Guidance

Join the register of digital identity and attribute services

This guidance sets out how to join the register of digital identity and attribute services.

From:
Office for Digital Identities and Attributes and Department for Science, Innovation and Technology
Published
13 September 2024
Last updated
24 October 2025 — See all updates

A. Introduction 

The statutory register of digital identity and attribute services (“the statutory register”) is a list of government-registered organisations who provide digital verification services (for the purpose of this document referred to as “digital identity services”), published and maintained using the power under section 32 of the Data (Use and Access) Act 2025 (“the Act”). The statutory register will replace the non-statutory register once the relevant provision in the Act commences later this year.  

This guidance sets out how digital identity service providers:  

  • on the non-statutory register, or making applications to appear on that register, are affected by the Act;  
  • can apply to have their services appear on the statutory register;  
  • can update their service or company details on the statutory register;  
  • can remove their details from the statutory register. 

Joining the statutory register will help digital identity service providers demonstrate that their services are safe, secure and reliable. 

B. Data (Use and Access) Act 2025 

1. What does it do? 

The government has, since 2021, been operating a non-statutory pilot register of digital identity and attribute services (“the non-statutory register”) listing services certified against the non-statutory versions of the UK digital identity and attributes trust framework. This non-statutory register will be replaced with the statutory register once the relevant provisions in the Act are commenced. 

The statutory register is to be maintained in line with the requirements of the Act. The statutory register is referred to as the “DVS register” within the Act.  

Section 38 of the Act gives the Secretary of State the power to issue a determination regarding how an application to appear on the statutory register must be made. In order for an application to be valid it must comply with the requirements set out in this determination under part D below. Applications submitted meeting the requirements in the determination are still subject to the powers of refusal given to the Secretary of State in section 34 of the Act. 

2. When will the relevant provisions in the Act be commenced? 

The relevant provisions in the Act have not yet been commenced. Further information will be published on GOV.UK regarding commencement plans. 

3. How does this affect you if you are already on the non-statutory register? 

If you are already on the non-statutory register and wish to appear on the statutory register when it comes into force, you will need to submit an application to appear on the statutory register. Please refer to part D below for the details on how to submit your application. 

4. What happens to the applications to appear on the non-statutory register? 

At present, and until the relevant provisions in the Act commence, the non-statutory register remains effective. However, for us to prepare for the establishment of the statutory register under section 32 of the Act, applications made after the publication of this guidance will be applications to both the non-statutory register and the statutory register.  

Future versions of the trust framework and supplementary codes will include further information for service providers about how to transition from the non-statutory regime to the statutory regime. 

5. What happens upon the commencement of the relevant provisions in the Act? 

Once section 32 of the Act has been commenced, the statutory register will be established and will replace the non-statutory register, meaning that the non-statutory register will cease to exist from that point onwards. 

If you want your service(s) to appear on the statutory register, you must apply to appear on the statutory register by following the steps in part D below. It is important to note that this applies even when your service(s) has already appeared on the non-statutory register. 

C. How to prepare for making an application for the first time 

1. Build a service that meets the requirements of the UK digital identity and attributes trust framework 

Before you can apply to join the statutory register, your service must meet the requirements of one of the versions of the UK digital identity and attributes trust framework. The versions of the UK digital identity and attributes trust framework that are valid for registration are listed in the ‘determination’ in part D. 

If your service is intended to be used for regulatory use cases for which there exists a supplementary code, it must also meet the requirements of the corresponding supplementary code and the applicable guidance. 

2. Get certified by a Conformity Assessment Body (“CAB”) 

After you have developed your service to meet the relevant requirements, you will need to contact an approved Conformity Assessment Body (“CAB”) to certify each service you would like to register. They will check that your service meets the requirements in the trust framework and of any applicable supplementary codes. 

Once your service is certified, your CAB will submit your certificate to the Office for Digital Identities & Attributes (“OfDIA”), along with additional company and contact information. 

OfDIA will check that your certificate is valid and has been issued correctly by your CAB. This process usually takes no more than 1 week. 

