As-Is description
The as-is description identifies the most frequently used PoAs in the Nordic and Baltic regions and maps the current PoA landscape, focusing on governance differences and identifying practices, particularly for vulnerable populations and non-digital users. This analysis draws on data from the interviews and desk research conducted by national experts in each country of scope.
The analysis will cover the following themes across the country descriptions:
- Digital aspects, addressing differences in digital governance like infrastructure access and PoA technical standards.
- Legal aspects, highlighting variations in legal governance, such as liability, authorization barriers, and the legal basis for PoAs, while considering relevant EU initiatives.
- Equality aspects, exploring the social implications of proposed solutions, especially how different countries address representation for vulnerable and non-digital populations.
Most Frequently Used PoAs
As the first part of the analysis, the most frequently used PoAs in the Nordic-Baltic countries have been identified. The identification process consists of four steps, which are summarized in figure 1 below.
Figure 1. Identification process steps
In the first step, the analysis is narrowed down to focus on health, tax and business. The sectors have been chosen in close collaboration with Nordic Council of Ministers, including NOBID, based on workshops and interviews showing the most important sectors for PoA use.
The second step builds on an extensive data collection approach, where up to the three most frequently used PoAs in each sector are identified for all countries included in the project.
The data collection in step two results in a gross list of PoAs sorted by countries providing an elaborate overview in step three making it possible to identify similarities and trends across countries (see appendix 2 for a full overview).
The selection of the most frequently used PoAs is the result of an assessment of a number of factors.
The primary factor is the determination by country experts and their respondents regarding how frequent the PoAs are used in the respective countries. This is especially relevant for the PoA “Collecting prescription drugs” appearing as one of the most frequently used PoAs in the health sector for almost all Nordic-Baltic countries.
Other factors include insights from desk research as well as workshops and interviews with stakeholders including representatives from NOBID and national departments and authorities – These factors have i.a. contributed to the assumption that the “Parent/guardian representing a child” is one of the more frequently used PoAs in across the Nordic-Baltic countries.
Especially with regard to the tax and business sector, the data collection shows many different PoAs covering a number of quite specific tasks or actions. However, even though the PoAs concern different specific tasks, they seem very similar with regard to i.a. actors, platforms, process, regulation, equality measures etc. Thus, for the purpose of the above high-level overview, we have aggregated the PoAs to reflect the actions within “Tax affairs” and “Business management”, respectively.
The described approach identifies the four most frequently used PoAs (step 4) across the relevant sectors in all Nordic-Baltic countries provided in the table below:
Table 4. The most frequently used PoAs
Sector | PoA title | Description |
Health | Collecting prescription drugs | Allows picking up prescribed medicine on behalf of another person. |
Health | Parent/guardian representing a child | Gives parents or guardians power of attorney over their child’s medical data, allowing them to view it, make changes, book appointments etc. |
Taxation | Tax affairs | Grants accountants or other trusted persons access to view and manage tax info on behalf of another person, submit annual tax returns, handle tax-related tasks, etc. |
Business | Business management | Allows for CEO or other legal person to access company data, or act on behalf of the company. |
Mapping of the current PoA landscape in the Nordic-Baltic Region
The level of interoperability of each country’s digital PoA solutions has been assessed across the digital, legal, and social themes. The purpose of this assessment is to provide an overview of the PoA landscape in each country, including how PoAs are obtained, which systems/platforms it involves and the requirements for doing so. In total, the examination evaluates the solutions' ability to operate across Nordic countries—i.e., their interoperability. A more advanced PoA solution in legal, social, and digital aspects indicates that a country is better equipped to support cross-border functionality with its PoA system.
Table 4 provides an overview, and the three dimensions are expanded upon in their own sections below. The review will vary in depth and approach for each dimension, with the digital dimension being particularly examined . This is because the digital dimension is especially significant in working with digital PoAs, as well as in the upcoming work in the to-be analysis.
Table 5. Comparative state of integration/implementation across the Nordic-Baltic region
Focus | Denmark | Estonia | Faroe Islands | Finland | Iceland | Latvia | Lithuania | Norway | Sweden | Greenland |
Digital | ||||||||||
Access to handle PoAs | N/A | |||||||||
Verification | N/A | |||||||||
Authentication | N/A | |||||||||
Integration | N/A | |||||||||
Cross-border interoperability | N/A | |||||||||
Legal | ||||||||||
eIDAS 2.0 | N/A | N/A | ||||||||
OOTS | N/A | N/A | ||||||||
SDGR | N/A | N/A | N/A | N/A | ||||||
EUDIW | N/A | N/A | ||||||||
Social Inclusion | ||||||||||
Options for physical PoAs | N/A | |||||||||
English language options available | N/A | |||||||||
Information Systems for people with impairments | N/A | |||||||||
Alternative access to digital ID | N/A | N/A | ||||||||
Spokesperson/ representation of other people to obtain a PoA | N/A | |||||||||
Education, support-service and facilitators to obtain a digital PoA | N/A | N/A | ||||||||
Scale of integration/implementation | ||||||||||
N/A | Basic / have not yet started | Intermediate / planning implementation | Advanced / partly implemented | Fully integrated / implemendet | ||||||
The figure illustrates a comparison between all Nordic-Baltic countries examined across various relevant focus areas, based on the country reports located in appendix 1. For each focus areas across digital, legal, and social aspects, the darker the colour indicate the level of integration or implementation at the current state in each country. Further, some of these areas hints to whether the countries are geared for cross-border PoA interoperability.
