To-be analysis

In this chapter, we explore the "to-be" scenario of PoAs, while remembering digital transformation within the European Union, with a particular focus on emerging solutions shaping the future of cross-border processes as a natural backdrop. The EU is actively supporting the development of key initiatives like the EU Digital Identity Wallet (EUDIW) and interconnected systems such as the Once Only Technical System (OOTS), both of which are currently under development and implementation.

The chapter begins by summarizing key takeaways from the current state ("as-is") analysis. It then explores the potential impacts of relevant legislation, examining where these initiatives currently stand on the path toward a fully digitized EU.

Two use cases derived from the "as-is" descriptions are presented to illustrate future scenarios for the two most common Powers of Attorney (PoAs). These use cases, drawn from respectively business and tax contexts, take a generic approach to highlight critical challenges that can be addressed through the integration of EUDIW and systems like OOTS.

To substantiate these use cases, a comprehensive Proof of Concept (PoC) is introduced. This PoC provides a detailed breakdown of the stakeholder journey, shedding light on both technical and procedural insights necessary for the successful integration of the EUDIW into a larger European solution framework. The PoC focuses on optimizing PoA management, examining how the EUDIW can streamline the process while addressing technical considerations for future implementation. It tracks the four key phases of PoA management—accessing, generating, using, and concluding—and identifies the roles and interactions of essential participants, including the PoA assignor, the assignee, the EUDIW, and the PoA service platform.

The effect of PoA relevant EU regulation

This section contains an assessment of the effect of PoA relevant EU regulation, including the following:

The European Digital Identity Regulation 2024/1183 (eIDAS 2.0), including EU Digital Identity Wallet (EUDIW)
Single Digital Gateway Regulation 2018/1724 (SDGR), including Once Only Technical System (OOTS)
Regulation on the European Health Data Space (EHDS), COM(2022) 197, and the
Directive on Upgrading Digital Company Law (UDCL), COM(2023) 177.
Interoperable Europe Act?
Web Accessibility directive?

Section Methodology aims to delineate the impact of each EU regulation by exploring the deviation between the digital standard demanded by each regulation against the pre-existing digital capacity within the Nordic-Baltic region prior to the regulations' introduction.

The assessment comprises a legal analysis of the necessary digital levels set by the EU, a comparative look at the digital maturity before these regulations, and an analysis of the impact based on the gap between the required and prior standards.

It is important to clarify our analysis does not contrast EU regulations against more rigorous potential national requirements or current implementation status. Rather, it provides a broader evaluation of what implementation may entail for EU member states, with emphasis on the Nordic-Baltic context. The analysis will be refined to articulate this scope more clearly, ensuring readers grasp the specific effects on the Nordic-Baltic states without confusion.

Methodology

The effect of each of the regulations above is uncovered by finding the difference between the digital standard required by the regulation and the actual digital level of the Nordic-Baltic countries before the implementation of the regulations above.

Thus, the first step is a brief legal analysis of the digital level required by each EU regulation, including most important requirements.

The second step involves outlining the digital readiness levels within the Nordic-Baltic region as it stood just before the new regulations took effect, detailing the existing digital infrastructure and capabilities at that time.

The third step is the comparison of the two steps above – a large difference between the required digital level and the digital level before each regulation means a large effect of the regulation, while a small difference means a small effect.

This methodology described above is illustrated below.

Figure 2. Methodology for assessing the effect of PoA-relevant EU regulation

eIDAS 2.0 2024/1183, Including EU Digital Identity Wallet

The eIDAS 2.0 entered into force on 20 May 2024 and is a revision of the original eIDAS regulation from 1 July 2016. The objective of the eIDAS 2.0 is to introduce digital identity solutions and new trust services, which provide access to secure and reliable electronic identification services for EU residents.

Digital Level Required by the Regulation

The regulation aims to ensure a proper functioning internal market and the provision of a proper level of security of electronic identification and trust services across the union, cf. the regulation, art. 1.

The following three subjects in the regulation are of greatest importance to cross border PoA use and is described in further detail in appendix 3 below:

Digital Identity Wallet
Electronic attestation of attributes
Unequivocal identity matching

Digital Level Before the Regulation

Prior to the adoption of the eIDAS 2.0 regulation, the original eIDAS regulation served as the regulatory framework for electronic transactions in the European Union. The aim of the original eIDAS regulation was to establish a comprehensive EU cross-border and cross-sector framework for secure, trustworthy and user-friendly electronic transactions which embraced the electronic identification, authentication and trust services.

