protecting, with 75% looking for government to play an active role in ensuring these standards are met. To some extent, that’s no surprise given our previous research. But it helps remind us that OfDIA’s mission to establish a trusted, secure market for digital identity in the UK is as relevant and vital as ever. * **The UK digital identity sector is operating on a global scale.** The report reveals that the UK’s digital identity sector has more than £2 billion revenue. High productivity. High export volumes. More than 10,000 FTE employees. Employment growing 12% year on year. It’s a sector that seems poised for further success, in the UK and globally. * **Access and inclusion remain areas of particular focus.** The data shows that some people (9%) just prefer to use non-digital methods – and that’s fine with us, our goal is always for people to have a choice. The report does however suggest varying levels of digital identity use according to demographic, which we will reflect on further in the context of our ongoing inclusion monitoring work. * **Moving to reusable digital identities.** Single use checks remain dominant, but we know they’re normally less financially and time efficient for people and businesses.  There is a long way to go in uplifting adoption of reusable products from the current 20%. ### Towards the next report Producing this report has been no small task, and we’re really grateful to our consortium of providers – Oliver Wyman, Perspective Economics and Projects by If – for providing expert insight and challenge through the process. We’re also grateful to all the digital identity providers who commented on the methodology and approach. We’ll be repeating this research on an annual basis, to help us track market trends and consumer attitudes – in part, helping to inform the annual report that OfDIA will produce as required by the Data Bill.  We’ll be coming back out to stakeholders in due course to help guide priorities for future research, based on this year’s findings. > Sign up to email alerts to receive an update whenever we publish a new blog post.

The register of digital identity and attribute services is now in public beta. This means it’s easier for businesses and the public to check and find trusted digital identity products across the UK. The register of digital identity and attribute services is now in public beta and accessible via GOV.UK ### Faster and easier The new register will make it: 1. **Faster to find services:** it’s now easier and quicker to find specific services and information about their certification, including which services are certified against specific requirements like Right to Work, Right to Rent or Disclosure and Barring Service (DBS). These new search and filtering tools will also allow users to more quickly find suitable services for their needs. No more downloading complicated spreadsheets! 2. **Easier for service providers to join and maintain information about their service:** once a digital identity service is certified against the UK digital identity and attributes trust framework, providers can apply to join the new register. The new digital-by-default application process means providers and Conformity Assessment Bodies will be proactively notified about the status of their applications. ### The start, not the end Being in public beta means the register is ready to operate at scale and it does many of the things we need it to do. But we’re not done! Up to now we’ve been focused on building a ‘minimum viable product’. Now we’ll be shifting our focus to rapidly iterate and improve upon what we’ve built, so that it can meet more user needs. For example, we’ll be integrating our new trust mark into the register and we’re looking at ways users can be notified when things on the register change. We’ll also be retiring the old spreadsheet-format list very soon, now that providers have had the opportunity to transfer to this new digital service. ### Join the register If you are a service provider who would like to join the new register, we’ve created guidance on how to join the register of digital identity and attribute services. ### Tell us what you think We think that this new digital service is an improvement over what we had before but we know there is more to do to make it great. We’d welcome any feedback on what you think we should do to make the register better for you.

