The Trust Framework legislation is made up of the Digital Identity Services Trust Framework Act, regulations and rules. Providers of digital identity services must show they meet these rules and regulations, and other relevant legislation, to be accredited under the Trust Framework Authority.
Rules for digital identity services
The rules for digital identity services establish the technical and operational requirements that digital identity service providers need to comply with to achieve and maintain accreditation. Listed below are the current Trust Framework Rules along with all earlier versions of the rules.
The Trust Framework Rules
This is the current version of the Trust Framework Rules. All earlier amendments are included in this consolidated version.
Digital Identity Services Trust Framework Rules 2024 – consolidated
Digital Identity Services Trust Framework Rules 2024 – consolidated (web-friendly/HTML version): Update coming soon
Original Rules
The ‘original rules’ below are the very first version of the Trust Framework Rules, as they were when first introduced.
Digital Identity Services Trust Framework Rules 2024 - original
Amendment Rules
The ‘amendment rules’ below are the various amendments made to the Trust Framework Rules. To see a particular earlier version of the rules, click on the links below.
Digital Identity Services Trust Framework Amendment Rules 2025-1
Digital Identity Services Trust Framework Amendment Rules 2026-1
The following table summarises all the earlier versions of the Trust Framework Rules.
|
Rules |
Commencement date |
Description of amendments |
Summary of feedback from consultation |
Gazette notice |
|
Digital Identity Services Trust Framework Rules 2024 – consolidated |
29 June 2026 |
Latest consolidated version |
n/a |
|
|
Digital Identity Services Trust Framework Amendment Rules 2026-1 |
29 June 2026 |
Introduced alternative level of assurance requirements and emerging standards, strengthened privacy protections, differentiating between accredited and non-accredited services, and other minor changes. |
||
|
Digital Identity Services Trust Framework Amendment Rules 2025-1 |
24 July 2025 |
Updated some standards and policies; added and clarified definitions in the Interpretation section and small edits to wording and grammar. |
||
|
8 November 2024 |
Original rules |
n/a |
Rules consultation process
Section 18 of the Digital Identity Services Trust Framework Act empowers the Trust Framework Board to recommend amendments to the rules to the Minister.
The rules are amended regularly to keep up with technical and other rapid changes in the digital ecosystem. Sometimes urgent updates are required. This is to ensure the rules remain relevant for providers of digital identity services. Below is the process for amending the rules.
Considerations for future rules amendments
The table below outlines items we are considering for future rule amendments to ensure the rules stay up-to-date with developments in the digital identity system.
Key:
Analysing
The item is being assessed to understand whether it is in scope for the Trust Framework and its impact, and whether it could be addressed by the rules now or in the future.
Monitoring
The item is being tracked to watch for developments, trends or emerging risks in the digital identity system to understand whether it could be addressed by the rules.
In Discussion
The item is undergoing detailed analysis and stakeholder input to see if it aligns with Trust Framework principles and should be included in the rules.
|
Item |
Status |
|
Add an emerging standard for credential formats to the approved list of standards, pending finalisation of the standard (SD-JWT VC). |
In Discussion |
|
Include standards for verifiable physical credentials and cards to enable the option of physical cards (such as ISO 18013-2 and ICAO 9303). |
Analysing |
|
Add a new standard for credential presentation to the approved list of standards (W3C Digital Credentials API). |
In Discussion |
|
Ban flash pass presentation by facilitation services (i.e. wallets). Currently the TF rules say flash pass “should not” be used. See Rule 9(9). |
Monitoring |
|
Review the approach to conformance testing and certification to ensure credentials and the presentation of credentials correctly apply the standards set out in the rules. |
Analysing |
|
Review the extent to which data minimisation principles are incorporated. |
Analysing |
|
Review whether user pre-consent/pre-authorisation is permissible on facilitation services (i.e. wallets). |
Analysing |
|
Consider the need for requirements for credentials services to only be issued to accredited facilitations services (i.e. wallets). |
Monitoring |
|
Consider the need for requirements for issuance/presentation protocols (i.e. OID4VCI/OID4VP). |
Analysing |
To ensure the rules remain fit-for-purpose, and given the technical nature of the rules, the Trust Framework undertakes targeted consultation with those likely to interact with the rules. If you or your organisation would like to be involved in providing feedback on future amendments to the rules, please email distf@gdda.govt.nz
Regulations for digital identity services
The regulations for digital identity services set out the requirements for the accreditation process, including the types of services that may be accredited.
Digital Identity Services Trust Framework Act
The Digital Identity Services Trust Framework Act 2023 set up the legal framework and supporting governance for ensuring secure and trusted digital identity services for individuals and organisations in New Zealand.
Digital Identity Services Trust Framework Act 2023 — Parliamentary Counsel Office (external link)