Despite becoming a fundamental element to facilitate a single market in several sectors, e.g. financial services and reuse of data in administrative procedures, the eIDAS had some limitations, such as limited attributes and no obligation to notify national eID schemes.

Effect of the regulation

The eIDAS 2.0, cf. above, is a major upgrade to the original eIDAS, with the introduction of the EUDIW, expansion of trust services and identity matching to facilitate cross-border interactions. The Nordic-Baltic countries are moving in tandem with the EU initiatives to enhance the digital identity and trust framework, although specific progress and readiness levels can only be accurately determined with detailed into each country's ongoing efforts and current digital infrastructure capabilities.

The journey from existing levels of digital identity infrastructure to those required by eIDAS 2.0, including the EUDIW, is a significant leap for the Nordic-Baltic countries. The new regulations pose higher levels of security, trust services, interoperability, and functionality, implying that the Nordic and Baltic countries must undertake substantial efforts to align with these enhanced standards.

The changes required by eIDAS 2.0 are not just incremental improvements; they involve comprehensive updates to the digital identity and authentication ecosystem within the EU. The introduction of the EUDIW, for example, is a pivotal element that reinforces user control over personal data, enabling secure cross-border electronic transactions, and supports selective disclosure of personal information. Such a system promotes advanced technical requirements and legal frameworks that may be challenging to implement, especially considering the diverse landscape of existing national systems and levels of digital maturity across Member States.

The eIDAS 2.0, therefore, can be seen as a catalyst for significant digital transformation within the EU's digital identity landscape, pushing Member States to both modernize and standardize their approaches to digital identity and trust services. The regulatory impact is expected to be extensive, fostering a digital single market that is more secure, efficient, and user centric.

Single Digital Gateway Regulation 2017/1724, including Once Only Technical System

The SDGR entered into force in December 2018, and three different implementation periods apply, with the general implementation deadline being December 2020. The objective of the SGDR is to establish a single-entry point where EU natural and legal persons can access information about relevant rights, rules and obligations across Member States.

Digital Level Required by the Regulation

The regulation aims to establish rules for creating a single digital gateway (SDG), providing natural and legal persons easy access to high quality information, to efficient procedures, effective assistance and problem-solving services regarding Union and national rules applicable to national and legal persons exercising or intending to exercise their rights derived from Union law in the field of the internal market. Additionally, the use of procedures by cross-border users and the implementation of the “once-only” principle, cf. (EU) 2018/1724 art. 1.

The following three subjects in the regulation are of greatest importance to cross border PoA use and is described in further detail in appendix 3 below:

Your Europe Portal
Access to information
Once-Only Technical System (OOTS)

Digital Level Before the Regulation

The Your Europe portal has existed since 2006, providing access to citizens and businesses information on EU- and national rights. However, prior to the SDGR there has been no single-entry point, with the result that EU countries often struggle to understand which rules that apply in the concrete example, or which steps are required to carry out the procedures.

As a result, looking up information was a complex and time-consuming process scattered across different websites and with various levels of quality. To combat this problem the European Parliament and the Council of the European union adopted the SDGR.

Effect of the Regulation

Assessing the distance between pre-existing levels and the required compliance standards of the SDGR, including the OOTS, it appears that Member States are facing a substantial journey ahead. The regulation aims to provide a centralized digital single-entry point for a range of services and information, procedures, assistance services, and problem-solving mechanisms, which is a major undertaking.

Transforming the existing infrastructure to be conform with the SDGR, demands significant modifications to how information is presented and accessed online. This includes, the streamlining and digitalization of cross-border procedures, and the implementation of the "once-only" principle to reduce administrative burdens on citizens and businesses. The principle ensures that citizens and businesses only need to provide certain standard information to public administrations once, which then is reused in future interactions. The Your Europe portal will provide easy access to relevant Union and national webpages across the Member States. These elements of the regulation will have a considerable effect on the Member States, with regards to simplifying and unifying digital access to a wide range of services and information across the EU.

In summary, the SDGR including the OOTS, represent an ambitious and challenging regulation, that will lead to a shift in how citizens and businesses interact with public administrations. The regulation will have a positive impact on improving the digital single market's accessibility and efficiency, resulting in reduced administrative burdens, increased transparency, promote participation in the internal marked and likely boost cross-border activity. Consequently, the change in regulations will have comprehensive implications for the landscape and activities of cross-border PoA in the Nordic-Baltic area.

