Scope of regulation

We at the National Cyber Security Centre Finland (NCSC-FI) at the Finnish Transport and Communications Agency Traficom steer and supervise compliance with the provisions and regulations that apply to our field of activity. We supervise many kinds of activities, and this page explains how we interpret the rules and legislation governing our sector and which activities are governed by the regulation we work with. Examples include telecommunications and other transmission of communications, digital services under the NIS 2 Directive, strong electronic identification and eIDAS electronic trust services.

Questions of interpretation often arise about whether a company’s or an organisation’s service or a part of it is to be considered as an activity steered and supervised by the NCSC-FI. The following table lists activities regulated by law, including practical examples. Further below, you will find more specific descriptions of interpretative practice concerning different activities within the scope of the regulation we supervise.

Regulation defines different roles for operators, and it is important to identify the roles individual operators have in practice. For the most part, the regulation discussed here only concerns specific activities. However, certain operators may have several roles governed by regulation. Each activity is assessed separately.

The following presents different activities governed by the regulation we supervise and discusses established interpretative practice.

Scope of regulation
Activity defined in law (relevant act in brackets)	Practical examples of operators
telecommunications (Act on Electronic Communications Services 917/2014)	traditional telecommunications operators, such as providers of telephone and broadband services television and radio network providers several commercial and non-commercial providers of communications networks and communications services which have not traditionally been perceived as telecommunications operators, for example services provided over the internet (over-the-top or OTT services) and WLAN networks that are provided to a set of users not subject to any prior restriction digital infrastructure providers under the NIS 2 Directive, i.e. exchange point providers and DNS service providers when domain name service is provided as part of internet access service
internal networks in properties (Act on Electronic Communications Services)	Housing companies and other holders of internal communications networks in real estate buildings.
dedicated network operator (Act on Electronic Communications Services, section 244 a, subsection 2)	Owner or holder of a critical dedicated network critical dedicated networks mean dedicated networks of operators essential to vital functions of society that are connected to a public communications network; these operators include nuclear power plants, ports and airports, for example see the Traficom Regulation on critical parts of a communications network
corporate subscriber (Act on Electronic Communications Services)	Telecommunications operators’ corporate or organisation customers that process their customers' or their own traffic data
other conveyance of communications (Act on Electronic Communications Services)	In addition to telecommunications operators and corporate subscribers communications providers mean other parties that convey electronic communications as a third party with regard to the parties to the communications
cookies (Act on Electronic Communications Services, section 205)	Service provider that saves cookies or other data on the use of an electronic service on a user’s terminal device or uses such data see Traficom’s cookie guidance
digital service (Cybersecurity Act, Annex II, section 2)	Digital service providers in accordance with the Cybersecurity Act issued under the NIS 2 Directive, i.e. online marketplaces online search engines social networking services platforms
digital infrastructure (Cybersecurity Act, Annex I, section 6)	Digital infrastructure providers in accordance with the Cybersecurity Act issued under the NIS 2 Directive, i.e. internet exchange points top-level domain (TLD) name registries cloud computing services data centre services content delivery networks DNS service providers (see Domain Name team) trust services (see trust service) public electronic communications networks (see telecommunications) publicly available electronic communications services (see telecommunications)
ICT service management (Cybersecurity Act, Annex I, section 7)	ICT service management providers in accordance with the Cybersecurity Act issued under the NIS 2 Directive, i.e. managed services managed security services
research organisations (Cybersecurity Act, Annex II, section 5)	Research organisations in accordance with the Cybersecurity Act issued under the NIS 2 Directive, i.e. research organisations that have as their primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, but that are not educational institutions in practice, VTT Technical Research Centre of Finland Ltd
public administration (Information Management Act, section 3)	Public administration organisation under the NIS 2 Directive, i.e. central government organisations wellbeing services counties
associated services and associated facilities (Act on Electronic Communications Services)	For example, providers of the following associated services or associated facilities related to an electronic communications network and/or an electronic communications service: conditional access system electronic programme guide (EPG) number translation system identification, location and presence service and similar service associated with communications networks or services that enables the provision of a communications network or service or supports the provision of services via them buildings, entries to buildings and building wiring, ducts, masts and other physical structures, facilities or elements associated with a communications network or service that enable the provision of a communications network or service or support the provision of services via them
strong electronic identification (Act on Strong Electronic Identification and Electronic Trust Services)	Registered providers of strong electronic identification means identification broker service
trust service (eIDAS Regulation (EU) 910/2014)	Qualified and non-qualified trust service providers under the eIDAS Regulation: certificate, validation service or preservation service for electronic seals or electronic signatures certificate for website authentication electronic time stamp electronic registered delivery service