Digital
In the following, there will be an overarching review of the digital landscape across countries. Each criterion that has been presented in table 5 will be described and reviewed.
Access to handle PoAs
Access to handle PoAs examines how PoA platforms are accessed, and how the PoAs can be handled domestically. This involves the technical ease of creating, assigning, and using a PoA for healthcare, business, and tax matters. The handling may vary from basic solutions where a PoA is sent directly via e-mail or similar simple services, to a fully integrated one-stop-shop for PoA management and use for all actors involved. Reaching an advanced level requires access via at least a single platform solution to one or multiple sector specific PoAs (e.g. for health), while the intermediate level depicts a less mature process, which may involve more manual steps, for instance, sending a self-developed document via public mailbox or uploading via a platform solution.
The existing processes and solutions present for gaining access to handle PoAs differ widely across the Nordic-Baltic region. All countries except Greenland have one or more platform solutions in place for citizens and companies to handle PoAs domestically, hence, no country can be considered basic in this regard. Of all countries, the currently most advanced access to handle PoAs is found to be in Finland, with Denmark, Sweden, Iceland, and Lithuania at a slightly lower level of maturity.
Most countries have multiple PoA platforms specific to the sectors of healthcare, taxation, and business, while a few have or are developing a single access point aggregating the access to handle PoAs across all public sectors. Finland has a single platform, Suomi.fi-valtuudet, that aggregates and presents all PoAs to be handled end-to-end. Thus, the country is considered having fully integrated access to handle PoAs. Countries with sector specific platforms include Denmark, Faroe Islands, Norway, Iceland, Estonia, Latvia, and Lithuania. Following right behind Finland, are countries like Denmark, which has a common platform (Digital Fuldmagt) for most public PoAs, and MitID Erhverv for most business matters, but a separate platform to handle taxation PoAs. Meanwhile, Sweden just launched a similar platform (Mina ombud) which is not fully integrated with all the current sector specific PoA solutions yet. Iceland does not have a dedicated, central PoA platform solution, however, the central platform for public administration e-services, Ísland.is, serves as a single access point for handling PoAs across the three sectors, through the ‘My pages’ feature. Lithuania is like many others divided into sector specific platforms. The solutions allow citizens and businesses to access and handle PoAs by sector in an easy way.
Further, Estonia’s central authorization management platform, Pääsuke, enables central authorization management, but it currently only works for healthcare matters. A solution for businesses is also being developed, to which the country shows strong progress towards the advanced level. Albeit Norway also has separate PoA platforms for each of the three sectors in question and provides access to handle PoAs, the country’s PoA platforms landscape in some cases appear complicated. This leaves Norway at a slightly lower level, but ongoing developments set the direction for a more advanced access infrastructure, e.g. with the implementation of Altinn 3.0 and the DSOP collaboration.
Furthermore, some platform solutions in the countries, regardless of sectors, allow both citizens and companies to access and handle PoAs end-to-end on the platform. Other countries’ solutions involve PDFs, e-signatures, and e-mails, which is a decisive factor in the assessment score for digital aspects, depicted as slightly lower than countries with more developed end-to-end platform solutions.
For instance, Estonia, Latvia, and Faroe Islands also have PoA solutions segregated by sectors. Some of the solutions facilitates the PoA handling to a rather mature level, but these or the general processes face challenges or complexity compared to other countries. In Estonia, the access to handle the most frequently used PoAs described is rather well-functioning across health, taxation, and business. Nevertheless, it is common practice in the country to grant PoAs via digitally signed documents (e.g., PDFs), often sent by e-mail. In Latvia, accessing the healthcare PoA solution in e-veseliba allows to handle PoAs end-to-end. However, creating PoAs for taxation in EDS in some cases requires assignors to upload a self-created, digitally signed PoAs, which sometimes require a notary. To this, gaining access to some business matters (procuration or commercial PoAs) require a formal application with notarized approval to the authority. In the Faroe Islands, Vangin is accessed to handle healthcare and public matters end-to-end. Meanwhile, the taxation and business PoA solutions, Borgaragluggin and Vinnugluggin require users to fill out a PDF, electronically sign it, and sending it to the relevant authorities.
Verification
Verification is the process used to confirm that a digital identity is associated with an actual person. It is essentially a truth check that validates if an identity corresponds to a real-life individual. Hence, this section seeks to map: (1) How the identity of assignees and assignors is verified to gain access to respective country’s PoA platform solution(s), and (2) How the identity of assignees and assignors is verified when initiating a PoA transaction (i.e. creating or requesting a PoA). The digital verification of an identity can be done through different methods, each varying in the level of maturity for basic e-signatures on PDFs to fully integrated qualified electronic signatures via eIDs.