Proposals: European Health Data Space (EHDS) and Upgrading Digital Company Law (UDCL)

At the time of delivery of this report, the EHDS and UDCL constitute proposals for a regulation and a directive, respectively, and are therefore not yet finally adopted at the EU level. Thus, the effects of the proposals are described together and not in detail.

Digital Level Required by the Regulations

European Health Data Space (EHDS)

The objective of the regulation is to create a common framework for sharing and using health data across the Union (single market). It will enable individuals to take control over their health data and facilitate the exchange for healthcare delivery across the EU.

The current status of the EHDS is that the members of the European Parliament approved the creation on 24 April 2024. The provisional agreement still needs to be formally approved by the Council. Once published in the Official Journal of the EU, it will enter into force 20 days later and then applied two years after (with certain exceptions).

The following two subjects in the regulation are of greatest importance to cross border PoA use and is described in further detail in appendix 3 below:

Primary use of data
Secondary use of data

Upgrading Digital Company Law (UDCL)

The UDCL is a proposal for a directive. The objective of the directive is to improve transparency regarding EU companies by making more information available on a cross-border basis. To enable cross-border use of trustworthy company data and lastly to modernize EU company law.

The European Commission published a proposed directive for UDCL in March 2023. The next steps regarding the UDCL involve negotiations between the Council and the European Parliament. If the directive gets adopted each EU member state will have two years to transpose it into national legislation.

The UDCL will make companies’ data more easily available, enhance trust and transparency in companies across the Member States. This will create a more connected public administration and reduce unnecessary restrictions for companies and other relevant stakeholders in cross-border situations.

The following three subjects in the regulation are of greatest importance to cross border PoA use and is described in further detail in appendix 3 below:

Information about companies
Digital EU power of attorney

Digital Level Before the Regulations

Regarding, the EHDS, there was no specific regulation prior to the proposal that addresses the cross-border sharing and use of health data. Regarding, the UDCL, there have been other EU initiatives, with the goal of digitalizing company law in the EU Member States, such as the directive (EU) 2017/1132. The UDCL is an expansion and improvement of the use of digital tools and processes in company law, with the aim to accelerate the process of digitalization in company law for EU Member States.

Both proposals will centralize data and information sharing cross-border in the EU, creating a framework that will significantly improving the efficiency and accessibility to data. Despite the Member States being in the early stages of implementing the proposals, similar national initiatives regarding EHDS and UDCL already exist. In Denmark for instance, it is possible to view health data about yourself on Sundhed.dk, and on Virk.dk you can access various company data, such as registration number, address and ownership.

Effect of the Regulations

Considering the scope and implications of the proposals, the EHDS and UDCL, the journey from the status quo to the level required imposed by the initiatives is likely be considerable and complex for the Member States. However, some of the Nordic-Baltic countries already have national registries within health data and business information, which is likely to ease the implementation process.

Shifting from the existing national efforts to being compliant with the proposals, EHDS and UDCL, will naturally require adjustments. For instance, Member States will have to ensure that individuals can exercise control over their health data and that this data can be seamlessly and securely exchanged for healthcare and research purposes. This requires substantial advancements in national digital health infrastructures, including interoperable electronic health records and robust data protection measures to uphold individual rights. Additionally, Member States will need to implement mechanisms for a standard digital EU PoA and ensure that company data is easily accessible and trustworthy. This necessitates updates to national commercial registries, legal frameworks to support digital PoAs that are compatible with the EUDIW, and systems that can validate and uphold the interoperability of these digital tools across the EU.

In conclusion, the implementation of the EHDS and UDCL proposals will have a significant impact on Member States, necessitating major infrastructural and technological enhancements. These enhancements must align with elevated standards of data governance, security, and cross-border interoperability, signalling a substantial transformation of the digital landscape within the Member States. Importantly, this transformation will include the evolution of Powers of Attorney (PoA), as these regulatory changes will implicitly shape the future framework and processes for PoA, strengthening their security, validity, and recognition across the EU.

Description of PoA use-cases

This section explores how the European Digital Identity Wallet (EUDIW) can enhance cross-border PoA processes across member states. The following two use cases are analysed:

Company A in Country X grants a PoA to Company B in Country Y for tax or business matters.
Company A in Country X grants a PoA to Company B in the same country to handle business matters for a branch in Country Y.

