1 Legal and enforcement framework
1.1 In broad terms, which legislative and regulatory provisions govern the fintech space in your jurisdiction?
Iceland's legislative and regulatory landscape has undergone significant changes to accommodate the growth of fintech. This evolution reflects the need to adapt existing laws on financial services, data protection, IT and network security to new technologies and business models. The legal framework is largely shaped by EU directives and regulations.
'Fintech' is not specifically defined in Icelandic legislation. Instead, fintech activities fall under broader definitions of general financial laws. Some of the key governing laws include:
- the Act on Financial Undertakings (161/2002), which outlines licensing, operations and supervision for various financial entities and applies broadly, including innovative fintech providers;
- the Act on Payment Services (114/2021), which implements the EU Second Payment Services Directive (PSD2);
- the Act on Technological Aspects such as Remote Contract Formation (114/2021);
- the General Data Protection Regulation (GDPR) and Act 90/2018, which sets strict standards for processing personal data;
- Act 78/2019 on the Security of Network and Information Systems of Critical Infrastructure and Regulation 866/2020 on cybersecurity and IT infrastructure; and
- the Act on Anti-money Laundering (AML) and Terrorist Financing (140/2018), which incorporates EU AML/countering the financing of terrorism (CFT) rules.
Act on the Issuance and Treatment of E-money (17/2013)
New EU regulations such as the Markets in Crypto-Assets Regulation (MiCA) and the Digital Operational Resilience Act (DORA) will also impact fintech companies in Iceland when they will be implemented through the European Economic Area (EEA) framework, especially in areas related to crypto-assets and digital resilience (both are currently being implemented in Iceland).
1.2 Do any special regimes apply to specific areas of the fintech space?
Yes, special regulatory frameworks apply to specific areas of the fintech space in Iceland. For payment services and electronic money institutions, the Act on Payment Services (114/2021):
- implements PSD2;
- sets requirements for licensing and consumer protection; and
- grants the Central Bank of Iceland (CBI) the authority to:
-
- issue regulations on various matters such as account information service providers and payment service providers; and
- require the establishment of a separate entity for the operation of electronic money, distinct from other activities, if it affects financial strength or hinders supervision.
The regulatory framework for electronic money institutions is primarily found in the Act on the Issuance and Treatment of E-money No. 17/2013. This Act implements Directive 2009/110/EC, known as EMDII (E-Money Directive II), concerning the establishment and operation of e-money institutions.
As for virtual asset providers and currency exchange services, specific regulations apply to these regimes and impose requirements on entities, such as registration with and supervision by the Central Bank of Iceland.
For cryptocurrencies, the European Union's MiCA, effective in 2024, is significant and will require licensing for stablecoin issuers and other crypto-related services. DORA, effective in 2025, sets requirements for digital resilience for financial institutions, including fintech firms.
1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
The main supervisory authority for financial activities in Iceland, including fintech, is the Financial Supervisory Authority (FME) of the CBI. The FME became part of the CBI in 2020. Previously, it was an independent institution, but its role remains extensive.
It supervises numerous entities and activities in the financial market, many of which directly or indirectly relate to fintech. It has the power to:
- issue licences;
- conduct supervision and inspection;
- require reporting; and
- impose fines or other sanctions for non-compliance.
The Financial Supervision Committee operating within the CBI oversees and approves matters related to financial institutions.
The Ministry of Finance and Economic Affairs plays a role in shaping the legal framework through legislation. Further, the Directorate of Internal Revenue supervises entities not covered by the FME; while the European Free Trade Association Surveillance Authority plays a limited oversight role in line with EEA rules.
The Data Protection Authority (DPA) exercises broad oversight over the processing of personal data in Iceland, including fintech-related processing activities. Its role is to ensure compliance with data protection laws and regulations, particularly:
- Act 90/2018 on Data Protection and the Processing of Personal Data; and
- the GDPR.
This role is seen as particularly important with respect to fintech companies due to their reliance on data processing. The DPA has the authority to:
- investigate breaches;
- issue fines; and
- demand compliance.
1.4 What is the regulators' general approach to fintech?
The general approach of the Icelandic regulators to fintech is primarily technology neutral (functional). This means that:
- the regime is intended to remain adaptable in a constantly changing environment; and
- existing laws and regulations are applied to new services regardless of the technology used.
Currently (mid-2025), there is no general regulatory sandbox in place for fintech companies in Iceland. However, it may be inferred that the Icelandic regulators' approach to fintech is adaptable and includes certain flexibility to address innovation. Since the general approach is technology neutral, in some cases this can provide room for innovation within the current framework.
