
Action 38 in Finland

Member States to establish pan-European Computer Emergency Response Teams

Indicator: Has a national or governmental CERT been established?
Status: Yes
Evidence:

CERT-FI is the operational unit within the Finnish Communications Regulatory Authority, FICORA. The legal foundation for CERT-FI can be derived from the Act on the Protection of Privacy in Electronic Communications (PPEC, 516/2004, most appropriately Section 31), the Communications Market Act (393/2003) as well as two government decrees on the communications regulatory authority (60/2004 and 761/2006).

Key tasks of CERT-FI are laid out in Section 31 of PPEC:

Section 31 - Duties of the Finnish Communications Regulatory Authority
(1) The Finnish Communications Regulatory Authority shall [..]
2) collect information on violations of and threats to information security in respect of network services, communications services and value added services;
3) investigate violations of and threats to information security in respect of network services, communications services and value added services;
4) publicize information security matters; [..]

Additionally, Section 21 of PPEC effectively establishes CERT-FI as the official point of contact for reporting network and information security incidents in Finland:

Section 21 - Information security notifications to the Finnish Communications Regulatory Authority
(1) The telecommunications operator must notify the Finnish Communications Regulatory Authority without undue delay of significant violations of information security in network services and communications services and of any information security threats to such services that come to the attention of the telecommunications operator. A notification shall also be made of consequences of information security violations and of measures undertaken to prevent the reoccurrence of such violations and threats of such violations.
[..]
(3) The Finnish Communications Regulatory Authority may issue further regulations on the content, form, and delivery to the Finnish Communications Regulatory Authority of the notification referred to in subsection 1.

A similar arrangement for major faults and disturbances in the public telecommunications networks can be found in the Communications Market Act.

Additional strategic positions are laid out in two contract-based assignments:

1) In 2006 the Ministry of Transport and Communications (MINTC) appointed FICORA (and thus CERT-FI) to be the provider of the national situational awareness service in matters regarding the security and stability of the public telecommunications network. This appointment builds on the foundations of PPEC Section 31, where it is stated that FICORA should "publicize information security matters". (The unofficial translation of PPEC is a bit misleading, as the original Finnish wording can be interpreted more broadly to mean "dissemination of information" instead of merely making it public.)
2) The mutual agreement of 2007 between the National Emergency Supply Agency (NESA) and the Finnish Communications Regulatory Authority (FICORA) expanded key services provided by CERT-FI to the private sector in charge of critical infrastructure protection. This agreement was not meant to introduce an additional mandate but rather to ensure that CERT-FI has adequate resources to provide services for the private companies considered critical to Finnish emergency preparedness.

Indicator: Is the CERT fully operational?
Status: Yes
Evidence:

The core service portfolio of CERT-FI is reasonably well supported by the legal mandate and the additional agreements. The roles and responsibilities of CERT-FI in these functions are clear and unambiguous. However, the provision and funding of the so-called GovCERT services have so far not been adequately addressed. The steering of the government's own ICT systems is the responsibility of the Ministry of Finance. Negotiations for adequate funding are currently under way with FICORA.

Indicator: Does the CERT participate in international CERT communities/initiatives?
Status: Yes
Evidence:

CERT-FI is a member of or is represented at EGC, TF-CSIRT / TI, FIRST, FI-ISAC, IWWN and the Nordic Stoltenberg 7 group (S7). We are also participating in many informal information exchanges among the security community. The multilateral security agreement between Nordic countries has been the base for the emerging Stoltenberg 7 cooperation. This arrangement is bringing multilateral CSIRT cooperation to a new level, facilitating information exchange of protectively marked information among the group partners.

Best Practice Case

FICORA has built a high degree of trust among stakeholders from the telecom sector and other critical sectors, who report information on information security breaches or vulnerabilities. It is also entitled to receive information about disruptions in telecom networks and services. Informing CERT-FI about information security incidents does not turn against the informer, because CERT-FI is not obliged, absent specific provisions, to pass this information on to law enforcement authorities. (Nevertheless, the victim of an information security breach of course retains the rights and means to pursue criminal justice procedures.) The multilateral security agreement between Nordic countries has been the base for the emerging Stoltenberg 7 cooperation. This arrangement is bringing multilateral CSIRT cooperation to a new level, facilitating information exchange of protectively marked information among the group partners.

Other initiatives:
