2. Estonia

The findings from the examination of Estonia's digital PoA frameworks show a nuanced level of maturity in the country's efforts across technical, legal, and social parameters, creating a notable basis for comparison and learning.
Estonia possesses a diverse array of platform solutions to manage PoAs, including specialized systems for handling healthcare, taxation, and business matters. There is a commendable level of technical advancement with the integration of Estonia's ID infrastructure with PoA systems, supporting access, authentication, verification, and cross-border interoperability; though the entire landscape is noted to be fragmented and could benefit from further integration.
In terms of legal frameworks, Estonia operates under a detailed regulatory environment governing PoAs, with a focus on liability based on good and bad faith, and specific constraints ensuring that PoA transactions are limited to individuals with valid eID tools. The country also demonstrates active participation in EU initiatives, with full implementation of Once Only Technical System (OOTS), while other initiatives like eIDAS 2.0, SDGR, and EUDIW are in varying stages of planning and pilot implementation.
Estonia has also made significant strides in promoting social inclusion, with services available in multiple languages, systems tailored for people with impairments, and support mechanisms for those seeking to obtain or act under a PoA.
Nevertheless, Estonia is facing particular challenges with: 1) the establishment of PoAs for non-residents or entities outside of Estonia due to the current system’s requirement for an Estonian personal identification code; and 2) the verification and trust issues concerning international PoAs where no centralized EU registry is present to facilitate seamless cross-border authorization.

2.1 Digital and process

This section examines the maturity of technical standards and barriers across access, authentication, verification, and integration of digital PoAs in Estonia.

2.1.1 Technical Standards and ID Infrastructure: Advantages and Disadvantages

The following describes the maturity for technical standards and barriers regarding access, authentication, verification, and integration, alongside cross-border interoperability to highlight advantages and disadvantages in Estonia.
Table 12. Estonia's maturity for technical standards and barriers
Maturity levels (columns): Basic, Intermediate, Advanced, Fully integrated
Dimensions (rows): Access to handle PoAs; Verification; Authentication; Integration; Cross-border interoperability
The marked level for each row is not preserved in this copy; the levels are discussed in the text below.

Access to handle PoAs

In Estonia, PoAs are handled separately by each service provider (e.g., for an accountant in the e-Tax Board, for citizens in the Health Portal). Citizens who possess an Estonian personal identification code can also use the Central Authorization Management System Pääsuke, which is built into the State Portal, eesti.ee. However, this platform solution currently only provides access to handle healthcare-related matters. Moreover, the most common practice in Estonia is to issue PoAs as digitally signed documents, which are often sent by e-mail (e.g., in PDF format). As a result, the PoA landscape is fragmented across several platform solutions, and only a few PoA services are currently supported end-to-end. Access therefore ranges from basic to slightly advanced solutions, so the maturity level of access to handle PoAs is considered intermediate.
In the Healthcare sector, patients can log into the Health Portal, terviseportaal.ee, or Pääsuke to grant PoAs.
Companies’ taxation matters are handled within the Tax and Customs Board e-services environment (e-Tax Board, eMTA). From there, the legal representative of the company (a management board member) or the access rights manager can grant a person a PoA within the scope of, e.g., the accountant’s data package, including individual rights. A management board member can also assign the access rights manager role.
For business matters, a board member is generally granted the right to act on behalf of the company automatically, since this data is publicly available in the Business Register. In addition, PoAs can be granted within separate platform solutions, e.g. to submit annual reports or mandatory statistical data to the state (managed in eSTAT).
For businesses, an authorization solution is also under development that would allow a company to grant another company a PoA covering the information in public registries related to the granting company. Although this could reduce administrative tasks for companies, many are reluctant to incorporate such a service into their business processes due to concerns about data leakage, particularly when the data concerns sensitive business information.
All platform solutions are accessible on various devices, including computers, smartphones, tablets, and other smart devices. They support all major operating systems, including Windows, macOS, Linux, iOS, and Android.