The sections below unfold the identified PoA use cases. The application of EUDIW and OOTS frameworks are described in the use cases as fully implementable. This is for illustrative purposes and does not reflect the maturity level or success of the relevant solutions

Use case 1: Using PoA for cross-border tax handling

Figure 2 illustrates a use case where Company A, located in Country X, requires assistance from Company B, based in Country Y, to handle its tax or business matters, such as viewing or editing tax data. This scenario highlights the potential of using EUDIW to manage and authenticate cross-border tax matters within the EU framework. The process is divided into four distinct phases.

This use case demonstrates how the EUDIW, combined with interoperable frameworks such as OOTS and eIDAS Nodes, could facilitate secure, efficient, and transparent management of cross-border business processes, ensuring mutual recognition and legal equivalence across EU member states.

Figure 3. Company A in Country X needs Company B in Country Y to handle its tax or business matters (e.g. view/edit tax data)

1. Accessing PoA

The process begins with the assignor from Country X, who already has access rights to handle and assign PoAs on behalf of Company A, accessing their national PoA platform. This platform facilitates the management of PoAs specifically for taxation matters.

To securely log into the PoA platform, the assignor uses the European Digital Identity Wallet (EUDIW), which verifies and authenticates their credentials through the stored digital identity, which is added when setting up the wallet via using the national eID. The EUDIW ensures secure cross-border authentication of the assignor's identity.

2. Creating the PoA

Through the PoA platform, Company A (represented by the assignor) grants a PoA to Company B (represented by the assignee) to handle specific tax-related tasks. The assignor defines the duration and scope of the PoA, ensuring that the delegation of authority is precise and limited to the agreed parameters.

As part of the process, additional information about the assignee, such as professional or business credentials, could be retrieved from the authentic source in national registries in Country Y via the Once-Only Technical System (OOTS). Once the PoA is finalized, it can potentially be securely transmitted to the assignee's EUDIW and stored there. Additionally, the PoA is registered in the national PoA registry in Country X, and the assignee may receive a notification about the granted authorization.

3. Using the PoA

When the assignee from Company B in Country Y needs to act on behalf of Company A, they log into the taxation PoA platform in Country X. This is achieved through an eIDAS Node, which enables seamless and secure authentication using the EUDIW.

While managing tax matters on behalf of Company A, the assignee may need additional documentation or mandate data. Such information could be retrieved efficiently from the relevant national registries via the OOTS framework. This ensures that all necessary data is accessible to the assignee without unnecessary duplication of effort.

With access granted, the assignee proceeds to handle tax-related tasks for Company A on the taxation portal in Country X. The platform provides secure and streamlined access to tax data, ensuring compliance with relevant regulations and preserving data integrity. If further tax-related information is required during the process, it could be retrieved using OOTS.

4. Termination of PoA

The PoA is terminated either automatically after the predefined duration expires or manually if one of the parties decides to end the agreement earlier. To confirm the termination, the involved party logs into the taxation platform using the EUDIW for secure authentication.

Once the PoA is terminated, it is removed from both the assignee’s EUDIW and the national registry in Country X. This ensures that the authorization is no longer valid, safeguarding against unauthorized use of the now-terminated mandate.

Use case 2: Using locally assigned PoA for cross-border tax/business handling

Figure 22 illustrates a use case where Company A, based in Country X, requires Company B, also based in Country X, to handle business matters (e.g., financial reporting) for its branch in Country Y. The process utilizes the European Digital Identity Wallet (EUDIW) to manage, authenticate, and validate a PoA for these tasks securely.

Figure 4. Company A in country X needs Company B in the same country to handle business matters (e.g. financial reporting) in branch in Country Y

1. Accessing PoA

The process begins with an authorized representative (assignor) from Company A accessing the PoA platform in Country X, which manages authorizations for business matters.

The assignor logs into the platform using EUDIW, which provides a stored verified and authenticated digital identity that is added when setting up the wallet via using the national eID. The platform validates the assignor's credentials and confirms their mandate to act on behalf of Company A. Once authenticated, the assignor is granted access to initiate the PoA process.

2. Creating the PoA

On the PoA platform, the assignor defines the PoA by selecting a representative (assignee) from Company B to act on behalf of Company A. The assignor specifies the scope and duration of the PoA, ensuring it is tailored to the specific business needs in Country Y.

