7. Norway

The analysis of Norway's digital PoA infrastructure reveals a system in transition, striving to weave together digital, legal, and cross-border elements to boost convenience and inclusiveness.
Norway's approach entails distinct digital platforms for handling PoAs across the sectors of healthcare, taxation, and business. These platforms are rooted in a solid eID framework that is broadly embraced by Norwegians, enhancing identification and verification processes essential for PoA functions.
The country, however, faces hurdles in achieving cross-border coherence, particularly in validating foreign nationals' identities and PoAs. Alignment with the EU's legal standards, including eIDAS 2.0, remains a work in progress. National efforts are discernible in initiatives like eIDAS 2.0 adoption, reflecting a wider movement toward consolidating digital PoA structures and fostering better data interchange in accordance with European norms.
From a social perspective, Norway is proactive in making digital PoA services reachable to individuals with disabilities and has provided mechanisms for manual PoAs. These initiatives are complemented by multilingual support across digital platforms, aiding users who may not speak Norwegian and ensuring representation for those needing help with PoA engagements.
Norwegian PoA statutes are distinctly outlined within its sectors, influenced by laws like the Norwegian Agreement Act and specific legislations catering to taxation and healthcare. These regulations prescribe the extent of liabilities and enforce compliance with the country's legal tenets related to agency and contractual dealings.
As Norway progresses in optimizing its digital PoA landscape, it needs to balance technological advancement with social equity, ensuring the digital shift includes adequate support for all citizens, thereby fostering an inclusive, electronically enabled legal environment.

7.1 Digital and process

This section examines the maturity of technical standards and barriers across access, authentication, verification, and integration of digital PoAs in Norway.

7.1.1 Technical Standards and ID Infrastructure: Advantages and Disadvantages

The following describes the maturity for technical standards and barriers regarding access, authentication, verification, and integration, alongside cross-border interoperability to highlight advantages and disadvantages in Norway.
Digital maturity levels: Basic, Intermediate, Advanced, Fully integrated
Dimensions assessed: Access to handle PoAs, Verification, Authentication, Integration, Cross-border interoperability
Table 32. Norway’s maturity for technical standards and barriers

Access to handle PoAs

In Norway, there are a few access points to handle PoAs that are generally sector specific. PoA matters are split up according to healthcare, taxation, banking and more. One portal, Altinn, connects citizens with public and private entities, and integrates some PoAs for the relevant sectors, such as taxation and business. This platform connects various digital services and allows for the creation of PoAs, notifications and more for some sectors.
For healthcare matters, citizens can log into the national healthcare portal, HelseNorge. In HelseNorge, citizens can access, view, and create PoAs digitally, as well as use any PoAs they have been assigned on behalf of their assignors.
Taxation matters can be conducted in the taxation authority’s portal, Skatteetaten, with some also available in Altinn. Skatteetaten uses Altinn APIs to delegate digital PoAs. On both platforms, PoAs can be viewed and assigned in digital formats as well as in more traditional forms that can be filled out as PDFs and submitted with a physical or electronic signature. In some cases, attorneys or lawyers need to handle tax matters for a company, for which they need to fill out a form to request access to the tax files. The forms are available digitally at Skatteetaten, where there is currently one PoA option (view taxa. The Norwegian Tax Administration will then inform the assignor (company) that the assignee has applied for access. Further, a different form must be filled out for non-digital citizens to grant a PoA to a trusted private person to handle their tax matters. The forms are sent by e-mail to the Norwegian Tax Administration.
In the business sector, general PoA matters are handled in Altinn as well. However, the most frequently used PoAs identified in the business sector in Norway in this report involve mainly banking matters, which require a consent-based loan application, transferring PoA to bank or insurance, or for bank account affairs. Hence, the PoA is primarily handled directly with the bank/insurance company. Moreover, the business sector has established other platforms that are partly based on PoAs regarding Debt (norsgjeld.no) and Pension (norskpensjon.no).
PoAs are generally handled digitally in Norway through access to various PoA platforms, and health, tax, and business matters in many cases work well with predefined PoAs. However, the country’s general landscape does not appear entirely clear, which places Norway on an intermediate level. Altinn, interestingly, is scheduled to be phased out and replaced by Altinn 3.0, a more developed version, by 2026, which may strengthen the access and integrations, including for private matters.