Verification

In Estonia, citizens are issued a personal identification number (hereafter: ID-code) by the government, representing the individual both physically and digitally. Moreover, they receive a mandatory physical ID card, and may additionally obtain eID carriers such as Mobile-ID, Smart-ID and the Digi-ID card. These cover all the mandatory attributes of EU-approved eIDs (i.e. family name, first name, date of birth, person identifier). Citizens cannot acquire a digital ID without first having gone through the identification process for the physical ID.
The ID card uses a PKI solution in which a private key is generated and stored within a chip and used to sign and authenticate, protected by the respective PIN codes. The eID is used for e-identification, e-signing, and the secure transfer of sensitive data. It allows a multitude of public and private sector e-services to be used securely. A signature made with the eID is a qualified electronic signature, the equivalent of signing a document physically; hence, the solution is highly mature.
Estonian citizens, including representatives of businesses (e.g. board members), log into the respective PoA solutions using one of the eID methods to verify their identity. Here, the attestation of attributes consists of the Estonian personal identification number. Granting a PoA requires name and ID-code (citizens) or name and registry code (companies). For business PoAs in the LHV self-service platform, it is also possible to log in using a PIN calculator, password, or biometrics. If citizens have been granted the right to represent a legal entity via PoA, they can automatically perform actions on behalf of that legal entity.

Authentication

In Estonia, authentication is done via the eID means (i.e. Smart-ID, Mobile-ID, etc.). Encryption and data security measures are built in to protect personal information throughout the process. This authentication method, integrated across private and public services, can thus be considered highly secure, demonstrating an advanced level of authentication.
For companies, there is no dedicated eID tool, but authentication certificates are issued, which are primarily used for server-to-server authentication.
The X-Road environment (a secure data exchange layer between public databases), the state's authentication service TARA, and the LDAP protocol for identity verification work together with the state's Single Sign-On (SSO) service (GovSSO). For end-user interaction, the system utilizes UserNt. The content management of the State Portal is handled by the Grav-CMS software, while data exchange is facilitated by the Ruuter component.

Integration

In Estonia, the existing ID infrastructure and databases used by the PoA solutions comprise the Business Register, TARA, X-Road, the Population Register, the State Portal, and Pääsuke. The remaining PoAs are handled on a case-by-case basis, as PoAs generally must be granted separately in each database where such a possibility exists.
The PoA platform solutions are not integrated with a central registry from which national databases could pull authorization information. Thus, Estonia currently relies on granting authorizations separately in each database as the only solution. One exception is the Central Authorization Management System, Pääsuke, which currently only integrates with a few data registries, such as the Health Portal. The only other case is the publicly available data on company board members listed in the Business Register, which integrates with the related platforms using APIs.
All the most frequently used digital PoAs integrate through APIs. For some taxation and business matters, manual entry is necessary where the processes have not yet been automated.
The integration with eID is strongly advanced, as it is applicable across all PoA solutions (alongside most other public services). The eID can identify individuals against the Population Register.

