Digital verification measures in UK law move into operation on 1 December 2025. The Data (Use and Access) Act 2025 (Commencement No. 4) Regulations 2025 (SI 2025/1213), made on 19 November and signed by DSIT Minister of State Ian Murray, bring most of Part 2 into force.
Part 2 establishes the statutory model for digital verification services: a trust framework, supplementary codes, a public register of providers and a trust mark. The Act defines these services as internet‑based verification that confirms facts about an individual using information from sources other than the individual and communicates the result to another party.
The Secretary of State must establish and maintain the Digital Verification Services (DVS) register and make it publicly available. Registration rests on holding a conformity assessment certificate showing the service complies with the DVS trust framework, meeting application requirements set by determination, and paying any prescribed fee.
An “accredited conformity assessment body” is one accredited by the UK national accreditation body under Regulation (EC) 765/2008; certificates must attest compliance with the DVS trust framework. The Secretary of State will publish the application format and required information by determination (section 38) and may set fees by regulations (section 39).
Sections 45 to 48 are not commenced by this instrument. Those provisions create an information gateway for public authorities to disclose information to registered providers, with specific safeguards for HMRC, the Welsh Revenue Authority and Revenue Scotland. Until they commence, no new disclosure power arises.
Section 49-requiring a statutory code of practice governing disclosure under section 45 and subjecting the first version to affirmative resolution-is commenced. Public bodies will need to have regard to that code once the gateway provisions themselves take effect.
DSIT’s published plan indicated most digital verification measures would follow Royal Assent by three to four months; the 1 December start confirms the timing. Earlier commencement regulations (SI 2025/996) brought into force selected Data Protection Act 2018 amendments on 17 November.
For public authorities, the near‑term effect is preparatory. Teams can align procurement and assurance documentation to the trust framework and plan for the forthcoming code, but must continue to use existing legal routes for any data sharing until sections 45 to 48 are commenced.
For providers, the route to registration opens against a government trust framework now live in “gamma 0.4” with an accompanying certification scheme run by DSIT’s Office for Digital Identities and Attributes. Providers should secure certification from an accredited body and prepare application materials once the Secretary of State’s determination is issued.
Once the register is operating, the Secretary of State may designate a trust mark usable only by registered providers, enforceable through civil proceedings. The Act also allows removal from the register for non‑compliance and gives the Secretary of State information‑gathering powers over accredited bodies and registrants.
DSIT confirms that no separate impact assessment accompanies this instrument; the analysis published alongside the Bill remains the reference point, and the department’s collection page sets out commencement plans and factsheets.