Guidance

Certification scheme for the UK digital identity and attributes trust framework

Conformity assessment bodies must follow these processes and requirements when certifying services against the UK digital identity and attributes trust framework.

From:: Office for Digital Identities and Attributes and Department for Science, Innovation and Technology
Published: 26 June 2025
Last updated: 12 January 2026 — See all updates

A certification scheme is a structured and standardised approach to providing third-party assurance that required regulations, standards and criteria are met.

The UK digital identity and attributes trust framework certification scheme (the certification scheme) is a set of documents used by conformity assessment bodies (CABs) when they are certifying products, services, and processes against the UK digital identity and attributes trust framework (the trust framework). The documents contain processes, procedures and requirements that CABs must fulfil to certify a service in a compliant way.

The documents in the certification scheme are ~~aimed~~for at CABs. Digital identity and attribute service providers should refer to the UK digital identity and attributes trust framework and supplementary codes for requirements that they must meet to build a service that can become certified.

Certification scheme owner

The Department for Science, Innovation and Technology (DSIT) is the certification scheme owner for the UK digital identity and attributes trust framework. It publishes, maintains and interprets the trust framework and its associated certification scheme.

On a day-to-day basis, the trust framework and the associated certification scheme are managed by officials working in the Office for Digital Identities and Attributes (OfDIA), which ~~sits~~is inan office within DSIT.

CertificationApproved schemeand pilot

~~The~~accredited ~~certification~~conformity ~~scheme~~assessment is ~~currently~~ ~~operating~~ as a ~~unaccredited~~ ~~pilot.~~

bodies

~~OfDIA~~To iscertify ~~working~~services ~~with~~under the UK ~~Accreditation~~digital ~~Service~~identity (~~UKAS~~)and toattributes ~~implement~~trust anframework ~~accredited~~ certification ~~scheme.~~ ~~OfDIA~~ ~~anticipates~~ ~~that~~ ~~the~~ ~~accredited~~ ~~certification~~ scheme ~~will~~conformity beassessment ~~operational~~bodies ~~from~~(CABs) ~~mid-2025.~~must:

~~The~~

be ~~purpose~~approved ofby ~~the~~DSIT, ~~unaccredited~~ ~~pilot~~ is to ~~allow:~~
1. ~~OfDIA~~either tobe ~~test~~accredited ~~whether~~by the ~~trust~~UK ~~framework~~Accreditation ~~and~~Service ~~certification~~(UKAS) ~~scheme~~or isbe ~~fit-for-purpose~~going ~~and~~through ~~meets~~ the ~~government’s~~accreditation ~~policy~~ ~~objectives~~process
2. ~~UKAS~~

We topublish ~~develop~~ a ~~process~~list ~~for~~of ~~accrediting~~the ~~CABs~~conformity asassessment ~~competent~~bodies tofor ~~conduct~~the ~~conformity~~UK ~~assessment~~digital ~~activity~~identity inand ~~line~~attributes ~~with~~trust ~~the~~framework ~~certification~~on ~~scheme~~ GOV.UK.

~~During~~ ~~the~~ ~~pilot,~~ ~~OfDIA~~CABs ismust ~~exclusively~~apply ~~responsible~~ for ~~governance~~approval ~~and~~from OfDIA before ~~oversight~~they ofcan ~~conformity~~apply ~~assessment~~to ~~activity~~UKAS ~~against~~for ~~the~~accreditation. ~~scheme.~~

Approved conformity assessment bodies

~~Only~~ ~~approved~~ ~~conformity~~ ~~assessment~~ ~~bodies~~ (CABs) ~~may~~will ~~certify~~be ~~services~~unable ~~against~~to ~~the~~obtain UKaccreditation ~~digital~~without ~~identity~~prior ~~and~~approval ~~attributes~~ ~~trust~~ ~~framework.~~ from OfDIA.

Any certificate that is issued by a non-approved CAB is not valid under the certification scheme. It cannot be relied upon as evidence of conformity to the UK digital identity and attributes trust framework.

Accreditation for conformity assessment bodies

~~There~~Only ~~are~~certificates noissued by CABs ~~currently~~ accredited to ~~certify~~ ~~services~~ against the trust ~~framework,~~framework as ~~OfDIA~~ is ~~operating~~ an ~~unaccredited~~ ~~pilot~~ ~~certification~~ ~~scheme.~~

~~Once~~ ~~the~~ ~~certification~~ ~~scheme~~ ~~pilot~~ ~~has~~ ~~concluded,~~ ~~CABs~~ ~~must~~ be ~~both~~ ~~approved~~ by ~~OfDIA~~ ~~and~~ ~~accredited~~ by the UK Accreditation Service (~~UKAS~~)are tovalid ~~certify~~for ~~services~~ ~~against~~ the ~~trust~~purposes ~~framework.~~

~~CABs~~of ~~must~~joining ~~apply~~the ~~for~~Digital ~~approval~~Verification ~~from~~Services ~~OfDIA~~register established under ~~before~~Section ~~they~~32 of ~~can~~the ~~apply~~Data to(Use ~~UKAS~~and ~~for~~Access) ~~accreditation.~~ ~~CABs~~ ~~will~~ be ~~unable~~ to ~~obtain~~ ~~accreditation~~ ~~without~~ ~~prior~~ ~~approval~~ ~~from~~ ~~OfDIA~~.Act.