We recently launched the second year of the inclusion monitoring report survey for certified digital verification services. It is compulsory for services certified against the UK digital identity and attributes trust framework to complete the survey. The purpose of the inclusion monitoring report is to build a picture of how inclusive the digital identity market in the UK is. The data gathered is anonymised and used to tell us in OfDIA what changes might need to be made to increase inclusion – for example by changing the trust framework. ## **2024 results: what changes have we made to the trust framework** You can read our blog post that summarises the key findings from the 2024 report or read the full report on GOV.UK. The data from the 2024 surveys informed our approach to a few key areas: 1. **Strengthening accessibility rules in the trust framework** 54% of certified services reported that they adhered to the Web Content Accessibility Guidelines (WCAG) 2.0 (AA) or higher. However, 27% of services answered that they did not know if their service met this standard. Along with other feedback gathered by the team, this finding informed the decision to strengthen accessibility requirements in the latest version of the trust framework (0.4) to ensure that more certified services are meeting these, or equivalent, standards. 2. **Making it easier for services to accommodate vouching** Vouching is when a person confirms the identity of another person in a formal declaration. This is typically used as a method for proving identity when the person doesn’t have traditional identity documents (e.g. for a child getting their first passport). Vouching can therefore offer an important potential route to improve identity inclusion for those without these documents. Two certified services reported that they currently support vouching as a means of proving identity. We are reviewing the vouching guidance to look at how it can better accommodate digital identity verification with the aim that more services may be able to offer this route in future. 3. **Adding trust framework rules on testing biometric technologies** The 2024 data showed that certified services are inconsistent in how they assess potential bias in the biometric technologies they use. To address this, we have introduced more specific requirements about the types of testing for biometric technologies in the latest trust framework (0.4) to ensure that all certified services undergo robust testing. This decision was also supported by feedback on the trust framework 0.3. ## **Improving the survey for 2025** Last year we made some changes to the inclusion monitoring report survey to improve the range and quality of data collected and we are continuing with this new format. This year’s survey is broadly similar to last year’s to ensure we have consistent data points to compare year on year. However, based on feedback from services and our analysis of last year's results we’ve made a number of small improvements: * New questions to understand more about the service to improve the detail of our analysis. For example, are services offering reusable and/or single-use digital identities or attributes and is the service cloud- or device-based * New questions on the average number of customers and average number of checks conducted each month * New questions on _how_ any data on the reasons for drop-outs or unsuccessful checks is collected * Removal of a small number of questions from the technology section that did not produce useful results, such as a question on the oldest operating system a service would be compatible with on a user's device We’ve also introduced a way for providers to download a copy of their answers to enable better record-keeping if providers wish to review or track their own performance each year. The 2025 inclusion monitoring report survey has been sent to certified providers and the deadline for completing is 3 March. We will publish a report on the results once the analysis is complete.

As part of our series of short updates on the Government’s plans to create a legislative framework for secure and trusted digital verification services in the UK, I can now report that the draft legislation has passed an important milestone in its progress through Parliament, as the Data (Use and Access) Bill has finished its passage through the House of Lords. ### **The story so far** The Data Bill was introduced in Parliament in October 2024, beginning its journey in the House of Lords. Part 2 of the Bill underpins the government’s plans to ensure that digital identity products and services offered in the UK can be trusted by those that want to use them.  The legislation was debated by the House of Lords Grand Committee in December 2024. Since then, the draft legislation has been debated further in Report Stage and completed its passage through the House of Lords. Earlier this month, it reached the House of Commons where it was subject to initial scrutiny. ### **What do the debates so far tell us about Parliament’s views on digital identity?    ** House of Lords debates frequently explore the technical details of new laws. While reviewing the digital identity elements of the Data Bill on 21 January, peers were particularly interested in data accuracy, how Parliament should be involved in scrutinising the trust framework rules, and digital identity theft. They laid amendments to the Bill against these topics and three amendments relating to data accuracy (in Clauses 28, 45, and 140) were voted into the Bill. When the Bill had its second reading in the House of Commons on February 12, 2025, the UK digital identity clauses were generally well received. ### **Next steps for digital identity legislation** The Data Bill has now moved on to the House of Commons Committee stage. During this stage, every clause in the Bill will be debated in detail and the Committee decides whether to keep in, change or remove each clause. It is a rigorous process which takes many hours to complete. Committee stage is set to conclude by March 18, after which the Bill will be reprinted and will return to the floor of the House to a further, final debate in what is called the Commons Report stage. The House of Commons scrutiny then finishes with a ‘Third Reading’ of the Bill when MPs vote on whether they are content with it in its latest form. But that’s not the end of the story! Before the Bill can become an Act, any amendments that have been made by the House of Commons to the version of the Bill that was passed by the House of Lords must be agreed between the two Houses through a process called ‘Ping-Pong’. As the name suggests, this is where amendments bounce between both Houses until MPs and peers agree on one version of the Bill. Only at that point is the parliamentary scrutiny complete and the Bill can receive Royal Assent (from HM The King) and become an Act. We’ll bring you further updates on the digital identity parts of the Data Bill, and our plans for implementation, as it moves through these stages. > Sign up to email alerts to receive an update whenever we publish a new blog post.