Information security

Legislation contains obligations for different types of operators to ensure the security of their networks and services, as well as rights related its implementation. Information security provisions apply to telecommunications operators, communications providers, corporate or association subscribers, domain name registrars and digital services referred to in the NIS Directive, which include cloud services, online marketplaces and search engines. The Act on Electronic Communications Services contains most of the provisions, and Traficom regulations specify these provisions. We guide and monitor compliance with information security obligations.

Information security means the administrative and technical measures taken to ensure

  • confidentiality of data, which means that the data is only accessible by those who are entitled to use it,
  • integrity of data, which means that the data can only be modified by those who are entitled to do so, and
  • availability of data, which means that the data and information systems can be used by those who are entitled to use them.

Digital service providers' obligations

This page describes the security-related rights and obligations of telecommunications operators, corporate or association subscribers and other communications providers as well as their customers, or the subscribers. Obligations of digital service providers referred to in the NIS Directive are listed on the Digital services and infrastructure page.

Rights and obligations of telecommunications operators, corporate or association subscribers, and other communications providers

In the Act on Electronic Communications Services, a communications provider is defined as a telecommunications operator, corporate or association subscriber, or other party that conveys electronic communications. Each of the above must ensure the information security of their services, messages, traffic data and location data when transmitting electronic messages. The obligations of a corporate or association subscriber have been limited to only cover the processing of users’ messages, traffic data or location data.

Security measures must be in line with the severity of threats, level of technical development to defend against the threat and costs incurred by these measures.

The Act authorises the NCSC-FI at Traficom to issue further regulations on the information security obligations applicable to all communications providers and on incident reports by telecommunications operators. Traficom's regulations are legally binding on operators. They apply to telecommunications operators under normal circumstances, in disruptive situations under normal circumstances and under exceptional circumstances.

Planning and maintenance obligation

Under the Act, public communications networks and services, which mean telecommunications operators’ networks and services, as well as the communications networks and services connected to them shall be planned, built and maintained in such a manner that:

  • the technical quality of electronic communications is of a high standard and information security is ensured,
  • the networks and services withstand normal, foreseeable climatic, mechanical, electromagnetic and other external interference as well as information security threats,
  • significant information security violations and threats against them and other defects and disruptions that significantly affect their performance can be detected,
  • the data protection, information security and other rights of users and other persons are not endangered,
  • the networks and services do not cause unreasonable electromagnetic or other interference or information security threats.

The measures must take into account

  • security of operations,
  • security of communications,
  • security of hardware and software, and
  • security of information material.

Rights related to maintenance and management of security threats and incidents

All security measures must be implemented with care, and they must be in line with the severity of the mitigated incident. The measures must not limit freedom of speech, the confidentiality of a message or the protection of privacy any more than is necessary for the purpose of safeguarding information security. The measures must be discontinued if the conditions for them specified in legislation no longer exist.

Under the Act, communications providers or parties acting on their behalf have the right to undertake necessary measures for ensuring information security:

  1. in order to detect, prevent, investigate and commit to pre-trial investigation any disruptions in information security of communications networks or related services;
  2. in order to safeguard the possibilities of the sender or recipient of the message for communications; or
  3. in order to prevent preparations of means of payment fraud referred to in Chapter 37(11) of the Criminal Code planned to be implemented on a wide scale via communications services.

The necessary measures referred to in the Act may include:

  1. automatic analysis of message content;
  2. automatic prevention or limitation of message transmission or reception;
  3. automatic removal of malicious software that poses a threat to information security from messages; and
  4. any other comparable technical measures in the meaning of subsections 1–3.

If a communications network, service or device creates serious economic or operational hindrance to other communications networks, services or connected services, device, the user or other person, the telecommunications operator or owner or holder of the communications network or device shall take immediate measures to correct the situation and, if necessary, disconnect the communications network, service or device.

Regulation on information security in telecommunications operations

Traficom has issued technical regulation 67 on information security in telecommunications operations. Regulation 67 contains provisions on:

  • information security measures in all telecommunications operator's communications networks and services,
  • specific information security requirements for interfaces,
  • specific requirements for internet access services,
  • specific requirements for email services, and
  • informing customers about information security issues.

Incident reports in telecommunications services and related Regulation

Under the Act on Electronic Communications Services, the telecommunications operator must notify Traficom, or in practice the NCSC-FI, immediately of significant information security violations or threats to information security in its services. The telecommunications operator shall also notify subscribers and users of such incidents.

Traficom has issued technical regulation 66 on disturbances in telecommunications services (External link), which specifies the telecommunications operator's obligations to notify information security violations or related threats to users and Traficom.

In addition, telecommunications operators shall notify Traficom as well as subscribers and individuals concerned of any personal data breaches. This notification obligation is laid down in Commission Regulation (EU) No 611/2013 (External link).

A telecommunications operator can submit such notifications to the NCSC-FI via our e-services.

NCSC-FI recommendations and guidance

Besides binding regulations, the NCSC-FI has issued multiple recommendations on the security of communications networks and services intended to telecommunications operators, in particular. The NCSC-FI also publishes statistics and notices on current information security phenomena and threats, as well as guidance on related protection and recovery.

Rights and obligations of the customer or the subscriber

A subscriber, or a legal or natural person who is party to an agreement concerning the provision of a communications service or an added value service for a purpose other than telecommunications operations, has the right to request secure networks and services from telecommunications operators. However, the Act also provides that a subscriber shall maintain equipment or a system to be connected to a public communications network in accordance with instructions from the telecommunications operator so as not to endanger the information security of the public communications network or service.

In other words, a subscriber must ensure the information security of its own equipment. Both telecommunications operators and device manufacturers provide instructions and guidance for this purpose. Moreover, the NCSC-FI publishes alerts and notices on current information security threats and related protection and recovery.

Registrars' rights and obligations

Under the Act on Electronic Communications Services, a domain name registrar means an operator who has made a domain name notification.

Domain Name Regulation

Traficom has issued technical regulation 68 on domain name services (External link).

The Domain Name Regulation applies to domain names that end with fi or ax and to the registration and management of such names. Besides other obligations, Regulation 68 contains provisions on registrars’ information security obligations. They include:

  • specific security requirements for an EPP (Extensible Provisioning Protocol) interface of the fi-domain name register
  • registrars’ information security management
  • reporting security incidents, i.e. situations that disturb or threaten performance or information security, to the authority administrating the domain name register.

Read more about registrars’ obligations in the Registrar's guide (External link).