Across the Nordic-Baltic region, there is a tiered approach to the level of digital maturity for verification, which is primarily determined by the standardisation and integration of electronic identification (eID) solutions. In some countries there is a relatively mature approach with a single eID solution that works across PoA platforms (and other public and private e-services), while other countries use multiple verification methods, both digital, e-signatures and sometimes physical ID cards, to which these are considered less mature. See table 6 for a complete overview of the different digital ID options in each country and whether they are EU notified. The eID notification process within the EU entails the incorporation of national electronic identification (eID) schemes into the eIDAS Network after a peer review to ensure compliance with the eIDAS Regulation's quality and security standards. While notification is typically mandatory for eID schemes to join the eIDAS Network, certain exceptions allow for the use of non-notified eID schemes. The responsibility for notifying an eID scheme rests with its corresponding Member State. Having a notified eID enables optimised PoA interoperability across EU countries (see further elaboration in section Cross-border interoperability).
The countries with the most advanced verification standards are Denmark, the Faroe Islands, Iceland, and Estonia. These have a single standardised eID solution that works across platforms in the public and private sectors. These countries can be considered ‘fully integrated’, which is the highest level defined.
Denmark is emerging as a frontrunner with a highly standardised approach, using the nationally adopted and EU notified eID, MitID. This is split into MitID Privat for individuals and MitID Erhverv for businesses with corresponding digital identities for both natural and legal persons. This separation ensures streamlined verification processes, using mechanisms such as physical photo IDs for initial verification of individuals, and business registration numbers alongside executive representation for businesses.
The Faroe Islands, despite not being an EU member, comply with EU standards through their eID solution, Samleikin, displaying a level of maturity comparable to that of Denmark.
Iceland adheres to a similarly stringent digital identification standard, relying solely on eIDs to meet the security requirements for PoA verification. The Icelandic Registry (Þjóðskrá) manages the critical National Identification Number (Kennitala), which is a cornerstone in establishing the identity of legal and physical persons within PoA processes. The requirement to contract with certified providers and, for certain services, biometric identification further solidifies Iceland's strong verification security.
Estonia has implemented a comprehensive digital identity system that integrates mandatory EU-approved eID criteria and attributes, enhanced by a PKI solution providing high security and facilitating widespread use of public and private sector services. The range of eID carriers, including a physical ID card, mobile ID, smart-ID and digi-ID, meets the needs of both the public and private sectors. Estonian PoA verification seamlessly integrates personal identification numbers for both citizens and businesses within their eID system, indicative of an advanced stage of digital verification maturity.
The countries considered marginally less integrated are Norway, Sweden, and Latvia. While the countries all possess EU notified eIDs, which can enable cross-border solutions equally to those achieving fully integrated maturity, they also possess other verification solutions that are not EU notified. As a result of this, they can be recognised for their advanced digital verification infrastructure but have a more complex verification landscape with differing levels of maturity. Norway has an ID infrastructure with several eID options, including BankID, Buypass, Commfides and MinID, where BankID and Buypass are EU notified. These are all linked to the individual personal identification numbers of Norwegian citizens. Latvia's verification system is centred on its eID, namely the eParaksts card and eParaksts Mobile, which is EU notified, while PoA platforms also accept SMART-ID and internet banking methods. Similarly, Sweden's verification system emphasises a high trust level eIDs (a Swedish e-identification standard) such as the EU notified BankID and Freja eID, as well as Foreign eID.
Lastly, Finland and Lithuania's digital verification method show room for advancement, as they are evaluated to have an intermediate maturity level. In Finland, national eIDs are not in use yet. Instead, citizens log into Soumi.fi using their bank credentials, mobiilivarmenne (Mobile ID certificate) or an ID-card issued by the police. Lithuania has a diverse approach to verification, allowing for methods such as iPasas, VIISP, separate services such as bank credentials and the EU-notified eID-ATK. ATK is associated with a physical card with an embedded chip that can be used with a card reader or by linking the chip-enabled card within the mCard LTU application.
Looking across the Nordic and Baltic verification landscape, a spectrum of digital verification processes is evident, ranging from highly standardised and mature systems in Denmark, Faroe Islands, Iceland, and Estonia to more diverse and developing infrastructures. Nevertheless, all the countries examined can be considered above basic verification methods, hence, there is generally a high level of maturity in digital verification across all countries. However, the divergence highlights the need for further development and possibly an increasing need for standardisation, especially given the security implications and ease of cross-border transactions within this geographical grouping.
Table 6. Electronic ID (eID) solution
Country | Electronic ID (eID) solution – EU notified in blue |
Denmark |
|
Greenland |
|
Faroe Islands |
|
Norway |
|
Sweden |
|
Iceland |
|
Finland |
|
Estonia |
|
Latvia |
|
Lithuania |
|
Authentication
Authentication involves confirming that a previously verified individual trying to access a platform is indeed the legitimate owner of the associated digital identity. This authentication is a recurring process, undertaken whenever an individual tries to access a platform solution or the services of a PoA, ensuring the user's identity matches their claim during access attempts. The authentication phase within a PoA across the Nordic and Baltic countries exhibits varying degrees of digital maturity, with some countries demonstrating advanced levels of authentication mechanisms, while others show intermediate to developing stages.