Verification

Norway’s PoA platforms utilize a strong ID infrastructure setup to verify citizens and businesses through eIDs. The eID solutions include BankID, Buypass, Commfides, and MinID, which are all attached to the personal identification number of Norwegian citizens. All eID solutions can be used as a means to verify citizens’ identity to access PoA platforms (e.g. HelseNorge or Skatteetaten). Moreover, the three solutions are at the highest level of security, which demonstrates a high level of verification maturity for digital PoAs.
Generally, BankID is issued by citizens’ banks and is the most used eID means in Norway. It is also the necessary means for an assignor to grant PoAs related to banking matters, with MinID as an alternative.

Authentication

The Norwegian eID infrastructure leverages the robust authentication mechanisms of the various eIDs available, which all use a form of qualified electronic signature in combination with multi-factor authentication. This uses either physical key codes, authenticator apps, or physical authentication in combination with the personal identification number and a password.
BankID is the most widely used eID in Norway. BankID is a PKI solution where a private key is generated and stored, used to sign and authenticate, and protected with respective PIN codes. Citizens select login via BankID and enter their personal identification number. They then open the app and enter a personal password.
Buypass has various ID and authentication methods, including PKI on a “smart card”, mobile two-factor authentication, PKI for mobile and biometric ID.
Commfides is mostly used by firms, e.g., pharmacy technicians, and involves a card-reader.
The solutions demonstrate a high level of authentication in Norway, with the use of an eID being necessary for all digital PoA steps.

Integration

In Norway, there is no central PoA administration platform solution integrating all PoAs (public or private). Instead, PoAs for healthcare, taxation and business matters are handled separately.
Furthermore, the health system is not fully integrated with other public health services in the sector. For instance, a PoA for HelseNorge services cannot be used to access services in Helfo (the Norwegian Health Economics Administration).
Several interviewees have voiced a need for a general archive of PoAs. PoAs can cover several sectors, e.g., bank and health, but if it is only possible to register within one sector, the PoA will not be accessible to other third parties looking to validate a request from the person that had been given the PoA.
Altinn is the digital service providing integration for PoA matters, as Skatteetaten integrates fully with the platform. Altinn also provides digital services and PoAs for some business matters. However, it is not an overall repository of PoAs and does not integrate with healthcare or other sectors. The upcoming version 3.0 of Altinn may develop the level of integration in Norway.
Additionally, the DSOP collaboration, a collaboration between state and business actors for digitalization, provides a link between actors to send data for information such as banking, insurance, debt registrations, and more, when requested and if authorised. However, according to the data collected, this does not integrate with PoA solutions.
Overall, integration is fragmented across the Norwegian PoA landscape, with some developments being made. Maturity can be considered as intermediate. No further data was collected regarding authorization or integration standards.

Cross-border interoperability

Today, all Norwegian PoAs require personal identification numbers, which are issued for national citizens and linked to the digital identities through eID mechanisms. For example, Altinn relies on the credentials of the personal identification number. Thus, foreign citizens and businesses cannot digitally request or grant a PoA.
The biggest challenge to this is around matching identities with foreign citizens and businesses. It is thereby suggested to enable the acceptance of other EU countries’ national eID to provide access for foreigners.
Furthermore, the sectors are not even integrated nationally, as is the case for the healthcare sector. Integrating with health services across borders may therefore be a complex exercise.

7.1.2 PoA Process

Access & verification

For healthcare matters, Norwegian citizens can login to HelseNorge to handle PoAs. For taxation matters citizens can login to Skatteetaten or Altinn. Other digital PoAs and business matters can be accessed through Altinn or banks/the specific service’s websites.

