Front Page: NCSC-FI

How we regulate

We coordinate and monitor provisions on information security, non-interference and confidential communications. We draft regulations, recommendations and reports on these subjects while registering and monitoring related operators. We also support information sharing between the operators. Our guiding principles are cooperation, transparency, reliability and fairness.

Prior guidance and efficient monitoring

We focus on proactive and high-impact guidance to support the operational possibilities of businesses. Our guidance includes:

  • advice to businesses and their customers
  • national and international stakeholder cooperation
  • supporting co-regulation and self-regulation
  • drafting regulations that specify obligations laid down by law
  • preparing guidelines and recommendations
  • studies, reports, publications
  • monitoring the development in the sector.

We monitor compliance with legislation to:

  • identify any problems in time to prevent them
  • settle matters in cooperation with operators while ensuring confidentiality of information
  • adjust our measures to be as effective as possible with the broadest impact possible
  • avoid unnecessary court proceedings by acting flexibly
  • invest in steering and supervision of basic services
  • issue, whenever necessary, a written decision which may be appealed to an administrative court.

Our monitoring includes:

  • reports and surveys
  • collecting monitoring statistics
  • inviting and handling incident reports
  • conformity assessment and registration
  • supervisory decisions on complaints, disputes or other matters
  • inspection visits.

Information about business secrets and the security arrangements of data and communications systems, such as the location of important network components and the technical causes of disturbances, that has been gained through monitoring must be kept secret under section 24 of the Act on the Openness of Government Activities.

Guidance and monitoring may be regular or case-specific and it may concern a large group of operators or a single operator. We react to changes in legislation, markets and technology, discoveries made in stakeholder cooperation, needs of the parties subject to supervision and related conflicts, complaints, and other enquiries by customers.

Guidance

Legislative assistance to businesses and their customers

When service providers subject to the NCSC-FI’s supervision or their customers contact us or have questions, the first step is to provide advice. We provide advice online and by email, post or phone on matters that, according to law, are subject to the NCSC-FI’s supervision. In other matters, we advise customers to contact the appropriate authority. We cooperate with other authorities to resolve customers' problems and provide the advice they need.

We also provide advice to customers subject to our supervision with regard to compliance with and application of provisions and good practices. We provide both oral and written advice in working groups, seminars and other events, as well as individually. However, we do not give consultative advice to businesses regarding their operations or how they could be conducted.

National and international cooperation

The NCSC-FI takes an active part in national and international cooperation in the field. We also participate in public dialogue and communicate openly and proactively about our decisions and guidelines.

National cooperation helps us react to changes in the operating environment and provides information. Through cooperation, national knowledge and expertise can be shared and included in the preparation of different matters. At the same time, operators get to have a say in matters affecting their operation. By listening to our stakeholders, we can take the wishes, interests and views of operators and service users into account in our decisions.

Besides taking part in the dialogue, seminars and official cooperation platforms in the field, we also support national cooperation by establishing working groups. Some working groups are established for a specific task while others are permanent. The working groups provide advice and collect expertise. They are not decision-making bodies. Depending on their purpose, the working groups may include representatives of telecommunications operators, telecommunications industry, user groups and other cooperation organisations.

When a new working group is established, we will make the information broadly available to stakeholders. Interested parties can join the working group at a later stage, too.

National cooperation also includes a wide range of joint projects aimed at encouraging progress and developing processes in the field together with other operators.

The NCSC-FI participates in international cooperation both at the European and global level. Forums for international cooperation include official working groups established for the implementation of EU Directives or Regulations, and unofficial groups of supervisory authorities. We also actively exchange information with authorities in the Nordic and Baltic countries, in particular.

Co-regulation and self-regulation

Promoting co-regulation and self-regulation is a part of national cooperation.

Co-regulation or self-regulation can either replace or complement regulation based on legislation or official requirements.

  • Co-regulation is usually a combination of legislation and self-regulation. Co-regulation means trying to reach the objectives laid down by law in cooperation with private operators using their own processes. In goal-oriented co-regulation, the authority sets the objectives and leaves the details of the implementation to be decided by the subjects to the regulation.
  • Self-regulation means processes, codes of conduct, guidelines or voluntary agreements adopted by private sector operators amongst themselves and for themselves to steer and organise their operation. Besides codes of conduct, efficient self-regulation includes a monitoring system with sanctions and a mechanism for dispute resolution.

