
3. Finland

The as-is analysis of Finland's digital PoA landscape reveals a strong foundation across legal, digital, and social dimensions, highlighting a relatively advanced level of maturity that positions Finland as a model for best practices. While Finland’s PoA solutions provide substantial support across public and private sectors, further progress is anticipated as the country refines and broadens its digital PoA framework, including strengthening its verification and authentication processes.
Finland has implemented a central platform supporting various PoA uses, with sector-specific solutions in areas such as healthcare, taxation, and business, creating a cohesive structure for the domestic administration of PoAs. Sector-specific PoAs are common in health, tax and business, and the Contracts Act seems to provide the legal framework for PoAs. The country is also aligning with key EU regulations and initiatives, such as eIDAS 2.0 and OOTS, while progressing towards full implementation of the EUDIW. Finland has made significant advancements in social inclusion across its digital PoA systems, with essential parameters either fully or partially integrated.
Despite Finland’s robust digital infrastructure, challenges remain in addressing cross-border PoAs, particularly in simplifying access for foreign nationals and supporting Finnish non-residents with tax-related PoAs.

3.1 Digital and process

This section examines the maturity of technical standards and barriers across access, authentication, verification, and integration of digital PoAs in Finland.

3.1.1 Technical Standards and ID Infrastructure: Advantages and Disadvantages

The following describes the maturity for technical standards and barriers regarding access, authentication, verification, and integration, alongside cross-border interoperability to highlight advantages and disadvantages in Finland.  
Digital | Basic | Intermediate | Advanced | Fully integrated
--- | --- | --- | --- | ---
Access to handle PoAs | | | |
Verification | | | |
Authentication | | | |
Integration | | | |
Cross-border interoperability | | | |
Table 16. Finland’s maturity for technical standards and barriers

Access to handle PoAs

In Finland, all handling of digital PoAs across sectors is consolidated in a single platform solution, Suomi.fi-valtuudet (hereafter Suomi.fi e-Authorizations), which is developed by Digi- ja väestötietovirasto (DVV), the Finnish Digital and Population Data Services Agency. The solution makes it possible to verify a person’s or organisation’s authorisation and to mandate the right to use digital services on behalf of another person or organisation. This provides a single interface for Finnish citizens and businesses, and the solution is generally considered by specialists and end-users to function very well. The Suomi.fi e-Authorizations solution is web-based and is therefore widely available on any device connected to the internet. There are currently no competing solutions.
Within the platform solution, Finnish citizens and businesses (assignors and assignees) can create, request, and grant a PoA by setting the scope of the PoA, its duration and the assignee/assignor. The PoA is established from a list of pre-set PoA themes (e.g. Conduct pharmacy business or View health information in OmaKanta.fi).
By law, all public sector organisations in Finland must use the solution. In the healthcare district of Pirkanmaa, it is mandatory to use Suomi.fi for digital PoAs and authorizations. The location of all PoAs in one digital platform indicates a fully integrated level of maturity for access in PoA.

Verification

In Finland, there is not yet a central EU-approved eID. Instead, citizens log into Suomi.fi using their bank credentials, mobiilivarmenne (Mobile ID certificate) or an ID card issued by the police. The digital identity is then verified through API integration with the Finnish Population Information System, where everyone has been assigned a personal identity number (Henkilötunnus).
When a PoA is requested or created, the Suomi.fi e-Authorizations platform draws upon data from several national databases and registers to verify credentials. Examples of credentials in the registers include age, family relations (e.g. child and parent), date of death (to ensure the person is still alive), legal capacity, whether a company is registered in the trade register, status of company, and representation rights. Based on a rule engine of public portals (e.g. Maisa or MyTax), PoA requests are verified against the attestations of attributes in the Mandate Register. For instance, when acting on behalf of a company, the PoA (i.e. mandate to represent a company) is validated in real-time against the trade register. The third parties accepting digital PoAs may set their own rules for which attributes are checked using the Suomi.fi rule engine.

Authentication

Authentication is based on strong identification through banking codes, Mobile ID (mobiilivarmenne) or the Citizen Certificate. These authentication methods can all be used to confirm the identity at login to Suomi.fi e-Authorizations.
Banking codes are identification tokens granted by different Finnish banks, and can be used for e-identification, both for citizens and companies.
Mobile ID is offered by some mobile operators and is used for authentication purposes. Strong authentication requires a mobile token, activated on the phone’s SIM card, which is the user’s eID. To get the mobile certificate, citizens must have a phone contract with a mobile operator that offers it, along with Finnish banking codes, and a SIM card that supports Mobile ID.
Citizen Certificate is an ID card that can be used to prove the identity of citizens when logging in to public e-services, such as Suomi.fi.
In case of citizens acting on behalf of a company (i.e. for taxation or business purposes), the natural persons log in using one of the above identification methods, whereafter their rights are checked in real-time against the trade register and the PoA database.
Authentication options in Finland are varied but lack the strong central eID of some other EU nations. It is confirmed that Finland is working on an eID and a pilot for the EUDIW, which will strengthen authentication and verification in the future. As a result, maturity is currently at an intermediate level.

Integration

The main platform, Suomi.fi e-Authorizations, provides an integrated solution across public sectors, but also integrates with third-party solutions. The solution operates behind various e-services managed by different public authorities, verifying that individuals have the necessary authorization or rights to represent another party within the service. For instance, to pick up medicine on behalf of someone else, assignees can provide their own and the assignor’s personal identification number to pharmacies, which have a system to check authorization in real-time against the Suomi.fi database. For handling general healthcare matters, the PoA is verified from the PoA database upon login.
For taxation matters, the PoA is automatically checked when doing business on the MyTax platform (the Finnish Tax Administration's e-service for taxpayers: “vero.fi”). This works for both businesses and citizens.
Suomi.fi e-Authorizations relies on several national systems which are used to verify users (e.g. based on existence, age), and to validate existing authorizations (e.g. family relation, position at company) to perform tasks. Databases include the Population Information System, Guardianship Information System, Association Register, Trade Register, and Business Information System, which are all connected to a Mandate Register. The databases used depend on the specific scope of the PoA. In this way, the validity of PoAs can be checked in real-time, which enhances security and reduces the risk of fraud.
The Suomi.fi e-Authorizations solution integrates with other public platforms to access and deliver data using APIs or the Suomi.fi-palveluväylä (Data Exchange Layer).
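
The real-time check described under Verification and Integration, as an added example that is not part of the original report and not DVV's implementation: a relying party (such as a pharmacy) submits both identity numbers and a PoA theme, and the request is denied unless a live mandate exists and every attribute rule the relying party selected passes. The register contents, identifiers, theme names and rule names are constructed assumptions, and the sketch covers natural persons only.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data: identifiers, themes and rule names are placeholders.
@dataclass(frozen=True)
class Person:
    born: date
    died: Optional[date] = None
    under_guardianship: bool = False

@dataclass(frozen=True)
class Mandate:
    assignor: str
    assignee: str
    theme: str
    valid_from: date
    valid_to: date
    revoked_on: Optional[date] = None

Y0, Y1 = date(2024, 1, 1), date(2024, 12, 31)
POPULATION = {  # stands in for the population and guardianship registers
    "ID-A": Person(born=date(1950, 3, 1)),
    "ID-B": Person(born=date(1985, 7, 9)),
    "ID-C": Person(born=date(1948, 1, 5), died=date(2024, 2, 1)),
    "ID-D": Person(born=date(1960, 6, 6), under_guardianship=True),
}
MANDATES = [    # stands in for the Mandate Register
    Mandate("ID-A", "ID-B", "pharmacy", Y0, Y1),
    Mandate("ID-C", "ID-B", "pharmacy", Y0, Y1),
    Mandate("ID-D", "ID-B", "pharmacy", Y0, Y1),
    Mandate("ID-A", "ID-B", "tax", Y0, Y1, revoked_on=date(2024, 3, 1)),
]

def _age(born: date, on: date) -> int:
    return on.year - born.year - ((on.month, on.day) < (born.month, born.day))

# Attribute checks a relying party can opt into (its own rule set).
ATTRIBUTE_CHECKS = {
    "assignor_alive": lambda p, on: p.died is None or p.died > on,
    "assignor_adult": lambda p, on: _age(p.born, on) >= 18,
    "assignor_no_guardianship": lambda p, on: not p.under_guardianship,
}
PHARMACY_RULES = ("assignor_alive", "assignor_adult", "assignor_no_guardianship")

def check_mandate(assignor, assignee, theme, on, rules):
    """Return (allowed, reason). Fails closed on missing data or unknown rules."""
    person = POPULATION.get(assignor)
    if person is None or assignee not in POPULATION:
        return False, "unknown_identity"
    # Scope: the mandate must name this exact assignor, assignee and theme.
    scoped = [m for m in MANDATES
              if (m.assignor, m.assignee, m.theme) == (assignor, assignee, theme)]
    if not scoped:
        return False, "no_mandate_for_theme"
    # Lifetime: inside the validity window and not revoked as of the check date.
    live = [m for m in scoped
            if m.valid_from <= on <= m.valid_to
            and (m.revoked_on is None or on < m.revoked_on)]
    if not live:
        return False, "mandate_expired_or_revoked"
    # Register attributes are re-read at use time, not trusted from grant time.
    for rule in rules:
        check = ATTRIBUTE_CHECKS.get(rule)
        if check is None:
            return False, "unknown_rule:" + rule
        if not check(person, on):
            return False, "failed:" + rule
    return True, "ok"

if __name__ == "__main__":
    print(check_mandate("ID-A", "ID-B", "pharmacy", date(2024, 6, 1), PHARMACY_RULES))
    print(check_mandate("ID-A", "ID-B", "tax", date(2024, 6, 1), PHARMACY_RULES))
```

Because the attribute rules run on every use, a mandate that was valid when granted stops working as soon as a register records a death, a guardianship order or a revocation.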

Cross-border interoperability

Currently, Finland’s infrastructure appears rather advanced in accommodating cross-border interoperability; however, there are several challenges in granting PoAs to, or receiving them from, foreign individuals and businesses. To grant and receive Suomi.fi authorisations, foreign individuals must have a Finnish personal identity code and a Finnish identification method (i.e. banking codes, Mobile ID, or Citizen Certificate). This is because the solution is based on Finnish registers and databases; hence, local eIDs from other countries cannot be used, as identities cannot be matched reliably and information on how rights are defined differently (e.g., the rights of a CEO) is not available. If foreign individuals do not have a Finnish personal identity code or another way to identify themselves, they can neither grant nor receive PoAs, and thus they must, for example, handle tax matters by filing paper forms.
Foreign individuals can access Suomi.fi using the eIDAS portal, which allows them to log in via a national eID. However, the e-Authorization module of the platform cannot be used in this regard, as the service is based on Finnish registers and databases. Foreign individuals can thus not grant PoAs unless it is related to business matters. Instead, foreign individuals must apply for a user identifier (UID), followed by an application to the Finnish Authenticator service (app) provided by DVV. Foreign companies can grant a representative the right to act on behalf of the company if they have either a Finnish eID or a foreign unique identifier (UID), as well as Suomi.fi authorisation (see verification). The company can then apply to grant a PoA for an individual representative to act on its behalf using this UID.
Foreign companies wanting to grant the right to act on behalf of the company without a Finnish personal ID must request a foreign UID, which entails downloading the Finnish Authenticator App and uploading verification such as a passport. Having established a UID, a request must be submitted for Suomi.fi authorisation separately. If a Finnish Business ID has been issued to the foreign company, this should be used to request the Suomi.fi authorisation.
However, it is already possible to transmit prescription information to some EU countries, including Estonia, while the transmission of patient data across EU borders is being worked on. It is unclear whether other countries also have non-disclosure systems for personal data, along with personal identity code practices that are similar to Finland’s. The use of Suomi.fi e-Authorizations in a cross-border setting would require a way to identify the related persons and real-time access to databases in other countries (identity matching). In theory, this could currently be possible with Estonia, but this would still require a manual check of identity by DVV officials.
Currently, EU wallets (EUDIW) are being prepared. The purpose is to use these for identification instead of banking credentials. Finland has considered the attestations of attributes necessary to prove the appropriate transaction.
The OOTS has not been implemented as a finished product in Finland, but the basic principles are followed in the Suomi.fi platform.
Overall, Finland demonstrates a higher degree of infrastructure for cross-border PoA solutions but, similarly to other nations, is missing some of the final touches. The current integration with Estonia and other nations for healthcare matters demonstrates the advanced level of cross-border readiness.

3.1.2 PoA Process 

Access & verification

Citizens and businesses log into the Suomi.fi e-Authorizations platform solution to handle PoAs. Gaining access requires strong verification via Finnish banking codes, Mobile ID, or Citizen Certificate. All information is checked against national registers for both identity and rights to act on behalf of another party.

Create PoA

On the Suomi.fi e-Authorizations platform, citizens and businesses can request or grant PoAs. The PoA is established from a list of pre-set PoA themes. All PoAs are free of charge.
If a PoA is requested, the request can be accepted (or rejected) by logging into the portal.
All authorizations (PoAs) are stored in a cloud-based authorization register (Mandate register), hosted on AWS servers.

Use PoA

All PoAs can be viewed on the Suomi.fi e-Authorizations platform solution. To use the PoA to, for example, pick up medicine at the pharmacy, no device is needed; only the personal identity numbers of the assignee and the assignor are required. For e-services, such as MyTax, the assignee can log in to the platform directly to be able to act on behalf of the assignor.
Third parties (e.g. pharmacies) can access the Mandate Register to ensure validity of PoAs in real-time.

Terminate PoA

The PoA is always in force for a set duration and can be terminated at any point through the Suomi.fi e-Authorizations platform, which the real-time system makes possible. A Suomi.fi warning message may be sent when the PoA term is coming to an end.
In the event of change or revocation, the PoA is updated in real-time into the register.

3.2 Legal Aspects

The following section will first present an overview of legal topics, followed by a review of EU initiatives.
In Finland, PoA types are often sector-specific, with limited or restricted versions being the most prevalent. In healthcare, PoAs are used mainly for pharmacy and health-related matters, while in the taxation field, they are utilized for tax declarations and real estate tax issues. In the business realm, PoAs facilitate salary processing, customs clearance, and applications for company funding. Although no explicit legal basis for PoAs is mentioned in the data, Finland's Contracts Act appears to provide a relevant legal framework. Liability issues are mitigated by the suomi.fi valtuudet service, which verifies PoAs in real-time, but details on liability are unclear due to insufficient data. Lastly, barriers to granting PoAs include age and guardianship restrictions, as well as the need for representation rights in the trade register for legal person assignors in both taxation and business sectors. Finland is also aligning with key EU regulations and initiatives, such as eIDAS 2.0 and OOTS, while progressing towards full implementation of the EUDIW.

3.2.1 Legal Topics

This section covers the legal topics also included in the main report: semantics, types of PoAs, legal basis, liability, and legal barriers.

Semantics

Role | Health sector | Taxation sector | Business sector
--- | --- | --- | ---
Assignor | Physical person; based on the collected data, this is assumed to include residents in need of assistance in managing their online interactions with public authorities. | Physical person, private entrepreneur or company | The assignor is a company
Assignee | Physical person | Physical person, private entrepreneur or company | The assignee can either be a natural or legal person
Table 17. Role description of various sectors

Types of PoA

The most commonly used PoAs are limited/restricted PoAs. Within the health sector, these are PoAs for pharmacy matters and for handling health and social care related matters. For taxation matters, the most commonly used PoAs are for tax declaration and for handling real estate tax matters. Within the business sector, PoAs are mostly used for processing salary information, customs clearance and applying for company funding.

Legal basis

According to the data collected, nothing is stated regarding the legal basis for PoAs. However, desk research by the core team identified the Finnish Contracts Act (Act: 228/1929), which seems to be at least slightly similar to the Scandinavian Agreement Acts and includes sections regarding PoAs in chapter 2.

Liability

The suomi.fi valtuudet service naturally decreases the risk of misuse and fraud, as it checks the validity of the PoA in real time. For these PoAs, the use cases are well defined by the third party (although not at the level of which medicine). Due to the inadequate data collected, additional information on liability is unfortunately not available.

Barriers

For PoAs within the health sector, the assignor must be over the age of 18 and not in a guardianship in order to grant a PoA to an assignee.
Within the taxation sector, the assignor must be over the age of 18 and not in a guardianship in order to grant a PoA to an assignee. Furthermore, a natural person signing the PoA on behalf of a legal person must have representation rights registered in the trade register, called PRH (Finnish Patent and Registration Office).
If a natural person is signing a PoA on behalf of a legal person within the business sector, the assignor must have representation rights registered in the trade register.

3.2.2 Status of implementation of relevant EU initiatives 

The table below summarises the implementation status of each initiative in the Finnish context. The content is unfolded in the section below.
Legal | Have not started | Planning implementation | Pilot phase or partly implemented | Fully implemented
--- | --- | --- | --- | ---
Electronic, Identification, Authentication and Trust Services (eIDAS 2.0) | | | |
Once Only Technical System (OOTS) | | | |
EU Single Digital Gateway (SDGR) | N/A | N/A | N/A | N/A
EU Digital Identity Wallet (EUDIW) | | | |
The European Health Data Space (EHDS) | N/A | N/A | N/A | N/A
Upgrading Digital Company Law (UDCL) | N/A | N/A | N/A | N/A
Table 18. The implementation status for each regulative in Finland

Electronic, Identification, Authentication and Trust Services (eIDAS 2.0)

According to the Finnish Digital and Population Data Services Agency, a project implementing the revised version of eIDAS has been launched and the project term runs until 31 December 2026.

Once Only Technical System (OOTS)  

The European Commission’s June 2024 version of the “Once-Only Technical System Acceleratormeter” describes Finland as “Production ready”, more specifically as “Technically ready”, meaning that Finland is finalizing the configuration. At the moment, the collected data shows that OOTS is not currently in use as a product; however, the main principles are used in the Suomi.fi service.

EU Single Digital Gateway Regulation (SDGR)

No grade included above, as sufficient data was not available to the country expert.

EU Digital Identity Wallet (EUDIW)

According to the data collection, Finland is participating in three pilot projects, including POTENTIAL, EWC, and the DC4EU consortium. These projects were launched in April 2023 and cover use cases such as digital driving licenses, digital identities/wallets, and higher education diplomas and student data. Finland is currently in a pilot phase and has therefore yet to fully implement the EU Digital Identity Wallet, which is expected in 2026.

The European Health Data Space (EHDS) and Upgrading Digital Company Law (UDCL)

Grades for the implementation of EHDS and UDCL are not included, cf. paragraph 3.3.2 above.

3.3 Social inclusion

The table below illustrates the status of Finland's efforts to ensure digital inclusion, with the following text explaining the specific measures implemented. The table highlights which measures are fully or partially in place. Overall, Finland has implemented most of the identified measures.
In some areas, Finland exceeds basic requirements, offering features like multiple language options, services for web accessibility complaints, and a robust system for digital powers of attorney managed by trustees or spokespersons.
Social | Have not started | Planning implementation | Partly implemented | Fully implemented
--- | --- | --- | --- | ---
Options for physical PoAs | | | |
English language options available | | | |
Information Systems for people with impairments | | | |
Alternative access to digital ID | | | |
Spokesperson/ representation of other people to obtain a PoA | | | |
Education, support-service and facilitators to obtain a digital PoA | | | |
Table 19. The status of Finland’s efforts to ensure digital inclusion

3.3.1 Options for physical PoAs

In cases where a citizen does not have the necessary digital skills to generate a digital PoA, PoAs can be given and accepted physically at DVV offices (Digital and Population Data Services Agency) and then in turn registered in the online database, allowing for digital usage. If the vulnerable person is not able to visit DVV offices, they can use an assistant to help them. The assistant has to identify themselves on the Suomi.fi platform and physically deliver the signed PoA to a DVV office. The process takes place in the form of an application for PoAs, and the accepted PoAs are registered in approx. one week.

3.3.2 English language options available

The official website for citizen matters, Suomi.fi, is available in Finnish, English and Swedish, which is the official language in Åland. The several language options are offered to avoid discrimination against non-Finnish speakers.

3.3.3 Information Systems for people with impairments

EN 301 549 was effectively implemented in Finland by 23 September 2018, as part of the transposition of the EU Web Accessibility Directive into Finnish law.
The Regional State Administrative Agency for Southern Finland oversees the accessibility of digital services nationwide, covering public sector operators and parts of the private sector. Under new accessibility regulations, the agency will also monitor digital services offered to users.
These requirements extend beyond EU standards, affecting both public and private providers offering services or products covered by accessibility laws. Finland's legislation introduces two key points: Websites must offer an accessible feedback channel, including details on how the feedback will be used. Providers must supply documentation for services lacking accessibility, explaining alternatives and providing contact information for further inquiries.

3.3.4 Alternative access to digital ID

The instructions on the authorization application form indicate the other ways in which the assignor can prove his or her identity if he or she does not have a valid identity document. For example, a trustee or private guardian can make an application for a PoA and ask the person who appointed him/her to sign it. In addition to the signature, a copy of the assignor's identity document must be attached to the authorization application in place of the digital ID.

3.3.5 Spokesperson/ representation of other people to obtain a PoA

If the assignor is no longer able to understand the matter, a trustee or private guardian can sign the application on their behalf. However, only matters that fall within the trustee's or guardian's legal authority can be included in the application.
A certified copy of the PoA from the Office for Digital and Population Information, or a copy of the guardianship order, must be attached when a trustee or guardian acts on the assignor’s behalf.
If the assignor is ineligible to establish a PoA, such as being underage, a PoA cannot be created. This can cause challenges in healthcare settings for minors and their parents, or for individuals with conditions like dementia who lack full decision-making capacity. In these cases, a trustee is appointed to manage their affairs.

3.3.6 Education, support-service and facilitators to obtain a digital PoA

The national association for seniors in Finland, Senioriliitto, organizes educational workshops in digital skills for elderly people. The organization is nationwide, but the workshops are for members only, which means that some groups without membership and digital skills are not included in the training.