Strong electronic identification, electronic signature and certification activities

Strong electronic identification, electronic signature and certification activities

Strong electronic identification means the verification of the identity of a person by an electronic method. In strong electronic identification, the identification device and its user can ultimately be connected to the person's true identity. The identification device used for strong electronic identification are bank identifiers used by banks, the Population Register Centre's citizen certificate and telecom operators' mobile certificates. Strong electronic identification enables consumers to certify their identity safely as they use various electronic services.

Electronic signature means data in an electronic form that is linked or logically connected to some other electronic data and used as a device for verifying the identity of the signatory. At its simplest, this can mean signing of e-mail with the person's name. An advanced electronic signature means an electronic signature that is unambiguously linked to the signatory, and that is linked to the data to be signed in such a way that any alterations made in the data can be detected.

A certificate is a certificate electronically signed by a reliable third party verifying that a specific public key belongs to a specific user of a key. With the help of a certificate, it is possible to verify a person's identity, or verify an identity and link the verification data to the signatory of the signature. In addition to the public key, the certificate also contains other data, such as the name of a person or organisation, the day of granting of the certificate, last day of validity or individualised serial number. The Act on strong electronic identification and electronic signatures contains provisions on the data content of qualified certificates and operations of the certification service provider.

Service providers offering strong electronic identification and qualified certificates must submit a notification to FICORA. FICORA maintains a public register on identification service providers and certification service providers offering qualified certificates. FICORA also monitors that identification service providers and certification service providers offering qualified certificates comply with the obligations imposed on them by the legislation.

The objective of the Act is to create common rules for the provision of strong electronic identification services. It will likewise promote the provision of identification services and the use of electronic signatures. The Act is founded on the principle that users must be able to trust information security and protection of privacy when they use strong electronic identification services.

FICORA also acts as the appellate authority in matters concerning the operations of identification service providers and certification service providers offering qualified certificates, as well as electronic signatures based on qualified certificates. Consumers may contact FICORA if they suspect that the identification service provider acts against the legislation or regulations regarding strong electronic identification and electronic signatures.

The Data Protection Ombudsman monitors the compliance of provisions concerning personal data by virtue of the Act on strong electronic identification and electronic signatures. FICORA and the Data Protection Ombudsman collaborate with the Financial Supervisory Authority, the Finnish Competition Authority and the Consumer Agency when performing supervision tasks.