4. Iceland
The examination of Iceland's current digital PoA infrastructure shows a developing landscape with room to improve in integrating digital, legal, and cross-border aspects to enhance accessibility and efficiency.
Iceland has adopted a centralised digital platform approach, namely Ísland.is, serving public administration needs, including PoA management, which integrates sector specific PoA solutions for healthcare, taxation, and business. This integration facilitates the authentication and issuance of PoAs within these domains, leveraging Iceland's eID system which enjoys wide adoption amongst residents. Nevertheless, PoA data exchange across sectors remains absent.
Challenges persist particularly with cross-border compatibility and accessibility for foreign nationals. While the country works to align with EU regulations like eIDAS 2.0, progress towards full integration is ongoing, with key initiatives like the OOTS still under technical development. This reflects a broader trend towards enhancing digital PoA frameworks and striving for better data exchange systems consistent with European standards.
In terms of social inclusion, Iceland demonstrates a commitment to ensuring that digital PoA services are accessible to people with impairments and has implemented options for physical PoAs. Efforts are also being made to ensure that information systems accommodate non-Icelandic speakers and enable representation for individuals needing assistance in PoA transactions.
The legal landscape around PoAs in Iceland is sector-specific, with regulations such as the Children's Act facilitating guardians' access to minors' health data. The business sector operates under a mix of formal laws and customs, with clear implications for liability and adherence to Icelandic agency and contract laws.
As Iceland continues to enhance its digital PoA offerings, it faces the imperative to reconcile rapid digitalization with the need to prevent the exclusion of vulnerable citizens, ensuring that the transition to a more automated and electronic system leaves no one behind.
4.1. Digital and process
This section examines the maturity of technical standards and barriers across access, authentication, verification, and integration of digital PoAs in Iceland.
4.1.1 Technical Standards and ID Infrastructure: Advantages and Disadvantages
The following describes the maturity for technical standards and barriers regarding access, authentication, verification, and integration, alongside cross-border interoperability to highlight advantages and disadvantages in Iceland.
Digital | Basic | Intermediate | Advanced | Fully integrated |
Access to handle PoAs |  | |||
Verification | | |||
Authentication | | |||
Integration | | |||
Cross-border interoperability | |
Table 20. Iceland’s maturity for technical standards and barriers - No data on EU Digital identity Wallet.
Access to handle PoAs
In the Healthcare sector, patients (assignors) can log into the Health Portal, Heilsuvera, to assign PoAs. eIDs are the only means of authentication and identification of the security standard required for electronic identification into electronic healthcare in Iceland.
Companies’ Taxation matters can be performed within Skatturinn, to gain access to PoAs for Tax returns, payroll tax obligations etc. The PoA will then be sent to legal domicile of the company by mail. It is furthermore possible to call the Service Center at Skatturinn and ask for it there. On the skatturinn website there are several templates for PoAs.
For Business matters, PoAs can be accessed through the platform solution Ísland.is, which integrates with a variety of services, such as tax filings, company registration services, and other government portals, allowing the assignee to access these services on behalf of the company. The assignor and the assignee log in to the platform using their eID.
PoAs are not housed in a single, centralized database but are integrated into various sector-specific services, accessible through Ísland.is. The system supports secure authentication of PoA delegations for tasks such as tax filing, healthcare decisions, and legal matters. Therefore, the system supports digital access to handle PoAs to a strong degree.
Verification
Registers Iceland (Þjóðskrá) holds the National Registry and manages National Identification Number (Kennitala), which are crucial for verifying both natural and legal persons involved in PoAs. It ensures that legal rights, such as PoAs, can be validated securely. This number is used to link your identity to the electronic ID and verify your personal information against the national registry.
Electronic IDs are the only means of verification and identification of the security standard required for electronic identification into electronic healthcare, taxation, and business matters in Iceland. Verification of access to digital PoAs are therefore fully supported.
Furthermore, the following attributes are linked to the verification:
- National Identification Number (Kennitala) This number is used to link your identity to the electronic ID and verify your personal information against the national registry.
- Agreement with the Certified Provider Auðkenni, which is the main issuer of eIDs in Iceland. This involves registering your details and verifying your identity in person at a service centre, typically a bank or a mobile service provider's office.