As an example, according to Article 5 of the Act on Market Infrastructures for Financial Instruments Based on Distributed Ledger Technology (Blockchain) (56/2024), the FME (as part of the CBI) is authorised to grant and revoke specific licences and exemptions for operating such infrastructure. Therefore, special exemptions or adaptations can apply for certain new technological solutions. Also, fintech companies and startups seeking to register or obtain a licence from the FME can engage in a pre-licensing dialogue with the FME and obtain instructions. Another example is crowdfunding and peer-to-peer lending, which may fall within the scope of the investment services laws. In such cases:
- the FME assesses applicants on a case-by-case basis; and
- a quasi-sandbox approach is informally applied.
In general, the Icelandic regulators have declared openness to fintech innovation. They offer informal engagement and guidance for fintech startups seeking clarity on licensing and compliance. However, they maintain a cautious, risk-based approach, with a strong emphasis on risk management and protection of:
- financial stability;
- consumers; and
- personal data.
Due to the relatively small size of the Icelandic market, regulation is mostly in line with EU trends.
1.5 Are there any trade associations for the fintech sector?
No specific trade association is currently dedicated solely to the fintech sector in Iceland. However, fintech firms may participate in broader industry associations such as the Confederation of Icelandic Enterprise and the Icelandic Financial Services Association, both of which represent financial institutions, including those using financial technology.
Although not a trade association, the Icelandic Blockchain Foundation acts as an interest group for parts of the fintech sector. It advocates for innovation and policy reform specifically around digital currencies and blockchain-based services. It:
- provides startup support and advice; and
- connects blockchain-related entrepreneurs and projects with funding and expertise.
At the European level, the European FinTech Association is active and may influence Icelandic firms through EEA cooperation. The lack of a dedicated local fintech association may reflect the relatively small size of the Icelandic fintech market.
2 Fintech market
2.1 Which sub-sectors of the fintech industry have become most embedded in your jurisdiction?
The main fintech sub-sectors embedded in the Icelandic financial system are:
- payment processing and e-money services (digital payment solutions, mobile payments and interbank systems); and
- online banking and digital banking channels.
These have become fundamental services which form an integral part of Icelandic financial institutions' information technology.
Activities in the area of securities brokerage and financial instrument markets have also grown rapidly and are well defined in the regulatory framework (Act on Markets for Financial Instruments (115/2021)). The laws include specific provisions on:
- direct electronic access; and
- the operation of financial instrument marketplaces.
Virtual assets (eg, cryptocurrencies) and distributed ledger technology are newer sectors that are still in their early stages, although the existence of specific laws and regulations indicates their growing significance. The Regulations on Currency Exchange Services and Virtual Asset Service Providers (151/2023) and the Act on Market Infrastructure for Financial Instruments Based on Distributed Ledger Technology (56/2024) suggest that these sub-sectors are becoming more embedded and require specific regulatory frameworks and supervision.
2.2 What products and services are offered?
Fintech products and services in Iceland primarily focus on payment services, such as:
- mobile apps for transfers (eg, banking apps from Landsbankinn and Íslandsbanki);
- digital wallets; and
- contactless payments.
Electronic identity solutions, such as Auðkenni, are also key to the digital finance ecosystem. Some firms offer digital investment services, including robo-advisory and crowdfunding platforms. Insurtech services, such as digital insurance offerings, are present but less developed. Cryptocurrency services, including exchanges or wallets, remain limited but may expand as new regulations – such as the European Union's Markets in Crypto-Assets Regulation – framework are implemented.
2.3 How are fintech players generally structured?
Fintech players in Iceland are generally structured as small startups or subsidiaries of larger financial institutions, such as banks. Startups are commonly registered as private limited companies and operate with small teams focused on specific technologies, such as payment solutions. Larger financial institutions may develop fintech products internally or in partnership with external tech firms. These partnerships are often flexible and not based on ownership, allowing for collaborative innovation. Universities and research centres may also be involved in early-stage solution development.
2.4 How are they generally financed?
Fintech firms in Iceland are generally financed through a mix of:
- equity;
- angel investment;
- venture capital; and
- public grants.
Small startups often rely on:
- funding from founders, friends and family; and/or
- government support – including grants from the Technology Development Fund, administered by Rannís, the Icelandic Centre for Research.
Larger fintech projects, particularly those connected to banks, may receive direct funding from their parent institutions. International venture capital is less common due to the small market size, though interest is growing through European Economic Area (EEA) cooperation. Some fintech firms also explore crowdfunding as a supplementary funding method, though this is still an emerging trend in Iceland.
