• Digital certificates do not serve as personal identification in the same way as plastic ID cards and passports do.

• A fundamental aspect of the implementation of digital driving licenses is that they must not only be viewed on a screen but also verified. A digital certificate is not valid unless it can be scanned.

• The digital driver's license is the most widespread digital certificate in Iceland. Such certificates are accessible to everyone with a driver's license through the Ísland.is mobile app.

Security is a process

In the development of digital solutions, the security objectives of the police and Digital Iceland are fundamentally the same as in the real world – to protect people, their property, and their information. Digital security focuses on protecting data, access, and infrastructure, and the development of digital certificates follows strict processes, similar to other solutions at Digital Iceland:

• Leading security experts conduct an independent review of the technical architecture and implementations. Furthermore, the code for Digital Iceland's solutions is open and accessible to everyone, which increases trust in the solutions.

• Security testing in the form of general audits and simulated attacks. Action is taken immediately when vulnerabilities are found, and the implementations of solutions are adapted.

• Adherence to international security standards, such as ISO 27001, NIS2, and ISO 18013-5, in Digital Iceland's software development, and especially in the development of certificates. In the near future, ISO 18013-5 will be a prerequisite for Icelandic driving licenses to be recognised in Europe.

Digital certificates must be verified – viewing is not enough

It is very important that everyone who accepts digital certificates verifies them. In the case of digital driving licenses, this is done by scanning the barcode that appears with the certificate in the Ísland.is mobile app. A scanner for this purpose is also available in the app, so one phone can easily be used to verify a certificate on another. To increase security, digital certificates are implemented with:

• A one-minute validity period for the barcode to limit misuse through copying.

• If a mobile phone is offline, digital certificates cannot be verified by scanning; this is clearly indicated in the interface.

• Each barcode is deactivated as soon as a new one is requested, which prevents double use. This also prevents barcodes from being repeatedly requested with a new login session.

We encourage everyone who relies on certificates for service delivery or to confirm rights to always verify them by scanning. This applies, for example, to pharmacies, sellers of alcohol and nicotine products, and bouncers.