Scope of regulation
We at the National Cyber Security Centre Finland (NCSC-FI) at the Finnish Transport and Communications Agency Traficom steer and supervise compliance with the provisions and regulations that apply to our field of activity. We supervise many kinds of activities, and this page explains how we interpret the rules and legislation governing our sector and which activities are governed by the regulation we work with. Examples include telecommunications and other transmission of communications, digital services under the NIS Directive, strong electronic identification and eIDAS electronic trust services.
Questions of interpretation often arise about whether a company’s or an organisation’s service or a part of it is to be considered as an activity steered and supervised by the NCSC-FI. The following table lists activities regulated by law, including practical examples. Further below, you will find more specific descriptions of interpretative practice concerning different activities within the scope of the regulation we supervise.
Regulation defines different roles for operators, and it is important to identify the roles individual operators have in practice. For the most part, the regulation discussed here only concerns specific activities. However, certain operators may have several roles governed by regulation. Each activity is assessed separately.
The following presents different activities governed by the regulation we supervise and discusses established interpretative practice.
Activity defined in law
Practical examples of operators
internal networks in properties
Housing companies and other holders of internal communications networks in real estate buildings.
dedicated network operator
Owner or holder of a critical dedicated network
Telecommunications operators’ corporate or organisation customers that process their customers' or their own traffic data
other conveyance of communications
In addition to telecommunications operators and corporate subscribers
Service provider that saves cookies or other data on the use of an electronic service on a user’s terminal device or uses such data
Digital service providers under the NIS Directive:
associated services and associated facilities
For example, providers of the following associated services or associated facilities related to an electronic communications network and/or an electronic communications service:
strong electronic identification
Registered providers of strong electronic
Qualified and non-qualified trust service providers under the eIDAS Regulation:
ACTIVITIES THAT WE DO NOT SUPERVISE
The NCSC-FI does not supervise the content or marketing of communications or, as a rule, the provision of public authority networks or public authority communications services. Because the set of users using public authority networks or public authority communications services is subject to prior restriction, these networks and services are not considered public telecommunications. Public authority networks and public authority communications services may be incorporated into telecommunications operators' public communications networks. If so, they must not cause operability or information security disturbances in a public communications network.
Telecommunications and telecommunications operators
The NCSC-FI supervises compliance with information security and functionality requirements in telecommunications operations, preparedness for interference and exceptional circumstances, the obligations to provide assistance to emergency services and police authorities as well as the confidentiality of electronic communications and traffic data.
According to the Act on Electronic Communications Services, corporate subscriber means an undertaking or organisation that subscribes to a communications service or a value-added service and processes users’ communications, traffic data or location data in its communications network.
Examples of corporate subscribers include sole traders, cooperatives, limited liability companies, associations, educational institutions and government agencies. A corporate subscriber can be, for example, an undertaking that acquires and provides telephone and broadband subscriptions for its employees and a WLAN connection for those who visit the premises, and processes identification data in its internal network, i.e. information associated with a legal or natural person used to transmit communications. Residents of housing companies sharing a subscriber connection can also be corporate subscribers. Families are not considered corporate subscribers even if a family has an internal communications network (WLAN network) at home and the family members use it for example to surf online via a shared broadband connection.
Corporate subscribers’ obligations regarding functionality, information security, protection of confidential communications, and on the other hand, their rights to process traffic data are regulated by the Act on Electronic Communications Services. The NCSC-FI at Traficom supervises compliance with these provisions. Under the Act, Traficom is also authorised to issue certain technical regulations that specify the provisions of the Act, but so far Traficom has not used its powers concerning corporate subscribers.
Communications provides are operators whose services are based on the confidential transmission of communications, for example, within a certain electronic service. The operations of communications providers are regulated to ensure the confidentiality of electronic communications.
Communications providers must often process electronic communications and traffic data to be able to provide well-functioning services and address any faults or disturbances. The law contains provisions on communications providers' right to process communications and obliges them to ensure the information security of their services.
Communications providers include:
- telecommunications operators
- corporate subscribers
- other communications providers that convey electronic communications for other than personal or comparable customary private purposes.
