https://enablingdigitalidentity.blog.gov.uk/2025/11/05/what-are-valid-certificates-under-the-uk-digital-identity-and-attributes-trust-framework/

What are valid certificates under the UK digital identity and attributes trust framework?

As a digital verification service (“DVS”) provider, you need to have a valid certificate of conformity (“a certificate”) if you want to:

  • prove your service conforms with the rules of the UK digital identity and attributes trust framework (“the trust framework”)
  • apply for your service to be on the GOV.UK register of digital identity and attribute services (“the register”) 

Standards you, your service and your certificate must meet

A certificate is an official document that confirms a service has been successfully evaluated as meeting the requirements in the trust framework and any relevant supplementary codes.

For a certificate to be valid within the trust framework certification scheme (“the scheme”), it must meet specific criteria:

1. Issued by an approved and accredited Conformity Assessment Body (CAB)

Your service must be evaluated by a CAB that has been approved by the Office for Digital Identities and Attributes (“OfDIA”) and accredited by the UK Accreditation Service (“UKAS”). It’s fine to work with a CAB that’s either:

  • accredited by UKAS at the time the CAB issues the certificate
  • going through the UKAS accreditation process at the time the CAB evaluates your service

If you choose to work with a CAB that is in the process of seeking accreditation, and they issue a certificate for your service, it will have validity whilst that CAB goes through the accreditation process. Thereafter the certificate they issue will only continue to be valid if the CAB becomes UKAS accredited. You will also have to wait to apply to get onto the register until the CAB is officially accredited.

We publish a list of approved conformity assessment bodies for the scheme on GOV.UK. 

2. Issued in line with the rules CABs must follow

Just as there are rules that DVS providers must follow, there are also rules for CABs to follow when conducting an evaluation and deciding whether to certify your service.

CABs are solely responsible for making decisions about whether or not to certify a service against the trust framework. However, the certificates they issue are only valid under the scheme if the issuing CAB follows all of the rules about how to certify a service. We have set out these rules that CABs must meet in our certification scheme requirements.

This means that there may be occasions when a CAB issues a certificate to a service that meets the requirements under the trust framework and any relevant supplementary codes, but that certificate is not valid because the CAB is not compliant with our certification scheme requirements.

3. Certificates contain the required information

Each CAB can create their own layout for the certificates they issue, but they must include the information that we specify in the certification scheme requirements:

Information about the DVS

For the trust framework certification scheme, each certificate must contain key information to identify the DVS, which includes:

  • the name of the service that has been certified
  • the name of the company that provides the service
  • the date the certificate was issued and when it is valid until
  • how the service can be accessed online

Information about what the DVS can do

The certificate must also include other information about what the DVS is allowed to do, such as:

  • the type of DVS it is (for example, an identity or attribute service)
  • the identity profiles the service can produce
  • the quality of protection and authentication the service can achieve
  • if relevant, the supplementary codes the service supports

If a certificate isn’t produced correctly, for example if it’s missing information, it’s not valid.

Checking certificate validity

CABs submit all certificates produced under the certification scheme to OfDIA, and we check they have been produced in accordance with the certification scheme rules.

Sometimes, we may need to return a certificate to a CAB; for example, if it has incorrect or missing information. We’ll ask the CAB to investigate and submit a new, corrected certificate if necessary.

We’ll invite you to publish details about your services

Once your service has been issued a valid certificate, we’ll invite you to apply to have your details published on the GOV.UK register of digital identity and attribute services.

Once they come into force, provisions in the Data (Use and Access) Act 2025 place a duty on us, acting on behalf of the Secretary of State, to register you and your service in the statutory register if you meet the conditions set out in section 33(1) of the Act (subject to limited exceptions). One of these conditions is that you must hold a certificate confirming compliance with the trust framework issued by a CAB which has been accredited by UKAS.

What happens if a certificate is not valid

If a certificate is not valid, you can’t rely on it to prove your service conforms to the trust framework and you can’t apply to have it shown on the register.
