Summing Up Summer 2025: Hottest ID Verification News Worldwide

The UK had not one, but two major IDV milestones this summer. 

First, on June 19th, the Data (Use and Access) Act 2025 received Royal Assent. The Act has created a statutory framework for:

• Digital verification services.

• A government-run register.

• A trust mark for services that pass certification.

• An information gateway that will let public bodies share specific data with registered providers for identity or eligibility checks. 

Government documents and legal briefs all point in the same direction, and the Information Commissioner's Office (ICO) began commencement steps in August. With this law, IDV vendors operating in the UK now need to be certified against the trust framework and appear on the register before they can claim compliance. At the same time, buyers should add a hard requirement for “on-register” status for anything that touches right-to-work, right-to-rent, or DBS checks, then verify the entry on the government list.

Second, as of July 25th, the Online Safety Act came into force, requiring services that host or publish pornographic material to run highly effective age checks for UK users. The regulator, Ofcom, laid out what exactly that means, set up an enforcement program, and reminded providers that courts can order sites to be blocked for refusal to comply.

The ripple effect was immediate, as network watchers recorded a spike in VPN sign-ups in the UK the day the rules hit, including a Proton VPN claim of a 1,400 percent jump over baseline. 

And it’s not only pornography websites that were forced to transition: for example, social media platform Bluesky also publicly rolled out UK-specific age verification choices, with options that include ID upload, card check, or facial age estimation. These measures are a mix Ofcom calls “highly effective” when configured correctly, and we should expect other mainstream services to take similar routes.

On July 15, measures from the Cyberspace Administration of China (co-issued with other ministries) took effect, launching a state-run online identity service. The National Online Identity Authentication Public Service, often referred to as Cyberspace ID, will provide registered users  with a digital certificate that can be presented to sites and apps. 

Importantly, platforms that accept this verification method are not supposed to store the user’s real identity data when that certificate is used. The sites only get a yes/no check rather than raw ID attributes unless the law says otherwise and the user agrees. The law also contains a voluntary-use principle: platforms are encouraged to connect and users can opt in, with the expectation that current registration methods remain available.

The government’s framing is that this reduces repeated ID uploads and shrinks the amount of personal data scattered across private databases. However, the system’s critics argue that centralization raises the risk of over-broad monitoring and gives authorities a single switch that could cut access across many services if credentials are restricted.

Companies willing to be part of that program should now plan a new login option that calls the national service, verifies the token, and maps it to a local account. Moreover, some global apps will want a modular integration that is only active for China users and lives inside their China stack for localization reasons.

The European Commission pushed key legal and technical pieces for the European Digital Identity Wallet (EUDI Wallet), then capped it with May-adopted acts entering into force. On top of that, the eIDAS Regulation (EU) 2024/1183 has been amended to add the Wallet, set relying-party registration and security rules, and require each Member State to offer at least one Wallet.

Brussels spent the summer turning the wallet program into something implementers can build against, and these acts are now in the Official Journal, which means they are now binding. In practice, that means wallet providers and national authorities can start planning integrations instead of guessing which spec to follow. 

A particularly important text is the Commission Implementing Regulation (EU) 2025/849, which sets the mechanics for Member States to feed the Commission with the data needed to populate a public list of certified wallets. This means that, as of September 2025, there is no “final list” of certified wallets to speak of, and the application process is still ongoing. 

Alongside the legal text, the Commission released a white-label age-verification (AV) “blueprint” with a reference code for Android and iOS. It is designed to bridge the period before wallets are everywhere, and to slot into the wallet architecture once national wallets are issued. The regulations show how to issue and verify a privacy-preserving “over 18” claim, without sending a date of birth. That gives sites with age gates a way to cut the amount of personal data they touch.

The Commission also opened three more implementing acts for feedback on 23 June. These focus on the trust fabric under the wallet—accreditation for conformity assessment bodies, risk handling expectations, and how qualified trust services sit in the model. That consultation window ran through July and is archived on the official wallet pages. 

In the end, it’s safe to say that procurement is moving from “wait and see” to “build to fit the regs.” However, it is expected that wallet usage will ramp unevenly by Member State, as many organizations remain skeptical. Thus, we will still see plastic documents and national eID logins for a while.

Similar to the EU, Summer 2025 gave implementers in the US something solid to work with: a final reference for digital identity from NIST, live acceptance of mobile IDs at TSA checkpoints, and a series of state laws on age checks that are now backed by a Supreme Court decision. Let’s go through them one by one.

First, NIST published the SP 800-63-4 Digital Identity Guidelines in early August 2025, with all four volumes (63-0 overview, 63-A identity proofing, 63-B authentication, 63-C federation) live on the CSRC and Publications pages. The release closes an eight-year gap since the last full revision and folds in current realities like mobile driver’s licenses, passkeys, spoofed media, and injection attacks. 

IDV vendors can now map their control set to a final federal document, and their compliance teams can point examiners to the exact sections they implemented, then show test evidence. Moreover, remote identity proofing now has to treat presentation attacks as first-class problems, employing advanced liveness detection to counter them. To claim that a solution is mapped to SP 800-63-4, the evidence should link to the relevant 63-A and 63-B sections, the specific anti-spoof methods used, and lab test results.

Second, the TSA continued rolling out mobile ID acceptance at US airports. For example, on August 19th, the TSA announced that residents with Montana IDs can add them to Apple Wallet and present them at TSA security. TSA statements describe the verification goal and keep a running list of where these procedures are live.

Third, on June 27th, the US Supreme Court allowed Texas to enforce its age-verification law for pornographic websites. This case has implications for the entire country, as more states are likely to adopt the same measures, following Texas’s example. However, it must be mentioned that not every law survives first contact with a federal judge, as Georgia’s social-media proof-of-age law was blocked before it took effect, citing free speech concerns and granting a preliminary injunction.

In June, iBeta announced a new Level 3 tier for presentation attack detection (PAD) evaluations built on ISO/IEC 30107-3. Level 3 extends beyond the familiar Level 1 and Level 2 test sets with harder spoofs, including custom-made masks and more sophisticated artefacts. iBeta’s own criteria also tighten error tolerances: systems seeking Level 3 must keep bona fide errors (BPCER) or matching errors (FNMR) at or below 10 percent during testing, in addition to blocking every presentation attack used in the evaluation.

Practically, passing Level 3 will demand better artefact detection, stronger camera integrity checks, and careful handling of edge cases.

With legal frameworks getting more and more complex, it’s critical to have an identity verification tool that is not only powerful, but also compliant with all relevant laws. 

For example, solutions like Regula Document Reader SDK and Regula Face SDK are certified by many industry leading organizations and have been successfully deployed in many strict regulatory environments.

Regula Document Reader SDK is a robust solution for ID document verification, backed by the biggest template database in the world, with 15,000+ documents from 254 countries and territories.

With Regula Document Reader SDK, you will be able to:

• Authenticate thousands of ID documents from all over the world.

• Read machine-readable zones (MRZs) and barcodes.

• Read and authenticate RFID chips in line with ICAO Doc 9303 standards. 

• Verify digital signatures embedded in barcodes (Visible Digital Seals, VDS) as defined by ICAO.

• Check document liveness by verifying dynamic security features, including holograms and optically variable ink (OVI).

• And more.

Meanwhile, Regula Face SDK conducts instant facial recognition with liveness with both passive and active detection, and prevents fraudulent presentation attacks such as the use of static face images, printed photos, video replays, video injections, or masks.

Let’s drive the future—together. Book a call to learn more about our solutions!