Access to handle PoAs
In Lithuania, each sector has separate platform solutions for handling PoAs.
To grant or request PoAs in the healthcare sector, such as for picking up prescribed medicine on behalf of another, or managing another person’s health-related matters, citizens must access the e-sveikata platform solution and log in through one of various ID methods. Here, citizens can set the PoA scope, choose an assignee and determine the duration of the PoA. For the e-sveikata platform, concerns have been raised in the public regarding the usability of existing functionality. However, the criticism extends to the e-service platform as a whole, i.e. ESBPI, which is considered less user-friendly.
For taxation matters, citizens must access the state tax authority’s platform solution, VMI, and log in using one of various ID methods, using the same ID infrastructure as for healthcare matters. On the platform, citizens and companies have full availability of PoA options through various interconnected systems, including selecting roles and the exact forms that assignees have access to read, edit, send, or receive on behalf of the person or company, as well as setting an expiration date for the PoA. VMI administers several interconnected systems, of which Mano VMI is the main one for ordering digital services, including the issuance of PoAs. EDS and i.MAS are separate systems for declaring taxes and administering tax-related information, which the PoAs can be used for. No single PoA can enable an individual person to represent a company in all VMI systems.
For business matters, most activities related to PoAs are carried out through Registrucentras (the State Enterprise Center of Registers). From here, companies can grant a PoA to an individual to act on behalf of the company, as well as to other legal entities. Assignors can select an assignee, the exact services provided to the assignee, the expiration date and more. The scope and type of PoAs may vary according to industry and type of legal entity.
Overall, the Lithuanian PoA landscape is split into sectors, with access to healthcare, taxation, and business matters occurring on separate platforms. The ease of access to these and the sector specificity indicate an advanced level of maturity regarding access to PoAs.
Verification
In Lithuania, there is one true national ID, which is a personal ID card, the EU-notified AKT eID, used with an integrated chip reader or using NFC functionality, linking the chip-enabled card within the mCard LTU application. Verification occurs on VIISP, through the online verification service iPasas or an independent identification service, such as bank credentials, state registry, or digital signature when accessing PoA platforms.
VIISP (The State Information Resources Interoperability Platform) is a public system designed to provide a one-stop-shop for individuals to access public and administrative digital services, among other things enabling data exchange and digital identification of a person. To create a PoA, one must log in to the specific PoA platform required via VIISP. Verification is provided automatically by the system integrating with the national registry data and VIISP, using personal code, name, and surname for health PoAs. For taxation, the same is needed plus state code to establish identity, as well as email and phone number to ensure communication for taxation. For business, the attestation of attributes includes name, surname, personal identification number (or birth certificate), address of the place of residence, and legal entity code. If an organisation from a foreign country is involved, the name and registered office in the country where the legal entity is registered would also be necessary.
These are established regardless of which digital identification tool is selected by the user to log in, demonstrating a higher degree of maturity. While the eID is EU-notified, it remains manual in situations needing a card reader for utilisation. Moreover, the variety of ID methods available and the security of identity verification in combination with this can be considered more complex, and thereby less advanced. Thus, verification can be considered at an intermediate level.
Authentication
Authentication in the Lithuanian PoA landscape occurs through the iPasas, VIISP or taxation identification services. The iPasas service can be used for authentication to the healthcare and business platforms for PoA, e-sveikata and Registrucentras respectively. iPasas offers a variety of authentication options: LTid, text message verification with personal identification number, cryptographic USB, the physical AKT eID chip card, or electronic banking credentials. Similarly to iPasas, the VIISP platform allows authentication via a series of options, which include text message verification with personal identification number, cryptographic USB, physical chip card, eID via browser extension, contactless ID card via QR code, or electronic banking login. The VIISP identification service is used for login to e-sveikata and integrates with VMI via API calls. For taxation, VMI has its own authentication portal, offering similar authentication options to iPasas and VIISP. The taxation identification service allows authentication via cryptographic USB, physical chip card, text message with personal identification number, or electronic banking login. Similarly, VMI integrates with the national registry to verify users upon login.
Overall, the authentication landscape for digital PoAs in Lithuania is extensive and provides many options for login to access PoAs and public digital services. While this gives citizens the liberty to choose an authentication option, it also leaves room for compatibility and security concerns. Generally, login via text message authentication has been deemed too insecure, in favour of other forms of multifactor authentication (MFA). The security of login via banking services could not be verified, and it was unclear what the physical forms of authentication (cryptographic USB and card) are combined with at login, though physical forms of MFA are generally highly secure. The establishment of a national eID and the integrations across platforms to ensure verification and authentication are positive signs, however, and the underlying infrastructure seems to be in place to take the next step in terms of maturity. Currently, however, the maturity can be considered intermediate.
Integration
In Lithuania, the PoA landscape is separated distinctly by sectors, with healthcare occurring on one platform, taxation on another, and business on a third. From the data collected, there was no indication of direct integration between the PoA platforms. However, there are underlying integrations via VIISP and the State Enterprise Center of Registers, which administer the state registers for population, legal entities, PoAs and more. These are used first and foremost for verifying the identity of legal and natural persons, as well as for the registration of PoAs.