Iceland, Denmark, Faroe Islands, Estonia, and Norway can all be considered at an advanced level, utilizing, for example, multi-factor authentication mechanisms, biometrics, encryption of data, and high-security measures. None of the countries has reached the highest level, ‘fully integrated’ for authentication, while the advanced level is considered the highest possible according to technical standards.
Iceland’s authentication maturity reaches a high maturity due to its integration of the national ID database with the eID system and the use of multi-factor authentication. This authentication mechanism is widely adopted across the public and private sectors, reflecting Iceland's strong position in digital identity authentication, despite its eID system not being notified by the EU under the eIDAS regulation. Both Denmark and the Faroe Islands exhibit an advanced digital PoA maturity level by using similar secure, centralized solutions to authenticate digital identity. In Denmark, MitID serves this purpose by requiring multi-factor authentication. In the Faroe Islands, the Samleikin system demands multiple personal details and upholds the same level of digital authentication maturity as Denmark. Estonia and Norway demonstrate a similar high degree of maturity, with Norway utilizing a robust eID infrastructure that includes qualified electronic signatures paired with multi-factor authentication mechanisms. Conversely, Estonia relies on eID solutions such as Smart-ID and Mobile-ID, incorporating encryption and security measures to confirm identities across private and public services.
Finland and Sweden show an intermediate authentication infrastructure. Finland uses several robust identification mechanisms, such as bank codes, mobile ID and the citizen certificate, to facilitate logins to its Suomi.fi-valtuudet (e-Authorizations) platform. Meanwhile, Sweden offers several authentication options, including BankID, FrejaID and authenticator apps. Both countries are making significant efforts to improve their digital authentication frameworks. Finland, for example, is currently developing a national eID that is expected to improve authentication capabilities in the future.
Latvia can also be considered at an intermediate state for authentication, using several EU notified methods such as eID cards and eParaksts mobile, but does not require additional authentication for PoAs, relying instead solely on the national personal code. Similarly, Lithuanias authentication offers a wide range of options such as iPasas, VIISP alongside banking credentials etc. for access to the PoA. There are signs of progress for Lithuania, such as the introduction of a digitalized national eID and advances in multi-platform integration.
The observation highlights a spectrum of maturity in digital identity authentication for PoAs among these nations. Frontrunners such as Denmark, the Faroe Islands, Iceland, Norway, and Estonia have secured and sophisticated authentication infrastructures that are both standardised and advanced. In contrast, nations such as Finland, Sweden, Latvia, and Lithuania are in an active development phase, working to fill existing gaps and improve their digital authentication capabilities.
Integration
The category of integration examines (1) How the specific PoA platform solutions are integrated with other public and private platforms and systems, focusing on healthcare, taxation, and business, and (2) How the existing ID infrastructure is integrated with systems in the PoA landscape.
The scale in the assessment of the maturity of integration aspects goes from one off, day-to-day PoA agreements (e.g. stand-alone, signed document to be used one time), to a fully integrated environment, in which data exchange is interconnected with all relevant stakeholder and agency systems automatically. This highest level of maturity can, however, be seen as an ideal state of integration, which no country currently has achieved with respect to the PoA landscape. Nevertheless, all countries (except Greenland) have reported a certain level of integration, while two countries stand out with a more advanced level of integrated infrastructure for PoAs.
The most advanced integration level reported for PoA solutions are identified to be in Denmark and Finland. According to the data collected, the Danish and Finnish national PoA platform solutions integrate with other public services for at least a single sector. Particularly, the primary solution for each country separately, Digital Fuldmagt (DK) and Suomi.fi-valtuudet (FI), aggregates a multitude of PoAs for almost the whole public sector and enables data exchange with third-party platforms. In Finland, the solution integrates with a range of national registries to (1) verify and authenticate digital identities and validating these against the defined representation rights, and (2) to verify the validity of PoAs in real-time, e.g. when interacting with third parties. While Finland’s level of integration with a single platform function for all public PoAs, Denmark, additionally portrays a strongly integrated eID infrastructure, having a single ID solution working across all public e-services (see section Verification).
The other countries, Sweden, Faroe Islands, Iceland, Norway, Estonia, Latvia, and Lithuania exhibit intermediate integration levels. Sweden’s three sector specific PoA platform solutions currently use different IT infrastructures but have APIs in place. The country is pursuing a fully integrated model, and finds its newly launched platform, Mina ombud, bringing together PoAs from various domains, and strengthening integrations to a more advanced degree going forward. The Faroe Islands has certain integrations between taxation and healthcare PoAs through the central Vangin platform, however, any further integration availability is either lacking or unknown. The country, however, relies significantly on its eID, Samleikin, for integration across different public and private platforms. For Iceland, PoA platforms are sector-specific (e.g., Heilsura and Skatturinn). PoAs created here are not compiled in a centralized database, but the platforms integrate with a range of e-services accessible via the central Island.is platform. However, no data exchange outside each sector has been reported. Norway's setup also forces citizens and businesses to handle PoAs for the examined sectors separately. Moreover, there is no central PoA archive, hence, the PoAs can only be used within the sector in which it is registered. The country is in a transitional phase towards better integration through services like Altinn and the DSOP initiative.