2.5 How are they positioned within the broader financial services landscape?
Fintech firms in Iceland are often positioned as providing services that are complementary to traditional financial services, rather than as direct competitors. They frequently collaborate with major banks, such as Landsbankinn, Íslandsbanki and Arion Bank, which dominate the domestic financial market. Fintech players typically focus on digital innovations – such as payment apps, investment platforms and automation tools – to enhance user experience and operational efficiency. Due to the small size of the Icelandic market, competition is limited and fintech firms tend to support, rather than disrupt, existing financial institutions. Through EEA regulations, Icelandic fintech companies can also access broader international markets, which strengthens their role in the financial ecosystem.
2.6 Do start-ups generally outsource back office functions and is there a developed market for them to access? What are the legal implications of outsourcing?
Yes, many fintech startups in Iceland outsource back-office functions – such as IT services, accounting and compliance – to reduce costs and focus on core innovation and product development. While the domestic outsourcing market is relatively limited, firms can engage both local and international service providers, particularly through cooperation within the EEA.
Legal frameworks such as the General Data Protection Regulation and the Digital Operational Resilience Act (effective 2025) set strict requirements for:
- data protection;
- cybersecurity; and
- third-party risk management.
Fintech companies/startups in Iceland must ensure that their outsourcing partners comply with these obligations, especially when handling sensitive financial or personal data.
The Financial Supervisory Authority (as part of the Central Bank of Iceland) may request disclosures and risk assessments regarding outsourcing arrangements. Non-compliance with these regulatory requirements may result in administrative sanctions, including fines or revocation of licences.
3 Technologies
3.1 How are the following key technologies in the fintech space regulated and what specific legal issues are associated with each? (a) Internet (e-commerce); (b) Mobile (m-commerce); (c) Big data (mining); (d) Cloud computing; (e) Artificial intelligence; and (f) Distributed ledger technology (Blockchain, cryptocurrencies)
(a) Internet (e-commerce)
E-commerce in Iceland is primarily governed by the Act on Electronic Commerce and Other Electronic Services (30/2002), which implements the EU E-commerce Directive (2000/31/EC). This law sets requirements for:
- transparency;
- provision of consumer information; and
- the conclusion of electronic contracts.
In the fintech sector, these provisions apply to:
- online banking services;
- digital marketplaces; and
- payment platforms.
Additionally, the General Data Protection Regulation (GDPR), implemented in Iceland through Act 90/2018, sets strict requirements for personal data protection, especially when handling sensitive financial information.
Legal challenges include:
- ensuring data security;
- combating online fraud; and
- fulfilling consumer protection obligations.
(b) Mobile (m-commerce)
Mobile commerce (m-commerce) in Iceland is primarily regulated under the same legal framework as e-commerce. The core laws include:
- the Act on Electronic Commerce (30/2002); and
- the Act on Payment Services (120/2011).
The Payment Services Directive introduced requirements for strong customer authentication, particularly for mobile payments, to reduce fraud and enhance security.
In addition to these regulations, the GDPR (Act 90/2018) applies to the collection and processing of personal data in mobile financial applications. This means that fintech firms offering mobile services must implement strict data protection measures.
Legal challenges in the mobile commerce space include:
- ensuring the technical and data security of mobile apps;
- preventing unauthorised access and data breaches; and
- providing clear, user-friendly information regarding terms of service and data usage.
Under Act 90/2018, companies must report significant data breaches without undue delay and if possible within 72 hours, or risk penalties.
(c) Big data (mining)
Big data (mining) in Icelandic fintech is mainly regulated by the GDPR (Act 90/2018). Fintech firms must:
- obtain clear consent;
- ensure transparency; and
- collect only necessary personal data.
Depending on the nature, scope, context and purposes of the processing, it may also be mandatory to conduct a data protection impact assessment prior to data mining, especially when new technologies are being applied. Depending on the outcome and whether there is an indication that the processing may involve a high risk to the rights and freedoms of data subjects, prior consultation and prior authorisation from the Data Protection Authority (DPA) may also be required.
The Anti-money Laundering Act (140/2018) also encourages data use to detect fraud and money laundering.
Key legal issues include:
- securing valid consent;
- preventing data misuse; and
- protecting against breaches.
Firms must also respect user rights, such as access and deletion of data. The DPA oversees GDPR compliance and may issue fines of up to €20 million or 4% of global turnover. The Central Bank of Iceland (CBI) can also require reports related to data use in the context of anti-money laundering/countering the financing of terrorism.