Once confirmed, the PoA is securely stored in the national registry of Country X and sent to the assignee's EUDIW. The assignee is notified of the PoA and may be required to acknowledge or accept it within their EUDIW to complete the authorization process. This ensures transparency and readiness for subsequent steps.

3. Using the PoA

The assignee logs into the business PoA platform in Country Y using EUDIW through an eIDAS Node, enabling cross-border interoperability. EUDIW securely verifies and authenticates the assignee’s identity, and the PoA platform confirms their authorization to act on behalf of Company A.

If additional business data or documentation is required to carry out tasks in Country Y, the platform could retrieve this information seamlessly through the Once-Only Technical System (OOTS). This ensures efficient access to relevant data while maintaining compliance with data-sharing regulations.

4. Termination of PoA

The PoA remains active until its set duration expires or until either party—Company A or Company B—initiates early termination. To terminate the PoA, the assignor logs into the PoA platform using EUDIW to authenticate their identity and confirm the termination.

Once confirmed, the PoA is removed from the national registry in Country X and the assignee’s EUDIW, ensuring the authorization is no longer valid. This step maintains the security and integrity of the PoA process, ensuring no unauthorized actions can occur after termination.

Proof of Concept in the EUDIW framework

To support and validate the identified use cases for PoA, a detailed Proof of Concept (PoC) has been developed. This PoC outlines the processes each actor, human and non-human, goes through and highlights key technical and procedural observations relevant to integrating the European Digital Identity Wallet (EUDIW) into a pan-European solution architecture. The PoC focuses on demonstrating how EUDIW can facilitate and enhance PoA management, while identifying technical perspectives to guide future implementation. It involves four core stages: accessing, creating, using, and terminating PoAs, and features four key actors, the assignor, assignee, EUDIW, and the PoA platform.

The PoC revolves around the use of EUDIW to authenticate and verify digital identities, ensuring secure, seamless interactions. Additionally, the Once-Only Technical System (OOTS) is included as a potential interlinking mechanism to retrieve mandate documentation or supplementary data from national registries, supporting cross-border operability. Furthermore, this Proof of Concept demonstrates the potential of EUDIW to streamline and secure the management of PoAs. By leveraging verified credentials, robust authentication methods, and systems like OOTS, the PoC showcases how EUDIW can potentially enhance efficiency, interoperability, and trust in PoA processes. This approach supports a unified digital identity framework, facilitating both national and cross-border interactions in a secure and user-friendly manner.

Figure 5. Proof of Concept in the EUDIW framework

→ Download image (PDF)

Key observations

This section outlines key observations derived from the Proof of Concept (PoC) analysis, which explores the processes and challenges associated with creating, managing, and using digital PoA across borders. The observations shed light on critical areas for improvement, based on the two use cases outlined, such as cross-border identity matching, digitalization of PoA creation, identification of international assignees, data retrieval mechanisms, and the role of notifications and acceptance in PoA workflows. These findings are integral to understanding how the European Digital Identity Wallet (EUDIW) and interlinking systems can facilitate seamless cross-border PoA solutions.

(a) Login with EUDIW as a repeated process to verify and authenticate digital identity

The current login landscape requires EU-notified eID solutions, which are available in many, but not all, countries. In the target state, national EUDIWs would incorporate such eIDs as part of the solution, enabling the storage of digital identities.

In the Access phase of the PoC, the complete process for verifying and authenticating the assignor’s identity using EUDIW is described. The process begins with the assignor logging into the designated PoA platform using EUDIW. EUDIW provides a verified digital identity along with the necessary attestation of attributes, allowing the platform to authenticate the user. This involves validating the assignor’s identity and mandate to act, often through queries to national registries, such as business or personal registries.

Once the identity and mandate are verified, the assignor can proceed to authenticate using secure methods. These methods include Qualified Electronic Signatures (QES) with Multi-Factor Authentication (MFA) or Public Key Infrastructure (PKI). If verification fails, access is denied, and the user is prompted to restart the process. This sequence can be repeated and applied by both the assignor and the assignee at various steps, specifically steps 9, 13, 14, 16.1 and 16.2, which are marked with a red asterisk.

However, the login process differs in step 14 compared to the initially outlined procedure, as this step presents challenges related to matching cross-border identities and mandates. These challenges are elaborated in Key Observations 9 and 10.