In the Baltics, Estonia currently relies on granting authorizations separately in each database, as no central register exist, except for the central PoA platform, Pääsuke. However, this only integrates with few registries, e.g., the health portal. The eID solution is moreover strongly integrated across public and private solutions, and all integrations from PoA platforms are done via APIs. Latvia's PoA platforms are also sector-specific, but the rather disparate systems hinder seamless inter-sector data exchange. The e-veseliba health platform works end-to-end, but the EDS (tax) and Enterprise Register (business) platforms involves PDFs. Although these can be uploaded and viewed by all actors, the information about the agreement to relevant institutions happens manually. Lithuania exhibits no direct integrations between its sector-specific PoA platforms, but the interoperability platform, VIISP, integrates with some State Enterprise registers, which administers PoAs. Moreover, the PoA landscape integrates with various authentication methods, and for business PoAs can be identified via a public search engine.
Cross-border interoperability
The cross-border interoperability category focuses on the extent to which the countries in the Nordic-Baltic region handles PoAs and ID infrastructure for digital identities across national borders. It outlines whether it is feasible for foreign individuals or legal entities to create a PoA in one country and authenticate using a digital identity issued by their home country. This review applies to legal entities, individuals and individuals acting on behalf of a legal entity.
The digital PoA landscape within the Nordic and Baltic nations showcases diverse levels of interoperability for cross-border PoAs. These variations are influenced by each country's legal structures, technological progress, and engagement with European Union-wide initiatives for digital collaboration (e.g. technical implementation of the eIDAS Node and EUDIW).
Finland and Estonia stand out with a higher degree of interoperability for digital cross-border PoA solutions, demonstrating a forward-looking approach. This is primarily due to the existing integration between the two, and other EU countries
Such as Croatia, Portugal, Spain, Czech Republic and Poland
Norway, Denmark, and Lithuania are assessed to be just at an intermediate state in its effort to accommodate cross-border interoperability for PoAs. In Norway, the process for granting or requesting digital PoAs is heavily intertwined with national citizen credentials, which creates a barrier for foreign citizens and businesses. Efforts are underway to incorporate other EU eIDs, but the current lack of integration across sectors presents additional obstacles to achieving cross-border functionality. Denmark, like all other countries, faces the significant task of establishing a reliable system to authorize non-residents, particularly those without a Danish CPR number. Current solutions, like MitID, could potentially align with EU regulations, but there remain issues, especially concerning tax matters for non-residents, which highlight the need for further enhancements of the system to support effective cross-border integration. As for Lithuania, its initiative with the iPasas service to provide authentication using an eIDAS-approved electronic identification reflects a commitment to European norms. However, since this feature has not been fully implemented, it highlights the present challenges.
On a basic maturity level, Iceland, Sweden, the Faroe Islands, and Latvia are found, which present a diverse picture of development stages within their respective PoA cross-border readiness. Iceland confronts limitations due to an outdated legal framework and financial constraints in implementing digital solutions, particularly in healthcare. However, Iceland's acknowledgment of eIDs from the EU represents progress toward greater integration. There is a recognized need for further advancements to facilitate cross-border PoAs, especially challenges related to verifying roles and rights for both the assigner and the assignee in transactions across borders. Sweden's PoA framework is in the early stages of adopting cross-border solutions, underpinned by active deliberations on their practical implementation. For now, the eIDAS Node is not applicable in the health sector, but the portal works with the taxation platforms. Demand for these services from other countries is currently minimal. Sweden is looking forward to regulatory and technological developments – for instance, the EUDIW to improve the process of accessibility and verification for cross-border identities. For the Faroe Islands, their EU non-member status introduces additional complexities in achieving cross-border integration. While they have an eID compliant with eIDAS, there's currently no support for integration with Danish systems, except for citizens with a Danish CPR number. In Latvia, inconsistent practices across various sectors and a lack of cohesive links between state institutions pose challenges for enabling cross-border PoAs. There is scepticism among some parties in Latvia and Lithuania about the feasibility of establishing an integrated system that effectively manages where data is stored on Latvia's end.
Lastly, the following countries have an EU notified eID which strengthens their possibilities for cross-border PoAs: Denmark, Faroe Islands, Norway, Sweden, Estonia, Latvia, and Lithuania. Iceland has an eID that complies with the EU regulation but is not EU notified yet. Finland does not have an EU notified eID. See table 6 for a complete overview of the different digital ID options in each country.
The common denominator among these countries is the pressing need for legal and technological harmonisation to advance cross-border PoA solutions, supported by EU-wide initiatives such as eIDAS, EUDIW and EHDS. Active efforts are being made to close the gaps in legal recognition, authorization, verification, and identity matching, all of which are critical elements in improving a PoA infrastructure that can operate across borders. Many of the countries have implemented the eIDAS Node technically, allowing foreign actors to login using their local EU-notified eIDs, however, without identity matching, this does not work in practice. Incremental progress, mutual recognition and refinement of the EU digital framework are essential for these countries to unlock the full potential of cross-border digital PoA functionalities.
Legal Aspects
In the following, there will be an overarching review of the legal landscape across countries. First, there will be a description of selected legal topics. Secondly there will be a general description of the status of the implementation of the EU initiatives.