Additionally, the Lithuanian PoA landscape integrates with various forms of authentication. For health, the assignee must show their ID at a pharmacy, but no data informs whether the third party can verify the validity of a PoA. Nevertheless, the PoA is visible on e-sveikata. For taxation, the PoA can only be used for self-service (public e-services) via the platform (Mano VMI). When signing in, the user automatically checks the individual’s PoA; however, third parties do not need to inspect the PoAs. For business, there is a public search engine that allows PoAs to be identified in the registry by providing an identification number and PoA ID. Overall, the level of integration indicates an intermediate level of maturity.
Cross-border interoperability
In 2023, Lithuania successfully implemented the functional capabilities of the electronic identification eIDAS node, which meet the requirements of the eIDAS regulation, in the Lithuanian national electronic identification information system. A foreigner may thereby log in to public information systems, incl. PoA platforms, by using a foreign eIDAS-certified ID through iPasas on VIISP. However, this has not been integrated and does not work in practice yet. Additionally, the verification to access PoAs across sectors requires an integration with the Lithuanian national registry and therefore requires a Lithuanian personal identification number.
The development of an EU-approved eID also marks a step in the right direction for eventual cross-border PoAs. Moreover, while EUDIW is being tested, it currently has no technical relation to PoAs; however, the results of the pilot may serve as a breeding ground for future integration. Generally, experts have doubts about implementing cross-border PoAs, as existing initiatives such as eIDAS encounter numerous challenges regarding identity matching, while EU countries frequently update and adjust their systems. This makes the solution potentially unfeasible. Moreover, the findings suggest that some representatives believe cross-border solutions cannot work effectively, due to varying personal ID formats or authentication methods, which can cause challenges when connecting cross-border registers. Lithuania does not have a centralised PoA solution today, which means each institution provides, stores, and utilises the PoAs according to internal rules, which would be difficult to align without having a centralised solution within the countries.
Further, despite the OOTS being implemented, facilitating ‘once only’ principles for digital services to EU citizens, there are currently no perceived benefits for dissemination of cross-border PoAs. Overall, Lithuania can provide access to foreigners with the eIDAS portal implemented, but the internal infrastructure is still not capable of cross-border integration with regard to digital PoAs. With signs of development, e.g. through EU initiatives, the cross-border interoperability maturity can be considered intermediate.
6.1.2 PoA Process
This section outlines the general process and user journey for the assignors and assignees of PoAs in Lithuania.
Access & verification
Citizens and businesses can access the separate PoA platforms (e-sveikata, VMI, and Registrucentras) by logging in via one of the many authentication methods (methods include: LTid, text message verification with personal identification number, cryptographic USB, physical chip card, contactless ID card via QR code, or through electronic banking log in, depending on the platform). Identity is verified when logging in via integrations with the citizen registry or the use of an eID.
Create PoA
Creation of PoAs occurs on the separate PoA platforms. Generally, the platforms follow very similar steps for creating PoAs. Following access and verification, users can create PoAs according to sector; choose an assignee (for healthcare always a natural person, for taxation and business either a natural or legal person); select the type of PoA (for taxation and business this goes down to the type of forms the assignee is able to access, edit or send/receive); and select the length of the PoA. Creation of a PoA requires no additional verification or authentication. When creating business-related PoAs there is a nominal fee involved depending on the type of PoA, around €4.00; no other PoAs have any costs. For business, there is no act of accepting PoAs, as it is treated as a one-sided agreement by the assignor.
Use PoA
Digital use of PoAs generally occurs on the same platform where the PoA was created, when the assignee logs in to the platform. From here they can access, view, edit, and/or send/receive data depending on the specific PoA. This is, however, different for taxation, where the PoA is used on separate systems, e.g. i.MAS or EDS for taxation matters, from where accountants or other assignees can use their PoA for matters on behalf of the assignor.
Physical use of a digital PoA is different depending on the sector. A digital PoA for taxation cannot be used when physically visiting the state tax authority but can be used to log in digitally at their local self-service PCs. For physical healthcare PoAs, such as picking up prescribed medicine for someone else, the assignee must show their physical personal ID to utilize the PoA.
For business cases, there is no distinction between digital and physical PoAs. However, in situations where notary services may be required, the PoA can no longer be provided digitally, as notary services are not provided digitally.
Terminate PoA
For all PoAs, the assignor can set the duration of validity, fixed or indefinite, and the PoA is terminated automatically when the date is reached. Termination before the expiration date of a PoA could not be determined for healthcare matters. For taxation, both the assignor and assignee can terminate the PoA. Business PoAs can be terminated at any time, but this must be done physically.
6.2 Legal Aspects
The following section will first present an overview of legal topics, followed by a review of EU initiatives.
In Lithuania, PoAs vary from sector to sector, with the specific or limited PoA being the most used. Within health, PoAs are used to view a patient’s referrals or pick up medicine; for taxation, PoAs can be used for granting access to look at taxation data or submitting tax-related forms. For business, PoAs are used for e.g. checking a company’s data in a register or establishing a subsidiary. According to the data collected, the legal basis for health is internal documentation. The legal basis for taxation is the Internal State tax inspectorate legal acts and information system Ts&Cs, and for business the legal basis is general provisions regulated by law. Regarding liability, the assignor holds the full responsibility, but the specific details are unclear due to insufficient data. Barriers to granting PoAs within the three sectors in Lithuania include age and mental capacity. Lastly, Lithuania is in the pilot phase for OOTS and EUDIW, but still in the planning phase or yet to begin implementing the other EU initiatives.
6.2.1 Legal Topics
This section covers the legal topics also included in the main report: semantics, types of PoAs, legal basis, liability, and legal barriers.
Semantics