Subjects to regulation

We steer and supervise compliance with the provisions and regulations that apply to our field of activity. We supervise many kinds of activities and provide information on how the provisions are interpreted and whether operations are subject to regulation. Examples include telecommunications, digital services under the NIS Directive, strong electronic identification, domain name registrars and eIDAS electronic trust services.

Questions of interpretation often arise about whether a company’s or an organisation’s service, or a part of it, is to be considered an activity steered and supervised by the NCSC-FI. We have listed activities regulated by law and practical examples of them in the following table. Further below, you will find more specific descriptions of interpretative practice concerning different subjects to regulation.

The following summary can be made of the interpretations of activities:

  • Regulation applies to an operator only if it is specifically directed to the activity in question.
  • A company can have multiple roles when offering services.
  • Each activity is assessed on a case-by-case basis.

Below, we present established interpretative practice. For example, the interpretation of telecommunications activity is quite well established, even though the distinction between telecommunications and the transmission of other forms of communication can sometimes be difficult.

Subjects to regulation

Activity defined in law
(the act in question in parentheses)

Practical examples of operators

telecommunications activity

(Act on Electronic Communications Services)

  • traditional telecommunications operators such as providers of telephone and broadband services
  • television and radio network providers
  • several commercial and non-commercial providers of communications networks and communications services which have not traditionally been perceived as telecommunications operators, for example many over-the-top (OTT) services, i.e. services provided along with the internet access services and WLAN networks
  • digital infrastructure providers under the NIS Directive, i.e. exchange point providers and DNS service providers

associated services and associated facilities

(Act on Electronic Communications Services)

Providers of associated services or associated facilities related to an electronic communications network and/or an electronic communications service:

  • system subject to conditional right of use
  • electronic programme guide (EPG)
  • number conversion system
  • identification, location and presence service as well as similar service associated with communications networks or services that allows the offering of a communications network or service or supports the provision of services through them
  • a building; entry to building and building cabling; cable duct; mast and other physical structure, function or element related to a communications network or service that allows the offering of a communications network or service or supports the provision of services through them

internal networks in properties

(Act on Electronic Communications Services)

Housing companies and other holders of internal communications networks in real estate buildings

corporate subscriber

(Act on Electronic Communications Services)

Corporate or association customers that process their customers' or their own identification data

other conveyance of communications

(Act on Electronic Communications Services)

In addition to telecommunications operators and corporate subscribers

  • also other parties that convey electronic communications as a third party with regard to the parties to the communications

cookies

(Act on Electronic Communications Services)

Saving data on cookies or on other use of electronic services on the user’s terminal device and the use of such data

digital service

(Act on Electronic Communications Services)

Digital service providers under the NIS Directive:

  • online marketplace
  • online search engine
  • cloud service

strong electronic identification

(Act on Strong Electronic Identification and Electronic Trust Services)

Registered strong electronic

  • identification means providers
  • identification broker service providers

trust service

(EU’s so-called eIDAS Regulation)

Qualified and non-qualified trust service providers under the eIDAS Regulation:

  • certificate, validation service or preservation service for electronic seals or electronic signatures
  • certificate for website authentication
  • electronic time stamp
  • electronic registered delivery service

domain name brokering

(Act on Electronic Communications Services)

An operator who has registered as a domain name registrar

SUBJECTS THAT ARE NOT UNDER OUR SUPERVISION

The NCSC-FI does not supervise the content or marketing of communications or provision of authority networks or authority communication services. Because the set of users using public authority networks or authority communication services is subject to prior restriction, the networks are not public telecommunications. Public authority networks and authority communication services may be incorporated into telecommunications operators' public communications networks. Thus, they must not cause operability or information security disturbances in a public communications network.

Telecommunications and telecommunications operators

The NCSC-FI supervises information security requirements, functionality requirements and preparedness for interference and exceptional circumstances, assistance provided to emergency services authorities and police authorities as well as confidentiality of electronic communications and traffic data.