Conditions for co-regulation

Based on the study, Traficom considers that:

  • the most appropriate and viable model is goal-oriented co-regulation, where the authority sets the goals together with the operators in the field
  • the subject must be sufficiently technical and neutral from a competition point of view
  • the preparation process must be fair and open
  • monitoring and sanctions belong more appropriately to the authority than businesses
  • appropriate indirect monitoring methods include public commitment to co-regulation and, depending on the subject, publication of related measures
  • the organisations involved in co-regulation are ultimately responsible for ensuring that requirements laid down by competition law are not infringed.

Regulations specifying legal provisions

It is not practical to include detailed provisions on constantly changing technical matters in legislation. Therefore, Traficom has been authorised to issue technical regulations that specify the law. These regulations are legally binding and they apply to operations or operators in general, not to individual operators.

The NCSC-FI drafts the regulations related to its sector. Regulations are issued on matters that are considered to require legislation to be truly effective. In practice, regulations are mainly prepared by working groups established by the NCSC-FI in cooperation with stakeholders.


Guidelines and recommendations

The NCSC-FI publishes guidelines and recommendations on subjects in its field. Unlike regulations, these documents are not legally binding. The guidelines and recommendations provide information on best practices to operators subject to our supervision, their customers and other stakeholders.

We draft the recommendations and guidelines independently or in cooperation with operators in the field. Recommendations and guidelines may be published either as single documents or they may be included in other publications. Recommendations published as single documents are typically longer, whereas recommendations included in other documents are usually brief and more specific.

Studies, reports and publications

The NCSC-FI drafts studies, reports and reviews on subjects in its field either independently or in cooperation with stakeholders. Sometimes they can be ordered from third parties.

In practice, reviews, reports and other publications usually outline a state of affairs or a trend. Publications may also contain a preliminary study for a future regulation or recommendation.

Monitoring of development

The NCSC-FI monitors the technical and legislative development in its field, that is, information security and operational reliability. We need to be aware of developments in the field to be able to perform our steering and supervision duties.

Monitoring

Reports and surveys

The NCSC-FI sends written surveys to businesses and organisations subject to its supervision either regularly or as necessary to see how they meet the requirements laid down by law and regulations in their operations. The surveys are very detailed and they usually concern specific areas and certain operator groups.

Based on the responses, we can provide businesses with general information on best practices, oblige them to repair any defects, adjust supervision and guidance, assess needs to amend regulations, and produce public information on networks and services.

Collecting monitoring statistics

Provisions falling within the scope of our supervision, such as Traficom's technical regulations, oblige operators to collect and compile statistics. For example, telecommunications operators must prepare statistics on the repair times of functionality disturbances. We collect these statistics regularly in order to create an overview of networks and services.

Incident reports

Under law, several operators are obliged to report any disturbances, information security violations or threats to information security to an authority.

Besides these statutory incident reports, other operators also send the NCSC-FI reports about violations of and threats to information security, as well as performance incidents.

Based on the reports, we compile a situation picture on the performance and information security of communications networks and services, digital services and other services subject to our supervision. We use the reported information to prevent similar incidents in the future and to monitor compliance with current provisions.

The reporting obligation applies to, for example, the following cases:

  • Telecommunications operators and digital service providers referred to in the NIS Directive must notify Traficom, or in practice the NCSC-FI, of significant information security violations or threats to information security in their services (information security incidents).
  • Telecommunications operators must also report other events that prevent or significantly interfere with communication services (functionality incidents).
  • Moreover, legislation obliges telecommunications operators to notify subscribers and users of any information security or functionality incidents.
  • Providers of strong electronic identification services must report any significant incidents.
  • Electronic trust services (both qualified and non-qualified eIDAS trust services) must report significant incidents.

Conformity assessment and registration

Prior to commencing services, providers of strong electronic identification services and providers of qualified trust services referred to in the EU eIDAS Regulation must submit a notification of their intention and a report of fulfilling the requirements.