Creating the PoA

For healthcare matters, PoAs can be created directly in HelseNorge. For taxation matters this can be done either on Skatteetaten or on Altinn, however, there is also the option to do it via PDF forms filled out and sent to the tax authorities.
For banking and other PoAs an assignor must fill out a form, either online via the individual platforms or by printing out a PDF.
PoAs are stored on government servers (HelseNorge, Skatteetaten, Altinn) or on banks’ or other third-party servers.
There are no costs involved.
Some PoAs grant permission without acceptance by default (e.g., PoAs for parent/child or bank account affairs), while others require the assignee to fill out a form (e.g., next of kin to people not capable of taking care of themselves). Moreover, this is the case if the assignor is requesting the PoA.
For some taxation matters, the assignee is required to e-mail its signature on paper to the Norwegian Tax Administration. For companies, this is done between the company and the private person or the company they are representing.
For other taxation matters, the financial institution sends an SMS to the person applying for a loan, who logs in with BankID and gives consent (PoA) for the institution to get the necessary information from the tax authority.

Use PoA

For all the citizen PoAs in question, the PoAs can be used directly when logging into the adequate platforms, e.g., HelseNorge, Altinn, or the assignor’s bank account. Similarly, companies (e.g., banks) can access the assignor’s data upon having created a PoA.
Third-party interactions also differ slightly. In some cases, an ID is sufficient (e.g., an analogue PoA to handle a deceased person’s estate). For healthcare PoAs involving physical presence, such as picking up prescribed medicine, the data suggests that the assignee can show ID at the pharmacy.

Terminate PoA

A PoA can be valid for a limited period, indefinitely, or until withdrawn by the assignor or assignee (both can do so). PoAs that are still valid can be changed, e.g. by the assignor for healthcare matters. When a PoA is changed, it will be deleted, and a new one is automatically created with the changes. Deleted and invalid PoAs will automatically be moved to the historical archive from where they, in most cases, are deleted after five years. For health matters, notifications are received in HelseNorge or via DigiPost. Some authorities also use SMS, e.g. the tax authorities use it to notify the assignor to provide consent through BankID.
In case of changes to regulations or the implementation of new digital services, the Tax Administration may change the scope of the permission regarding the bank account affairs. Consequently, rights may differ from the original mandate. Significant changes to the scope of PoAs will be notified at least four weeks in advance.

7.2 Legal Aspects

The following section will first present an overview of legal topics, followed by a review of EU initiatives.
In Norway, powers of attorney (PoAs) are used across the health, taxation and business sectors, e.g. granting parents the right to act on behalf of their children (up to age 16), to handle the assignor’s assets if the assignor dies, or for loan applications for businesses. The legal basis in Norway is primarily Lov om avslutning av avtaler, om fuldmagt og om ugyldige viljeserklæringer (avtaleloven), supplemented by other acts in specific matters. There is limited data on liability regarding PoAs in Norway, but it is assumed to be similar to the Nordic standard. Legal barriers exist for minors (under the age of 18) and for people with mental limitations, and in certain instances one must have a registered address in Norway.

7.2.1 Legal Topics

This section covers the legal topics also included in the main report: semantics, types of PoAs, legal basis, liability, and legal barriers.

Semantics

Assignor
Health sector: Parents or citizen with capabilities.
Taxation sector: Private person or a person who is in charge of the tax affairs for a company. Could also be the local court.
Business sector: Bank customer or insurance customer.

Assignee
Health sector: The persons with the official parental responsibility.
Taxation sector: Either a private trusted person (e.g. a family member), or an accountant or lawyer.
Business sector: Another private person, often a family member or person within a close circle of the bank customer. Could also be a company through an authorized person, e.g., CEO.

Table 33. Role descriptions of various sectors
A third party in Norway could be the tax authority, public authorities and financial institutions who are members of the DSOP cooperation. Some financial institutions who are a part of the DSOP are Brønnøysundregisteret, Bits AS and Finans Noreg. However, the Norwegian Tax Authority in particular is frequently a third party, since it is the one providing information about tax and income. Moreover, it is often creditors who interact as third parties, typically electricity suppliers, healthcare providers, and others who have a claim against the customer.