Definitions in the act: telecommunications operations of telecommunications operators are public communications or network services

Telecommunications regulation is applied to operations and services if they fulfil the characteristics of the definitions in the Act on Electronic Communications Services concerning telecommunications.

Key definitions in the act are telecommunications operator, communications service and network service:

  • Telecommunications operator means a network operator or a communications service operator offering services to a set of users that is not subject to any prior restriction, i.e. provides public telecommunications services.
  • Communications service means a service consisting either completely or primarily of transmitting messages in a communications network, or of transfer and transmission service in a mass communications network.
  • Network service means a service a telecommunications operator (network operator) provides comprising a communications network in its ownership or for other reasons in its possession for the purposes of transmitting or distributing messages.
    Communications network means a system comprising cables and devices joined to each other for the purpose of transmitting or distributing messages by wire, radio waves, optically, or by other electromagnetic means.
    Public communications network means a communications network used to provide communications services to a set of users that is not subject to any prior restriction.

The content of communication and public ICT services are not telecommunications

The following are not telecommunications

  • content of the communications, e.g. content on websites, maintenance of a discussion forum or provision of videos on websites
  • ICT services, such as provision of devices or software, online recording services of programmes, video-on-demand services, pay-TV packages or pay-TV cards.
  • surveillance or alarm services provided via telecommunications connections (e.g. in nursing and security services)

A set of users that is not subject to any prior restriction

Public telecommunications means provision of electronic communications services to a set of users that is not subject to any prior restriction.

Examples of services that have been interpreted as having a set of users that is not subject to any prior restriction

  • Application-bound communications services are typical for example in voice and instant messaging services provided on the internet. Similarly to other products, users can freely acquire the required applications.
  • Terminal devices include communications services independent from mobile operators. Examples of these are instant messaging, email and text or multimedia messages.
  • Communications services of network communities and the social media, in which becoming a member is unrestricted to the extent that the membership cannot solely be regarded as prior restriction of a set of users.
  • Networks that have small geographical coverage or that are administered in new kinds of ways, such as WLAN networks that offer internet access services. They can be situated in a very restricted region, but if the set of users using them is unspecified, the geographic coverage alone does not make the set of users subject to prior restriction.

Services to a set of users subject to prior restriction are not public telecommunications

The Agency has interpreted a set of users subject to prior restriction restrictively in supervision.

The justification for the Act (HE 221/2013, the detailed justification for the definition of a telecommunications operator in section 3) states that, when assessing whether a set of users is subject to any prior restriction or not, the following aspects, among others, must be taken into account:

  • nature of the network and service
  • extent of the network and set of users and
  • restrictive aspect of the requirements for becoming a user.

The fact that a communications service only functions with a certain application or on a certain terminal device, or that a network or a service is available only in a certain geographic area, does not alone make the service in question a service for a set of users subject to prior restriction.

Examples of a set of users subject to prior restriction

  • services provided by a company to its employees or by a school to its students
  • internal communications services used by taxi centres and taxis
  • communications services that are provided by a café or a hotel and that concern, in themselves, an unspecified set of customers, but the set of users is so small that, as a whole, provision of the service cannot usually be regarded as public telecommunications

However, employers, housing companies, schools or hotels which provide communications services to their users, among others, may be subject to regulation concerning corporate or association subscribers.

Communications service must include transmission of messages

Communications service means a service consisting either completely or primarily of transmitting messages in a communications network, and of transfer and transmission service in a mass communications network.

The transmission that meets the definition of a communications service is, at minimum, considered to be the management of an email server connected to the internet or the management of calls by means of IN functions. By contrast, the provision of pure peer-to-peer network software (pure P2P) is not regarded as the provision of a communications service if the messages are not routed through the device of the service provider, i.e. the service provider does not participate in the transmission of the messages.

Interpretation of network service

The interpretation of a network service is not as established as the interpretation of a communications service. The Agency has provided guidance concerning the interpretation of a network operator and network service to different communal and local actors who construct, for example, fibre networks, as well as in some implementations involving several actors.

