Trust Framework legislation

Find out more about the rules and regulations used to regulate digital identity services in New Zealand and ensure they are secure and trusted.

The Trust Framework legislation is made up of the Digital Identity Services Trust Framework Act, regulations and rules. Providers of digital identity services must show they meet these rules and regulations, and other relevant legislation, to be accredited under the Trust Framework Authority.

Rules for digital identity services

The rules for digital identity services establish the technical and operational requirements that digital identity service providers need to comply with to achieve and maintain accreditation. Listed below are the current Trust Framework Rules along with all earlier versions of the rules.

The Trust Framework Rules

This is the current version of the Trust Framework Rules. All earlier amendments are included in this consolidated version.

Original Rules

The ‘original rules’ below are the very first version of the Trust Framework Rules, as they were when first introduced.

Amendment Rules

The ‘amendment rules’ below are the various amendments made to the Trust Framework Rules. To see a particular earlier version of the rules, click on the links below.

The following table summarises all the earlier versions of the Trust Framework Rules.

Rules

Commencement date

Description of amendments

Summary of feedback from consultation

Gazette notice

Digital Identity Services Trust Framework Rules 2024 – consolidated (PDF, 243KB) 

24 July 2024 

Latest consolidated version

n/a

 

Digital Identity Services Trust Framework Amendment Rules 2025-1 (PDF, 172KB)

24 July 2025

Updated some standards and policies; added and clarified definitions in the Interpretation section and small edits to wording and grammar. 

Summary of Feedback

Rules Amendments 2025-1 Gazette Notice

Digital Identity Services Trust Framework Rules 2024  (PDF, 274KB)

 8 November 2024  Original rules  n/a https://gazette.govt.nz/notice/id/2024-sl4900

 

Rules consultation process

Section 18 of the Digital Identity Services Trust Framework Act empowers the Trust Framework Board to recommend amendments to the rules to the Minister.

The rules are amended approximately twice-yearly to keep up with technical and other rapid changes in the digital ecosystem. This is to ensure the rules remain relevant for providers of digital identity services. Below are indicative timelines for amending the rules, although sometimes urgent updates are required outside of these timelines.

Indicative timelines for rules amendments: Diagram shows Indicative timelines for rules amendments. Bi-annual Amendment One has the following timelines: Scoping and drafting – November to February, Rules consultation – March, Approved by Minister – May, In force – June. Bi-annual Amendment Two has the following timelines: Scoping and drafting – May to August, Rules consultation – September, Approved by Minister – November, In force – December.

Considerations for future rules amendments

The table below outlines items we are considering for future rule amendments to ensure the rules stay up-to-date with developments in the digital identity system.

Key:

Analysing

The item is being assessed to understand whether it is in scope for the Trust Framework and its impact, and whether it could be addressed by the rules now or in the future.

Monitoring

The item is being tracked to watch for developments, trends or emerging risks in the digital identity system to understand whether it could be addressed by the rules.

In Discussion

The item is undergoing detailed analysis and stakeholder input to see if it aligns with Trust Framework principles and should be included in the rules.

Item

Status

Add an emerging standard for credential formats to the approved list of standards, pending finalisation of the standard (SD-JWT VC).

In Discussion

Include standards for verifiable physical credentials and cards to enable the option of physical cards (such as ISO 18013-2 and ICAO 9303).

Analysing

Add a new standard for credential presentation to the approved list of standards (W3C Digital Credentials API).

In Discussion

Review the requirements on portability of credentials across facilitation services
(i.e. wallets).

Monitoring

Ban flash pass presentation by facilitation services (i.e. wallets). Currently the TF rules say flash pass “should not” be used. See Rule 9(9).

Monitoring

Consider changing the review requirements for Information and Data Management Plan Reviews and Privacy Impact Assessment Reviews from two yearly to one yearly to align with Security Management Plan Review.

Analysing

Review the current approach to requirements for cryptographic methods.

Analysing

Review the approach to conformance testing and certification to ensure credentials and the presentation of credentials correctly apply the standards set out in the rules.

Analysing

Review the extent to which data minimisation principles are incorporated.

Analysing

Consider a requirement for facilitation services (i.e. wallets) to display whether the relying party intends to retain the information they are requesting.

In Discussion

Review whether user pre-consent/pre-authorisation is permissible on facilitation services (i.e. wallets).

Analysing

Consider the need for requirements for credentials services to only be issued to accredited facilitations services (i.e. wallets).

Monitoring

Consider extending server retrieval prohibition so that credential services can not accept server retrieval requests.

Analysing

Consider whether presentations (in addition to credentials) need to be verified.

Analysing

Consider the need for requirements for issuance/presentation protocols (i.e. OID4VCI/OID4VP).

Analysing

To ensure the rules remain fit-for-purpose, and given the technical nature of the rules, the Trust Framework undertakes targeted consultation with those likely to interact with the rules. If you or your organisation would like to be involved in providing feedback on future amendments to the rules, please email distf@dia.govt.nz

Regulations for digital identity services

The regulations for digital identity services set out the requirements for the accreditation process, including the types of services that may be accredited.

Digital Identity Services Trust Framework Regulations 2024 (SL 2024/197) – New Zealand Legislation website

Digital Identity Services Trust Framework Act

The Digital Identity Services Trust Framework Act 2023 set up the legal framework and supporting governance for ensuring secure and trusted digital identity services for individuals and organisations in New Zealand.

Digital Identity Services Trust Framework Act 2023 — Parliamentary Counsel Office

Back to Top