(b) Further examine attestation of attributes to implement PoA

Currently, the attributes required to verify identities and create PoAs vary significantly between countries, with the only consistent ones being those mandated by EU-notified eIDs. The specific attributes required also depend on the operation being performed. For instance, logging into a PoA platform generally requires basic attributes such as family name, first name, date of birth, and person identifier. However, creating and assigning a PoA demands more specific attributes, including legal status, powers, and mandates to represent legal entities.

As highlighted in section Legal Topics, member states are responsible for ensuring the provision of the required attestation of attributes. EUDIW is anticipated to accommodate most of the necessary attestations for both PoAs and cross-border PoAs. In Step 14, matching the powers and mandates to the identity of the assignee is crucial. Any additional attributes required by a local PoA provider that are not already stored in the Wallet could potentially be sourced via OOTS from local registries, but this aspect requires further investigation.

It is important to note that not all countries currently have EU-notified eIDs, and EUDIW solutions are still in development. As a result, the general maturity of these systems will need to improve in the coming years to fully enable the proposed PoC.

For reference, the attributes required for PoAs and EUDIW align with the specifications outlined in the eIDAS 2.0 Regulations 2024/1183.

(c) EUDIW May Necessitate Streamlined Digital PoA Maturity

Step (7) entails choosing PoA scope and time frame, which is already possible for domestic purposes in many countries. Ideally, standardized PoAs could be assigned, e.g. for handling tax matters, which could also underpin the validity of utilizing the PoA in another country, which is the case in use case 2 (Key observation d).

However, today some Nordic and Baltic countries still rely on manual processes for creating PoAs. These processes often involve drafting PoAs as PDF documents and manually uploading them to national platforms. To speed up implementation of PoAs in EUDIW, it could thus be investigated whether EUDIW could enable the creation steps (7–9) and storage step (11) of PoAs in PDF-format, and if such could be used to validate the mandate granted to prove rights and whether the validation process can be digitalized. Moreover, it is important to understand whether the PoA would be valid in a different country, such as is required in use case 2. If not, it may be necessary to strengthen the digital maturity levels of PoA in some member states, e.g. enable pre-determined PoAs for rights to edit or view taxes.

Furthermore, in some jurisdictions, PoAs for tax or business matters require notarized approval, adding complexity and delay to the process. This would require the PoA to be stored on the EUDIW after notarization, adding another step to the process, or consider new possibilities for notarized PoAs in a digital perspective. For instance, increasing the level of digital PoA maturity in such countries could include the notarization process within the PoA platform. Transitioning to fully digital platforms for PoA creation will not only enhance efficiency but also support interoperability with EUDIW, thereby enabling seamless cross-border collaboration. Considering all of this could also inform priorities on which countries to test the PoA implementation with EUDIW, and which challenges to solve in the long run.

(d) Consider how to include a foreign organisation in the PoA scope

In step (7), when the assignor needs to choose PoA scope and time frame, certain challenges can be pointed out. In use case 2, the assignor in country X needs to assign a PoA to a legal entity from the same country. However, the assignee must be able to use the PoA in a different country, hence, it should be considered how to include the foreign organisation (e.g. branch of the company in country Y) to the scope of the PoA on the platform (in country X). Currently, it is not possible to digitally assign a PoA in one country granting rights to access or view information related to an organizational branch in another country on a national PoA platform, unless this is outlined in a self-developed PDF.

This raises similar challenges to use case 1 that should be considered, as data on foreign organisations could be necessary to retrieve from the local platform, when selecting a foreign entity in step (8), which is elaborated in key observation e. This could be achieved via the OOTS, retrieving data from relevant foreign registries. OOTS is elaborated in key observation f.

(e) Solve Identification and Matching of International Assignees

In step (8), the assignor selects the assignee of the PoA. This process differs from use case 1 to 2.

In use case 1, the assignor needs to assign the PoA to a foreign legal entity or natural person with existing rights to act on behalf of the company. However, creating cross-border PoAs requires mechanisms to identify and assign international assignees within national PoA platforms. Current systems often lack this functionality, which limits the ability to handle international transactions efficiently.

One potential approach to retrieve the international identity and additional details about the assignee is via OOTS from relevant international registries, ensuring interoperability between systems. Another could be to enable international assignees to log into the assignor's national platform, e.g. via an eIDAS node to request a PoA using the assignor’s business identity number (e.g., national unique identifier). This process could simplify the identification and assignment of international assignees by leveraging existing identity frameworks while ensuring the validity of the PoA.