Apply to become an approved conformity assessment body

If you are a CAB and want to be approved to certify services against the UK digital identity and attributes trust framework, ~~please~~ ~~contact~~ us at please email correspondence@dsit.gov.uk.

Alignment to international standards

The certification scheme aligns to the international standard: ISO/IEC 17065:2012 – Requirements for bodies certifying products, processes, and services.

When certifying a digital identity service, CABs must follow both the requirements in the certification scheme and the ISO 17065 international standard.

In developing the certification scheme, OfDIA has also referenced other international standards, including but not limited to:

ISO/IEC 17000 – Conformity assessment – and general principles
ISO/IEC 17007 – Conformity assessment – Guidance for drafting normative documents
ISO/IEC 17020 – Conformity assessment – Requirements for the operation of various types of bodies performing inspection

Certification scheme requirements for CABs

The certification scheme requirements for CABs are captured in a number of documents, some of which are recognised by UKAS. Documents included (latest versions) on UKAS schedule for recognition of the scheme are:

UK DIATF Certification Scheme Requirements for Conformity Assessment Bodies v1.10 (PDF, 1.3 MB, 95 pages)

UK DIATF CAB Personnel Skills and Competencies v1.7 (PDF, 133 KB, 13 pages)

List of Supplementary Codes v1.1 (PDF, 90.5 KB, 8 pages)

How we manage the certification scheme

How we created the certification scheme

The certification scheme has been developed by a combination of civil servants, industry specialists, regulators and other groups with specialist knowledge and experience of digital identity and certification.

Stakeholder input has been incorporated into the certification scheme throughout its development.

When we create a new version

A new version of the certification scheme is created when:

a new version of the UK digital identity and attributes trust framework is published
a new version of a supplementary code (for example, the requirements for the Right to Work process) is published
the certification scheme requirements are amended

Each version of the certification scheme is numbered based on the trust framework version it is aligned to, and the number of iterations since that version was published. For example:

version 0.3.1 of the certification scheme is the first iteration of the certification scheme created aligned to version 0.3 of the trust framework
version 0.4.4 of the certification scheme is the fourth iteration aligned to version 0.4 of the trust framework

How changes are brought into effect

When changes are made to the certification scheme they will be brought into force using this process:

1. Periodic review

The trust framework and its associated certification scheme are regularly reviewed to ensure that they are fit-for-purpose.

The Data (Use and Access) Act requires that the trust framework is reviewed at least annually. This review process does not mean that a new version of the trust framework or the certification scheme will always be needed.

2. Development and iteration

When, as part of the review, OfDIA identifies a need to update the trust framework or certification scheme, then it develops the proposed changes and iterates them based on engagement with relevant stakeholders.

3. Pre-release

Once changes to the trust framework and certification scheme are finalised, they are made available as pre-release versions.

Pre-release versions are near-final documents. They are intended to help:

digital identity services providers to consider what changes they might need to make to their services before new versions of the trust framework or supplementary codes comes into effect
CABs prepare changes to their processes and procedures, so they can successfully implement the certification scheme

Pre-release versions of the trust framework or supplementary codes are published on GOV.UK.

Pre-release versions of the certification scheme are provided directly to approved CABs that are participating in the certification scheme.

CABs cannot certify a service using a pre-release version of the certification scheme.

Where documents include fixed implementation or expiry dates, these are included as placeholders in the pre-release version. These dates are replaced with the final dates when they are finally released.

4. Recognition from the UK Accreditation Scheme

In parallel to pre-release of documents, OfDIA submits each version of the certification scheme to the UK Accreditation Scheme (UKAS) for formal recognition that it is fit-for-purpose as a set of documents.

5. Accreditation

Once the certification scheme has been recognised, CABs can start their accreditation or accreditation uplift process. This means they are assessed by UKAS, which checks that CABs comply with the rules of the scheme.

6. Release

Once the certification scheme is recognised and accreditation has started, OfDIA sets a timeline for transition from the current version to the new version. This timeline will include:

the date from which services can be certified against that version of the trust framework or a supplementary code
the date from which CABs must implement the new certification scheme
the date from which previous versions of the trust framework, supplementary codes and certification scheme expire

The pre-release versions of the documentation are replaced at this stage.

The placeholder dates for implementation and expiry in the pre-release versions are replaced in the final version.

Certification scheme versions

These tables record each version of the certification scheme that OfDIA has developed and brought into effect.

Current version

Trust framework version	Scheme version	Status	Released
Gamma (0.4)	0.4.4	Live	1 July 2025

Upcoming versions

Trust framework version	Scheme version	Status	Expected
1.0	1.0.1	Planned	~~2025~~2026

Previous versions

Trust framework version	Scheme version	Released	Expiry
Beta (0.3)	0.3.1		July 2024
Beta (0.3)	0.3.2	July 2024	January 2025
Beta (0.3)	0.3.3	January 2025	31 March 2026

Published of26 ~~the~~June ~~certification~~2025

Last ~~scheme~~updated ~~documents,~~12 ~~please~~January ~~contact~~2026 ~~Digital~~href="#full-history">+ ~~Identities~~show ~~and~~all ~~Attributes~~ at ~~correspondence@dsit.gov.uk~~updates.

~~Published~~recent updates as well as links to the scheme documents have been added.

26 June 2025

First published.

Contents