DSP Operational Framework

The growth of our digital wholesale services increases productivity and community connectivity across the digital economy. This connectivity presents a range of service opportunities, business risks and security implications for the organisation and the Australian community.

The Digital service provider (DSP) Operational Framework is part of our response to these risks and establishes how we will provide access to and monitor the digital transfer of data through software.

Through consultation with DSPs, industry associations and across Government a position was established on each of the five issues of the DSP Operational Framework. From these positions we have developed the Requirements for DSPs to use our digital services and have updated the Operational Framework Questionnaire, this is now known as the Digital Service Provider Operational Framework Security Questionnaire (DOCX, 836KB). The Questionnaire is used by DSPs to demonstrate how their product or service meets the requirements.

All DSPs wanting to use our digital services will need to meet the relevant requirements which can include, but is not limited to:

  • Authentication
  • Encryption
  • Supply chain visibility
  • Certification
  • Data hosting
  • Personnel security
  • Encryption key management
  • Security monitoring practices.

A transition period has been established for DSPs who are already using our digital services to allow them time to meet the requirements. After consulting through the DSP Operational Framework working group, timeframes for meeting the DSP requirements have been finalised.

The Digital Partnership Office (DPO) can provide support in meeting the requirements.

 See also:

Latest news

13 December 2018

The DSP Operational Framework Security Questionnaire has been updated to contain new links to the Information Security Manual on the Australian Cyber Security Centre (ACSC) webpages after changes were made to the placement and content of the manual.

8 February 2018

The DSP Operational Framework implementation approach has been finalised. The document, which was developed in consultation with the DSP Operational Framework working group, outlines the timeframes for meeting the Requirements for DSPs. We have also made other key updates including more:

  • Information about who is covered by the DSP Operational Framework, with examples
  • Information on the intent and objectives of the DSP Operational Framework
  • Guidance on multi factor authentication, audit log standards and personnel security procedures
  • Details on the annual re-assessment process.

We are working to update the website accordingly and will notify you when this is completed. If you do not already have an account for the website you can create one to ensure you receive a notification.

We will work with DSPs who are already using our digital services through this transition period, to help them meet the requirements.

Contact the DPO with any questions. Some DSPs have already started working with the DPO to commence the process of meeting the requirements.

05 December 2017

Through consultation with DSPs, industry associations and across government a position has been established for each of the key issues. These positions have been used to develop the Requirements for DSPs to use our digital services. 

The Operational Framework draft implementation approach (PDF, 741KB) is available for your information. We will be consulting on this document through the DSP Operational Framework working group. Note that the information in this document regarding the requirements for DSPs has been endorsed, consultation will focus on establishing the implementation timeframes.

24 October 2017

We have recently updated the ATO Service registry (SR) on sbr.gov.au to include a 'Risk profile' section where services have been allocated to the appropriate risk category.

Categorisation is based on the characteristics and potential fraud that could occur through consumption of each of our services and include:

  • P - pending
  • 1 - no risk
  • 2 - low risk
  • 3 - medium risk
  • 4 - high risk

These risk categories are used as part of our interim assessment for digital service providers wanting to consume our services.

August 2017

Since September 2016, work has been underway to develop the elements of the framework. We are currently working closely with a number of digital service providers, industry associations and across Government to address five issues identified through our interim assessment:

  • Registration and assessment (including transitioning digital service providers to the updated process)
  • Multi-factor authentication
  • Onshore/offshore hosting arrangements
  • Supply chain visibility
  • Encryption in transit.

We are working with ABSIA and other industry associations on ensuring our requirements are practical but sufficiently protect the integrity of the taxation and superannuation system.


Consultation on the DSP Operational Framework has now concluded. Consultation enabled us to collaborate with you in developing the elements of the DSP Operational Framework.

The DSP Operational Framework working group contributed to developing and finalising the DSP Operational Framework implementation approach.

The DSP Operational Framework focus groups assisting in establishing a position on each of the five issues identified during the DSP Operational Framework interim assessment. You can access details on each below:

You can also access an overview of the positions established by the focus groups.

Contact us

For further information and to provide feedback email DPO@ato.gov.au.

Find out more