Guidance

Certification scheme for the UK digital identity and attributes trust framework

Conformity Assessment Bodies must follow these processes and requirements when certifying services against the UK digital identity and attributes trust framework.

A certification scheme is a structured and standardised approach to providing third-party assurance that required regulations, standards and criteria are met.

The UK digital identity and attributes trust framework certification scheme (the certification scheme) is a set of documents used by Conformity Assessment Bodies (CABs) when they are certifying products, services, and processes against the UK digital identity and attributes trust framework (the trust framework). The documents contain processes, procedures and requirements that CABs must fulfil to certify a service in a compliant way.

The documents in the certification scheme are aimed at CABs. Digital identity and attribute service providers should refer to the UK digital identity and attributes trust framework and supplementary codes for requirements that they must meet to build a service that can become certified.

Certification scheme owner

The Department for Science, Innovation and Technology (DSIT) is the certification scheme owner for the UK digital identity and attributes trust framework. It publishes, maintains and interprets the trust framework and its associated certification scheme.

On a day-to-day basis, the trust framework and the associated certification scheme are managed by officials working in the Office for Digital Identities and Attributes (OfDIA), which sits in DSIT.

Certification scheme pilot

The certification scheme is currently operating as an unaccredited pilot.

OfDIA is working with the UK Accreditation Service (UKAS) to implement an accredited certification scheme. OfDIA anticipates that the accredited certification scheme will be operational from mid-2025.

The purpose of the unaccredited pilot is to allow:

  1. OfDIA to test whether the trust framework and certification scheme are fit-for-purpose and meet the government’s policy objectives
  2. UKAS to develop a process for accrediting CABs as competent to conduct conformity assessment activity in line with the certification scheme

During the pilot, OfDIA is exclusively responsible for governance and oversight of conformity assessment activity against the scheme.

Approved Conformity Assessment Bodies

Only approved Conformity Assessment Bodies (CABs) may certify services against the UK digital identity and attributes trust framework. 

Any certificate that is issued by a non-approved CAB is not valid under the certification scheme. It cannot be relied upon as evidence of conformity to the UK digital identity and attributes trust framework.

Accreditation for Conformity Assessment Bodies

There are no CABs currently accredited to certify services against the trust framework, as OfDIA is operating an unaccredited pilot certification scheme.

Once the certification scheme pilot has concluded, CABs must be both approved by OfDIA and accredited by the UK Accreditation Service (UKAS) to certify services against the trust framework.

CABs must apply for approval from OfDIA before they can apply to UKAS for accreditation. CABs will be unable to obtain accreditation without prior approval from OfDIA.

How to apply to become an approved Conformity Assessment Body

If you are a CAB and want to be approved to certify services against the UK digital identity and attributes trust framework, please contact us at correspondence@dsit.gov.uk.

Alignment to international standards

The certification scheme aligns to the international standard: ISO/IEC 17065:2012 – Requirements for bodies certifying products, processes, and services. 

When certifying a digital identity service, CABs must follow both the requirements in the certification scheme and the ISO 17065 international standard.

In developing the certification scheme, OfDIA has also referenced other international standards, including but not limited to: 

  • ISO/IEC 17000 – Conformity assessment — Vocabulary and general principles
  • ISO/IEC 17007 – Conformity Assessment – Guidance for drafting normative documents
  • ISO/IEC 17020 – Conformity assessment — Requirements for the operation of various types of bodies performing inspection

How we manage the certification scheme

How we created the certification scheme

The certification scheme has been developed by a combination of civil servants, industry specialists, regulators and other groups with specialist knowledge and experience of digital identity and certification. 

Stakeholder input has been incorporated into the certification scheme throughout its development.

When we create a new version

A new version of the certification scheme is created when:

  • a new version of the UK digital identity and attributes trust framework is published
  • a new version of a supplementary code (for example, the requirements for the Right to Work process) is published
  • the certification scheme requirements are amended

Each version of the certification scheme is numbered based on the trust framework version it is aligned to, and the number of iterations since that version was published. For example:

  • version 0.3.1 of the certification scheme is the first iteration aligned to version 0.3 of the trust framework
  • version 0.4.4 of the certification scheme is the fourth iteration aligned to version 0.4 of the trust framework

How changes are brought into effect

When changes are made to the certification scheme they will be brought into force using this process:

1. Periodic review 

The trust framework and its associated certification scheme are regularly reviewed to ensure that they are fit-for-purpose. 

The Data (Use and Access) Act requires that the trust framework is reviewed at least annually. This review process does not mean that a new version of the trust framework or the certification scheme will always be needed.

2. Development and iteration

When, as part of the review, OfDIA identifies a need to update the trust framework or certification scheme, then it develops the proposed changes and iterates them based on engagement with relevant stakeholders.

3. Pre-release

Once changes to the trust framework and certification scheme are finalised, they are made available as pre-release versions.

Pre-release versions are near-final documents. They are intended to help:

  • digital identity service providers consider what changes they might need to make to their services before new versions of the trust framework or supplementary codes come into effect
  • CABs prepare changes to their processes and procedures, so they can successfully implement the certification scheme

Pre-release versions of the trust framework or supplementary codes are published on GOV.UK.

Pre-release versions of the certification scheme are provided directly to approved CABs that are participating in the certification scheme.

CABs cannot certify a service using a pre-release version of the certification scheme.

Where documents include fixed implementation or expiry dates, these are included as placeholders in the pre-release version. The placeholders are replaced with the final dates when the documents are released.

4. Recognition from the UK Accreditation Service

In parallel to pre-release of documents, OfDIA submits each version of the certification scheme to the UK Accreditation Service (UKAS) for formal recognition that it is fit-for-purpose as a set of documents.

5. Accreditation

Once the certification scheme has been recognised, CABs can start their accreditation process. This means they are assessed by UKAS, which checks that CABs comply with the rules of the scheme.

6. Release

Once the certification scheme is recognised and accreditation has started, OfDIA sets a timeline for transition from the current version to the new version. This timeline will include:

  • the date from which services can be certified against that version of the trust framework or a supplementary code
  • the date from which CABs must implement the new certification scheme
  • the date from which previous versions of the trust framework, supplementary codes and certification scheme expire

The pre-release versions of the documentation are replaced at this stage. 

The placeholder dates for implementation and expiry in the pre-release versions are replaced in the final version.

Certification scheme versions

These tables record each version of the certification scheme that OfDIA has developed and brought into effect.

Current version

| Trust framework version | Scheme version | Status | Released    |
|-------------------------|----------------|--------|-------------|
| Gamma (0.4)             | 0.4.4          | Live   | 1 July 2025 |

Upcoming versions

| Trust framework version | Scheme version | Status  | Expected |
|-------------------------|----------------|---------|----------|
| 1.0                     | 1.0.0          | Planned | 2025     |

Previous versions

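| Trust framework version | Scheme version | Released     | Expiry        |
|-------------------------|----------------|--------------|---------------|
| Beta (0.3)              | 0.3.1          |              | July 2024     |
| Beta (0.3)              | 0.3.2          | July 2024    | January 2025  |
| Beta (0.3)              | 0.3.3          | January 2025 | 31 March 2026 |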

To obtain a version of the certification scheme documents, please contact the Office for Digital Identities and Attributes at correspondence@dsit.gov.uk.

Updates to this page

Published 26 June 2025
