Most of Part 2 of the Data (Use and Access) Act 2025 will take effect from 1 December 2025 under the Data (Use and Access) Act 2025 (Commencement No. 4) Regulations 2025. Sections 45 to 48 are excluded at this stage, meaning the new public‑authority information‑sharing gateway is not yet active. The regulations are the fourth commencement instrument made under the Act.
Part 2 creates the statutory structure for digital verification services. The Act defines these services as checks requested by an individual that verify a fact about them using third‑party data, with confirmation provided to another party. The framework comprises a trust framework, supplementary codes, a public register, an information gateway and a trust mark.
The register must be established and made publicly available by the Secretary of State. Registration depends on a certificate from an accredited conformity assessment body confirming that a provider meets the trust framework, alongside a compliant application and any required fee.
A statutory code of practice on disclosures under the gateway is also provided for. The Secretary of State must consult the Information Commissioner and devolved administrations, then lay the code before both Houses for approval before publication.
The gateway itself is not yet commenced. When in force, section 45 will allow public authorities to disclose information to registered providers for an individual’s verification request, while sections 46 to 48 add specific safeguards for HMRC, the Welsh Revenue Authority and Revenue Scotland respectively. Until commencement, those powers cannot be used.
For departments and agencies, the practical effect is that any data sharing with providers must continue to rely on existing legal powers and routes. Ministers have previously indicated that HMRC‑related powers would not be commenced until tax‑confidentiality safeguards and processes are proven.
For providers, the immediate task is operational readiness for registration: obtain certification against the trust framework, prepare applications and fee payments, and plan for the trust mark, which may only be used by registered providers. Providers and accredited bodies can also be required to supply information to the Secretary of State to support oversight of the regime.
DSIT’s published timetable envisaged staged commencement across the Act, with digital verification measures scheduled early in the rollout. The new regulations deliver that step while leaving the gateway provisions to follow via a later instrument.
Key points to watch now are publication of the DVS trust framework, opening of the public register to applications, the laying of the disclosure code before Parliament, and subsequent commencement regulations to bring sections 45 to 48 into force.