(d) Cloud computing
Cloud computing in fintech in Iceland is regulated mainly by:
- the GDPR (Act 90/2018); and
- the upcoming EU Digital Operational Resilience Act (DORA), effective in 2025.
Fintech firms must:
- ensure strong data protection, especially when data is stored outside Iceland; and
- comply with risk management and digital resilience requirements under DORA.
The Act on Financial Undertakings (161/2002) also requires firms to guarantee security and stability when using cloud services.
Legal challenges include:
- protecting personal data;
- meeting outsourcing rules; and
- notifying the CBI about cloud service contracts.
The CBI can impose fines for non-compliance and the DPA may intervene in case of data protection violations.
(e) Artificial intelligence
Artificial intelligence (AI) in fintech is still evolving and mainly falls under the GDPR (Act 90/2018) when personal data is involved, particularly in automated decision making. The upcoming implementation of the EU AI Act into Icelandic law, expected in 2026, will introduce specific rules for high-risk AI systems such as credit scoring tools. Key legal issues include:
- ensuring transparency;
- preventing bias; and
- protecting consumer rights and personal data.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
Distributed ledger technology (DLT), including blockchain and cryptocurrencies, is lightly regulated in Iceland. Crypto service providers must comply with the Anti-money Laundering Act (140/2018), especially regarding exchanges and wallets. The EU Markets in Crypto-Assets Regulation, effective in the European Union since 2024, will introduce mandatory licensing and conduct requirements when it will be implemented in Iceland. Legal issues include:
- money laundering and terrorist financing risks;
- consumer protection; and
- financial stability.
4 Activities
4.1 How are the following key activities in the fintech space regulated and what specific legal issues are associated with each? (a) Crowdfunding, peer-to-peer lending; (b) Online lending and other forms of alternative finance; (c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb); (d) Forex; (e) Trading; (f) Investment and asset management; (g) Risk management; (h) Roboadvice; and (i) Insurtech.
(a) Crowdfunding, peer-to-peer lending
Crowdfunding and peer-to-peer lending in Iceland are governed by the European Crowdfunding Service Provider Regulation (2020/1503), implemented into Icelandic law through the Act on European Crowdfunding Service Providers (45/2024). The act requires:
- platform licensing;
- transparency; and
- consumer protection.
The Act on Financial Undertakings (161/2002) and the Anti-money Laundering (AML) Act (140/2018) also apply. Legal challenges include:
- ensuring accurate risk disclosures;
- preventing fraud; and
- meeting AML/countering the financing of terrorism (CFT) requirements.
(b) Online lending and other forms of alternative finance
Online lending and other forms of alternative finance in Iceland are regulated under the Act on Financial Undertakings (161/2002), which requires lenders to obtain a licence from the Central Bank of Iceland (CBI). The General Data Protection Regulation (GDPR) (Act 90/2018) applies to the processing of personal data, while the AML Act (140/2018) mandates know-your-customer (KYC) and anti-fraud measures. Legal challenges include:
- ensuring consumer protection;
- avoiding over-indebtedness; and
- safeguarding personal data.
The market remains small due to the strong position of traditional banks.
(c) Payment services (including marketplaces that route payments from customers to suppliers (eg, Uber and AirBnb)
Payment services are governed by the Act on Payment Services (120/2011). Service providers must:
- obtain a licence from the CBI; and
- follow rules on good business practices (Rules 353/2022).
Strong customer authentication (SCA), data protection under the GDPR (Act 90/2018) and AML obligations under the AML Act (140/2018) also apply. Legal challenges include:
- securing transactions;
- preventing fraud; and
- ensuring transparency.
Iceland has a well-developed payment services market supported by banks and fintech firms.
(d) Forex
Forex trading in Iceland is primarily regulated by the Foreign Exchange Act (70/2021), which generally allows unrestricted foreign exchange transactions, though the CBI may impose restrictions or require reporting. When forex trading is provided as a financial service, it also falls under the Act on Financial Undertakings (161/2002) and the Act on Markets in Financial Instruments (115/2021), which implement the Second Markets in Financial Instruments Directive (MiFID II). These laws require:
- licensing;
- transparency; and
- investor protection.
The AML Act (140/2018) imposes KYC and AML monitoring obligations. Legal challenges include:
- preventing market manipulation;
- managing risk exposure; and
- ensuring regulatory compliance.