ACTIVITIES THAT WE DO NOT SUPERVISE

The NCSC-FI does not supervise the content or marketing of communications or, as a rule, the provision of public authority networks or public authority communications services. Because the set of users using public authority networks or public authority communications services is subject to prior restriction, these networks and services are not considered public telecommunications. Public authority networks and public authority communications services may be incorporated into telecommunications operators' public communications networks. If so, they must not cause operability or information security disturbances in a public communications network.

Telecommunications and telecommunications operators

The NCSC-FI supervises compliance with information security and functionality requirements in telecommunications operations, preparedness for interference and exceptional circumstances, the obligations to provide assistance to emergency services and police authorities as well as the confidentiality of electronic communications and traffic data.

Telecommunications regulation is applied to operations and services if they fulfil the characteristics of the definitions concerning telecommunications given in the Act on Electronic Communications Services.

More information on the obligation to submit a telecommunications notification is available here.

For telecommunications, key terms defined in legislation include ‘telecommunications operator’, ‘communications service’ and ‘network service’:

Telecommunications operator means a network operator or a communications service operator offering services to a set of users that is not subject to any prior restriction, i.e. provides public telecommunications services.
Communications service means
- a service consisting either wholly or mainly of the conveyance of communications in a communications network (e.g. internet access service),
- a transmission and broadcasting service in a mass communications network and
- an interpersonal communications service.
Network service means a service where a telecommunications operator (network operator) provides a communications network in its ownership or for other reasons in its possession for the purposes of transmitting or distributing communications.
- Communications network means a system comprising interconnected wires and devices for the purpose of transmitting or distributing communications by wire, radio, optical or other electromagnetic means.
- Public communications network means a communications network used to provide communications services to a set of users that is not subject to any prior restriction.

At the beginning of 2021, the definition of communications services was extended to include interpersonal communications services, including number-independent interpersonal communications services. These concepts are based on the European Electronic Communications Code established by the Telecoms Package Directive (EU) 2018/1972. An interpersonal communications service means a service that enables interactive targeted communications via a communications network between a set of persons determined by the persons participating in the communication. Examples of these services include traditional voice calls and emails but also instant messaging services.

A number-independent interpersonal communications service means an interpersonal communications service that does not connect with a number or numbers in national or international numbering plans. Examples of these services include voice, video, video conference and instant messaging services and email services provided via the internet. These services are not based on numbering like traditional call and voice communications services and SMS services. The service provider does not necessarily have to participate in the transmission of communications. Instead, the service may be implemented based on peer-to-peer communication, for example. The matter is discussed in more detailed in the rationale for amending the Act on Electronic Communications Services: Government proposal HE 98/2020, p. 174–176 (in Finnish).

Telecommunications operators that only provide number-independent interpersonal communications services do not have to submit a telecommunications notification or pay the information society fee. These operators also have lighter obligations with respect to users’ rights.

Telecommunications does not cover, for example, the following:

in interpersonal communications, minor ancillary features to other services, such as communication channels in online games (see recital 17 of Directive (EU) 2018/1972)
content services, such as websites, blogs, discussion forums or streaming and video-on-demand services (VoD)
provision of hardware or software, online recording services of programmes, pay-TV packages or pay-TV cards
surveillance or alarm services provided via telecommunications connections (e.g. in nursing and security services).