Primarily, the mere construction or ownership of a communications network is not considered to be public telecommunications. The operations become telecommunications when the network is provided or used for transmitting public communications services. In its guidance, the Agency’s starting point in assessing who is a telecommunications operator has been that a telecommunications operator is the operator that administers the network and exercises the power of decision over to whom the network is provided. It is not relevant how many telecommunications operators (service providers) operate in the network.

The distinction between network and service operators is sometimes difficult, especially with regard to IP networks and IP-based services, because the line can be based on interpretations. For example, in communications services provided via internet access (i.e. OTT services), the provider of a communications service may possess, at minimum, nothing but the server which is used for implementing and routing on the open internet.

The definition of telecommunications is technology-neutral

The regulation of telecommunications is technology-neutral. It applies to targeted communications such as telephone, text message, broadband and email services and to mass communications such as cable television, IPTV, terrestrial television and radio services.

In mass communications networks, telecommunications is, for example, the maintenance and provision of terrestrial, cable and IPTV networks and the provision of cable or IPTV subscriptions. The technical transmission of programme stream and telecommunications include, for example, the synchronisation of the sound and the picture, as well as the transmission of the information on teletext television and in the EPG.

A free service can also be public telecommunications

Public telecommunications can be subject to charge or free of charge. In addition, an operator other than a commercial one can be a telecommunications operator referred to in the Act on Electronic Communications Services, because the act lays down no charge requirement for public telecommunications. The regulation of telecommunications operators can therefore concern, for example, cities or other non-commercial operators and free internet services.

Corporate subscribers

According to the Act on Electronic Communications Services, corporate or association subscriber means an undertaking or organisation which subscribes to a communications service or an added value service and which processes users’ messages, traffic data or location data in its communications network.

Examples of corporate or association subscribers are business operators, cooperatives, limited companies, associations, educational institutions, and government agencies. A corporate or association subscriber can be, for example, an undertaking that acquires and provides telephone and broadband subscriptions for its employees and a WLAN connection for those who visit the premises, and processes identification data in its internal network, i.e. information associated with a legal or natural person used to transmit a message. Also, residents of housing companies sharing a subscriber connection can be corporate subscribers. Families are not considered as corporate or association subscribers even if a family has an internal communications network (WLAN network) at home and the family members use it for example to surf online via a shared broadband connection.

A corporate or an association subscriber’s obligations regarding functionality, information security, protection of confidential communications, and on the other hand, rights to process traffic data are regulated in the Act on Electronic Communications Services. The NCSC-FI at Traficom supervises compliance with these provisions. According to the act, Traficom is authorised to issue certain technical regulations that specify the provisions of the act, but so far the agency has not used its powers concerning corporate or association subscribers.

Communications providers

Communications providers are operators whose services are based on the confidential transmission of communications, for example, within a certain electronic service.

Due to its duties, a communications provider must often process messages and traffic data to be able to provide functioning services and clarify any faults or disturbances.

The act contains provisions on the communications providers' right to process data and obliges them to ensure information security of their services.

Communications providers include:

  • Telecommunications
  • Corporate or association
  • Other communications providers

Other electronic communications providers are a group of operators that became subject to information security and data protection regulation in the Act on Electronic Communications Services as of the beginning of 2015. As a result of this, the regulation of confidentiality and ensuring information security in electronic communications covers all communications providers as their role in the protection of confidential communications is crucial.

Examples of services by other communications providers

Other communications providers mean all such operators acting as communications providers corresponding to telecommunications operators in relation to users. They are external third parties in relation to users that communicate with each other through the service. Transmitting confidential communications does not need to be the only purpose of the service, or even its main purpose, in order for the operations to be subject to regulation. In fact, in several services the transmission of confidential communications is just one feature among many.

An operator providing the following services may be a communications provider:

  • Dating services including a communication feature between users
  • Communication solutions for schools enabling communication between parents and teachers
  • Services for sports teams and clubs enabling sending notifications to members or communication between parents and coaches
  • WLAN services for a limited set of users, such as WLAN networks in individual cafés

The obligations imposed in the act naturally cover only the part of the service involving transmission of confidential communications. For example, a possibility for users to communicate with each other in online dating services is just one feature of the service. Providing a discussion feature within an online dating service is transmission of communications, and its confidentiality and security are guaranteed by the regulation.

Schools often use services that enable teachers to send messages to parents, or vice versa. Parties providing and maintaining such services are communications providers. Communications providers also include operators providing sports clubs and teams with solutions or services enabling sending of notifications or communications between the members of the team, or for instance, between parents and the coach.

Providers of WLAN services for a limited set of users, such as individual cafés or hotels providing WLAN services, are also considered communications providers. The provision of extensive WLAN services, such as services with an extensive coverage area provided by cities, may also be regarded as general telecommunications which are subject to obligations concerning telecommunications.

Online publications and discussion forums are not transmission of communications

Operators providing network messages or publications, or engaging in publication operations are not considered to be communications providers. An operator providing an online public discussion forum, for example, is not a communications provider. Transmission of communications for personal or private purposes is not subject to the provisions of the Act on Electronic Communications Services, either. This means, for example, WLAN base stations provided by households that are used only among the residents and occasional visitors.

Digital service and infrastructure providers (NIS)

The EU Directive on the Security of Network and Information Systems (NIS Directive) contains provisions on information security obligations and disruption reporting concerning critical infrastructure providers in several sectors.

The NCSC-FI steers and supervises digital service providers and digital infrastructure providers referred to in the directive. The obligations of these operators are laid down in the Act on Electronic Communications Services.

Digital infrastructure providers

The provisions of the NIS Directive on digital infrastructures concern

  • Internet Exchange Points (IXPs)
  • Domain Name Servers (DNSs)
  • Top-level domains (in Finland .fi and .ax)

In Finland, the provision of internet exchange points and domain name servers is covered by the regulation on public telecommunications in cases where the internet exchange points join public telecommunications networks, and where domain name services are offered as a part of internet access services. The operators providing these elements of digital infrastructure are telecom operators, which are subject to the regulatory framework for public telecommunications. The requirements for information security in telecommunications operations and incident reports are laid down in the Act on Electronic Communications Services and in the supplementing technical regulations issued by the agency.

In Finland, national internet top-level domains are governed by the authorities: Traficom is responsible for the .fi domain and the Government of Åland governs the .ax domain. These are also regulated in the Act on Electronic Communications Services and in the legislation on the openness and information security of government activities. The so-called registry-registrar model is applied to domain names and the obligations of the registrars regarding information security and incident reports are laid down in the Act on Electronic Communications Services and in the agency’s regulation on domain names that end with .fi or .ax and the registration of such names.

Digital service providers

The regulations on digital services of the NIS Directive apply to the following types of digital services (examples of service providers operating in Europe in brackets):

  • online marketplace providers (AppStore, Amazon)
  • online search engine providers (Google and Bing)
  • cloud computing service providers (Microsoft Office 365, DropBox)

Online marketplace: The regulation applies to online marketplaces allowing consumers and traders to conclude online sales or service contracts with traders. These include digital app stores offering apps and software by a number of different traders.

Online search engine: The regulation applies to online search engines that allow the user to perform searches of, in principle, all websites on the basis of a query on any subject.

Cloud computing service: The regulations may apply to many types of cloud services, i.e. computing resources: infrastructure (for example networks or services) (IaaS), software and applications (SaaS), or platforms (PaaS).

However, the regulations do not apply to micro and small enterprises. These enterprises are defined, in accordance with the NIS Directive, in more detail in the Commission’s recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises.

