Front Page: NCSC-FI

Electronic identification

Strong electronic identification is a means to prove one’s identity in electronic services. Identification services must meet certain requirements laid down by law. Service providers based in Finland must submit a written notification to the Finnish Transport and Communications Agency (Traficom) before commencing their services. The National Cyber Security Centre Finland (NCSC-FI) at Traficom monitors and supervises compliance with the requirements, issues more detailed regulations and maintains a list of identification service providers who meet the requirements.

Strong electronic identification services

Strong electronic identification means the verification of the identity of a person by electronic means. Strong electronic identification enables consumers to verify their identity safely in various electronic services. It also enables the providers of electronic services to identify their customers.

In Finland, there are two types of providers of services for strong electronic identification:

  • Identification means providers provide users with identification means.
  • Identification broker services sell identification services to electronic services.

One service provider may act as both a means provider and a broker service provider.

The assurance level of a strong electronic identification service may be substantial or high.

Strong electronic identification services include: 

  • online banking codes provided by banks
  • mobile certificates issued by telecommunications operators
  • the Digital and Population Data Services Agency’s Citizen Certificate stored on an identity card issued by the police and certain other identification certificates on various organisation cards 
  • registered identification broker services

Identification means

Strong electronic identification may be based on different technical processes.

What all of these means have in common is that they must use at least two of the following authentication factors, and the authentication mechanism must be dynamic:

  • knowledge-based factor: something only the person knows and must demonstrate knowledge of (e.g. a password or PIN code)
  • possession-based factor: something only the person holds and must demonstrate possession of (e.g. a code-generating device, a mobile application or a list of PIN codes)
  • inherent factor: a physical attribute of the natural person (e.g. a fingerprint or iris).

Dynamic authentication means an electronic process that

  • uses cryptography or other techniques
  • to create on demand an electronic proof that the subject is in control or in possession of the identification data, and
  • produces a proof that changes with each authentication between the subject and the system verifying the subject's identity.

A proof that is identical from one authentication to the next, such as a fixed password sent as-is, does not meet this requirement, because a captured proof could simply be replayed.
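As an added illustration (not code from NCSC-FI or from any identification means provider), the following Python example shows a minimal two-factor, dynamic authentication exchange: a PIN as the knowledge factor and a device-held secret as the possession factor, with the proof computed over a fresh server nonce so that it changes on every authentication. The user, PIN and device key are constructed for the example, and `Device` and `Verifier` are hypothetical names; a real means provider's protocol will differ in detail, but must have the same properties.

```python
import hashlib
import hmac
import secrets

# Added example (not NCSC-FI code): two factors plus a dynamic proof.
# Knowledge factor: a PIN the user types.  Possession factor: a device that
# holds a secret key it never reveals and answers a fresh server challenge
# with an HMAC, so every proof differs and a captured proof cannot be replayed.


class Device:
    """Possession factor: holds the per-user secret key (hypothetical device)."""

    def __init__(self, key: bytes):
        self._key = key

    def prove(self, nonce: bytes) -> bytes:
        # The proof is bound to this nonce only; a new nonce needs a new proof.
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Verifier:
    """The identifying party: issues challenges and checks both factors."""

    def __init__(self):
        self._users = {}    # user -> (device_key, pin_salt, pin_hash)
        self._pending = {}  # user -> outstanding nonce (single use)

    def enrol(self, user: str, device_key: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self._users[user] = (device_key, salt, pin_hash)

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce  # replaces any earlier unanswered challenge
        return nonce

    def verify(self, user: str, pin: str, proof: bytes) -> bool:
        record = self._users.get(user)
        nonce = self._pending.pop(user, None)  # consume: one challenge, one attempt
        if record is None or nonce is None:
            return False
        device_key, salt, pin_hash = record
        pin_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000), pin_hash)
        expected = hmac.new(device_key, nonce, hashlib.sha256).digest()
        proof_ok = hmac.compare_digest(expected, proof)
        return pin_ok and proof_ok  # both factors must pass


def demo() -> dict:
    """Runs four attempts and reports which ones the verifier accepted."""
    key = secrets.token_bytes(32)  # constructed device secret
    device, verifier = Device(key), Verifier()
    verifier.enrol("alice", key, pin="4711")  # constructed user and PIN

    # 1. Genuine attempt: correct PIN, proof over the current nonce.
    n1 = verifier.challenge("alice")
    p1 = device.prove(n1)
    genuine = verifier.verify("alice", "4711", p1)

    # 2. Replay: attacker captured p1 and the PIN, but the nonce has changed.
    verifier.challenge("alice")
    replay = verifier.verify("alice", "4711", p1)

    # 3. Possession only: right device answer, wrong PIN.
    n3 = verifier.challenge("alice")
    device_only = verifier.verify("alice", "0000", device.prove(n3))

    # 4. Knowledge only: right PIN, proof computed without the device key.
    n4 = verifier.challenge("alice")
    knowledge_only = verifier.verify(
        "alice", "4711", hmac.new(b"guess", n4, hashlib.sha256).digest())

    return {"genuine": genuine, "replay": replay,
            "device_only": device_only, "knowledge_only": knowledge_only}


if __name__ == "__main__":
    print(demo())
```

Only the first attempt succeeds. The replay fails even though the attacker has both the PIN and a previously valid proof, which is exactly what the "changes with each authentication" requirement buys; the two single-factor attempts fail because the verifier accepts nothing short of both factors.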

Certificate

Some means of strong electronic identification are based on certificates. Generally, certificates are needed in identification, encryption and electronic signatures via information networks. A certificate is an electronic attestation, signed by a trusted organisation (the certificate issuer), that binds the identity of the certificate holder to a public key.

Certificates include a public key; the holder is identified by demonstrating control of the corresponding private key, which never leaves the holder. Certificates also contain other data, such as the following:

  • the name of the person or organisation
  • the day of granting the certificate
  • the certificate's last day of validity and
  • a unique serial number.

Provisions on the data content of certificates used for identification are laid down in the Act on Strong Electronic Identification and Electronic Trust Services.
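To make the list above concrete, here is an added example (not NCSC-FI's code, nor that of any identification provider) using Python's third-party `cryptography` package. A hypothetical issuer signs a holder certificate, the fields named above are read back, and a relying party performs the three checks it must make before accepting the certificate: signature under an issuer key it already trusts, validity window, and revocation by serial number. The issuer name, holder name and revocation list are constructed for the example.

```python
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Added example, not NCSC-FI code. Issuer and holder names are hypothetical.


def make_name(common_name: str) -> x509.Name:
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "FI"),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])


def issue(issuer_key, issuer_name, holder_cn, holder_pub, not_before, not_after):
    """The trusted organisation signs the holder's name, public key and validity."""
    return (
        x509.CertificateBuilder()
        .subject_name(make_name(holder_cn))
        .issuer_name(issuer_name)
        .public_key(holder_pub)
        .serial_number(x509.random_serial_number())  # unique within the issuer
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .sign(issuer_key, hashes.SHA256())
    )


def validity(cert):
    """Validity window as aware UTC datetimes, on old and new cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    utc = dt.timezone.utc  # cryptography < 42 returns naive datetimes in UTC
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def describe(cert) -> dict:
    """The data items the text lists: names, dates and serial number."""
    nb, na = validity(cert)
    return {
        "subject": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "issuer": cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "not_before": nb,
        "not_after": na,
        "serial": cert.serial_number,
    }


def check(cert, trusted_issuer_pub, now, revoked_serials) -> str:
    """Relying-party checks; returns 'ok' or the first reason to reject."""
    # 1. The signature must verify under an issuer key we already trust;
    #    the issuer *name* inside the certificate proves nothing by itself.
    try:
        trusted_issuer_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                                  ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad signature"
    # 2. Validity window.
    nb, na = validity(cert)
    if now < nb:
        return "not yet valid"
    if now > na:
        return "expired"
    # 3. Revocation, keyed on the serial number (what a revocation service lists).
    if cert.serial_number in revoked_serials:
        return "revoked"
    return "ok"


def demo() -> dict:
    now = dt.datetime.now(dt.timezone.utc)
    day = dt.timedelta(days=1)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = make_name("Example Issuer CA")  # hypothetical issuer
    holder_pub = ec.generate_private_key(ec.SECP256R1()).public_key()

    good = issue(ca_key, ca_name, "Maija Meikäläinen", holder_pub, now - day, now + 365 * day)
    expired = issue(ca_key, ca_name, "Maija Meikäläinen", holder_pub, now - 400 * day, now - day)
    # Forged: same issuer name, but signed with a key nobody trusts.
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    forged = issue(rogue_key, ca_name, "Maija Meikäläinen", holder_pub, now - day, now + day)

    ca_pub = ca_key.public_key()
    return {
        "good": check(good, ca_pub, now, set()),
        "expired": check(expired, ca_pub, now, set()),
        "forged": check(forged, ca_pub, now, set()),
        "revoked": check(good, ca_pub, now, {good.serial_number}),
        "fields": describe(good),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The order of the checks matters: the signature is verified first, against a key the relying party obtained out of band, so that the name, dates and serial number are only read from a certificate already known to be authentic.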

Trust network

Providers of strong electronic identification services that have submitted a notification in accordance with the Act on Strong Electronic Identification and Electronic Trust Services (617/2009) and meet the requirements of the Act, form a trust network for electronic identification as from 1 May 2017 under the Act.

The aim of the trust network is to allow electronic services to centrally obtain electronic identification from the identification broker service without having to conclude contracts with all identification means providers. The purpose of the network is to facilitate and increase the use of strong identification in electronic services.

Providers of identification services can act in two different roles within the trust network. An identification service provider can provide electronic identification means for end users (identification means provider) or forward identification events to providers of electronic services (identification broker service). An identification means provider may also provide broker services providing identification to electronic services.

In the trust network model, identification means providers have an obligation to make a means available to all registered identification broker services at a price laid down by law. This means that identification means providers must make it possible for broker services to offer the relying party (provider of electronic services) the opportunity to identify their customers using a strong electronic identification means. Brokering is based on bilateral contracts.

Working group for trust network cooperation

On 30 May 2017, the Finnish Communications Regulatory Authority established a cooperation working group for the trust network under the Government decree 169/2016. Only the members of the group are invited to its meetings. In the group, operators can promote co-regulation and the exchange of information among registered identification service providers.

The group discusses matters concerning the national trust network for identification service providers. Members also exchange information on technical and other developments in the sector.

Supervision of identification services

The NCSC-FI at Traficom supervises electronic identification services.

  • The aim of the supervision is to ensure that the provision of identification services is reliable and secure.
  • We monitor that the services meet the requirements set out for them and enter the services in the register.
  • We are also the appellate authority in matters concerning the operations of identification service providers.
  • We are not competent to settle any contractual disputes.

Providers of strong electronic identification services are subject to the following obligations:

  • Notification obligation: An identification service provider based in Finland who intends to offer services must, prior to commencing such services, submit a written notification to Traficom.
  • Audit obligation: Providers of strong electronic identification services must attach to their commencement notification a conformity assessment report. The conformity of their operations must be assessed regularly, and assessment reports are valid for a maximum of two years. 
  • Provision prohibition: If an identification service does not meet the requirements laid down by law, Traficom may prohibit the service provider from offering its identification service as strong electronic identification. 
  • Obligation to notify changes: Identification service providers must notify any changes to the information they have provided in their commencement notification. Traficom must also be notified of the termination of operations or the transfer of operations to another service provider.
  • Obligation to notify disturbances: Service providers must notify Traficom of any significant threats and disturbances concerning the information security and functioning of the service as well as of any corrective action taken.
  • Supervision fees: The commencement notification is subject to a registration fee. Operators entered in the identification service register must pay an annual supervision fee. Provisions on the fees are laid down in section 47 of the Act on Strong Electronic Identification and Electronic Trust Services.
  • Agreement obligation in the trust network: Identification means providers must agree with identification broker services that they can provide to electronic services the identification of customers who use the identification means in question.  

Other supervisory authorities

The Ministry of Transport and Communications is responsible for the general guidance and development of strong electronic identification. The Ministry of Finance is responsible for guiding the provision of electronic services by the public administration. The Digital and Population Data Services Agency is responsible for the Suomi.fi identification used in public services.

The Data Protection Ombudsman supervises compliance with the personal data provisions of the Act on Strong Electronic Identification and Electronic Trust Services. The Financial Supervisory Authority supervises strong identification in accordance with the Payment Services Act. The Finnish Competition and Consumer Authority supervises consumer protection and the effectiveness of the market and competition. If necessary, Traficom and the Data Protection Ombudsman collaborate with the Financial Supervisory Authority and the Finnish Competition and Consumer Authority when performing supervisory tasks.

Register of identification service providers

Traficom maintains a public register of service providers that are based in Finland and provide strong electronic identification, and of the services provided by them.

The register (Excel) includes those identification service providers that 

  • have submitted a notification to Traficom and
  • meet the requirements for strong electronic identification as set out in the Act on Strong Electronic Identification and Electronic Trust Services.

The register includes

  • the service provider’s contact details
  • the contact details of its revocation service
  • a link to the service provider’s identification principles.

Each service provider’s identification principles specify how the service provider in question meets its obligations as referred to in the Act on Strong Electronic Identification and Electronic Trust Services.

The loss or unlawful use of an identification means can be reported to the identification service provider’s revocation service.

In addition to the full identification service register, all qualified operators included in the trust network and the identification means they broker (only own means, own and others’ means, others’ means) can be checked from the file on operators, interfaces and contact information (“Toimijat, rajapinnat ja kontaktitiedot”). The file also contains commercial and technical contact details.

Notifications and payments to Traficom

Providers of strong electronic identification services and trust services based in Finland must submit a written notification to Traficom before commencing their operations.

Under the Act on Strong Electronic Identification and Electronic Trust Services, service providers must also submit notifications on any changes to and disturbances in their services.

For more information on the content of the notifications, please see the Guideline 214/2016 O on electronic identification and trust service notifications. Provisions on the registration and supervision fees payable to Traficom are laid down in section 47 of the Act on Strong Electronic Identification and Electronic Trust Services (External link).

Cross-border identification and the eIDAS Regulation

The EU eIDAS Regulation contains provisions on cross-border electronic identification. National identification means can be notified to the European Commission. If an identification means passes the peer review by other EU countries, it can be used for identification in public sector services in all EU countries. The eIDAS Regulation has also affected the national regulation of identification services.

The eIDAS Regulation entered into force on 1 July 2016. It brought about changes to electronic identification at the national level. The requirements laid down in the Act on Strong Electronic Identification and Electronic Trust Services were amended to correspond to EU legislation. In Finland, two assurance levels are used for identification in accordance with the eIDAS Regulation: substantial and high. The aim is to ensure that it is easy for various parties to apply for EU notification at any stage as long as they meet the requirements set at the national level. Therefore, identification service providers do not have to create different identification solutions for cross-border situations and for national identification.

Identification services that meet national requirements can be found in the register maintained by Traficom. If they wish, providers of identification services at a substantial or high assurance level can apply for EU notification. The notification process and the included peer review by EU countries are governed by the eIDAS Regulation and the European Commission’s implementing acts.

By the autumn of 2018, users of notified identification services should be able to identify themselves in public services across the EU. To put it simply, this means for instance that Swedish identification means notified to the Commission can be used in Finnish public sector services and, correspondingly, notified Finnish identification means are accepted in Swedish public services. The eIDAS Regulation requires public sector bodies to recognise notified identification schemes, but the Regulation does not include provisions on the implementation of, or requirements on, the electronic services and transactions themselves.

Identification events between Finland and other countries will be relayed via a national node administered by the Digital and Population Data Services Agency. Interoperability and security requirements for national nodes are laid down in Commission Implementing Regulation (EU) 2015/1501.

Identification in a foreign public sector e-service using a Finnish identification means takes place via an identification broker service and the national node. Identification in a Finnish public sector e-service takes place via the national node and Suomi.fi.

Cross-border identification in private services

In the first phase, the national node will focus on identification in public sector services and only in the next phase will it be examined whether identification in private electronic services could be implemented.

Because the national node is currently not available to private electronic services, a private service can identify customers who hold foreign identification means only on the basis of an agreement, in the same way as a foreign private service identifies users of Finnish identification means. The reliability of a foreign identification service can be verified through its EU notification, on the basis of the regulation and supervision in the service's home state, if any, or by agreement.

If an identification service belonging to the trust network wishes to broker strong identification in foreign services, the same requirements for the interface and the contractual relationship between the identification broker service and the electronic service apply as in the case of domestic electronic services. It must also meet the requirements set for identification broker services in Regulation 72 issued by the Finnish Communications Regulatory Authority.

Legislation and other documents on strong electronic identification

Below you will find legislation, regulations and other documents concerning electronic identification, including supervision decisions, recommendations, explanatory memoranda, guidelines and publications.

Legislation

  • Commission Implementing Regulation (EU) 2015/1502 (External link) on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (“Assurance Level Regulation”)

Legislation – cross-border identification

  • REGULATION (EU) No 910/2014 (External link) OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (“eIDAS Regulation”)
    • Commission Implementing Decision (EU) 2015/296 (External link) establishing procedural arrangements for cooperation between Member States on electronic identification pursuant to Article 12(7) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (“Cooperation Network Decision”)
    • Commission Implementing Regulation (EU) 2015/1501 (External link) on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (“Interoperability Regulation”)
    • Commission Implementing Regulation (EU) 2015/1502 (External link) on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (“Assurance Level Regulation”)
    • Commission Implementing Decision (EU) 2015/1984 (External link) defining the circumstances, formats and procedures of notification pursuant to Article 9(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (“Notification Procedure Decision”)

Guidelines and recommendations
