UK digital identity system needs accreditation overhaul, review formally requested

The Age Check Certification Scheme (ACCS) has filed a formal complaint with the continental oversight body for national conformity assessments, stating that the UK’s Digital Identity and Attributes Trust Framework (DIATF) “is not fit for accreditation.”
The organization’s statement, shared on LinkedIn by ACCS Executive Director Tony Allen, argues that the United Kingdom Accreditation Service (UKAS) erred when it approved the UK DIATF as an accreditation scheme in January 2025. ACCS wants European Accreditation to review that decision.
The problem is not so much with the Trust Framework, according to the statement, as with the Certification Scheme Rules from the Department of Science, Innovation and Technology (DSIT). These rules have not been made public or subject to a public consultation, it says, and were not developed by a competent standards development body. As such, “They are badly written, inconsistent, have whole sections or documents missing and lack the appropriate structure of certification scheme rules.”
The statement contrasts this state of affairs with other recent certification schemes, such as those for the EU’s Digital Identity Wallets and Australia’s Digital ID Trust Framework.
The process has “fallen into disarray” in the nearly three years since the original deadline for finalization of the accreditation process in November 2022, ACCS says.
DSIT and the Office for Digital Identities and Attributes (OfDIA) are trying to shepherd the certification scheme to the point where private-sector Conformity Assessment Bodies (CABs) can take over compliance testing.
5 problems identified
The statement identifies five specific issues that need to be resolved to make the scheme work.
Good Practice Guides 44 and 45 are not normative, and therefore provide ambiguous requirements with measurable outcomes, which “makes it technically impossible for a Conformity Assessment Body (CAB) to meet accreditation requirements.”
Audit documentation requirements that require the inclusion of confidential client data contradict the requirement to protect client confidentiality, according to the ACCS.
Audit responsibilities under the scheme rest on guidance that suggests they depend on the size of the organization providing the service, which is inconsistent with the product complexity criteria usually used for product certification under ISO/IEC 17067.
The quality scores for authentication and protection provided in the DVS Register may not be consistent with what the IDSP is providing, because of DSIT’s rules for showing the highest score achievable.
DSIT also has a conflict of interest from running both the governance mechanism and technology being governed, such as GOV.UK One Login.
The complaint comes on the heels of the ACCS releasing the final report for Australia’s Age Assurance Technology Trial, providing a contrast between the two national age assurance regimes.