D. How to join the statutory register 

This section is published pursuant to section 38 of the Act and is the ‘determination’ to which it refers:  

1. Non-transfer applications 

This section applies to those making an application where their services are not currently listed on the non-statutory register.  

If you hold a certificate from an accredited CAB certifying that services provided by you are provided in accordance with either the:  

  • non-statutory version of the 0.3 publication of the trust framework; 
  • non-statutory version of the 0.4 publication of the trust framework; or 
  • statutory version of the 0.4 publication of the trust framework, 

you may make an application in accordance with the requirements in sections 1.1. to 1.3. below. 

1.1. The form of an application to join the statutory register 

After your CAB has sent your certificate to OfDIA and this has been accepted as valid, you will receive an email from OfDIA with a hyperlink to the online application form to be used to confirm you wish to join the statutory register. 

When completing the online application form you will be able to review the information we hold about you before your application is submitted. 

1.2. The information and documents to be contained in or provided with an application 

You will not need to submit any additional information. Instead, information about your organisation and services will be drawn directly from your certificate(s).  

You must check that the information in your application is correct and matches your certificate. For example, if the certificate says your service is called “My Identity App”, your service will be listed in the statutory register with that name. You cannot ask for the service to be called “My Identity” instead. 

If any information about your company or service(s) is not correct, you should contact your CAB as they may need to amend your certificate before you make your application. 

1.3. The manner in which the application is to be submitted 

You will need to submit your application using the online form provided to you by OfDIA. 

 2. Transfer applications  

If you currently hold a certificate from an accredited CAB certifying that services provided by you are provided in accordance with either the:  

  • non-statutory version of the 0.3 publication of the trust framework; or 
  • non-statutory version of the 0.4 publication of the trust framework; 

and you both: 

  • appear on the non-statutory register; and 
  • wish to appear on the statutory register; 

OfDIA will send you an email and ask you to confirm that you want information about your certified service(s) to appear on the statutory register.  

Once you have replied to this email, you will not need to take any further action and this will be treated as your application to appear on the statutory register. OfDIA will process your application and notify you of its outcome by email. You will not need to submit any additional information. 

3. When you need to apply to remain on the statutory register 

Your CAB will notify OfDIA each time a new certificate is issued by them for your service(s). When you receive a new certificate, you must apply to remain on the statutory register on the basis of your new certificate. The process for doing so is the same as that set out under section 1 of this Part. 

E. Outcome of your application 

OfDIA will review your application within 3 weeks. You will receive an email with the outcome. 

If your application is successful, your organisation and its service(s) will automatically be published on the statutory register or, where applicable, the non-statutory register. 

If we discover an issue with your application or have concerns which mean it may not be successful, we will write to you and, if relevant, your CAB.  

F. What to do if your information changes   

If there are any changes to your service(s) or information that appears on the certificate for your service(s) for which you are currently registered, you must contact your CAB. They will manage changes on your behalf. If your certificate is amended, you will need to reapply following the same process outlined above (see section 1 of part D above). 

If your public contact information for your organisation or service changes, you should contact OfDIA directly to update the details on the statutory register, or the non-statutory register, where applicable.  

G. Removing your details from the register  

In order to request removal of your entry, particular services or notes recording certification against a supplementary code from the statutory register, or non-statutory register where applicable, you should contact OfDIA who will send you a removal request by email. 

You can contact OfDIA by email at: 

correspondence@dsit.gov.uk 

It is important to note that apart from voluntary removal, your details (or services) can be removed by OfDIA from the statutory register pursuant to sections 40 to 44 of the Act.

Updates to this page

Published 13 September 2024
Last updated 24 October 2025 show all updates

  1. Updated to include the "determination" under section 38 of the Data (Use and Access) Act 2025, and information about applications to join the statutory digital verification services register.

  2. Amended section 4 of the guidance on the process for how OfDIA publish services to the register of digital identity and attribute services.

  3. First published.

Sign up for emails or print this page

Contents

Related content