Guidance

Join the register of digital identity and attribute services

How to apply to join the register and keep your information up to date.

From:
Office for Digital Identities and Attributes and Department for Science, Innovation and Technology
Published
13 September 2024
Last updated
1 December 2025 — See all updates

Introduction 

The register of digital identity and attribute services (the register) is a list of government-registered organisations who provide digital verification services (DVS providers).

Joining the register helps you, as a DVS provider, to demonstrate that your organisation and the services you provide are safe, secure, and reliable. This is because the register only contains details of services that have been independently certified as meeting government standards.

Making a valid application 

The Secretary of State has a duty to establish and maintain the register under section 32 of the Data (Use and Access) Act 2025 (the Act). The Office for Digital Identities and Attributes (OfDIA) does this on their behalf. 

The Secretary of State has the power to decide how organisations apply to appear on the register, under section 38 of the Act. This is known as the determination, and your application must meet the requirements of the determination (under part C of the Act), to be valid.  

This guidance explains how you can:   

  • apply to appear on the register along with details of the service(s) you provide 
  • update your details once they are published 
  • reapply for your service to remain on the register before an existing entry expires 
  • request removal of details from the register 

Before you apply 

You will need to submit a separate application for each service you want published on the register. 

A. Check that the service meets the rules and standards  

Before you can apply, you must understand the rules and standards that each service you want to publish on the register must meet. These are set out in the UK digital identity and attributes trust framework (trust framework).  

UK digital identity and attributes supplementary codes are also in place for the following use cases: 

  • right to work checks 
  • right to rent checks 
  • Disclosure and Barring Service digital identity checks 

If you intend to provide a service that will be used in one of these use cases, it must also meet these standards.

B. Get the service independently certified  

Once you are satisfied that the service meets the applicable rules and standards, you will need to contact one of the approved conformity assessment bodies for the UK digital identity and attributes trust framework

The conformity assessment body (CAB) will independently evaluate whether the service meets the necessary standards before it issues a certificate of conformity (the certificate).

The CAB will submit the certificate for the service to us, at OfDIA.  

We will check the information on the certificate, and make sure that the CAB has issued it correctly (following the certification rules we provide them with). This process can take up to 1 week.

Check and submit your application 

Once we have checked the certificate issued by the CAB, we will email you a link to an online application for the service. We will have already filled in the application form with details taken from the certificate.  

You do not need to send us any additional information or documentation. 

Step 1: Check the application details  

You must check that the information in the application is correct and matches the wording on the certificate exactly. For example, if the certificate details the service name as ‘My Identity App’, we will publish the service with that name on the register. You cannot use another name instead.

If any information about your company or service is incorrect, or differs from the wording on the certificate, you must contact the CAB directly. They will need to amend the certificate before you can continue with the application. 

Step 2: Submit the application 

The application form will ask you to confirm that you agree to publish the information, exactly as it appears, before you proceed with your application. 

What happens after you apply 

We will review your application and email you the outcome within 3 weeks. 

If we discover an issue which means it may not be successful, we will email you, and if necessary the CAB, to explain what needs to change.

If your application is successful, we’ll automatically publish your details on the register.

Even if your application meets these requirements, the Act allows the Secretary of State to refuse to register you as a DVS provider in certain circumstances (which are set out in the Act).

Remain on the register 

Each certificate contains an expiry date.  

We will automatically remove the service from the register at 11:59pm (UK time) on the date of expiry unless, before this time you: 

  • get a new certificate 
  • complete the reapplication process 

Reapply before your existing certificate expires 

You can recertify the service up to 60 days before the existing certificate expires. Doing this means:

  • we have time to process your application 
  • your service stays on the register without interruption 
  • you can roll over 60 days from the end of the existing certificate onto the expiry date of the new one 

You do not have to use the same approved CAB that issued the existing certificate when reapplying.

Keep your information up to date  

You must contact the CAB if there are any changes to: 

  • the service 
  • information details, which mean they differ to those that appear on the certificate  

If the CAB needs to amend the certificate for the service because of the changes, you will need to reapply for it to be published on the register.

You may also choose to publish information on the register that is not on the certificate, such as a public facing email address or phone number. If these details change, contact the CAB who will update them for you.

Removing details from the register  

You must email correspondence@dsit.gov.uk if you want to remove: 

  • all information about you as a DVS provider and your services 
  • one or more services 
  • details about any supplementary codes a service is certified against 

We will then remove that information from the register.

We can also remove this information from the register, in certain circumstances, using powers and duties set out in the Act.

Updates to this page

Published 13 September 2024
Last updated 1 December 2025 show all updates

  1. Changes have been made in line with publishing the determination under Section 38 of the Data (Use and Access) Act 2025. Changes have been cleared by lawyers.

  2. Updated to include the "determination" under section 38 of the Data (Use and Access) Act 2025, and information about applications to join the statutory digital verification services register.

  3. Amended section 4 of the guidance on the process for how OfDIA publish services to the register of digital identity and attribute services.

  4. First published.

Sign up for emails or print this page

Contents

Related content