According to the recommendation:

  • The category micro and small enterprises (SMEs) comprises enterprises with less than 250 employees and annual turnover of a maximum of 50 million euros or an annual balance sheet total not exceeding 43 million euros.
  • Within the SME category, a small enterprise is a company employing fewer than 30 employees whose annual turnover or balance sheet totals no more than 10 million euros. Within the SME category, a micro enterprise has less than 10 employees and an annual turnover or balance sheet of a maximum of 2 million euros.
  • The Commission’s recommendation has more detailed guidance on how a company’s ownership is taken into account in defining thresholds for the number of employees or the financial figures.

In other words, if the number of employees or the financial figures of a digital service provider, i.e. an online marketplace, search engine or cloud service, exceed these figures, the regulations imposed by the NIS Directive apply to it.

Associated services and facilities providers

The Act on Electronic Communications Services defines associated services and associated facilities related to a communication network or service. The NCSC-FI supervises compliance with provisions on information security, functionality and protection of confidential communications related to providing these services.

Associated service means a system subject to a conditional right of use; electronic programme guide; number conversion system; identification, location and presence service as well as similar service associated with communications networks or services that allows the offering of a communications network or service or supports the provision of services through them.

Associated facilities means an associated service and a building; entry to building and building cabling; cable duct; mast and other physical structure, function or element related to a communications network or service that allows the offering of a communications network or service or supports the provision of services through them.

Interpretative practice related to associated facilities or services does not exist yet in principle. The examples included in the definitions steer the interpretation. The definition of the functions may be of significance e.g. in the regulation of the technical quality and information security of communications networks and services. The definitions also describe the functions and the services that are not regarded as telecommunications when treated separately.

Domain name registrars

Domain name registrar means an operator who has registered as a domain name registrar according to the Act on Electronic Communications Services. In practice, registrars enter fi-domain names in the domain name register and update related information in the register on their customers’ behalf. Registrars are subject to responsibilities and obligations imposed by law. The NCSC-FI at Traficom steers and supervises information security of domain name operations.

Strong electronic identification services

Providers of strong electronic identification services are service providers that have submitted a notification on their operations in accordance with the Act on Strong Electronic Identification and Electronic Trust Services (617/2009) and that have been entered in the register referred to in the Act.

Strong electronic identification means the verification of the identity of a person by electronic means. Strong electronic identification enables consumers to certify their identity safely in various electronic services. It also enables the providers of electronic services to identify their customers.

In Finland, there are two types of providers of services for strong electronic identification

  • Identification means providers provide users with identification means (identification means provider) (e.g. banking codes, mobile certificates, citizen certificates on identity cards)
  • Identification broker services sell identification services to electronic services (identification broker service)
  • One service provider may act as both a means provider and broker service provider
  • The registered providers of strong identification services form a trust network as provided

The assurance level of a strong electronic identification service may be substantial or high.

Strong electronic identification services are

  • online banking codes
  • mobile certificates issued by telecommunications operators
  • the Digital and Population Data Services Agency’s Citizen Certificate stored on an identity card issued by the police and certain other identification certificates on various organisation cards
  • registered identification broker services

Electronic trust services (eIDAS)

Electronic trust services are means to enable secure electronic transactions. They are governed by the eIDAS Regulation (EU) 910/2014.

Trust services may be either qualified or non-qualified. In Finland, the qualification is sought with the NCSC-FI at Traficom. Qualified trust services can be found in national trusted lists that are valid in all EU countries.

Non-qualified trust services are, as defined by the eIDAS Regulation, services for which the provider has not applied for qualification.

Qualified electronic trust services may include the following services (applicable Article of the eIDAS Regulation in parentheses):

  • certificate, validation service or preservation service for electronic signatures (Articles 28, 33 and 34)
  • certificate, validation service or preservation service for electronic seals (Articles 38 and 40)
  • electronic time stamp (Article 42)
  • electronic registered delivery services (Article 44)
  • certificate for website authentication (Article 45)

Non-qualified trust services include:

  • such above-mentioned services that have not been notified or entered in the trusted list
  • certain other service types, for example creation service for advanced