Types of PoAs

The most commonly used PoA within the health sector is the general PoA granting parents the right to act on behalf of children up until 16 years of age. This PoA grants parents the right to represent their children in contact with health service providers.
Within the taxation sector, specific/limited PoAs to view, execute, grant decision power, access the assignor’s bank account and handle the assignor’s assets, such as real estate, if the assignor dies are commonly used.
For businesses, a PoA regarding bank account affairs and loan applications is commonly used.

Legal basis

In Norway, the legal basis for agreements and PoAs is very similar to the Danish one, since contract law in the Nordic countries is very similar. However, in Norway it is the Norwegian Agreement Act (“LOV-1918-05-31-4 Lov om avslutning av avtaler, om fuldmagt og om ugyldige viljeserklæringer (avtaleloven)”) that includes sections on PoAs and when they are legally binding.
The data collected from Norway also show that regarding health PoAs the Act “LOV-1999-07-02-63 Lov om pasient- og brukerrettigheter” is applicable. If the PoA includes circumstances regarding death the Act “LOV-2019-06-14-21 Lov om arv og dødsboskifte” is applicable. Moreover, the Act “LOV-2022-12-16-90 Lov om regnskapsførere” is applicable for taxation matters.

Liability

In general, data regarding the liability in PoAs in Norway was not available to the country expert.
However, since the legal basis seems very similar in the Nordic countries, there is reason to assume that liability regulation is similar as well. Thus, the paragraph on liability regulation in Denmark may provide useful information on liability in Norway.
However, within the health sector, the PoA must be written by the patient, given to someone, and the guardian parent must co-sign if the PoA concerns cognitive disabilities.
A potential liability challenge shown by the data collection is that foster parents are not considered in the regulation, which may be troubling under circumstances where the biological parents might still have a PoA.

Legal barriers

In Norway, the age of 18 of the citizen is a barrier when granting or being granted a PoA. Furthermore, the mental health status of the citizen is also fundamental.
Within the taxation sector, the assignor/assignee must be an accountant or lawyer if representing a company.
Within the business sector, the mental health status is also important. Furthermore, the assignor/assignee must be in a position to represent the company. Additionally, one must have a registered address in Norway to apply for loans.   
Furthermore, the collected data shows a specific challenge regarding loans. Apparently, taking out loans cross-border is not possible at this point, since all loan applications are denied if the registered address is not in Norway.

7.2.2 Status of implementation of relevant EU initiatives

The table below summarises the implementation status for each regulation in the Norwegian context. The content is unfolded in the section below.
Legal implementation status levels: Have not started, Planning implementation, Pilot phase or partly implemented, Fully implemented
Initiatives assessed:
Electronic, Identification, Authentication and Trust Services (eIDAS 2.0)
Once Only Technical System (OOTS)
EU Single Digital Gateway Regulation (SDGR)
EU Digital Identity Wallet (EUDIW)
The European Health Data Space (EHDS)
Upgrading Digital Company Law (UDCL): N/A
Table 34. The implementation status for each regulation in Norway

Electronic, Identification, Authentication and Trust Services (eIDAS 2.0) 

The eIDAS 2.0 entered into force mid-2024, with an implementation deadline for national EUDIWs at late-2026 at the latest. Due to the insufficient data collected it hasn’t been possible to provide further information about this regulation in Norway. Additionally, this means that the score given is indefinite due to the missing data.

Once Only Technical System (OOTS)

OOTS 2.0 Project started in spring 2024. Phase one will last until the first half of 2025 and concentrate on studies on Legal and Technical Aspects. After that the project group consisting of national SDG and OOTS coordinators and experts will choose the proof-of-concept implementations that are carried out within the framework of the project. The project is planned to end at the end of 2026.