Public telecommunications means the provision of electronic communications services to a set of users that is not subject to any prior restriction.

Examples of services that have been interpreted as having a set of users that is not subject to any prior restriction:

Application-bound communications services are typical for example in voice and instant messaging services provided on the internet. Similarly to other services, users can freely acquire the required applications.
Communications services independent of the provider of the mobile network or internet access services, such as instant messaging or email.
Communications services of network communities and the social media, in which becoming a member is unrestricted to the extent that the membership cannot solely be regarded as prior restriction of a set of users.
WLAN networks that offer internet access services to a set of users that is not subject to any prior restriction. Regionally, they can be located in a very restricted area, but if the set of users using them is unspecified, geographic coverage alone does not make the set of users subject to prior restriction.

Traficom has interpreted the concept of ‘a set of users subject to prior restriction’ restrictively in its supervision activities.

The rationale for the Act on Electronic Services, formerly known as the Information Society Code, (HE 221/2013, the detailed rationale for the definition of a telecommunications operator in section 3) states that, when assessing whether a set of users is subject to any prior restriction or not, the following aspects, among others, must be taken into account:

nature of the network and service
extent of the network and set of users and
the restrictive aspect of the requirements for becoming a user.

The fact that a communications service only functions with a certain application or on a certain terminal device or that a network or service is only available in a certain geographic area does not solely make the service in question a service for a set of users subject to prior restriction.

Examples of a set of users subject to prior restriction:

services provided by a company to its employees or by a school to its students
internal communications services used by taxi centres and taxis
a communications service that is provided by a café or a hotel to its customers; even though the service is used by an unspecified set of customers, the set of user is so small that, as a whole, the provision of the service cannot usually be regarded as public telecommunications.

However, employers, housing companies, schools, hotels or other similar operators that provide communications services to their users may be subject to regulation concerning corporate subscribers or other communications providers (see below).

The interpretation of a network service is not as established as the interpretation of a communications service. Traficom has provided guidance concerning the interpretation of a network operator and network service to different communal and local actors who construct, for example, fibre networks, as well as in some implementations involving several actors.

As a rule, the mere construction or ownership of a communications network is not considered to be public telecommunications. The operations become telecommunications when the network is provided or used for transmitting public communications services. In its guidance, Traficom's starting point has been to assess which company (or companies) administrates the network and has the power to decide to whom the network is provided. It is not relevant how many telecommunications operators (service operators) operate in the network.

The regulation of telecommunications is technology neutral. It applies to targeted communications such as telephone, text message, broadband and email services and to mass communications such as cable television, IPTV, terrestrial television and radio services.

In mass communications networks, telecommunications means, for example, the maintenance and provision of terrestrial, cable and IPTV networks and the provision of cable or IPTV subscriptions. The technical transmission of programme stream and telecommunications include, for example, the synchronisation of sound and picture, as well as the transmission of the information on teletext television and in the electronic programme guide (EPG).

Public telecommunications can be subject to charge or free of charge. Operators other than commercial operators can also be telecommunications operators within the meaning of the Act on Electronic Communications Services because the law does not require public telecommunications to be provided against payment. This means that regulation concerning telecommunications operators may also apply to cities, other non-commercial operators and services provided free of charge on the internet, for example.

Corporate subscribers

According to the Act on Electronic Communications Services, corporate subscriber means an undertaking or organisation that subscribes to a communications service or a value-added service and processes users’ communications, traffic data or location data in its communications network.

Examples of corporate subscribers include sole traders, cooperatives, limited liability companies, associations, educational institutions and government agencies. A corporate subscriber can be, for example, an undertaking that acquires and provides telephone and broadband subscriptions for its employees and a WLAN connection for those who visit the premises, and processes identification data in its internal network, i.e. information associated with a legal or natural person used to transmit communications. Residents of housing companies sharing a subscriber connection can also be corporate subscribers. Families are not considered corporate subscribers even if a family has an internal communications network (WLAN network) at home and the family members use it for example to surf online via a shared broadband connection.

