Last review date: 30 December 2024
☒ omnibus – all personal data
☒ sector-specific
E.g., telecoms, public healthcare and welfare, local government, law enforcement, legal procedures, financial, insurance
☒ constitutional
Act No. 90/2018 on Data Protection and Processing of Personal Data ("Data Protection Act") implementing the GDPR into Icelandic law.
Rules No. 50/2023 on Electronic Surveillance, established pursuant to the authorization outlined in Paragraph 5 of Article 14 of the Data Protection Act.
Regulation No. 606/2023 on the Processing of Information on Financial Matters and Creditworthiness, established pursuant to the authorization outlined in Paragraph 2 of Article 15 of the Data Protection Act.
Rules No. 1150/2023 on the Procedure for the Icelandic Data Protection Authority, established pursuant to the authorization in Paragraph 3 of Article 38 of the Data Protection Act.
Act No. 70/2022 on Electronic Communications ("Electronic Communications Act") which implements Directive (EU) 2018/1978 establishing the European Electronic Communications Code into Icelandic law and Act No. 75/2021 on the Electronic Communication Office, which addresses the role of the supervisory authority in Iceland.
Regulations No. 1221/2007 on the protection of information in general telecommunication and No. 1222/2007 on the function of general telecommunication networks.
Act No. 78/2019 on the Security of Network and Information Systems of Critical Infrastructures (“Network Security Act”) implementing Directive (EU) 2016/1148 concerning Measures for a High Common Level of Security of Network and Information Systems across the Union ("NIS Directive") into Icelandic legislation and Regulation No. 866/2020 on the Security of Network and Information Systems of Operators of Essential Services set on the basis of the provisions of Act No. 78/2019.
Rules No. 720/2023 on the General Authorization to Operate Electronic Communications or Provide Electronic Communications Services, established pursuant to the authorization outlined in Paragraph 4 of Article 7 of the Electronic Communications Act.
Act No. 55/2024 on a framework for the free flow of non-personal data, implementing Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018.
Yes.
National level:
A draft regulation on telecommunication security has been published in the government's consultation portal. The regulation is set to replace the existing regulations No. 1221/2007 and No. 1222/2007, based on Article 78 of Act no. 70/2020. The proposed changes aim to bring the legal framework up to date, aligning it with current best practices on information security and risk management for telecommunication networks and services.
In the Action Plan on Artificial Intelligence, it is stated that work is underway to draft legislation on the state's information technology operations, which will grant the Ministry of Finance and Economic Affairs the authority to establish rules regarding technical standards. The status of this draft is still uncertain.
Implementation of laws at EEA level:
The Electronic Communications Office of Iceland ("ECOI") has already begun the preparation for implementation of the NIS2 Directive, which broadens the scope of application and also extends the relevant obligations, compared to NIS. However, the Directive is still under review by the EEA and EFTA countries, and therefore the implementation process has not begun. It is uncertain when NIS2 will be implemented into national law, but the ECOI expects that it will be in 2026.
The draft legal framework implementing Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”) has been published in the government's consultation portal and is expected to enter into force in July 2025. The Act sets forth uniform requirements concerning the security of network and information systems supporting the business processes of financial entities.
In July 2024 the EU AI Act was adopted, with the first obligations taking effect in February 2025 in the EU. The Act provides graduated regulation of AI products based on risk categories. The AI Act is still under review by the EEA and EFTA countries, and therefore the implementation process has not begun in Iceland, so the timeframe for the implementation is uncertain.
The Digital Services Act (“DSA”) entered into force in January 2024 in the EU, but is still under review by the EEA and EFTA countries, and therefore the implementation process has not begun in Iceland, so the timeframe for the implementation is uncertain.
A Regulation tailored to harmonize rules on the fair access and use of data generated in the European Union across all economic sectors (“Data Act”) entered into force in the EU in January 2024. The Act is currently under review by the EEA and EFTA countries, and therefore the implementation process has not begun in Iceland, so the timeframe for the implementation is uncertain. It is nevertheless mentioned in the Action Plan on Artificial Intelligence.
The Cyber Resilience Act (“CRA”), introducing new obligations on manufacturers of products with digital elements designed to ensure the cybersecurity of such products, entered into force in the EU on 10 December 2024, but will mostly be applicable from 11 December 2027. The CRA is currently under review by the EEA and EFTA countries, and therefore the implementation process has not begun in Iceland, so the timeframe for the implementation is uncertain.
The Data Governance Act (2020/868), applicable in the EU since 24 September 2023, is still under review by the EEA and EFTA countries and therefore the implementation process has not begun in Iceland, so the timeframe for the implementation is uncertain. It is nevertheless mentioned in the Action Plan on Artificial Intelligence.
The Political Advertising Regulation (“PAR”) (2024/900), adopted on 13 March 2024 in the EU, lays down certain rules and requirements, including transparency and due diligence obligations, for the provision of political advertising and related services, as well as on targeting techniques and ad-delivery techniques involving personal data processing in the context of online political advertising provision. The PAR is currently under review by the EEA and EFTA countries, and therefore the implementation process has not begun in Iceland, so the timeframe for the implementation is uncertain.