This has no real effect on use case 2, as the assignor selects an assignee from the same country and using their national PoA platform, as is currently the norm.

(f) Possibility of Retrieving PoA-related Data Using the OOTS

In step (11), the proof of concept proposes that the PoA is stored locally in the assignee and assignor’s EUDIW. Key data relevant to PoAs is typically stored in national registries, and in some cases, dedicated PoA registries. While EUDIW could store credentials, documents and PoAs, additional documentation may be required during the initial use of PoAs across borders. The Once-Only Technical System (OOTS) offers a potential solution by enabling the retrieval of relevant data directly from national registries, ensuring that the information is accurate and up to date. This would, however, require a link between the local registries and OOTS. Moreover, manual validation of OOTS-retrieved data may initially be necessary to confirm its accuracy. Over time, the system could be optimized to allow retrieved data to be stored securely in EUDIW, reducing redundancy, and streamlining cross-border PoA processes.

(g) Decide on Notifications

Effective notification mechanisms could be critical for ensuring that assignees are aware of PoAs assigned to them. In current systems, assignees are typically notified through national platforms, such as digital mailboxes or directly within PoA platforms. In some countries, however, there are no notifications enabled, leaving the responsibility to inform other parties (e.g., assignee) about the PoA to the assignor. To enhance this process, notifications could be integrated with EUDIW, providing assignees with direct and secure updates regarding their assigned PoAs. For instance, in step (12), once the PoA is stored securely in a national registry and assignee receives it in its EUDIW, it could be decided to implement notifications as effective communications. Moreover, this could have implications for step (13) if the assignee must accept the PoA (elaborated in key observation h). Regardless of the method, ensuring prompt and reliable notifications could underpin the successful adoption and operation of cross-border PoA systems.

(h) Clarify Requirements to PoA Acceptance by Assignee

In many countries, the process of creating a PoA includes an acceptance step, where the assignee must confirm their role, such as in step (13) of the PoC. This step is usually performed through the PoA platform, requiring electronic signature or eID verification. Including an acceptance phase could provide a potentially critical safeguard against errors, such as incorrectly assigned PoAs, and strengthens trust in the system. Moving forward, it should be determined whether the acceptance step is necessary. If this is the case, it would be necessary to clarify the requirements to whether acceptance should occur within EUDIW, on the local PoA platform, or through a hybrid approach. Consideration must also be given to the user experience, ensuring that the acceptance process remains intuitive and secure while serving as an effective failsafe mechanism.

(i) Investigate Cross-Border Identity matching

In both use cases, the assignee must log into a foreign platform via the EUDIW in step (14). Accessing the PoA platform locally today requires utilization of a national eID, which will be integrated into the EUDIW at the target state. However, a fundamental challenge in enabling cross-border PoAs is the validation and matching of foreign identities. While several countries already support foreign users through eIDAS login, PoA platforms and national registries often lack the capability to verify these users' identities reliably. This limitation hinders seamless international transactions and collaborations.

Implementing the eIDAS framework in conjunction with EUDIW across all participating nations holds promise for bridging this gap. The interoperability provided by EUDIW could enable secure identity matching, ensuring that assignors and assignees from different countries are validated effectively. Notably, the CBDS Programme under the Nordic Council of Ministers is addressing this issue by seeking to create practical solutions for cross-border identity matching.

(j) Resolve Cross-Border PoA Mandate Matching

In step (14) for use case 2, the local PoA platform must, in addition to matching a foreign identity described in observation (i), retrieve information about the PoA created in a foreign country for use on its local platform. As the PoA has been created in a different country, this constitutes a few challenges. First, the local PoA platform must be informed of the PoA, which could be achieved via EUDIW storing the PoA and presenting it to the local platform upon the assignee logging in. Second, the PoA should be compatible with the local requirements in that country, so that all the required information is presented upon request. If all requirements are not met via the PoA and attestation of attributes stored on EUDIW, additional information could be provided through the OOTS. Alternatively, a way to share PoAs across borders might be explored earlier in the process, such as in step (13), when assignee accepts the PoA, or step (10) when the local platform stores the PoA. Some of the possibilities around PoA storage are highlighted in key observation f. Finally, it is important to note that legal requirements for PoAs may differ from country to country and streamlining these may be key to use case 2.