- Biometric Identification (for some services). For initial registration or certain high-security actions, biometric identification (such as showing a passport or other official ID document in person) is required to establish your identity. This ensures that the eID is securely linked to the rightful individual.
Authentication
National ID Database are integrated with the eID system, this database authenticates identities via national eIDs, which are used to authorize PoAs digitally. This infrastructure ensures secure authentication and access to documents related to PoA agreements.
The PoA platforms (Heilsuvera, Skatturinn and Island.is) leverages the secure authentication mechanisms provided by the national eID system (Rafræn skilríki) to a strong degree and involves two-factor authentication. It is widely adopted by the public and private sectors as well as approximately 97% of the eligible population (aged 13 or older). The eID system is built on secure cryptographic protocols, offering authentication and digital signature functionalities. Citizens use their eIDs via smartcards, SIM-based solutions, or mobile apps for secure access to various services. It is utilized for various services, including banking, government portals, healthcare, education, and digital signatures. Iceland's eID has not yet been notified by the EU under the eIDAS regulation.
Authentication for accessing, e.g., the Heilsuvera platform or initiating Digital PoA Transaction involves PIN codes, eIDs, and multi-factor authentication (MFA) for assignor and assignee. This PIN code is required every time you authenticate using the eID. It serves as a security measure to confirm your identity during login and digital signing processes.
Integration
Iceland has a centralized digital platform called Ísland.is, which serves as the primary gateway for public administration services. Managed by Digital Iceland, this platform brings together services from over 250 public agencies and municipalities, allowing individuals and businesses to interact with various government functions in one place. Citizens can access a wide range of services such as tax filings, health records, and more, all through their eID, making it a one-stop solution for many life events.
While there is no single, dedicated PoA platform, the Ísland.is portal allows individuals to manage and authenticate PoAs related to different sectors. This central platform offers access to PoAs in areas such as tax services, healthcare, and legal matters. By using the eID, users can authenticate their authority and access relevant PoAs linked to specific government services.
For now, the data collected do not suggest integrations enabling data exchange outside each sector. Nevertheless, Iceland is in the process of implementing the Once-Only Technical System (OOTS) as part of its broader digital transformation initiatives. The core of Iceland's implementation of OOTS is through Straumurinn, a national data exchange platform that builds on the X-Road interoperability framework. This system will allow secure and efficient data exchanges between public and private sectors and is a significant step toward fully realizing the once-only principle for digital services in Iceland.
Cross-border interoperability
For healthcare, the existing legal framework is outdated (dating back to the 1930s) and does not align well with modern data privacy regulations like GDPR. In the data collected, a need for synchronized European laws and the flexibility to grant different types of PoA for different matters was emphasized. The healthcare system lacks funding to implement comprehensive digital solutions. The banking sector has reduced number of branches and moved services online, using significant resources to ensure customer accessibility and security. The healthcare sector, however, struggles to implement similar features due to financial limitations. The Heilsuvera platform is designed to comply with the EU’s eIDAS regulation, which allows for the use of electronic identification from other European Economic Area (EEA) countries.
When using PoA in regard of taxation or business matters, in cross border transactions the most challenging task is to be able to map the roles and rights for both the assigner and the assignee, i.e. who is who and what is the assignee allowed to do.
For the platform solutions and PoAs to be available across country borders, two infrastructure elements are needed. First, Iceland’s eID must comply with eIDAS, allowing EU citizens to authenticate using their national eIDs for cross-border transactions, including PoAs. This infrastructure will enable the verification of identities and authorizations across borders.
Second, PoA documents and related legal agreements must be accessible and verifiable across borders, requiring secure database integration with EU systems through cross-border databases. For instance, (1) BRIS (Business Registers Interconnection System): Relevant for legal entities across borders, ensuring that PoAs related to business activities are recognized, and (2) European Health Data Space (EHDS): For health-related PoAs, this sector-specific infrastructure will allow for cross-border access to medical records.
