The objective of regulation and the NCSC-FI’s steering and supervision activities is to ensure that communications networks and services are reliable and sufficiently resilient. Another basic goal is to ensure that disturbances can be quickly detected and fixed. This is why preparedness is important: it helps resume normal operations.
Overall, the requirements concern the following themes:
- Functionality: the ability of systems to operate in accordance with relevant expectations and specifications.
- Resilience: technical measures to prevent defects and failures in individual parts of communications networks and services from affecting the operability of networks and services provided to end users.
- Preparedness: advance preparations and measures designed to ensure that activities can be carried out with minimum disturbance under all conditions. Preparedness involves assessing risks that could compromise the continuity of operations and, based on the assessment, planning and implementing measures to ensure continuity.
- Management of disturbance: preventing, observing, mitigating and eliminating events that may disturb the operability and information security of communications networks and services and recovering from such events.
Under the law, public communications networks and communications services and the communications networks and services connected to them must be planned, built and maintained in such a manner that:
- the technical quality of electronic communications is of a high standard
- the networks and services withstand normal, foreseeable climatic, mechanical, electromagnetic and other external disturbance
- their reliability can be monitored
- defects and disruptions that significantly interrupt their functionality can be detected
- access to emergency services is secured as reliably as possible even in the event of network disruptions
- they function as reliably as possible even in the exceptional circumstances referred to in the Emergency Powers Act and in disruptive situations under normal circumstances.
The requirements on service quality must be commensurate with the number of users of the communications networks and services, the geographical area served and their significance to the users.
Under the law, if a communications network, service or device creates serious economic or operational hindrance to other communications networks, services or connected services, devices, users or other persons, the telecommunications operator or the owner or holder of the communications network or device must take immediate measures to correct the situation and, if necessary, disconnect the communications network, service or device from the public communications network.
The NCSC-FI at Traficom has specified the above-mentioned legal requirements with several technical regulations:
- Regulation on the technical implementation and ensuring of emergency traffic
- Regulation on the technical characteristics of metallic local loops and network equipment connected to them
- Regulation on electrical protection of communications networks
- Regulation on resilience of communications networks and services and of synchronisation of communications networks
- Regulation on disturbances in telecommunications services.
Regulations issued by the Finnish Transport and Communications Agency Traficom specify in further detail the provisions of acts, and they are legally binding on operators. Legislation and regulations apply to telecommunications operators under normal circumstances, in disruptive situations under normal circumstances and under exceptional circumstances.
In addition to legally binding provisions, the NCSC-FI has also issued numerous recommendations on the reliability and resilience of communications networks and services as well as on preparedness and the management of disturbances.
Disturbance management means observation, fixing issues and learning
Despite the requirements of resilience and preparedness, all communications networks and services sometimes experience faults and defects.
Traficom’s Regulation 66 on disturbances in telecommunications services requires telecommunications operators, among other things, to detect and manage disturbances. In practice, this means monitoring the networks and services. The Regulation requires that:
- telecommunications operators constantly monitor their communications networks and services to detect and prevent events that may disturb or threaten their functionality
- telecommunications operators have appropriate and documented systems and procedures for the reception and analysis of internal and external disturbance notifications, software alerts, hardware alerts, device status alerts and other communications network or service monitoring notifications
- telecommunications operators prepare and maintain documented instructions for procedures on how to address events that disturb or threaten the functionality of communications networks or services and for minimising their impact and removing them without undue delay.
Disturbance notifications support oversight and users’ access to information
Telecommunications operators must notify the NCSC-FI without undue delay of significant incidents or threats to their services that prevent or interfere with communication services. Telecommunications operators must also inform subscribers and users about any significant disturbances in communication networks or services. The NCSC-FI’s Regulation 66 has extended the scope of the notification obligations laid down by law. The requirements aim to improve access to information in the event of disturbances.
Based on disturbance notifications and final reports, the NCSC-FI compiles a situational picture of the status of Finnish communications networks and services. We convey information on situational awareness to central government organisations and, for example, regularly publish statistics, reviews and case-specific notices on disturbances.
However, the regulation that the NCSC-FI supervises does not specifically lay down obligations binding telecommunications operators with respect to the maximum number or duration of disturbances. Under the law, the NCSC-FI does not have powers to impose such obligations, and we cannot require operators to fix faulty services within a specific time. Instead, we supervise that telecommunications operators have the technical means and capability to detect and fix disturbances.
Reliability regulation balances expectations and preconditions
The reliability requirements concerning resilience and preparedness are necessary to ensure the operability of widely used communications services (e.g. mobile communications services) even in the event of a disturbance. Evaluating the reliability of communications services is particularly difficult for consumers. The marketing of these services is mainly based on price, and price is also often the determining factor in consumer decisions on purchasing services. Consumers still have the right to expect that the communications services they have purchased function well and are of high technical standard. Because consumers have practically no opportunity to influence the reliability of the communications services they purchase, reliability must be ensured by means of legislation.
It should also be noted that meeting the requirements of functionality, resilience and preparedness incurs costs that influence the price end users have to pay for communications services.
Therefore, it is important to find a balance between these two aspects when determining how strict requirements should be. The definition of technical requirements always involves weighing several factors and consulting the industry. In practice, the requirements reflect an overall assessment of expectations, preconditions and consequences. The NCSC-FI continuously monitors technical developments that help ensure the functionality of communications networks and services and assesses the need and opportunities to amend regulations and recommendations.
The NCSC-FI cooperates with various players at national and international level to ensure that communications networks and services are free from disturbances.
For example, we head the disturbance cooperation working group (HÄTY) that serves as a cooperation forum for telecommunications operators, electricity companies, contractors and the authorities, helping them prepare for different disturbances.
We also cooperate with our Nordic counterparts in the Nordic Network and Information Security group, the Nordic NIS. In practice, the agencies in the group exchange information on different disturbances and on preparing for them as well as gather and share lessons learned from the development and enforcement of regulation.
At the European level, similar work is carried out in the working group for telecommunications authorities established by the European Network and Information Security Agency (ENISA). The objective of the group is to help the European Union and its member states become better prepared to prevent, fight off and address network and information security issues. As part of this work, we submit to the European Commission and ENISA annual summary reports of the disturbance notifications we receive from telecommunications operators. The NCSC-FI has also appointed a National Liaison Officer (NLO) who acts as a point of contact between ENISA and Finland and represents Finland as an alternate member on the ENISA Management Board (the primary representative is from the Ministry of Transport and Communications).