Cross-border interoperability

In most cases, PoAs can only be granted to individuals who possess an Estonian personal identification code. This includes PoAs in the Health Platform. However, Estonia is part of a cross-border initiative, digital prescription, which addresses this limitation by making prescriptions available in certain other EU countries (e.g., Finland). This service allows a patient to buy prescribed medicines in a pharmacy of another EU country that is part of the service.
Moreover, Estonia takes part in another cross-border initiative that enables the exchange of patients’ health data across borders. In a nutshell, it is possible to forward a summary of the health data allowing the transmission of the most important medical information of a patient to a healthcare professional in some specified EU countries. Lastly, healthcare professionals from the EU automatically have access to the patient’s Health Portal.
For some taxation and business matters, it is possible to grant access rights across borders (e.g. to a foreign accounting firm), but this requires the foreign company to register in Estonia as a non-resident, since authorizations cannot be granted to an unregistered person or entity. As for citizens, all company-related operations require an Estonian ID-code. Similarly, a PoA to legally represent the company for tax matters can be granted to a foreign individual, but an account must first be created in the e-Tax/e-Customs system. Use cases related to third countries are not currently resolved.
Countries within the eIDAS framework can gain access through the eIDAS Node to, e.g., Pääsuke, but the PoA solution is not supported. According to the data collected, it is practically impossible to verify the validity of international PoAs, as this is a question of trust in the issuing system itself. For Estonian individuals, it is straightforward to validate whether a signature is valid or not. For PDF-signed PoAs, however, validating the signatures and the PoAs poses a challenge: signatures can only be verified through the DigiDoc solution, and not all signatures are accepted.
The eIDAS Node will be complemented by the upcoming EUDIW solution once it has been implemented. To correctly identify individuals, the eIDAS Node should be accessible, and further steps would depend on a case-by-case basis, determining how and if databases are integrated.
EUDIW would allow a natural person to act on behalf of a company, but in Estonia this is still a technically immature topic, therefore it is too early to make assessments.
The eIDAS 2.0 initiative is considered necessary infrastructure to enable cross-border PoAs. However, to distribute a digital PoA within information systems or Wallets, a system or registry for validating and defining authorization rights is paramount. Such a system could generate an attestation of attributes. There is also a challenge regarding how the individual would use the PoA from a Wallet solution: if individuals upload their data into a Wallet to be shared with other systems, this would require a registry alongside an API integration for service providers to, e.g., generate the attestation of attributes and distribute the PoA.
Further, the primary challenge is currently establishing a PoA. Since there is no central EU registry recording authorization data, it is complex to verify the identities of the assignor or assignee. Moreover, data protection comes into play, as the sensitivity of information varies across different systems and countries. It needs to be considered how the authorization is presented, or whether there is simply a hint that Person A can, for example, retrieve a prescription on behalf of Person B with a specific number (from the pharmacy). There is a need to evaluate how data sensitivity is currently protected and how it could be handled in the future when, for example, a Wallet is implemented.

2.1.2 PoA Process

Access & verification

Citizens and businesses log into the platform solution they need, e.g., Pääsuke, terviseportaal.ee, e-Tax, LHV, eSTAT, or e-Äriregister. When entering the platform, they are prompted to use an eID means, such as Smart-ID, Mobile-ID, or an ID card. For business PoAs in the LHV self-service platform, it is also possible to log in using a PIN calculator, password, or biometrics.
In most cases, the assignor can set the scope of rights within a given PoA (e.g., which health data the assignee can view, or which specific tasks one can perform related to tax matters).

Create PoA

Citizens create PoAs in the separate platform solutions; e.g., in the Health Portal, terviseportaal.ee, a patient can authorize trusted representatives to act on their behalf, such as to pick up medicine or view health data. However, it is not possible to request a PoA on the assignee’s initiative. The rights of the assignee (such as document viewing permissions) can be restricted on a case-by-case basis for individual documents. Notifications are not provided in the Health Portal.
Company board members listed on the company registration card automatically have access and may grant PoAs in the State Portal. It is not possible to request authorizations or add rights to oneself. For LHV, the board members receive notifications to the company account, meaning the bank's self-service portal inbox, or to the board member's e-mail.
Since none of the PoAs are notarized, no fees apply.
For most of the solutions, the process for refusing or accepting consent to the PoA does not exist. For instance, if the assignor has granted the PoA to an assignee, the assignor's data automatically appears in the assignee's view in the Health Portal.

Use PoA

Assignees of PoAs related to viewing health data will be able to view the assignor’s health data in the Health Portal.
To pick up medicine at pharmacies, the pharmacist checks the data's accuracy based on the personal identification code through the prescription centre. For online pharmacy matters, the PoA is proved upon logging in with an eID method to verify the identity of the assignee.
For businesses, upon first use the legal representative of the company must register as a user in eSTAT. After that, the user with the CEO profile can submit data and manage (add, modify, block) data submitters. The CEO can create and delete main user, data submitter, and password-protected data submitter rights in eSTAT. The PoA acceptance/rejection process does not exist.

