Most of the UK’s new regime for digital verification services will start on 1 December 2025. Ministers have signed the fourth commencement regulations under the Data (Use and Access) Act 2025, bringing most of Part 2 into force while holding back sections 45 to 48 for now. For fintech, regtech and any firm buying identity checks, the timetable is now clear.

What does Part 2 actually set up? The Act creates a statutory structure built around a trust framework, supplementary codes, a government‑run register of providers and a trust mark, with an information gateway also defined in law. In plain terms, digital verification services move from guidance to a regulated footing.

For providers, registration won’t be a tick‑box. The Act requires a certificate from an accredited conformity assessment body to show services meet the DVS trust framework, with scope for fees set by regulations. The register records which services you’re approved to deliver, and there’s a route to add new services once certified.

One important piece won’t switch on next month: the information gateway. By excluding sections 45 to 48 for now, the order delays provisions on public authorities sharing information with registered DVS providers. Anyone banking on direct taps into government records should plan interim routes.

DSIT’s earlier roadmap said most DVS measures would begin around three to four months after Royal Assent. This order fixes the operational date and the sequencing-DVS registration and the trust framework first, public‑sector data sharing later. That staging should help firms prioritise engineering and compliance work.

On supervision, the ICO has been clear: it continues to regulate the UK GDPR, DPA 2018 and PECR as amended, and applies the law that was in force when any infringement occurred. That steadies enforcement expectations during the transition.

The audit market is already warming up. In September, BSI launched a certification service aligned to the government’s Digital Identity and Attributes Trust Framework. While DIATF predates the Act, in our view many control themes will map closely to the forthcoming DVS trust framework-useful for providers choosing a conformity assessment partner.

Practical next steps for providers over the coming days: confirm your services fall within the Act’s definition of digital verification, map data flows to the trust framework’s expected rules, line up an accredited assessor, and update privacy notices and DPIAs to reflect certification claims and trust‑mark use. Build DSIT fee assumptions into budgets and prepare customer‑facing comms that explain what registration means for reliability and redress.

Buy‑side teams-banks, fintechs, marketplaces, telcos, age‑assurance and gig‑economy platforms-should ask vendors to confirm their plan to appear on the register and to evidence accreditation. Add a contractual requirement to maintain registration, design a fallback if a provider slips, and re‑test onboarding flows so they can accept the trust mark when it arrives without disrupting conversion.

Two things to watch from here. First, the publication of the DVS trust framework and any supplementary codes: the Act requires consultation with the ICO and allows the framework to specify when it takes effect. Second, costs: the instrument carries no new impact assessment because the government published one during the Bill stage-helpful context for boards signing off spend.