We at the National Cyber Security Centre Finland (NCSC-FI) at the Finnish Transport and Communications Agency Traficom steer and supervise compliance with the provisions and regulations that apply to our field of activity. We supervise many kinds of activities, and this page explains how we interpret the rules and legislation governing our sector and which activities are governed by the regulation we work with. Examples include telecommunications and other transmission of communications, digital services under the NIS 2 Directive, strong electronic identification and eIDAS electronic trust services.
Questions of interpretation often arise about whether a company’s or an organisation’s service or a part of it is to be considered as an activity steered and supervised by the NCSC-FI. The following table lists activities regulated by law, including practical examples. Further below, you will find more specific descriptions of interpretative practice concerning different activities within the scope of the regulation we supervise.
Regulation defines different roles for operators, and it is important to identify the roles individual operators have in practice. For the most part, the regulation discussed here only concerns specific activities. However, certain operators may have several roles governed by regulation. Each activity is assessed separately.
The following presents different activities governed by the regulation we supervise and discusses established interpretative practice.
telecommunications (Act on Electronic Communications Services 917/2014) | |
internal networks in properties (Act on Electronic Communications Services) | Housing companies and other holders of internal communications networks in real estate buildings. |
dedicated network operator (Act on Electronic Communications Services, section 244 a, subsection 2) | Owner or holder of a critical dedicated network |
corporate subscriber (Act on Electronic Communications Services) | Telecommunications operators’ corporate or organisation customers that process their customers' or their own traffic data |
other conveyance of communications (Act on Electronic Communications Services) | In addition to telecommunications operators and corporate subscribers |
cookies (Act on Electronic Communications Services, section 205) | Service provider that saves cookies or other data on the use of an electronic service on a user’s terminal device or uses such data |
digital service (Cybersecurity Act, Annex II, section 2) | Digital service providers in accordance with the Cybersecurity Act issued under the NIS 2 Directive, i.e. |
digital infrastructure (Cybersecurity Act, Annex I, section 6) | Digital infrastructure providers in accordance with the Cybersecurity Act issued under the NIS 2 Directive, i.e. |
ICT service management (Cybersecurity Act, Annex I, section 7) | ICT service management providers in accordance with the Cybersecurity Act issued under the NIS 2 Directive, i.e. |
research organisations (Cybersecurity Act, Annex II, section 5) | Research organisations in accordance with the Cybersecurity Act issued under the NIS 2 Directive, i.e. |
public administration (Information Management Act, section 3) | Public administration organisation under the NIS 2 Directive, i.e. |
associated services and associated facilities (Act on Electronic Communications Services) | For example, providers of the following associated services or associated facilities related to an electronic communications network and/or an electronic communications service: |
strong electronic identification (Act on Strong Electronic Identification and Electronic Trust Services) | Registered providers of strong electronic |
trust service (eIDAS Regulation (EU) 910/2014) | Qualified and non-qualified trust service providers under the eIDAS Regulation: |
Activities that we do not supervise
The NCSC-FI does not supervise the content or marketing of communications or, as a rule, the provision of public authority networks or public authority communications services. Because the set of users using public authority networks or public authority communications services is subject to prior restriction, these networks and services are not considered public telecommunications. Public authority networks and public authority communications services may be incorporated into telecommunications operators' public communications networks. If so, they must not cause operability or information security disturbances in a public communications network.
Telecommunications and telecommunications operators
The NCSC-FI supervises compliance with information security and functionality requirements in telecommunications operations, preparedness for interference and exceptional circumstances, the obligations to provide assistance to emergency services and police authorities as well as the confidentiality of electronic communications and traffic data.
Corporate subscribers
According to the Act on Electronic Communications Services, corporate subscriber means an undertaking or organisation that subscribes to a communications service or a value-added service and processes users’ communications, traffic data or location data in its communications network.
Examples of corporate subscribers include sole traders, cooperatives, limited liability companies, associations, educational institutions and government agencies. A corporate subscriber can be, for example, an undertaking that acquires and provides telephone and broadband subscriptions for its employees and a WLAN connection for those who visit the premises, and processes identification data in its internal network, i.e. information associated with a legal or natural person used to transmit communications. Residents of housing companies sharing a subscriber connection can also be corporate subscribers. Families are not considered corporate subscribers even if a family has an internal communications network (WLAN network) at home and the family members use it for example to surf online via a shared broadband connection.
Corporate subscribers’ obligations regarding functionality, information security, protection of confidential communications, and on the other hand, their rights to process traffic data are regulated by the Act on Electronic Communications Services. The NCSC-FI at Traficom supervises compliance with these provisions. Under the Act, Traficom is also authorised to issue certain technical regulations that specify the provisions of the Act, but so far Traficom has not used its powers concerning corporate subscribers.