Terminate PoA

The assignor can revoke health PoAs in the authorization management information system. Some PoAs, e.g. to pick up medicine or view health data, have no expiration date by default; however, the patient or their fully authorized representative in the Health Portal can revoke the PoA at any time.
For business purposes, PoAs can be granted indefinitely or for a specified period (with a start and end date). Management board members or access rights managers can modify or revoke these PoAs.
A management board member's PoA (automatically granted by the e-Business Register) remains valid as long as the company is registered in the Business Register. When actions related to a PoA (granting, revocation, renunciation, delegation of PoA) are performed, the system sends notifications about the changes to the relevant parties (legal entities or individuals) through the national mailbox. The national mailbox forwards all messages to the email addresses that the individual or legal entity has designated for their national mailbox.

2.2 Legal Aspects

The following section will first present an overview of legal topics, followed by a review of EU initiatives.
In Estonia, specific, limited and general powers of attorney (PoAs) are used across the health, taxation and business sectors. Several regulations govern the different sectors, but generally PoA matters are regulated by the General Part of the Civil Code Act (Tsiviilseadustiku üldosa seadus, TsÜS) or the Law of Obligations Act. Liability in Estonia is assessed based on good and bad faith, where it is e.g. assessed whether the assignee has made a human error or exceeded the scope of the PoA. As for barriers within the health, taxation and business sectors, the individual must generally have a valid Estonian eID tool and must not be underage or of limited legal capacity. Overall, Estonia is doing well with the implementation of the different EU initiatives and seems to be among the countries that have progressed furthest. Estonia is currently in the process of implementing key EU initiatives, having already implemented the OOTS, while being in the planning phase or participating in a pilot project for the others.

2.2.1 Legal Topics

This section covers the legal topics also included in the main report: semantics, types of PoAs, legal basis, liability, and legal barriers.

Semantics

Assignor (health sector): The physical person who is either the recipient of the prescription or the patient.
Assignor (taxation sector): The legal representative of the company, such as a management board member or access rights manager, or the Estonian Tax and Customs Board (EMTA).
Assignor (business sector): The legal representative of the company, such as a management board member.
Assignee (health sector): A delegated person, usually a family member or close relative of the person granting the authorization. In case of guardianship, a social worker from the local municipality.
Assignee (taxation sector): The legal representative of a company or the company accountant/accounting service provider.
Assignee (business sector): A natural person, such as an accountant or whomever the legal entity has granted rights for entering/submitting the annual report. Could also be the company’s main user.
Table 13. Role descriptions of various sectors

Types of PoA

Regarding prescription rights, rights to view or a combination within the health sector, the PoA can both be limited and specific. It can also be a general PoA when the assignor grants the assignee full representation rights. When viewing and updating data related to the incapacity for work certificate or viewing the patient’s health data in the health portal the PoA used is either limited or specific.
For taxation matters, the PoAs used for the accountant’s access rights for performing operations in the e-services environment are limited or specific PoAs. A general PoA is used for the access rights of board members within the e-services environment. With regard to the business sector, the general PoA is used for performing actions in a bank or submitting statistical reports to the Statistics Office, when operations are performed by a company’s authorized representative (such as a CEO or system main user). A specific or limited PoA is used when a board member authorizes someone to perform company-related operations in the self-service environment. The PoA for entering and submitting the annual report is general if it concerns a PoA valid for the CEO, and limited or specific if it concerns a data submitter and/or data entry person or another role.