Corporate subscribers’ obligations regarding functionality, information security, protection of confidential communications, and on the other hand, their rights to process traffic data are regulated by the Act on Electronic Communications Services. The NCSC-FI at Traficom supervises compliance with these provisions. Under the Act, Traficom is also authorised to issue certain technical regulations that specify the provisions of the Act, but so far Traficom has not used its powers concerning corporate subscribers.

Communications providers

Communications provides are operators whose services are based on the confidential transmission of communications, for example, within a certain electronic service. The operations of communications providers are regulated to ensure the confidentiality of electronic communications.

Communications providers must often process electronic communications and traffic data to be able to provide well-functioning services and address any faults or disturbances. The law contains provisions on communications providers' right to process communications and obliges them to ensure the information security of their services.

Communications providers include:

telecommunications operators
corporate subscribers
other communications providers that convey electronic communications for other than personal or comparable customary private purposes.

Other electronic communications providers are a group of operators that became subject to the information security and data protection regulation in the Act on Electronic Communications Services from the beginning of 2015. As a result of this, the regulation of confidentiality and ensuring information security in electronic communications covers all communications providers as their role in the protection of confidential communications is crucial. It is not always simple to draw a line between telecommunications based on the definitions of Directive (EU) 2018/1972 and other conveyance of communications.

Other communications providers mean all such operators that are not telecommunications operators or corporate subscribers but convey electronic communications in a manner corresponding to the activities of telecommunications operators in relation to users. They are external third parties in relation to users that communicate with each other through the service. Conveying confidential communications does not need to be the only purpose of the service, or even its main purpose, in order for the operations to be subject to regulation. In fact, in several services the transmission of confidential communications is just one feature among many.

For example, an operator providing the following services may be a communications provider even if it is not considered a telecommunications operator:

dating services including a feature for communication between users
communication solutions for schools enabling communication between parents and teachers
services for sports teams and clubs enabling the sending of notifications to members or communication between parents and coaches
WLAN services for a limited set of users, such as WLAN networks in individual cafés.

The obligations imposed by law naturally only cover the part of the service involving the transmission of confidential communications. For example, a possibility for users to communicate with each other in an online dating service is just one feature of the service. Providing a discussion feature within an online service is transmission of communications, and its confidentiality and security is guaranteed by regulation.

Schools often use services that enable teachers to send messages to parents, or vice versa. Parties providing and maintaining such services are communications providers. Communications providers also include operators providing sports clubs and teams with solutions or services enabling the sending of notifications or communications between the members of the team, or for instance, between parents and the coach. Even though a service that gives its users the opportunity for unidirectional communications is not considered an interpersonal communications service (telecommunications), it may constitute other conveyance of communications subject to the regulation concerning the confidentiality of electronic communications.

WLAN services for a limited set of users, such as WLAN services provided by individual cafés or hotels, are also considered communications providers. The provision of extensive WLAN services, such as services with an extensive coverage area provided by cities, may also be regarded as general telecommunications. In that case, the operations are also subject to obligations concerning telecommunications.

Operators providing online messages or publications, or engaging in publication operations are not considered to be communications providers. An operator providing a public online discussion forum, for example, is not a communications provider. The transmission of communications for personal or private purposes is not subject to the provisions of the Act on Electronic Communications Services, either. This means, for example, WLAN base stations that are managed by households and used only by the residents and occasional visitors.

Digital services and infrastructure, ICT services, research and public administration

National regulation (Cybersecurity Act and Information Management Act) implementing the EU Cybersecurity Directive (NIS 2 Directive) includes provisions on cybersecurity risk management obligations and the obligation to report significant incidents. The obligations apply, for example, to digital infrastructure providers, digital service providers, ICT service management providers, research organisations and the public administration.

