Maintaining accreditation

Trust Framework Provider obligations following accreditation

October 2025

There are obligations on providers to enable them to keep their accreditation. Providers must ensure that the service(s) they deliver continue to meet the requirements of the:

In addition to complying with legislated requirements in relation to the accredited service(s), the obligations providers must comply with to maintain accreditation are summarised below:

Requirement

What does this mean for providers?

TF providers must comply with the relevant terms of use when using an accreditation mark.

Providers must comply with the terms of use once the provider and service(s) they offer are accredited: https://www.dia.govt.nz/Trust-Framework-Authority-accreditation-mark

 

Obligation to tell TF authority of changes to key information or specified information

Providers must inform the Trust Framework Authority if there are any changes to the TF provider or accredited services. This includes any change to information provided during accreditation or renewal, or that may impact on accreditation or delivery of the service.

This may be done by emailing tfa@dia.govt.nz. If a provider is unsure as to whether a change should be notified to the Trust Framework Authority, it is recommended that they get in touch to discuss the situation.

It is an offence to fail to tell the Trust Framework Authority of a change to key information or specified information.

Record-keeping and reporting by TF providers

Providers must collect information about their activities and give that information to the Trust Framework Authority as required and on request. This information includes records of transactions, events and actions occurring in the normal course of users starting, progressing and completing their digital transactions. It also includes information defined in reporting templates and information required for incident notifications.

In addition to regular reporting by providers, the Trust Framework Authority may request information to assist with compliance monitoring activities or investigations.

Reporting

Providers are required to submit regular reports to the Trust Framework Authority.

Trust Framework Authority six monthly report template [DOCX, 1MB]
Regulation 19(1) of the Digital Identity Services Trust Framework Regulations requires all Trust Framework providers to report to the Trust Framework Authority at the end of each 6-month period on the use of their accredited services during that period.

Trust Framework Authority annual report template [DOCX, 450KB]
Regulation 19(2) of the Digital Identity Services Trust Framework Regulations requires all Trust Framework providers to report to the Trust Framework Authority about the use of their accredited services during each 12-month period.

Trust Framework Authority two yearly report template [DOCX, 448KB]
This template provides attestations that certain required activities have been completed every two years, starting from two years following the date of the accreditation.

The Trust Framework Authority will communicate with providers prior to reporting being due, will do this in sufficient time to allow providers to respond, and will send the reporting template(s) and confirm the date by which reports are due.

Incident notification

Providers are required to notify the Trust Framework Authority of any incident related to the provider or the service(s) as soon as practicable. “Incident” means an event that affects or will affect privacy, confidentiality, or the integrity or availability of an accredited service, or may cause serious harm.

This may be done by emailing tfa@dia.govt.nz.

If a provider is unsure as to whether an incident should be notified to the Trust Framework Authority, it is recommended that they get in touch to discuss the situation.

Significant cyber security incidents must also be reported to the National Cyber Security Centre and any other organisation as required by the TF Authority.

Renewal

Accreditation is for a period of three years. For accreditation to continue, providers will need to apply to renew their accreditation, or the accreditation of an accredited service they provide, prior to the expiry of accreditation.

The Trust Framework Authority will communicate with providers prior to the expiration of accreditation, will do this in sufficient time to allow providers to apply for renewal, and will send the application requirements and confirm the date by which the application for renewal is due.

 