Other electronic communications providers are a group of operators that became subject to the information security and data protection regulation in the Act on Electronic Communications Services from the beginning of 2015. As a result of this, the regulation of confidentiality and ensuring information security in electronic communications covers all communications providers as their role in the protection of confidential communications is crucial. It is not always simple to draw a line between telecommunications based on the definitions of Directive (EU) 2018/1972 and other conveyance of communications.
Digital service and infrastructure providers (NIS)
The EU Directive on the security of network and information systems (NIS Directive) contains provisions on information security obligations and disruption reporting concerning critical infrastructure providers in several sectors.
The NCSC-FI supervises and provides guidance to the digital service providers and digital infrastructure providers referred to in the Directive. The obligations of these operators are laid down in the Act on Electronic Communications Services. With respect to digital service providers, the NCSC-FI only supervises those operators whose main establishment in the EU is located in Finland. If a digital service provider operating in Finland has its main establishment in some other EU country, the competent supervisory authority is the authority of the country where the main establishment is located.
MORE INFORMATION ON OBLIGATIONS CONCERNING THE ACTIVITIES
Providers of associated services and facilities
The Act on Electronic Communications Services defines associated services and associated facilities related to a communication network or service. The NCSC-FI supervises compliance with provisions on information security, functionality and protection of confidential communications related to the provision of these services.
Associated service means a conditional access system, electronic programme guide, number translation system, identity, location and presence service and similar service associated with communications networks or services that enables the provision of a communications network or service or supports the provision of services via them.
Associated facilities mean an associated service and buildings, entries to buildings and building wiring, ducts, masts and other corresponding physical structures, facilities or elements associated with a communications network or service that enables the provision of a communications network or service or supports the provision of services via them.
As of yet, there is practically no interpretative practice concerning associated facilities or services. Interpretation is guided by the examples included in the definitions. The definition of the facilities may be of significance, for example, in the regulation of the technical quality and information security of communications networks and services. The definitions also describe the facilities and services that are not regarded as telecommunications when treated separately.
Strong electronic identification services
Providers of strong electronic identification services are service providers that have submitted a notification on their operations in accordance with the Act on Strong Electronic Identification and Electronic Trust Services (617/2009) and that have been entered in the register referred to in the Act.
Electronic identification means the verification of the identity of a person by electronic means. Strong electronic identification enables consumers to verify their identity safely in various electronic services. It also enables the providers of electronic services to identify their customers.
In Finland, there are two types of providers of services for strong electronic identification:
- Identification means providers provide users with identification means (e.g. banking codes, mobile certificates and citizen certificates on identity cards).
- Identification broker services sell identification services to electronic services.
- One service provider may act in both roles and provide identification means and broker services.
- According to the Act, the registered providers of strong identification services form a trust network.
The assurance level of a strong electronic identification service may be substantial or high.
Strong electronic identification services include:
- online banking codes provided by banks
- mobile certificates issued by telecommunications operators
- the Digital and Population Data Services Agency’s Citizen Certificate stored on an identity card issued by the police and certain other identification certificates on various organisation cards
- registered identification broker services.
Electronic trust services (eIDAS)
Electronic trust services are means to enable secure electronic transactions. They are governed by the EU eIDAS Regulation (EU) 910/2014.
Trust services may be either qualified or non-qualified. In Finland, the qualification is issued by the NCSC-FI at Traficom. Qualified trust services can be found in national trusted lists that are valid in all EU countries.
Non-qualified trust services are, as defined by the eIDAS Regulation, services for which qualification has not been applied by the provider.
Qualified electronic trust services may include the following services (applicable Article of the eIDAS Regulation in brackets):
- certificate, validation service or preservation service for electronic signatures (Articles 28, 33 and 34)
- certificate, validation service or preservation service for electronic seals (Articles 38 and 40)
- electronic time stamp (Article 42)
- electronic registered delivery services (Article 44)
- certificate for website authentication (Article 45)
Non-qualified trust services include:
- such above-mentioned services that have not been notified or entered in the trusted list
- certain other service types, such as creation service for advanced electronic signatures or seals
Domain name registrars
Information about the operations of domain name registrars (incl. information security in registrars’ operations) and fi-domain names is available on the Traficom web pages on domain names.