https://enablingdigitalidentity.blog.gov.uk/2025/06/26/going-to-gamma-uplifting-your-existing-certification-for-the-new-trust-framework-and-supplementary-codes/

Going to gamma: uplifting your existing certification for the new trust framework and supplementary codes

From 1 July 2025, it is possible to get a service certified against the rules in the gamma (0.4) publication of the UK digital identity and attributes trust framework. This blog post explains how service providers who are already certified against the trust framework can ‘uplift’ to the new version.

Check if your certification is eligible to uplift

It is possible to uplift your existing certification to the gamma publication if:

  • your service is certified against the “beta” (0.3) trust framework
  • your certificate is maintained by an approved Conformity Assessment Body and 
  • you complete your uplift before your existing certificate would otherwise expire

Some of the rules in the gamma trust framework are different to the beta trust framework. Before you start the process to uplift your certification, you should review the gamma trust framework and amend your service so that it meets all of the relevant new rules that apply.

If your service is not currently certified – for any reason – you can’t uplift your certification. Your service will be assessed against the gamma trust framework from scratch. Find out more about the certification process on GOV.UK.

Choose your pathway

If your service is eligible, then there are two ways to uplift your existing certification. You can either:

  • use an upcoming surveillance activity, or
  • apply for recertification

Your Conformity Assessment Body can help you to understand which pathway is available to you. Regardless of the approach you take, the rules you will be assessed against will be the same.

Surveillance uplifts

Every service certified against the trust framework is subject to an annual process of “surveillance”. Surveillance activities check that your service still conforms to the trust framework and review anything that has changed.

You can use your next surveillance as your uplift pathway if it is due to take place between now and 31 March 2026 (the date that all beta certificates will now expire).

Under the certification rules for beta (0.3), surveillance activities must take place around the anniversary date of your most recent certification. They can take place no earlier than 30 days before that anniversary date, and no later than 30 days after it. For example, if your certificate was issued on 1 December 2024, your surveillance would take place between 1 November 2025 and 31 December 2025.

If you uplift your service’s certification to gamma through surveillance, your existing certificate expiry date will remain the same and your service will stay on a two-yearly cycle with this uplift until your recertification. 

Recertification uplifts

You must re-certify against gamma to maintain your certification if you cannot use a surveillance activity. If you would prefer to, you can choose to undertake a recertification instead of using the surveillance pathway.

In this scenario, you will become certified for three years – up from the two-year certification cycle under the previous process. 

If you are recertifying before your existing certificate expiry date, you can also “roll over” up to 60 days from your previous certificate. This means that a new certificate for gamma could be issued for up to 3 years and 60 days. 

Example: Your service was originally certified against beta on 1 January 2023 and will expire on 31 December 2025. You are certified against gamma on 1 December 2025. Because you had 30 days left of your certification for beta, your gamma certification rolls over 30 days, meaning your new certificate for gamma is for 3 years and 30 days, expiring 31 December 2028.

Uplift before 31 March 2026

All services must uplift their certification before 31 March 2026. If you do not uplift – either through surveillance or through recertification – then your current certificate will be forcibly expired on this date. This means it cannot be relied upon as proof of compliance with the trust framework and – if it is registered – your service will also be removed from the register of digital identity and attribute services. If your certificate is expired, you will need to start certification from scratch to renew it.

Contact an approved CAB to get started

Conformity assessment activities against the UK digital identity and attributes trust framework can only be provided by approved Conformity Assessment Bodies. The Office for Digital Identities and Attributes publishes a list of approved bodies on GOV.UK.

We recommend speaking, as soon as possible, to an approved Conformity Assessment Body about uplifting your existing certification to the gamma version of the trust framework.