(e) Trading
Trading in financial instruments in Iceland is governed by the Act on Markets in Financial Instruments (115/2021), which implements MiFID II. This law:
- requires service providers to be licensed by the CBI; and
- ensures:
- transparency;
- fair market practices; and
- investor protection.
The GDPR (Act 90/2018) applies to personal data processing and the AML Act (140/2018) requires monitoring of transactions to prevent money laundering. Legal challenges include:
- preventing insider trading;
- preventing market abuse; and
- ensuring client protection.
(f) Investment and asset management
Investment and asset management in Iceland are governed by:
- the Act on Financial Undertakings (161/2002), implementing MiFID II;
- the Act on Managers of Alternative Investment Funds (45/2020), implementing the Alternative Investment Fund Managers Directive; and
- the Act on Undertakings for Collective Investment in Transferable Securities (128/2011), implementing the Undertakings for Collective Investment in Transferable Securities Directive.
These laws require:
- licensing;
- transparency; and
- proper risk management.
The GDPR (Act 90/2018) and the AML Act (140/2018) also apply. Legal challenges include:
- ensuring accurate risk disclosures;
- avoiding conflicts of interest; and
- protecting investors.
(g) Risk management
Risk management in fintech in Iceland is governed primarily by the Act on Financial Undertakings (161/2002), which requires financial companies to maintain effective risk management systems. The CBI:
- oversees risk management practices; and
- may issue specific regulations related to risk assessment and mitigation.
The upcoming implementation of the EU Digital Operational Resilience Act (effective 2025) will further strengthen requirements for digital resilience and operational risk management. Additionally, the GDPR mandates risk assessments when processing personal data. Key legal challenges include:
- ensuring system security;
- minimising operational risks; and
- complying with outsourcing rules.
The CBI requires regular risk management reports and non-compliance can result in fines or other sanctions.
(h) Roboadvice
Roboadvice in Iceland is governed primarily by the Act on Markets in Financial Instruments (115/2021) and the Act on Financial Undertakings (161/2002). These laws require:
- licensing;
- transparency; and
- adherence to investor protection rules.
The GDPR applies to personal data processing and the upcoming implementation of the EU AI Act (effective 2026) will introduce additional requirements for AI systems. Legal challenges include:
- ensuring transparency;
- avoiding bias in advice; and
- protecting consumers.
(i) Insurtech
Insurtech in Iceland is governed by the Act on Insurance Activities (100/2016), which implements the EU Solvency II Directive. This law requires:
- licensing;
- financial stability; and
- effective risk management.
The GDPR applies to personal data processing within insurtech services. Key legal challenges include:
- ensuring data protection;
- fulfilling consumer information obligations; and
- preventing discriminatory pricing practices.
5 Data security and cybersecurity
5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?
The applicable data protection regime in Iceland is the Act on Data Protection and the Processing of Personal Data (90/2018), which implements the EU General Data Protection Regulation (GDPR). Fintech companies, which handle sensitive financial and personal data (eg, in payment services or credit scoring), must:
- conduct risk assessments;
- report data breaches, if possible, within 72 hours; and
- uphold consumer rights, such as:
-
- the right to access;
- the right to rectification;
- the right to erasure ('right to be forgotten'); and
- the right to restrict processing.
The Data Protection Authority (DPA) oversees compliance and can impose fines up to €20 million or 4% of a company's annual global turnover for violations. Legal challenges include:
- ensuring data protection in cloud environments;
- preventing data breaches; and
- complying with rules for international data transfers, especially outside the European Economic Area.
5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?
The applicable cybersecurity regime for financial institutions in Iceland, including fintech companies, is primarily built upon a framework that transposes EU directives. It emphasises the protection of critical infrastructure and robust operational resilience.
The primary legislative pillar is the Act on the Security of Network and Information Systems of Critical Infrastructure (78/2019) ('NIS Act'). It applies to network and information systems of 'operators of essential services' in Iceland within the sectors of banking and financial market infrastructure. This directly includes many fintech companies operating in these areas. The act emphasises:
- enhancing the resilience of the community's information systems; and
- improving:
-
- analysis;
- preparedness; and
- response to cyber threats.
The Act on Financial Undertakings (161/2002) contains general provisions on operational risk. It states that a financial undertaking must have policies and processes to assess and manage operational risk, including risks related to infrequent events that can have severe consequences. This inevitably includes cybersecurity risks. It also stipulates that financial undertakings must have a response plan and a business continuity plan to ensure their continued operation and limit damage in case of severe disruptions to the company's operations (see Article 78(g) of the same act).
