- TRUST FRAMEWORK FOR DIGITAL IDENTITY
- Trust Framework Authority
- Share your information in a digital format
- NZ Verify
- Benefits of using digital identity services
- Trust Framework Authority accreditation mark
- Trust Framework legislation
- Trust Framework Regulatory bodies
- Trust Framework Register
- Accreditation & maintenance
- Forms and guidance
- Independent evaluators
- Resources
- Make a complaint
Trust Framework legislation
Find out more about the rules and regulations used to regulate digital identity services in New Zealand and ensure they are secure and trusted.
The Trust Framework legislation is made up of the Digital Identity Services Trust Framework Act, regulations and rules. Providers of digital identity services must show they meet these rules and regulations, and other relevant legislation, to be accredited under the Trust Framework Authority.
-
The rules for digital identity services establish the technical and operational requirements that providers need to meet to be accredited.
- Regulations for digital identity services
The regulations for digital identity services set out the requirements for the accreditation process, including the types of services that may be accredited.
- Digital Identity Services Trust Framework Act
The Digital Identity Services Trust Framework Act 2023 set up the legal framework and supporting governance for ensuring secure and trusted digital identity services for individuals and organisations in New Zealand.
Rules for digital identity services
The rules for digital identity services establish the technical and operational requirements that digital identity service providers need to comply with to achieve and maintain accreditation. Listed below are the current Trust Framework Rules along with all earlier versions of the rules.
The Trust Framework Rules
This is the current version of the Trust Framework Rules. All earlier amendments are included in this consolidated version.
Original Rules
The ‘original rules’ below are the very first version of the Trust Framework Rules, as they were when first introduced.
Amendment Rules
The ‘amendment rules’ below are the various amendments made to the Trust Framework Rules. To see a particular earlier version of the rules, click on the links below.
The following table summarises all the earlier versions of the Trust Framework Rules.
Rules |
Commencement date |
Description of amendments |
Summary of feedback from consultation |
Gazette notice |
---|---|---|---|---|
Digital Identity Services Trust Framework Rules 2024 – consolidated (PDF, 243KB) |
24 July 2024 |
Latest consolidated version |
n/a |
|
Digital Identity Services Trust Framework Amendment Rules 2025-1 (PDF, 172KB) |
24 July 2025 |
Updated some standards and policies; added and clarified definitions in the Interpretation section and small edits to wording and grammar. |
||
Digital Identity Services Trust Framework Rules 2024 (PDF, 274KB) |
8 November 2024 | Original rules | n/a | https://gazette.govt.nz/notice/id/2024-sl4900 |
Rules consultation process
Section 18 of the Digital Identity Services Trust Framework Act empowers the Trust Framework Board to recommend amendments to the rules to the Minister.
The rules are amended approximately twice-yearly to keep up with technical and other rapid changes in the digital ecosystem. This is to ensure the rules remain relevant for providers of digital identity services. Below are indicative timelines for amending the rules, although sometimes urgent updates are required outside of these timelines.
Considerations for future rules amendments
The table below outlines items we are considering for future rule amendments to ensure the rules stay up-to-date with developments in the digital identity system.
Key:
Analysing
The item is being assessed to understand whether it is in scope for the Trust Framework and its impact, and whether it could be addressed by the rules now or in the future.
Monitoring
The item is being tracked to watch for developments, trends or emerging risks in the digital identity system to understand whether it could be addressed by the rules.
In Discussion
The item is undergoing detailed analysis and stakeholder input to see if it aligns with Trust Framework principles and should be included in the rules.
Item |
Status |
---|---|
Add an emerging standard for credential formats to the approved list of standards, pending finalisation of the standard (SD-JWT VC). |
In Discussion |
Include standards for verifiable physical credentials and cards to enable the option of physical cards (such as ISO 18013-2 and ICAO 9303). |
Analysing |
Add a new standard for credential presentation to the approved list of standards (W3C Digital Credentials API). |
In Discussion |
Review the requirements on portability of credentials across facilitation services |
Monitoring |
Ban flash pass presentation by facilitation services (i.e. wallets). Currently the TF rules say flash pass “should not” be used. See Rule 9(9). |
Monitoring |
Consider changing the review requirements for Information and Data Management Plan Reviews and Privacy Impact Assessment Reviews from two yearly to one yearly to align with Security Management Plan Review. |
Analysing |
Review the current approach to requirements for cryptographic methods. |
Analysing |
Review the approach to conformance testing and certification to ensure credentials and the presentation of credentials correctly apply the standards set out in the rules. |
Analysing |
Review the extent to which data minimisation principles are incorporated. |
Analysing |
Consider a requirement for facilitation services (i.e. wallets) to display whether the relying party intends to retain the information they are requesting. |
In Discussion |
Review whether user pre-consent/pre-authorisation is permissible on facilitation services (i.e. wallets). |
Analysing |
Consider the need for requirements for credentials services to only be issued to accredited facilitations services (i.e. wallets). |
Monitoring |
Consider extending server retrieval prohibition so that credential services can not accept server retrieval requests. |
Analysing |
Consider whether presentations (in addition to credentials) need to be verified. |
Analysing |
Consider the need for requirements for issuance/presentation protocols (i.e. OID4VCI/OID4VP). |
Analysing |
To ensure the rules remain fit-for-purpose, and given the technical nature of the rules, the Trust Framework undertakes targeted consultation with those likely to interact with the rules. If you or your organisation would like to be involved in providing feedback on future amendments to the rules, please email distf@dia.govt.nz
Regulations for digital identity services
The regulations for digital identity services set out the requirements for the accreditation process, including the types of services that may be accredited.
Digital Identity Services Trust Framework Regulations 2024 (SL 2024/197) – New Zealand Legislation website
Digital Identity Services Trust Framework Act
The Digital Identity Services Trust Framework Act 2023 set up the legal framework and supporting governance for ensuring secure and trusted digital identity services for individuals and organisations in New Zealand.
Digital Identity Services Trust Framework Act 2023 — Parliamentary Counsel Office