4.1.2 PoA Process
Access & verification
Healthcare: For medical Prescriptions, the assignor’s identity is verified at the time of logging into Heilsuvera to ensure that the correct person is authorizing the delegation of rights. This process requires the assignor to log in using their eID (rafræn skilríki), ensuring their identity is verified. The assignee's identity is also verified when logging into the system to accept the PoA. The assignee is also required to show proof of identity, typically done through an ID card, driver's license, or any other legally accepted form of identification when picking up the medicine. Pharmacies also require proof of the PoA which is automatically updated in the Heilsuvera portal.
For guardians to have access to My pages on Heilsuvera.is, the assignee's access is verified against the national registry, which contains information on parent-child relationships. This ensures that the person claiming to be a guardian has a legal connection to the child. The assignee's identity is also verified when logging into the Heilsuvera portal.
For taxation and for business matters, the identity of the assignor and the assignee is verified when logging into the skatturinn web portal or Ísland.is using the eID. The eID is linked to national identification, which is validated through secure channels by Icelandic authorities, typically during the registration of the eID. This ensures that both the assignor and assignee are verified before the PoA is granted or accepted.
Create PoA
PoAs for medical Prescriptions are created and established through 'My pages' on the Heilsuvera portal. This authorization can specify if the assignee is empowered to pick up any medication on behalf of the prescription holder for an indefinite period or just a single medication for a limited amount of time. For taxation, a request for a PoA can be created on the web portal skatturinn.is and the PoA will then be sent to the legal domicile of the company by mail. Templates to PoAs can be found on the skatturinn website. For business matters, the PoA is established by the assignor (e.g., the legal representative of the company) through the Ísland.is platform.
The assignor within the health area can create and accept the PoA digitally through the Heilsuvera platform. The digital authorization is recorded in the system, making it accessible to pharmacies. The assignee also needs to log in with their eID to confirm their acceptance of the authorization. This ensures that the assignee is fully aware of their role and agrees to take on the responsibilities involved.
No information for accepting PoAs for taxation or business matters was collected.
Use PoA
When using the PoA, it can be found digitally by logging into either the Heilsuvera platform, a centralised system accessible to all pharmacies in Iceland, or Icelandic tax administration's web-portal etc.
Third party actions happen by checking whether the PoA is active in the e-prescription gateway for medical prescriptions. And verifying the identity of the assignee (1). When a guardian accesses Heilsuvera, they are logged into the portal using eID. The Heilsuvera system itself acts as the authority that validates the PoA based on verified data from the national registry (i.e., the link between the guardian and the child, and the child’s age) (2). The same happens for taxation as the reliance on eID as a secure form of authentication not only confirms the assignee’s identity but also ties the action directly to a specific authorization, preventing unauthorized access. For business matters, the usage of the authorization portal service provided by Ísland.is the holder of the PoA can give access to various parts of the service website in question.
Terminate PoA
Within health a system integration and real time verifications scans if the PoA still are valid. The PoA are terminated when the child turns 16, and for medical prescriptions either by specifying a time limit for the PoA when creating it, or by logging in and terminating the PoA on the Heilsuvera portal.
For business matters, the assignor can access the active PoA in the ‘My Pages’ section at Ísland.is and edit the PoA to change the scope, duration, or other details (e.g., assigning new rights or changing the assignee), and lastly, it is possible to Revoke/terminate the PoA entirely, ending the rights granted to the assignee.
4.2 Legal Aspects
The following section will first present an overview of legal topics, followed by a review of EU initiatives.
In Iceland, specific or limited PoA documents are commonly used across various sectors. The Children's Act (Act no. 76/2003) governs PoAs in health, allowing guardians to access minors' health data on Heilsuvera.is, with no other health sector PoA regulations identified. The business sector relies on a mix of formal laws and customs, requiring adherence to Icelandic agency and contract laws. Liability concerns hinge on the good or bad faith of the PoA actor, with digital services demanding providers accommodate PoA users, thus heightening liability risk. Each sector has unique barriers, such as minimum age requirements, legal capacity, and the necessity for an Icelandic electronic ID for transactions in business and taxation sectors.
4.2.1 Legal Topics
This section covers the legal topics also included in the main report: semantics, types of PoAs, legal basis, liability, and legal barriers.
