What's new in the Digital ID Act framework? Updates to Digital ID and Accreditation Rules

• 26 November 2025 • 7 min read

The Digital ID Act 2024 (Cth) (Digital ID Act) will soon be celebrating the first anniversary of its commencement, and it has been an eventful year, spawning no fewer than six subordinate instruments, including the Digital ID Rules 2024 (Cth) (Digital ID Rules) and the Digital ID (Accreditation) Rules 2024 (Cth) (Accreditation Rules). In one last hurrah before the Digital ID Act’s first birthday, important amendments have been made to both the Digital ID Rules[1] and the Accreditation Rules[2] – and Maddocks was engaged by the Australian Government Department of Finance to advise on the impacts of those amendments while they were being developed, following our earlier work in the development of these instruments as well as the Digital ID Act. In this article, we summarise the key changes to the Digital ID Rules and the Accreditation Rules which came into effect on 19 November 2025.

Digital ID Rules

The Digital ID Rules have been amended to:

  • introduce the redress framework (required by s.88 of the Digital ID Act) for cyber security incidents and digital ID fraud incidents (Incidents) that occur, or are reasonably suspected to have occurred, in relation to the accredited services provided by accredited attribute service providers (ASP) and accredited identity service providers (collectively, Providers) that are or were participating in the Australian Government Digital ID System (AGDIS). The redress framework:
     
    • requires Providers to notify each individual affected by an Incident, in appropriate circumstances (r.4A.2). This new rule complements existing r.4.2, which requires Providers to notify the System Administrator of such Incidents, including notification of whether the individuals affected have been informed of the Incident. Rule 4.2 has also been amended (as summarised further below);
       
    • requires Providers to refer to the System Administrator unresolved technical issues within the Provider’s control that render an individual’s digital ID unusable as a result of an Incident, and which cannot be resolved without referral to the System Administrator, after the Provider has directed the individual to publicly available resources and helped them to identify any other entity in control of the technical issue (r.4A.3 and r.4A.5). The System Administrator may recommend a resolution to an Incident referred to it by a Provider, including that the Provider provide an explanation or apology to the affected individual (r.4A.4); and
       
    • requires Providers to develop and publish policies addressing the identification, management and resolution of Incidents, as well as the process by which an individual can make a complaint to the Provider, its procedures for dealing with complaints, and timeframes for its resolution of complaints (rr.4A.6–8);
       
  • require entities that are or were participating in the AGDIS to investigate an Incident that occurs in relation to their services, if directed to do so by the System Administrator, and to report the findings of that investigation to the System Administrator (rr.4.2(7)–(9)). Rule 4.2(3) already requires participating entities to notify the System Administrator of certain details in such circumstances – this new rule enables the System Administrator to obtain additional information through further investigations, if required;
     
  • create a streamlined application process for government entities seeking approval pursuant to s.61 of the Digital ID Act to provide their services within the AGDIS, following a machinery-of-government change (MoG) through which that service was (or will be) transferred to the applicant from another government entity that held such approval (r.1.5 and r.2.3). This will help ensure continuity of service for individuals when MoGs occur, and reduce the administrative burden for government entities; and
     
  • authorise the Data Standards Chair to use or display the Digital ID Accreditation Trustmark in connection with their statutory functions. The Data Standards Chair is responsible for making and reviewing Digital ID Data Standards, which provide for the technical and operational requirements of the AGDIS and the accreditation scheme. The Digital ID Accreditation Trustmark is a visual indicator signalling that an entity is accredited under that scheme – an unauthorised use of it attracts a civil penalty under s.118 of the Digital ID Act. Accordingly, the Data Standards Chair may now lawfully use or display the Digital ID Accreditation Trustmark in the materials that they develop in the performance of their statutory functions.

Accreditation Rules

The Accreditation Rules have been amended to:

  • incorporate relevant controls of the Protective Security Policy Framework (PSPF) by reference (with which non-corporate Commonwealth entities (NCCE) must comply in respect of their accredited services), instead of replicating those controls (as was previously done in a now deleted schedule). This enables timely adoption of updates to the PSPF, which underwent a major update in July 2025, including new requirements relating to artificial intelligence;
     
  • require accredited entities that are not NCCEs to comply with an international standard for information security management (ISO/IEC 27001) or an alternative framework which includes all the same kinds of controls;
     
  • provide a transition period of 3 months for NCCEs to adopt changes to the PSPF and 12 months for non-NCCEs to adopt changes to an alternative standard. This approach balances the need for timely implementation of changes to protective security frameworks and the practical realities faced by entities in achieving compliance with these obligations in a fast-evolving environment. Notwithstanding these grace periods:
     
    • NCCEs are required as a matter of policy to comply with the PSPF at all times; and
       
    • the Digital ID Regulator may direct accredited entities to protect the integrity or performance of the AGDIS (s.128 of the Digital ID Act), which may be necessary to respond to a rapidly developing security threat that requires urgent attention; and
       
  • specify a period for the expiry of express consent given by an individual in relation to their use of an accredited ASP’s services. An accredited entity cannot disclose certain attributes of an individual to a relying party when verifying that individual’s identity, digital ID, or information about them, without the express consent of that individual (s.45 of the Digital ID Act). New rule 4.41(d) will allow an accredited ASP to rely on such consent for the purposes of the Digital ID Act for a period of 12 months or, if the individual acts on behalf of a business, seven years. This reflects a privacy-protective approach consistent with the guidelines published by the Office of the Australian Information Commissioner, which provide that express consent should not be enduring.

These are major changes to the statutory frameworks governing the AGDIS and other trusted digital ID systems across Australia, requiring participating entities to take immediate action to ensure their compliance with the new rules, including by creating or updating policies, procedures and systems. This is not likely to be the last time that the regulatory landscape shifts around digital IDs, as the Digital ID Act heads into its second year of operation and becomes due for a holistic review reportable to the responsible Minister.


[1] Digital ID Amendment (Redress Framework and Other Measures) Rules 2025 (Cth).

[2] Digital ID (Accreditation) Amendment (PSPF and Other Measures) Rules 2025 (Cth).

Please contact our team for further assistance

Our longstanding involvement in the development of this area of law, and expertise in advising clients on their compliance with the applicable laws, puts Maddocks in prime position to support any organisation that relies on a digital ID system to do business.

Katherine Armytage

Katherine has a highly regarded and dynamic practice in information law, with a particular focus on privacy and data protection.


Patrick Collins

Patrick has been advising Australian Governments on commercial and administrative law matters for over 15 years, and has a deep understanding of the public sector operating environment.


Indi Prickett

Indi provides high‑quality privacy, FOI, probity and procurement advice to Australian Government clients, including PIAs for complex ICT systems and Privacy Act guidance.