Legal Topics
On a general level, the legal approach to PoA in the Nordic-Baltic countries is quite uniform and the countries share many regulation features as further described below, including i) semantics, ii) types of PoAs, iii) legal basis, iv) liability and v) legal barriers. However, the specific regulation varies to some extent in the countries and some data has not been exhaustible accessible to the country experts.
Semantics
The following table shows the most commonly mentioned assignor and assignee within the different sectors. Moreover, the most common third parties within the three sectors have been highlighted in the table below.
Table 7. Most commonly mentioned assignor and assignee within the different sectors
Health sector | Taxation sector | Business sector | |
Assignor | Citizen over a given age (see legal barriers to see different age limits across the countries) | Taxpayer, pensioner, or anyone with tax obligations who wishes to delegate their responsibilities. | The legal entity or company. Could be the business itself, typically represented by a person, such as CEO, owner, or legal representative. |
Assignee | Anybody chosen by the assignor | Anybody chosen by the assignor. Alternatively, an accounting company or individual capable of managing tax returns and such. | An employee, such as a CFO, an external accountant or lawyer. The assignee is authorized to act on behalf of the company in certain contexts. |
Third parties | National authorities, e.g. health departments/authorities, and other actors, e.g. pharmacies | National authorities, e.g. tax departments/authorities | National authorities, e.g. business departments/authorities, or private actors, including banks |
Type of PoAs
In the Nordic-Baltic region, various forms of digital PoAs are used to assign and exercise rights across the health, taxation and business sectors.
An often-occurring type of PoAs across all sectors in the Nordic-Baltic countries is the specific/limited PoA entailing an assignor assigning their rights to an assignee within a certain area. An example from the health sector is an assignor in need of prescription assigning their right to pick up an exact type and amount of medicine from a specific pharmacy before a certain date.
Another often occurring type of PoA is the general type of PoA, including the rights to handle all the assignor’s affairs unless otherwise restricted. The data collection shows parents’ acting on behalf of their children is the most widely used general PoA across the Nordic-Baltic countries.
Legal basis
All the Nordic and Baltic countries are based on civil law. The specific legal governance of PoA varies depending on the sector and country but the Nordic-Baltic countries share a number of regulatory similarities.
Most importantly, the Nordic-Baltic countries seem to have a widespread use of PoA regulation through national acts, especially general acts concerning agreements, including e.g. agreements' commencement, termination, and validity. Especially, the Scandinavian general acts concerning agreements seem very similar.
These general acts seem in most countries to be supplemented by more specific acts on specific types of PoA – e.g. the Danish act on future powers of attorney – or certain sectors, e.g. the Latvian law on the rights of patients.
Furthermore, based on the data collection, the legal basis for PoAs is assumed to be governed at least in part by contractual customs and traditions as a PoA, in its essence, is simply a series of agreements between the relevant parties.
Liability
Liability for PoA use in the Nordic-Baltic countries seem to depend on the objective circumstances and subjective motives of the parties involved in a transaction making liability relevant.
Evidently, the objective circumstances include a loss for an involved party in order for a liability issue to be relevant. Otherwise, there would be nothing to be liable for. Also, the PoA must be misused, i.e. utilized in a way not intended by the assignor, in order for someone else than the assignor to be liable for the actions – in other words, if the PoA is carried out in accordance with the assignor’s instructions, then no one else but the assignor can be liable for the actions occurred.
The subjective motives are, usually, that an actor in Nordic-Baltic countries must act with different types of due care or risk being liable for losses – also sometimes described as good faith or “how a normal person would have acted”. Of course, an actor can be liable for a loss after deliberate misuse of the PoA, however the standard of due care means that an actor can also be liable for negligent actions, depending on the circumstances.
As shown above as well as in the country reports, this subject is not easily accessible and contain many nuances and different terminology across the Nordic-Baltic countries making a precise and in-depth legal coverage across all countries difficult.
Legal barriers
The overall subjects for the legal barriers across the Nordic-Baltic countries are quite similar and include at least the following: i) age, ii) mental capabilities and iii) resident details. Some countries also use requirements of notarization adding a layer of security.
Regarding i) age, all Nordic-Baltic countries seem to have age requirements in place, but the exact requirements are varying from 13 years to 18 years and PoA use for underage persons require parents’ consent. Therefore, an otherwise legal PoA made by a citizen under the required legal age will not be binding.
Furthermore, based on the data collection and desk research all Nordic-Baltic countries are assumed to have requirements for ii) mental capabilities, stating – in various forms and wordings – that legal PoA use is contingent on sufficient mental capabilities of the actors. Thus, citizens cannot assign their rights to other actors if they are not mentally sound.
Finally, all Nordic-Baltic countries seem to have implemented requirements regarding iii) resident details, including in most countries requirements of having a social security number before being able to apply for digital ID in order to create digital PoAs on the relevant platforms. However, at least one country has implemented measures enabling non-resident persons to apply for a digital ID. Some countries have implemented a requirement of having an address in the country. These types of requirements entail an obvious hindrance for increased cross-border use and will be described in further detail in the to-be section of this report.
EU Initiatives
This section provides an overview and an assessment of the countries’ work with implementing the EU regulations listed in section Status for implementation of relevant EU initiatives in relation to PoAs. The implementation stage of these EU initiatives varies across the Nordic-Baltic countries, although all countries recognize the importance of implementing the regulations.
