Companies House is forging ahead with plans to introduce legal identity verification requirements for directors and people with significant control (PSCs) of companies, with enforcement to begin in a few months on Tuesday 18 November 2025.
The measures will mean new directors must verify they are who they claim to be in order to incorporate a new company or be appointed to an existing one, while existing directors will be made to confirm they have verified their identity concurrent with the filing of their annual confirmation statement during a 12 month transition period from November. Additionally, PSCs will need to verify their identity in line with an appointed day within the same period
Companies House claims the roll-out of identity verification will not only support business growth by giving more assurance about who is establishing and running UK companies, but also help organisations benefit from more trustworthy registry data and prevent fraud.
“Identity verification will play a key role in improving the quality and reliability of our data and tackling misuse of the companies register,” said Companies House CEO Louise Smyth.
“To support business and help people verify their identities, Companies House is contacting all companies with advice and guidance.
“This is part of a coordinated effort to help companies to comply [and] we encourage people to verify as early as possible,” said Smyth
“More than 300,000 individuals have already done so during the current voluntary period, which started in April,” she said.
The measures are being introduced after Companies House was granted increased powers under the Economic Crime and Corporate Transparency Act of 2023, which received Royal Assent in October 2023. These powers also give Companies House the ability to challenge information submitted to it.
Companies House said it was phasing in the identity verification process over the period through November 2026 in order to provide companies and individuals in scope with the best possible support. It believes that about six or seven million people will need to participate, although for most this should be a one-off process that takes a few minutes to complete.
After 18 November people will commit an offence if they act as a company director without being verified once their duties commence, so existing directors should verify before their company’s next confirmation statement comes due. Companies House said it would be providing help and support for businesses as they work towards compliance, and said its enforcement approach would be “proportionate”.
One Login worries
Directors and PSCs will be able to verify their identity either via the Gov.uk One Login digital identity service, or via an authorised corporate service provider (ACSP).
However, the intended use of the One Login digital identity service to conduct identity verification has sparked concerns among security experts. As first reported by Computer Weekly, the Government Digital Service (GDS) was warned by the Cabinet Office and the National Cyber Security Centre (NCSC) in April 2025 about significant data protection failings and other shortcomings.
A whistleblower described a litany of problems including insufficient security staffing, a lack of risk or threat assessments, or information security management systems. They also described insufficient monitoring processes and concerns about the number of people with privileged access to live data.
As of the end of April, One Login had yet to achieve compliance with key national cyber security standards – a full three years after such concerns were first raised.
Then, in May, the service lost its certification against the government’s own trust framework for digital identity systems, and an independent red teaming exercises found evidence of a significant vulnerability in One Login, which already has six million users.
Michael Perez, director at Dublin and Milton Keynes-based managed security services provider (MSSP) Ecko, said that while mandatory identity verification was a worthy aim in that it sought to address challenges around trust, fraud, and managing digital complexity, the well-documented problems with One Login raised valid concerns over Companies House’s plans.
“Requesting millions of individuals to submit sensitive identity documents via a platform that hasn’t fully adopted secure-by-design principles introduces significant risk. It concentrates vulnerability and could expose users to breaches at a time when public confidence in digital systems is already under pressure,” said Perez.
“While the ambition behind One Login is commendable, robust protections must underpin any system handling identity data. At present, the platform is asking individuals and businesses to share critical information without the necessary safeguards in place, setting a concerning precedent.”
He added: “What’s needed now is greater assurance. The public deserves systems that are thoroughly tested and secure by design. Without that, expanding One Login’s use risks eroding trust not only in this platform, but in the broader vision for digital government.”