The NCSC-FI guides and supervises the above-mentioned entities in Finland. Digital service providers, ICT service management providers and some digital infrastructure providers fall within the scope of the NCSC-FI’s supervision if their main establishment in the EU is in Finland. If a service provider operates in Finland but its main establishment is in some other EU Member State, the competent authority is the supervisory authority in the country where the main establishment is located.

Providers of associated services and facilities

The Act on Electronic Communications Services defines associated services and associated facilities related to a communication network or service. The NCSC-FI supervises compliance with provisions on information security, functionality and protection of confidential communications related to the provision of these services.

Associated service means a conditional access system, electronic programme guide, number translation system, identity, location and presence service and similar service associated with communications networks or services that enables the provision of a communications network or service or supports the provision of services via them.

Associated facilities mean an associated service and buildings, entries to buildings and building wiring, ducts, masts and other corresponding physical structures, facilities or elements associated with a communications network or service that enables the provision of a communications network or service or supports the provision of services via them.

As of yet, there is practically no interpretative practice concerning associated facilities or services. Interpretation is guided by the examples included in the definitions. The definition of the facilities may be of significance, for example, in the regulation of the technical quality and information security of communications networks and services. The definitions also describe the facilities and services that are not regarded as telecommunications when treated separately.

Strong electronic identification services

Providers of strong electronic identification services are service providers that have submitted a notification on their operations in accordance with the Act on Strong Electronic Identification and Electronic Trust Services (617/2009) and that have been entered in the register referred to in the Act.

Electronic identification means the verification of the identity of a person by electronic means. Strong electronic identification enables consumers to verify their identity safely in various electronic services. It also enables the providers of electronic services to identify their customers.

In Finland, there are two types of providers of services for strong electronic identification:

Identification means providers provide users with identification means (e.g. banking codes, mobile certificates and citizen certificates on identity cards).
Identification broker services sell identification services to electronic services.
One service provider may act in both roles and provide identification means and broker services.
According to the Act, the registered providers of strong identification services form a trust network.

The assurance level of a strong electronic identification service may be substantial or high.

Strong electronic identification services include:

online banking codes provided by banks
mobile certificates issued by telecommunications operators
the Digital and Population Data Services Agency’s Citizen Certificate stored on an identity card issued by the police and certain other identification certificates on various organisation cards
registered identification broker services.

Electronic trust services (eIDAS)

Electronic trust services are means to enable secure electronic transactions. They are governed by the EU eIDAS Regulation (EU) 910/2014.

Trust services may be either qualified or non-qualified. In Finland, the qualification is issued by the NCSC-FI at Traficom. Qualified trust services can be found in national trusted lists that are valid in all EU countries.

Non-qualified trust services are, as defined by the eIDAS Regulation, services for which qualification has not been applied by the provider.

Qualified electronic trust services may include the following services (applicable Article of the eIDAS Regulation in brackets):

certificate, validation service or preservation service for electronic signatures (Articles 28, 33 and 34)
certificate, validation service or preservation service for electronic seals (Articles 38 and 40)
electronic time stamp (Article 42)
electronic registered delivery services (Article 44)
certificate for website authentication (Article 45)

Non-qualified trust services include:

such above-mentioned services that have not been notified or entered in the trusted list
certain other service types, such as creation service for advanced electronic signatures or seals

Domain name registrars

Information about the operations of domain name registrars (incl. information security in registrars’ operations) and fi-domain names is available on the Traficom web pages on domain names.

Scope of regulation

ACTIVITIES THAT WE DO NOT SUPERVISE

Telecommunications and telecommunications operators

Definitions in legislation: telecommunications operators’ telecommunications operations are public communications or network services

Interpersonal communications services

Content services and public ICT services are not telecommunications

A set of users that is not subject to any prior restriction

Services to a set of users subject to prior restriction are not public telecommunications

Interpretation of network service

The definition of telecommunications is technology neutral

Free services can also be public telecommunications