Legal basis

Within the health sector, the collected data mention several relevant regulations, such as the General Terms of the Central Authorization Management Information System Pääsuke, the Regulation of the Central Authorization Management System's Database, the Public Information Act, and the Health Information System Regulation. Guardianship-related topics are governed by the Family Law Act (Perekonnaseadus, PKS) and the Code of Civil Procedure (Tsiviilkohtumenetluse seadustik, TsMS). The data sets agreed upon for the cross-border service are defined in the regulation "Piiriülese andmevahetusplatvormi vahendusel töödeldavate andmete koosseis, andmevahetuse korraldus ja logide säilitamise tähtaeg". Generally, PoA matters are regulated by the General Part of the Civil Code Act (Tsiviilseadustiku üldosa seadus, TsÜS).
For taxation matters, the collected data mention a combination of specific legal references: TsÜS § 118, subsection 2; Taxation Act (Maksukorralduse seadus) § 26 and § 48, subsections 3 and 4; Taxpayers Register Regulation (Maksukohustuslaste registri põhimäärus) § 62, subsection 1, paragraph 2, and subsection 2; and Advocacy Act (Advokatuuriseadus) § 41, subsection 1, paragraph 5, and subsection 2.
For the business sector, the collected data show legal obligations arising from the anti-money laundering and counter-terrorism financing law. There is a legitimate interest in verifying the accuracy of customer-provided data and mitigating risks. Generally, PoAs are regulated in the Law of Obligations Act / General Part of the Civil Code Act (TsÜS), but specific PoAs can also be regulated by the National Statistics Act.
The legal basis in Estonia appears to be heavily regulated by legislation. On the one hand this gives clear guidelines, but on the other hand it also limits flexibility within PoAs. In this report it is assumed that the law in Estonia is based on old contractual customs; however, this cannot be determined from the data provided.

Liability

The data collected by the country experts show that the assessment of liability in Estonia depends on the relevant mistake and on whether returning to the pre-contractual situation (i.e., reversal) is possible. If returning to the pre-contractual situation is not easily possible, but the assignee has made a human error and exceeded the scope of the PoA, the exceeding of the PoA falls under civil liability. If the person has acted in bad faith and committed fraud, the action will be processed under criminal proceedings. The legal framework in Estonia uses the assessment of "good faith" and "bad faith" to determine the concrete case.

If this issue goes to court, the court may compare how a "normal" person would have acted in the assignor's position. The assignor should also exercise due diligence in such cases: they should trust the person to whom they grant the PoA and have an overview of how the power is being used. Naturally it is difficult to limit all instructions to the scope of the PoA.

Barriers

For PoAs within the health sector, the assignor is a representative of an Estonian-registered company with a valid eID tool. The assignee is an individual with an Estonian personal identification code and a valid eID tool. The system automatically checks the Population Register and denies individuals who are underage or deceased.
For the taxation sector, minors cannot perform actions themselves; they only have viewing rights. This also applies to persons of limited legal capacity, whose rights have been revoked (they can, however, be restored). If a legal entity goes bankrupt, the board member loses their rights and a ruling is sent to the EMTA, which restricts the board member’s rights. Death or termination of access rights automatically ends the access rights.
Regarding the business sector, the assignor is a representative of an Estonian-registered company with a valid eID tool. The assignee is an individual with an Estonian personal identification code and a valid eID tool. In order to verify their identity, the user needs a valid Estonian eID (such as Mobile-ID or Smart-ID). If a foreign board member is listed in the commercial register, they cannot assign a data entry person. As an example, if an accountant submits a report on behalf of a foreign board member, it is not possible for the board to sign it digitally.

2.2.2 Status of implementation of relevant EU initiatives

The table below summarises the implementation status for each regulation in the Estonian context. The content is unfolded in the section below.
Table 14. The implementation status for each regulation in Estonia
Status levels (columns): Have not started, Planning implementation, Pilot phase or partly implemented, Fully implemented
Initiatives (rows): Electronic Identification, Authentication and Trust Services (eIDAS 2.0); Once Only Technical System (OOTS); EU Single Digital Gateway Regulation (SDGR); EU Digital Identity Wallet (EUDIW); The European Health Data Space (EHDS): N/A; Upgrading Digital Company Law (UDCL): N/A
The marked status for each row is not preserved in this copy; the statuses are discussed in the text below.