EU Single Digital Gateway Regulation (SDGR)

The SDGR applies to Norway as well but may have a different application deadline than for the EU members. According to supplementary data collected from the Norwegian Directorate of Digitalization, the regulation is not completely implemented in Norwegian legislation, but the Directorate is working on meeting the requirements set in the regulation.

EU Digital Identity Wallet (EUDIW)

According to the European Commission, Norway is participating in four large-scale pilot projects that are testing the EU Digital Identity Wallet and leading one of them. These projects were launched in May 202  and cover use cases such as digital driving licenses, payments, and educational and professional qualifications. The pilots are expected to continue until 2025.

The European Health Data Space (EHDS) and Upgrading Digital Company Law (UDCL)  

The collected data shows the Norwegian Authority for E-health is following the development of the regulation and making assessments along the way to determine how to comply with the regulation, thus qualifying for the score 2.
However, grades for the implementation of EHDS and UDCL are not included, cf. paragraph 3.3.2 above.

7.3 Social Inclusion

In the table below, the progress of Norway's endeavours in facilitating digital inclusivity is depicted. The ensuing narrative details the various initiatives Norway has undertaken in this domain. The table categorizes the status of these measures, highlighting those that have been fully realized and others still under partial implementation. Overall, Norway demonstrates a significant adoption of these identified measures within its public sector, culminating in a high degree of digital accessibility and integration.
Social implementation status levels: Have not started, Planning implementation, Partly implemented, Fully implemented
Measures assessed:
Options for physical PoAs
English language options available
Information Systems for people with impairments
Alternative access to digital ID
Spokesperson/ representation of other people to obtain a PoA
Education, support-service and facilitators to obtain a digital PoA
Table 35. Norway’s endeavours in facilitating digital inclusivity

7.3.1 Options for physical PoAs

Options for physical PoAs include downloading and filling out paper forms offered by various institutions, such as NAV, pharmacies, Kartverket, UDI, or Posten. These can be signed and delivered physically or uploaded for processing. Legal websites like Jurio or Justify also provide services to create PoAs, with options for digital or physical signing. It's generally more challenging to draft a handwritten PoA due to concerns over witnesses and validity. 

7.3.2 English language options available

The two digital platforms for dialogue between businesses, private individuals and public agencies, altinn.no and helsenorge.no, are available in English, Nynorsk and Bokmål.

7.3.3 Information Systems for people with impairments

EN 301 549 has been implemented in Norway, although Norway is not a member of the EU. As part of the European Economic Area (EEA), which includes EU member states and the three EFTA (European Free Trade Association) states, Norway has implemented the EU Web Accessibility Directive (Directive (EU) 2016/2102), which references EN 301 549. Therefore, Norway is obligated to implement the same accessibility requirements for public sector websites and mobile applications as EU member states. By extension, the standard is implemented for both public and private sector websites designed or updated after 2014.

7.3.4 Alternative access to digital ID

Various digital login methods exist for public services in Norway, typically requiring a personal identification number. An alternative without such a requirement is the Commfides USB pin. Options include MinID issued by the Digitalisation Agency, BankID provided by banks, Buypass ID in smart card or mobile form, and Commfides, a secure USB pin issued by Commfides Norge AS at a cost and requiring a physical ID card or passport.

7.3.5 Spokesperson/ representation of other people to obtain a PoA

Legal PoA is a statutory right that allows an individual to represent a family member who is unable to manage their own affairs as described in vergemålsloven §94 §85. This authority does not require a formal PoA from the family member in question, nor the appointment of a guardian. The law grants this right to a specific group of individuals—close relatives—enabling them to act on behalf of the person through legal PoA.

7.3.6 Education, support-service and facilitators to obtain a digital PoA

Entities like Digihjelpen from the Norwegian Association of Local and Regional Authorities (KS) offer guidance and support at community locations such as libraries or service centers for individuals needing assistance with digital services. Additionally, volunteer organizations like the Red Cross and public libraries provide similar support services.