The NCSC-FI verifies that the operations fulfill relevant requirements and registers the services.

Supervisory decisions on complaints, disputes or other matters

The NCSC-FI at Traficom is the appellate authority in several matters. If a problem cannot be settled by means of guidance or negotiations, Traficom settles the matter in an administrative procedure and issues a decision open to appeal.

Such a decision may be required, for example, if an operator subject to regulation has neglected or violated provisions and fails to correct its actions, or if a party needs a decision due to conflicting interests or differences in interpretation.

The NCSC-FI may investigate the actions of businesses and organisations subject to its supervision on its own initiative, on request by the Ministry of Transport and Communications, or on the basis of a complaint.

The NCSC-FI can only settle matters in which it is competent to do so under law. In other matters, the NCSC-FI advises the customer to contact a competent authority or transfers the matter to the appropriate authority.

Under the Administrative Procedure Act, complaints, disputes or other matters are usually settled by hearing all parties involved in writing. Oral reports and inspections are also possible.

Traficom issues a reasoned written decision on the compliance of the examined operations, and obliges, if necessary, the party violating or neglecting the provisions to rectify the situation. To support the decision, a conditional fine, a threat of termination or a threat of completion may be imposed.

Appeal directions are attached to the decision. The directions provide information on the court to which the decision can be appealed. Traficom’s decisions are appealed, depending on the case, either to the Administrative Court, the Supreme Administrative Court, or the Market Court. Traficom's decisions concerning technical operability and information security may be appealed to the Administrative Court. The decision must be complied with despite any appeal unless the Administrative Court orders otherwise.

The NCSC-FI cannot oblige in its decision that the technical operability of an individual customer's communications service is repaired within a certain period. The decision only verifies whether the operations of a telecommunications operator have complied with relevant provisions. However, a customer may be entitled to a standard compensation or some other kind of compensation due to a violation of contract. Disputes concerning compensations are settled by a general court of law. Consumers can also contact the Consumer Disputes Board.

Cases when the NCSC-FI can issue binding decisions to rectify actions to achieve compliance with statutory requirements include:

  • maintenance and ensuring of the technical operability and information security of a telecommunications operator's communications network or communications service
  • processing principles of traffic data and messages
  • cost reimbursement to a telecommunications operator for implementing official requirements in a communications network (telecommunications interception and monitoring)
  • fulfilling the reliability requirements of strong electronic identification or qualified trust services, and if necessary, revocation of registration
  • fulfilling the agreement obligation in a trust network for strong electronic identification.

Inspections

The NCSC-FI may perform inspections related to technical reliability, information security and other regulated reliability to obtain more precise and valid data on the matter than can usually be obtained through written reports. The purpose of technical inspections is to ensure that services are implemented as required by provisions monitored by the NCSC-FI. An inspection can be a general inspection or it can focus on a specific subject. If necessary, an inspection can also be carried out in order to resolve a single complaint. Both actual systems used for service provision and the systems supporting the provision may be inspected.

The inspected parties can also receive guidance from the NCSC-FI and give feedback on how provisions are applied in practice. The right of access and its preconditions are always laid down by law, and an inspection is carried out to monitor statutory obligations.

In practice, inspections are agreed on in advance, unless doing so would compromise the purpose of the inspection. The party subject to the inspection may also have to submit some preliminary reports. The inspection can concern equipment, systems, equipment facilities or documents. Inspections on operational reliability and information security cannot be performed in facilities governed by the provisions on domiciliary peace. The general outlines of the inspection process are laid down in the Administrative Procedure Act.

A record, report or other document is drawn up of the inspection. The inspected party is entitled to check the document in question. On the basis of the inspection report, the NCSC-FI can, if necessary, issue decisions on rectification obligations, prohibition decisions or other decisions.

The NCSC-FI at Traficom may perform, for example:

  • a technical or safety inspection on the operations or equipment facilities of a telecommunications operator
  • an inspection on strong electronic identification service providers, trust service providers, and their services
  • an inspection on an assessment body referred to in the Act on Strong Electronic Identification and Electronic Trust Services.

The NCSC-FI may have the safety inspection referred to in the Act on Electronic Communications Services performed by an independent expert of its choice.