Electronic, Identification, Authentication and Trust Services (eIDAS 2.0)
Across all the Nordic-Baltic countries, the revised eIDAS (“eIDAS 2.0”) is being implemented. The countries are implementing the adjustments in the regulation towards 2026.
Once Only Technical System (OOTS)
According to the data collected and to European Commission’s “June 2024 version of the OOTS Acceleratormeter” all the countries in the Nordic-Baltic region are currently working with the OOTS and some of the countries are very close to having a final and complete product.
EU Single Digital Gateway Regulation (SDGR)
Regarding the SDG Regulation, the data is insufficient but for the countries where we have collected data the national agencies and directorates are currently working on the implementation.
EU Digital Identity Wallet (EUDIW)
Most of the countries in the Nordic-Baltic region are participating in multiple pilot projects regarding the European Digital Identity Wallet. The pilot projects are expected to continue until either 2025 or 2026.
The European Health Data Space (EHDS) and Upgrading Digital Company Law (UDCL)
The initiatives EHDS and UDCL are not yet adopted at an EU level, and data regarding the implementation of the initiatives have not been available in most of the Nordic-Baltic countries.
Social inclusion
This section provides a cross-border overview of the current state of PoA options and support systems, with a particular emphasis on social inclusion.
It examines various aspects, including physical PoA options for individuals with limited digital skills or health conditions, the availability of English language resources to support non-native speakers, and the accessibility of information systems for individuals with impairments. Additionally, it discusses alternative pathways for obtaining digital identification and the representation options for those unable to manage their digital tasks. Finally, the section highlights educational and support services that assist individuals in navigating the PoA processes, underscoring the importance of creating inclusive environments that enable equitable access to legal resources for all.
Across the countries, different concerns have been raised when it comes to include all citizens in the digital development/solutions. The concerns are especially related to elderly people, people with cognitive challenges, people with disabilities (e.g. vision impairments) and people who do not have the sufficient documentation to obtain a digital ID or other credentials necessary to use digital services.
Although all the countries of our research have developed different solutions to strengthen the digital inclusion, some concerns have still been raised. The concerns relate to the rapid digital development and the declining in-person interaction that the digital development leads to.
A general concern has been raised about lacking digital skills and a citizen's mental and physical state to manage online PoAs, risking accidental authorizations without full understanding. Often reliant on relatives for assistance, these citizens face challenges when family members are unavailable, raising questions about legitimate consent. The lack of oversight in digital processes can make it easier for unauthorized individuals to exploit these users.
Also, relying on automated systems often removes necessary human interaction, limiting flexibility for tailored solutions. Automated processes may overlook the needs of diverse users, making it difficult for those who don’t fit a typical profile, which is an argument for the countries to have the option for physical PoAs still.
Overall, while significant strides have been made in enhancing social and digital inclusion through PoA systems, continued efforts are necessary to address remaining barriers and ensure equitable access for all individuals across these countries.
Options for Physical PoAs
All countries are assessed to have fully implemented options for physical PoAs. This is because in most countries, physical PoA options are crucial for those unable to use digital platforms due to limited digital skills or health conditions.
Denmark, for example, allows physical PoAs to be issued through municipal service centres for individuals, particularly the elderly, who struggle with digital processes. Here, an authority figure digitizes the physical PoA on behalf of the user, making it more accessible. In Finland, citizens can give PoAs physically at Digital and Population Data Services Agency (DVV) offices, which then register them in a database for future digital use. If an individual cannot physically visit the office, they can assign an assistant who provides the signed PoA to the DVV on their behalf. Iceland also allows individuals without electronic ID (eID) to submit a physical PoA, which provides an essential alternative for digital inclusion.
English Language Options Available
Many countries have implemented English language options to ensure inclusivity for non-native speakers. Finland’s main public platform, Suomi.fi, provides options in Finnish, English, and Swedish. Similar Estonia’s main digital service portal, Eesti.ee, is available in Estonian, English, and Russian, facilitating access for the country’s diverse linguistic groups.
Information Systems for People with Impairments
Countries across the board comply with the EN 301 549 and WCAG 2.1 standards for accessibility, ensuring public sector websites and mobile applications are accessible to individuals with disabilities.
Denmark, for instance, goes beyond the minimum standards, requiring feedback mechanisms and accessibility statements for all public digital content. The Danish Agency for Digitization enforces these laws, making accessibility compliance a priority. In Sweden, the Agency for Digital Government (DIGG) oversees compliance with the Act on Accessibility to Digital Public Services, ensuring that digital environments are accessible to all users, including those with disabilities.
Alternative Access to Digital ID
Alternative pathways for digital ID are being explored to include vulnerable individuals who cannot easily access traditional ID channels. These differs between countries, whether they have fully implemented alternative access, or only partly implemented it.
Denmark allows certain institutions, such as psychiatric wards, to issue or renew digital IDs (MitID) for patients, reducing the need for them to visit municipal offices and minimizing stress. Similarly, Norway offers options like MinID, BankID, and Commfides USB tokens as alternatives, providing secure access to public services. Iceland has ongoing discussions about enabling municipalities to provide electronic IDs, allowing familiar social workers to assist vulnerable individuals in accessing digital services.
