Strong electronic identification and qualified certificates
Strong electronic identification is governed by the national Identification and Trust Services Act and the EU eIDAS Regulation. Electronic trust services are covered by the eIDAS Regulation.
Providers of strong identification services may provide identification devices for users (identification device provider) or sell identification services to eServices (identification broker service). One company may act as both device provider and broker service provider.
The assurance level of a strong electronic identification service may be substantial or high.
The providers of strong identification services are listed in FICORA's register.
A device of strong electronic identification may be notified to the European Commission as a cross-border identification device. In such a case, it is subject to the eIDAS Regulation and the Commission Implementing Decisions issued under the Regulation. The requirements laid down in the Identification and Trust Services Act correspond to EU legislation.
Electronic trust services are covered by the eIDAS Regulation. Trust services may either be qualified or non-qualified. The status of a qualified trust service requires a conformity assessment by an accredited conformity assessment body and a notification to FICORA before commencing operations.
Qualified electronic trust services may include the following services (applicable Article of the eIDAS Regulation in parentheses):
- certificate, validation service or preservation service for electronic signatures (Articles 28, 33 and 34)
- certificate, validation service or preservation service for electronic seals (Articles 38 and 40)
- electronic time stamp (Article 42)
- electronic registered delivery services (Article 44)
- certificate for website authentication (Article 45)
Qualified trust services are entered in a trusted list maintained by FICORA.
Non-qualified trust services include those of the above-listed services, and other services referred to in the eIDAS Regulation, that have not been notified or entered in the trusted list. Non-qualified services are subject to ex post supervisory activities which are substantially lighter than those applied to qualified trust services.
FICORA supervises strong electronic identification services and electronic trust services. FICORA monitors whether the services meet the requirements set out for them and enters the services in the register or trusted list. FICORA is the appellate authority in matters related to the operations of identification service providers and trust services. FICORA is not competent to settle any contractual disputes.
Providers of these services are subject to:
- Notification obligation. Identification service providers and qualified trust service providers based in Finland must submit a written notification to FICORA before commencing operations.
- Audit obligation. Providers of strong electronic identification services and providers of qualified trust services must attach an audit or assessment report on conformity assessment to their commencement notification. An updated report must be submitted at least every two years.
- Provision prohibition. If an identification service or trust service does not meet legal requirements, FICORA prohibits the identification service provider from providing its identification service as strong electronic identification or withdraws the status of a qualified trust service.
- Obligation to notify changes. Identification service providers and qualified trust service providers must notify FICORA of any changes to the information they have provided in their commencement notification. FICORA must also be notified of the termination of operations or the transfer of operations to another service provider.
- Obligation to notify disturbances. Service providers must notify FICORA of any significant threats and disturbances concerning the information security and functionality of the service as well as of any repair measures. This obligation to notify disturbances also applies to non-qualified trust services.
- Monitoring fees. The commencement notification is subject to a registration fee. Operators entered in the identification service register or trusted list must pay an annual monitoring fee. Section 47 of the Identification and Trust Services Act contains provisions on the fees.
General guidance and development of strong electronic identification and electronic trust services are the responsibility of the Ministry of Transport and Communications.
The Data Protection Ombudsman supervises compliance with the personal data provisions of the Identification and Trust Services Act and the eIDAS Regulation. If necessary, FICORA and the Data Protection Ombudsman collaborate with the Financial Supervisory Authority and the Finnish Competition and Consumer Authority when performing supervisory tasks.
The Finnish Accreditation Service FINAS is responsible for the accreditation of conformity assessment bodies for qualified trust services. Moreover, FICORA must approve the assessment body.