Semantics
Health sector | Taxation sector | Business sector | |
Assignor | The individual who holds a prescription or guardians for their child up to the age of 16 | Person with legal authority over the company, such as owners, partners or board members | The holder of the power of procurement (usually the CEO of the company) |
Assignee | The individual who is authorized to act on behalf of the assignor or the individuals with official parental responsibility/guardianship | A (authorized) representative, often an accountant, payroll administrator or tax agent/advisor | Could be an employee, a legal representative, or any other designated individual who is given the authority to access the company’s digital services |
Table 21. Role description of various sectors
Types of PoA
In general, the most frequently used PoAs for Iceland, cf. across all the three sectors, specific/limited PoAs are the most frequently used.
Legal basis
The Act no. 76/2003, Children’s Act (Barnalög) outlines the rights and duties of parents regarding their children’s upbringing and welfare. This act regulates the PoAs where guardians have access to “My pages” on Heilsuvera.is which is a site where you can access health data. According to the data collected, there are no other acts regulating PoAs within the health sector.
Due to lack of data, there are no laws mentioned within the taxation sector.
Regarding the business sector, the legal basis for PoAs is a combination of formal laws and established customs. The PoA must comply with Icelandic laws governing agency relationships, while also adhering to the basic principles of contract law (such as clarity, consent, and specificity).
Liability
When considering liability in Iceland good/bad faith matters when someone acts on a PoA. This also applies when the PoA and the solutions used to act are digital.
A difference between the PoA for digital services and a general PoA is that the service provider is required to adapt their solutions to enable someone who has a PoA to use them, which increase the risk of mistakes leading to liability disputes.
Barriers
Within the health sector, there are limitations with regards to age, where the assignee has to be at least 16 years old, to have access to the Heilsuvera.is platform. Additionally, within the health sector, the only limitation to the general PoA, is that parents cannot make decisions about organ donation on behalf of their children.
For the taxation sector the limitations include age and employment status, but the country expert was not able to collect data specifying the further extent thereof.
Regarding the business sector the age of both the assignor and assignee must be at least 18 years of age. Further, both parties must have the mental capacity to understand the legal implications of the PoA. Further, the assignor must be recognized as a legal representative in Iceland and the assignee must have an Icelandic electronic ID. Additionally, the assignor must be an authorized representative of the company, while the assignee does not need to be an employee but must be capable of fulfilling the role. Lastly, both the assignor and the assignee must use and Icelandic Electronic ID.
4.2.2 Status of implementation of relevant EU initiatives
The table below summarises the implementation status for each regulative in the Icelandic context. The content is unfolded in the section below.
Legal | Have not started | Planning implementation | Pilot phase or partly implemented | Fully implemented |
Electronic, Identification, Authentication and Trust Services (eIDAS 2.0) | | |||
Once Only Technical System (OOTS) | | |||
EU Single Digital Gateway Regulation (SDGR) | N/A | |||
EU Digital Identity Wallet (EUDIW) | | |||
The European Health Data Space (EHDS) | N/A | |||
Upgrading Digital Company Law (UDCL) | N/A | |||
Table 22. The implementation status for each regulative in Iceland
Electronic, Identification, Authentication and Trust Services (eIDAS 2.0)
According to the data collected, Iceland has a national eID, Rafræn Skilríki. The revised version of eIDAS is being implemented towards 2026. As Iceland must implement the eIDAS 2.0, it is likely that some planning has begun, thus stage 2 has been assumed above.
Once Only Technical System (OOTS)
In the data collected it is stated that Iceland is currently in the process of implementing the OOTS as part of its broader digital transformation initiatives. The core of the implementation of OOTS is through Straumirinn, a national data exchange platform that builds on the X-Road interoperability framework.
EU Single Digital Gateway Regulation (SDGR)
No grade included above, as sufficient data was not available to the country expert.
EU Digital Identity Wallet (EUDIW)
There is no information on this matter in the analytical framework. However, desk research on www.island.is shows Iceland participating in a multi-country consortium, with some of Europe’s most trusted identity experts, where the aim is to deliver a cross-border payment pilot strongly aligned with the aims of EUDIW. Therefore, a stage 2 is most likely.