Spokesperson/Representation of Other People to Obtain a PoA
For individuals unable to handle their digital tasks, countries offer representative options that allow a trusted person to act on their behalf. Most countries have fully implemented this, but some countries have not started implementing it, or are planning to implement it.
In Iceland, personal spokespersons, known as "persónulegir talsmenn," can assist people with disabilities by making decisions on their behalf, although they must be formally authorized by the Rights Protection Office to ensure credibility and prevent fraud. Finland, meanwhile, requires legal documentation for representatives, including certified PoA copies from the Office for Digital and Population Information, ensuring a legal basis for such authority.
Education, Support Services, and Facilitators to Obtain a Digital PoA
Educational and support services play a significant role in assisting individuals with limited digital skills to navigate PoA processes. Almost all countries have partly implemented this.
In Iceland, public libraries and institutions like Fjölmennt and TMF offer free digital literacy workshops and IT courses, creating inclusive spaces for diverse groups to gain digital competence. In Norway, the Digihjelpen initiative offers municipal-level guidance services at designated locations, such as libraries and service centers, specifically tailored to help vulnerable individuals with digital services.
Main takeaways
To explore future cross-border interoperability of PoA solutions, 5 key takeaways emerge from the As-Is analysis and findings.
- Countries have varying levels of digital PoA maturity. Variations in platforms solutions to access and handle PoAs, the adoption of electronic IDs (eID), approaches to national PoA registries, and digitalization level of PoA creation, all result in differing levels of digital PoA maturity across the Nordic-Baltic region. Most countries have sector-specific platforms to handle PoAs for healthcare, taxation and business matters separately, while some has a single solution, consolidating PoAs. Further, most countries have adopted eIDs, but the level of advancement vary with some countries supporting multiple EU notified eIDs and others offering other forms of authentication and verification. The PoA registry landscape is also complex, with few countries operating with a national cross-sector PoA registry, meaning that PoAs are generally stored and registered in many different registries nationally. Finally, the digitalization level of PoAs varies, with some countries offering fully digital PoAs across all sectors via national solutions, and others relying on PDF forms signed with e-signatures. This results in a complex landscape for digital PoAs, especially with regards to cross-border interoperability.
- Cross border interoperability is still lacking. Wide-ranging differences in PoA governance, legal standards, and digital readiness across the Nordic-Baltic countries create barriers to interoperability. The current PoA landscape in the Nordic-Baltic region is highly complex, as countries prepares for cross-border interoperability. Many countries have enabled login to national PoA platforms via an eIDAS node, allowing foreigners to login with their local EU notified eIDs. However, identification of actors is currently dependent on personal identifiers located in national registries. Thus, matching and verifying international identities of legal and natural persons remains a general challenge, as well as matching PoA mandates across borders, with only a few cases of existing cross-border PoAs. Consequently, developing cross border initiatives for PoAs is challenging. The EU initiatives regarding cross-border interoperability may help with this.
- Engagement with EU-wide initiatives may be key. Ongoing EU-wide initiatives, including the European Digital Identity Wallet (EUDIW), offer critical opportunities for enhancing interoperability, as they include several European countries, are aligned with existing legislation, and have a pragmatic starting point, looking to solve concrete challenges. Alignment with these initiatives and leveraging their frameworks for proof of concepts can provide valuable insights and models for advancing cross-border PoA solutions. Testing use cases and integrating verified credentials and attestation mechanisms are essential steps toward overcoming current technical and legal obstacles.
- All Nordic-Baltic countries use the same overarching legal principles, even though these principles are applied differently across the countries and the different domestic circumstances. For instance, all countries apply the same freedom to enter into agreements, however the relevant domestic acts across the Nordic-Baltic varies depending on the countries. The legal frameworks governing PoAs in the Nordic-Baltic countries are, to a high degree, built on the same principles, including the fundamental freedom to enter into agreements. However, the application of these legal principles differs to some degree, especially regarding legal barriers, e.g. age requirements, mental capacity stipulations, and residency prerequisites. A more uniform legal approach in the Nordic-Baltics should make for cross-border easier and more available to Nordic-Baltic people and companies.
- Progress and challenges in social inclusion vary across countries. While there are ongoing challenges in ensuring full digital inclusion, such as the risk of excluding vulnerable groups, particularly the elderly, individuals with cognitive impairments, and those with limited digital skills or health conditions, the Nordic-Baltic countries have made significant progress. The Nordic and Baltic countries have implemented various measures to improve access to digital PoAs, including physical PoA options for those who are unable to use digital platforms. Furthermore, English language resources and accessibility measures for individuals with impairments have been introduced. There are also alternative pathways for obtaining digital identification and options for trusted representatives to act on behalf of individuals who are unable to manage their digital tasks. Educational and support services, such as digital literacy workshops, have played a crucial role in assisting those with limited digital skills to navigate the PoA processes. However, concerns remain about the rapid pace of digitalization and the potential for excluding certain groups, particularly when in-person interactions are reduced. While substantial progress has been made, continued efforts are necessary to address these barriers and ensure equitable access to PoAs for all individuals across these countries.