Electronic Identification, Authentication and Trust Services (eIDAS 2.0)

The score of eIDAS 2.0 for Estonia is fairly uncertain, as there is no information regarding this in the data collection. However, according to the webpage of the Information System Authority (RIA), which manages the development of the digital wallet, the revised version of eIDAS is being implemented towards 2026. It is therefore assumed that Estonia must be at least in the planning implementation stage, because full implementation is time consuming. The score is therefore set at 2, but this is an assumption and carries a level of uncertainty.

Once Only Technical System (OOTS)

According to the data collected by the country experts, the OOTS is fully implemented in Estonia. However, the PoA ecosystem does not currently benefit from this, as there is no central registry from which PoA-related information can be viewed or pulled into other databases. Most PoAs are still in physical form or sent as a PDF.

EU Single Digital Gateway Regulation (SDGR)

According to the RIA, which handles the development of central technical solutions for the Estonian network, the current status of the SDG is that the analytics and feedback functions of eesti.ee have been improved to ease communication towards the European Commission. An Article Repository is being developed (which simplifies meeting the requirements for new networks). SDG technical system solutions are currently being planned.

EU Digital Identity Wallet (EUDIW)

Estonia is participating in the pilot project POTENTIAL for the development of a technical solution for testing a digital driver’s licence. Estonia is participating in the project together with, among others, Germany, France and Lithuania. The RIA manages the development of the Estonian digital wallet, and the solution should be completed no later than 21 November 2026.

The European Health Data Space (EHDS) and Upgrading Digital Company Law (UDCL)

Grades for the implementation of EHDS and UDCL are not included, cf. the paragraph above.

2.3 Social inclusion

In the table below, the status of Estonia's efforts to ensure digital inclusion is visualized. The following text details the measures Estonia has put in place. The table indicates whether these measures are fully or partly implemented. Overall, Estonia has taken significant steps to implement most of the identified measures in the public sector.
Table 15. Estonia’s efforts to ensure digital inclusion
Status levels (columns): Have not started, Planning implementation, Partly implemented, Fully implemented
Measures (rows): Options for physical PoAs; English language options available; Information systems for people with impairments; Alternative access to digital ID: N/A; Spokesperson/representation of other people to obtain a PoA; Education, support service and facilitators to obtain a digital PoA: N/A
The marked status for each row is not preserved in this copy; the measures are discussed in the text below.

2.3.1 Options for physical PoAs

Estonia allows for the use of both digital and physical processes in most situations. For instance, individuals without digital skills can submit in physical form. Additionally, a representative of a vulnerable group can seek help from a local government social worker to ensure they can take necessary actions. Furthermore, beyond digital processes, physical methods can be used, such as submitting a physical PoA to validate authorizations for actions in a non-digital setting.

2.3.2 English language options available

Public services in Estonia are provided through the platform www.eesti.ee. The platform can also facilitate collaboration between the public, private, and third (non-profit) sectors within the framework of providing public services[1]. The platform and its services are available in Estonian, English and Russian.

2.3.3 Information Systems for people with impairments

The e-Tax/e-Customs system has been designed and developed to comply with the European Union digital accessibility standard EN 301 549 and WCAG 2.1. Consequently, public digital environments must offer opportunities for vulnerable target groups. This means that certain technical tools and content creation principles have been used to help users with visual, hearing, physical, speech, cognitive, language, learning, and neurological disabilities consume website content, for example changing website colours, increasing content size, and screen readers (audio).

2.3.4 Alternative access to digital ID

No grade included above, as sufficient data was not available to the country expert.

2.3.5 Spokesperson/ representation of other people to obtain a PoA

In the context of a PoA, a representative for a vulnerable person can be appointed if a court order limits the individual's legal capacity. This information is available in the Business Register if the system is connected to it. For health-related matters, the process is more complex when the guardian is a local government entity, as legal entities lack ID codes, preventing data from moving between registers. A person with limited legal capacity, due to mental illness or intellectual disability, can only make limited transactions, with their guardian (appointed by the court) handling contracts. Local government social workers can also assist, especially if family members are unavailable, such as when children live abroad.

2.3.6 Education, support-service and facilitators to obtain a digital PoA

No grade included above, as sufficient data was not available to the country expert.