The European Health Data Space (EHDS) and Upgrading Digital Company Law (UDCL)
Grades for the implementation of EHDS and UDCL are not included, cf. paragraph 3.3.2 above.
4.3 Social inclusion
In the table below, the status of Iceland's efforts to ensure digital inclusion is shown. The table highlights which measures that are fully or partially implemented. The following text explains which measures that have been implemented so far and how they are implemented. Overall, Iceland has fully implemented some of the identified measures. In some areas, Iceland is in the development stages, while they in other areas exceeds basic requirements, offering, especially, disabled people a rather handhold assistance tailored the specific needs through the Disability Rights Protection Office.
However, some concerns have been addressed during interviews with key stakeholders pointing that the digitalization is moving too quickly with the risk of leaving vulnerable citizens behind.
Social | Have not started | Planning implementation | Partly implemented | Fully implemented |
Options for physical PoAs | | |||
English language options available | | |||
Information Systems for people with impairments | | |||
Alternative access to digital ID | | |||
Spokesperson/ representation of other people to obtain a PoA | | |||
Education, support-service and facilitators to obtain a digital PoA | |
Table 23. Iceland’s efforts to ensure digital inclusion
4.3.1 Options for physical PoAs
Individuals without an eID, can deliver a physical PoA document in order to give another individual access to e.g. their digital inbox[1].
4.3.2 English language options available
The national Icelandic citizen website, Ísland.is, is available in English. Also, the website explaining how to grant a PoA in the name of a person or a company is described in English to support the inclusion of non-Icelandic speaking people.
4.3.3 Information Systems for people with impairments
EN 301 549 has been implemented in Iceland, even though Iceland is not a member of the EU. This is because Iceland is part of the European Economic Area (EEA), which includes EU member states and three EFTA (European Free Trade Association) countries: Iceland, Norway, and Liechtenstein. The EU Web Accessibility Directive (Directive (EU) 2016/2102), which references EN 301 549, has been incorporated into EEA legislation. As a result, Iceland is obligated to implement the same accessibility requirements for public sector websites and mobile applications as EU member states.
4.3.4 Alternative access to digital ID
In Iceland, efforts to ensure inclusion for vulnerable assignors in the PoA process are still in developmental stages. Some of the measures that have been discussed to be implemented are alternative access to digital ID.
There has been ongoing dialogue about enabling municipalities to provide electronic IDs, as e.g. social workers are familiar with their clients’ situations. This could help streamline access to necessary digital services for vulnerable individuals.
Also, there are considerations for alternative methods of authentication beyond traditional PINs, such as using fingerprints, facial recognition, or even emojis. However, details on the implementation of these alternatives are still unclear.
4.3.5 Spokesperson/ representation of other people to obtain a PoA
Individuals with disabilities can appoint personal spokespersons, persónulegir talsmenn, allowing them to make decisions independently. However, the access to decision-making is somewhat restricted due to the potential risk of fraud, e.g. by having access to bank accounts. To represent a vulnerable assignor, a spokesperson must be officially authorized by the Rights Protection Office, regardless of the assignor’s personal preferences, such as appointing a family member. This ensures that the representative is deemed suitable to act in the best interest of the assignor.
The Disability Rights Protection Office can also assist digital vulnerable people to make an agreement with someone they trust to become their personal spokesperson if they need support to exercise their legal capacity and to be recognized as persons before the law.
The office provides documentation confirming the role as representatives of the vulnerable person. However, there are challenges with financial institutions, such as banks, which may not recognize these documents.
4.3.6 Education, support-service and facilitators to obtain a digital PoA
This overview presents Icelandic initiatives dedicated to improving digital competencies through education, training, and support services, including digital PoA facilitation.
Fjölmennt offers specialized digital training for individuals with intellectual disabilities, while Tölvumidstöd (TMF) provides IT counseling and courses. Public libraries also support digital literacy through free workshops. Fræðslumiðstöð atvinnulífsins enhances employability through digital upskilling, while the Digital Competence Cluster collaborates with institutions to promote digital skills nationwide. Private initiatives like TV and Akademias offer ICT training for both individuals and companies, contributing to Iceland’s growing digital literacy.