While the GDPR and the Data Protection Act do not directly concern cybersecurity, it is an integral part of the overall picture. Cyberattacks often lead to personal data breaches, which trigger obligations under data protection legislation – for example, requirements for the notification of the DPA and data subjects.
As for specific implications for fintech companies (especially operators of essential services in banking or financial market infrastructure), they must first and foremost comply with the requirements of the NIS Act. This includes:
- implementing appropriate technical and organisational measures to manage risks to the security of their network and information systems; and
- reporting severe security incidents to the Central Bank of Iceland.
Overall, the framework ensures stability and security in the financial system, especially for critical infrastructure. This will be further enhanced with the upcoming implementation of the EU Digital Operational Resilience Act, effective from 2025, which sets out detailed requirements on:
- digital resilience;
- risk management; and
- mandatory cyber incident reporting.
6 Financial crime
6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for fintech companies?
In Iceland, the fight against money laundering and other forms of financial crime is governed by a comprehensive regulatory framework based on international standards, particularly from the Financial Action Task Force and the European Union. One key law in this respect is the Act on Measures Against Money Laundering and Terrorist Financing (140/2018). It has far-reaching implications for fintech companies – particularly providers of:
- payment services;
- electronic money services; and
- virtual asset-related services.
These implications entail extensive compliance obligations on matters such as:
- reporting;
- customer due diligence;
- transaction monitoring;
- suspicious transaction reporting; and
- data retention.
Another key statute is the General Penal Code (19/1940), which penalises money laundering and other financial crimes. According to Article 246 on money laundering, the penalty can be up to six years' imprisonment. Article 264(2) covers self-laundering – that is, where the person who committed the predicate offence (eg, tax evasion or fraud) subsequently launders the proceeds thereof. In Supreme Court Judgment 29/2020, a conviction for self-laundering was upheld despite the predicate offence (tax crime) being time barred, as the act of holding and disposing of the proceeds continued after self-laundering became a criminal offence. The Supreme Court considered money laundering to be a 'state offence' that does not become time barred until the state of affairs ceases.
7 Competition
7.1 Does the fintech sector present any specific challenges or concerns from a competition perspective? Are there any pro-competition measures that are targeted specifically at fintech companies?
The fintech sector in Iceland faces specific challenges from a competition perspective, mainly stemming from the prevailing market conditions in the financial sector. This is largely due to:
- the small size of the market;
- the concentration of incumbents; and
- limited infrastructure for new entrants.
First, the Icelandic banking and payments market is dominated by a few dominant commercial banks – notably:
- Íslandsbanki;
- Landsbankinn; and
- Arion Bank.
This makes it difficult for fintechs to gain access to core financial infrastructure and customer bases.
Second, regulatory barriers such as licensing, compliance costs and local presence requirements pose additional challenges, especially for smaller or foreign fintechs.
However, several pro-competition measures in Iceland support fintech development. The implementation of the Second Payment Services Directive via the European Economic Area Agreement allows fintech firms to access bank account data and initiate payments through open application programming interfaces, fostering innovation and reducing entry barriers. The Competition Authority is actively monitoring the digital sector to remove barriers and promote consumer access to new services. Settlements with banks, such as with Íslandsbanki, aim to lower switching costs and encourage market entry. Finally, the Act on Markets for Financial Instruments ensures transparent, non-discriminatory access to trading venues, benefiting fintech firms seeking platform access.
8 Innovation
8.1 How is innovation in the fintech space protected in your jurisdiction?
Innovation in the fintech sector in Iceland is protected through a combination of:
- IP rights;
- trade secrets protection;
- data protection laws; and
- the regulatory framework, which supports secure and compliant operations.
Fintech innovations – such as software, platforms, algorithms and digital tools – can be protected under Iceland's IP system, which is largely harmonised with European frameworks. IP rights are administered by the Icelandic Intellectual Property Office.
Innovation in the fintech space is also protected through a regulatory sandbox specifically for distributed ledger technology (DLT)/blockchain activities. Iceland has enacted EU Regulation 2022/858 on a pilot regime for market infrastructure based on DLT, as per Article 2 of the Act on Market Infrastructure for Financial Instruments Based on Distributed Ledger Technology (Act 56/2024). This pilot regime offers a controlled environment in which innovative solutions built on DLT (eg, blockchain) can be tested and developed, potentially with temporary exemptions from existing regulations. This protects innovative companies in this field from the full burden of regulation during the development phase.
Under Act 90/2018 and the General Data Protection Regulation, fintech firms must protect personal data. While not traditional 'intellectual property' the secure handling of data is often a core part of a fintech firm's value and innovation. Compliance:
- helps to maintain trust; and
- prevents data misuse by competitors.