Communications providers
Communications providers are operators whose services are based on the confidential transmission of communications, for example, within a certain electronic service. The operations of communications providers are regulated to ensure the confidentiality of electronic communications.
Communications providers must often process electronic communications and traffic data to be able to provide well-functioning services and address any faults or disturbances. The law contains provisions on communications providers' right to process communications and obliges them to ensure the information security of their services.
Communications providers include:
- telecommunications operators
- corporate subscribers
- other communications providers that convey electronic communications for other than personal or comparable customary private purposes.
Other electronic communications providers are a group of operators that became subject to the information security and data protection regulation in the Act on Electronic Communications Services from the beginning of 2015. As a result of this, the regulation of confidentiality and ensuring information security in electronic communications covers all communications providers as their role in the protection of confidential communications is crucial. It is not always simple to draw a line between telecommunications based on the definitions of Directive (EU) 2018/1972 and other conveyance of communications.
Digital services and infrastructure, ICT services, research and public administration
National regulation (Cybersecurity Act and Information Management Act) implementing the EU Cybersecurity Directive (NIS 2 Directive) includes provisions on cybersecurity risk management obligations and the obligation to report significant incidents. The obligations apply, for example, to digital infrastructure providers, digital service providers, ICT service management providers, research organisations and the public administration.
The NCSC-FI guides and supervises the above-mentioned entities in Finland. Digital service providers, ICT service management providers and some digital infrastructure providers fall within the scope of the NCSC-FI’s supervision if their main establishment in the EU is in Finland. If a service provider operates in Finland but its main establishment is in some other EU Member State, the competent authority is the supervisory authority in the country where the main establishment is located.
Providers of associated services and facilities
The Act on Electronic Communications Services defines associated services and associated facilities related to a communication network or service. The NCSC-FI supervises compliance with provisions on information security, functionality and protection of confidential communications related to the provision of these services.
Associated service means a conditional access system, electronic programme guide, number translation system, identity, location and presence service and similar service associated with communications networks or services that enables the provision of a communications network or service or supports the provision of services via them.
Associated facilities mean an associated service and buildings, entries to buildings and building wiring, ducts, masts and other corresponding physical structures, facilities or elements associated with a communications network or service that enables the provision of a communications network or service or supports the provision of services via them.
As of yet, there is practically no interpretative practice concerning associated facilities or services. Interpretation is guided by the examples included in the definitions. The definition of the facilities may be of significance, for example, in the regulation of the technical quality and information security of communications networks and services. The definitions also describe the facilities and services that are not regarded as telecommunications when treated separately.
Strong electronic identification services
Providers of strong electronic identification services are service providers that have submitted a notification on their operations in accordance with the Act on Strong Electronic Identification and Electronic Trust Services (617/2009) and that have been entered in the register referred to in the Act.
Electronic identification means the verification of the identity of a person by electronic means. Strong electronic identification enables consumers to verify their identity safely in various electronic services. It also enables the providers of electronic services to identify their customers.
In Finland, there are two types of providers of services for strong electronic identification:
- Identification means providers provide users with identification means (e.g. banking codes, mobile certificates and citizen certificates on identity cards).
- Identification broker services sell identification services to electronic services.
One service provider may act in both roles and provide identification means and broker services.
According to the Act, the registered providers of strong identification services form a trust network.
The assurance level of a strong electronic identification service may be substantial or high.
Strong electronic identification services include:
- online banking codes provided by banks
- mobile certificates issued by telecommunications operators
- the Digital and Population Data Services Agency’s Citizen Certificate stored on an identity card issued by the police and certain other identification certificates on various organisation cards
- registered identification broker services.
Electronic trust services (eIDAS)
Electronic trust services are means to enable secure electronic transactions. They are governed by the EU eIDAS Regulation (EU) 910/2014.
Trust services may be either qualified or non-qualified. In Finland, the qualification is issued by the NCSC-FI at Traficom. Qualified trust services can be found in national trusted lists that are valid in all EU countries.
Non-qualified trust services are, as defined by the eIDAS Regulation, services for which the provider has not applied for qualification.
Qualified electronic trust services may include the following services (applicable Article of the eIDAS Regulation in brackets):
- certificate, validation service or preservation service for electronic signatures (Articles 28, 33 and 34)
- certificate, validation service or preservation service for electronic seals (Articles 38 and 40)
- electronic time stamp (Article 42)
- electronic registered delivery services (Article 44)
- certificate for website authentication (Article 45)
Non-qualified trust services include:
- those of the above-mentioned services that have not been notified or entered in the trusted list
- certain other service types, such as creation service for advanced electronic signatures or seals
Domain name registrars
Information about the operations of domain name registrars (incl. information security in registrars’ operations) and fi-domain names is available on the Traficom web pages on domain names.