Lastly, while regulation is primarily designed for risk management and market integrity, it indirectly protects innovation by:
- creating legal certainty for new services (eg, Second Payment Services Directive-based services);
- preventing unlicensed or fraudulent actors from copying or exploiting innovations without regulatory scrutiny; and
- encouraging secure environments for innovation (eg, through cybersecurity requirements and supervisory guidance from the Financial Supervisory Authority and CERT-ÍS).
8.2 How is innovation in the fintech space incentivised in your jurisdiction?
Innovation in the fintech industry in Iceland is incentivised through a combination of:
- direct financial support;
- tax benefits;
- advisory services; and
- a competition policy framework designed to foster a dynamic market environment.
Public support manifests in agreements with public or private entities for various innovation projects, such as digital workshops (Article 9 of the Act on Public Support for Innovation). Grants and funds have been established – examples include:
- the Lóa Project Grant, which incentivises innovation in rural areas; and
- the Kría Innovation Fund, which aims to promote an effective and internationally competitive financing environment for startups and innovation companies in Iceland.
Tax incentives were created with laws on tax deductions for research and development (R&D) projects. More specifically, innovation companies are entitled to a special tax deduction amounting to 20% of the incurred costs for R&D projects that have received confirmation from Rannís, the Icelandic Centre for Research. Finally, competition has been a tool in promoting innovation through policies and measures taken by the Competition Authority aimed at:
- reducing switching costs;
- encouraging more active oversight; and
- preventing tacit collusion.
Such measures are intended to stimulate competition and thus to create incentives for efficiency and innovation.
9 Talent acquisition
9.1 What is the applicable employment regime in your jurisdiction and what specific implications does this have for fintech companies?
Iceland's employment regime is based on:
- statutory labour laws;
- collective bargaining agreements (CBAs); and
- individual contracts.
Collective agreements apply universally, setting minimum standards for:
- wages;
- working hours; and
- benefits.
This means that fintech companies must comply with strict employment rules, including in relation to:
- mandatory pension contributions;
- regulated termination procedures; and
- limited flexibility in contract terms.
These protections increase compliance obligations and employment costs, making it essential for fintech companies to plan carefully when hiring in Iceland.
9.2 How can fintech companies attract specialist talent from overseas where necessary?
Fintech companies in Iceland aiming to attract international specialist talent must leverage specific legal provisions and tax incentives designed to facilitate the employment of such personnel. Simultaneously, it is crucial to be aware of certain potential difficulties that may arise during the process.
The Icelandic government has implemented regulations to support the import of specialised expertise. Regulation 1202/2016 on deductions from the income of foreign specialists is a key instrument in this regard. Its objective is to attract foreign specialists with the necessary knowledge and skills to work in Iceland, which can prevent companies from having to relocate their operations abroad, as stated in Article 1 of the regulation. This regulation offers a direct financial incentive for individual employees.
Furthermore, the Directorate of Labour is authorised to grant temporary work permits for positions requiring specialist expertise, as per Article 8 of the Act on the Rights of Foreigners to Work (97/2002). To obtain such a permit, several conditions must be met.
10 Trends and predictions
10.1 How would you describe the current fintech landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
The fintech landscape in Iceland is continuously evolving, driven by technological advancements and the implementation of European regulations, despite remaining a concentrated market.
As for the current state of the market, the implementation of the Second Payment Services Directive has been a major driving force, leading to:
- the emergence of new payment service providers such as payment initiation service providers and account information service providers; and
- the development of open banking through application programming interfaces.
This:
- has fostered increased digitalisation; and
- aims to:
-
- enhance competition; and
- reduce barriers to entry in the financial market.
Icelandic regulations are largely harmonised with EU regulations. A significant new development is the implementation of EU Regulation 2022/858 on a pilot regime for market infrastructure based on distributed ledger technology (see Article 3 of the Act on Markets for Financial Instruments and Article 2 of the Act on Market Infrastructures for Financial Instruments Based on Distributed Ledger Technology). Although this legislation has already been implemented, its impact on the development of new fintech solutions is expected to become more prominent in the next 12 months. This pilot regime offers an environment in which new solutions can be tested with temporary derogations from existing rules.
Iceland will continue to implement and adapt to changes in EU/European Economic Area financial legislation – for example, the EU Digital Operational Resilience Act (DORA) (2022/2554). DORA is scheduled to enter into force in Iceland on 1 November 2025. Simultaneously, the Central Bank of Iceland will issue rules that incorporate the EU regulatory technical standards accompanying DORA.
Another important EU instrument in its implementation phase is the Markets in Crypto‑Assets Regulation (MiCA). The implementation period in Iceland is 18 months, giving existing crypto‑asset service providers time to continue operating under former national rules while applying for MiCA authorisation. This period runs from 30 December 2024 (MiCA's full application date) until 1 July 2026.
Lastly, the Competition Authority is expected to continue emphasising the promotion of competition and the reduction of barriers to entry in Icelandic markets, including in the field of digital operations. This could lead to further actions or settlements that encourage innovation and a more open market.
Overall, increased competition and diversity in fintech services are expected in Iceland in the coming months (from mid-2025 onwards).
11 Tips and traps
11.1 What are your top tips for fintech players seeking to enter your jurisdiction and what potential sticking points would you highlight?
Entering the Icelandic fintech market presents both promising opportunities and notable challenges. As a member of the European Economic Area (EEA), Iceland offers a regulated and innovation-friendly environment aligned with EU standards.
Top tips: Start early engagement with the Financial Supervisory Authority, now part of the Central Bank of Iceland, to:
- clarify licensing requirements; and
- avoid regulatory delays.
Fintech companies must understand that certain services, such as electronic money issuance, may require a legal entity and active management presence in Iceland, in line with Act 114/2021.
Iceland's EEA membership allows for the potential passporting of licensed services across the EEA. Given that many legal and regulatory materials are only available in Icelandic, it is advisable to work with local legal and compliance experts to ensure full understanding and adherence to local requirements.
One of the most significant advantages for fintech companies is the implementation of the Second Payment Services Directive through Act 114/2021. This has laid the foundation for open banking in Iceland, enabling new types of payment service providers – such as payment initiation service providers and account information service providers – to access bank accounts via open application programming interfaces.
Another promising development is Iceland's participation in the European Union's distributed ledger technology (DLT) pilot regime under EU Regulation 2022/858. For companies focused on blockchain and decentralised finance, this regime offers a valuable opportunity to innovate without bearing the full burden of traditional regulatory constraints from the outset.
Given the small and tightly held nature of the Icelandic financial market – dominated by a few large banks – it may be more strategic for new entrants to specialise in underserved niches rather than attempt to compete head-on with incumbents. Targeting specific market segments or developing tailored products can yield better results than broad-based market strategies.
Forming strategic partnerships with local institutions can also be a practical pathway to market entry. Collaborating with banks, technology providers or infrastructure entities such as the Icelandic Banks' Data Centre can:
- ease access to essential systems;
- reduce entry costs; and
- help newcomers to:
-
- navigate the regulatory landscape; and
- develop trust with local customers.
In this context, it would be advisable to contact Reykjavik Fintech—a community and collaboration platform fostering fintech innovation in Iceland. Founded in 2018, the community recently began operating an Innovation Centre that offers support to young startup companies and related parties. According to their website:
"Reykjavik Fintech brings together companies, investors, banks, and startups—relevant players from all levels of experience—by arranging networking conventions, launching events and conferences, all to breed innovation and maximise the potential of rewarding partnerships to make a lasting impact in the everyday lives of people and businesses. We also cultivate connections to the international fintech scene—other clusters as well as companies and investors." 1
Challenges: Despite these opportunities, fintech companies should be aware of several challenges. The Icelandic market is relatively small and oligopolistic, with a few dominant banks controlling most of the financial infrastructure and customer data. Regulatory and operational requirements, such as local presence obligations and capital thresholds, can further raise the barrier to entry – especially for smaller or foreign firms. Foreign payment providers may also face practical hurdles when dealing with the Icelandic currency, the krona. The currency itself, being somewhat volatile, adds another layer of complexity for foreign firms used to operating in more stable currency environments.
Moreover, while Iceland's financial regulation is broadly aligned with EU law through the EEA Agreement, local implementation details and language-specific documentation can make compliance difficult. For instance, many official documents and regulatory communications are only available in Icelandic, meaning that foreign entrants may need local legal or compliance support to interpret obligations and correspond with authorities effectively.
In conclusion, Iceland offers a well-regulated and innovation-friendly environment for fintechs, with:
- strong alignment to European law;
- opportunities in open banking and blockchain innovation; and
- supportive mechanisms for attracting talent and funding.
However, its small market size, high concentration, regulatory complexity and barriers to infrastructure access require a well-planned, locally informed strategy for successful market entry.
Footnote
1. https://en.fjartaekniklasinn.is/
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.