Certification of a new system

Certification of a new system

The certification of a new information system involves preparatory tasks as well as tasks related to system development, testing and a data security assessment.

Phases of certification of a new information system

Preparation phase

Start preparing for the certification of a new system by familiarising yourself with THL’s regulations and guidelines (thl.fi) (in Finnish), which describe the requirements related to the functionality, interoperability and data security of health care information systems or wellbeing applications. Based on THL’s regulations, information system profiles must be identified for the information system based on its intended purpose.

Read more about the requirement specifications, data contents and technical guidelines for information system providers published and maintained by Kanta Services.

The Act on the Processing of Client Data in Healthcare and Social Welfare 703/2023, i.e. the Client Data Act (finlex.fi) (in Finnish), brings together the statutes concerning data protection and secrecy, rights of access and disclosure of client data, document processing, client and patient documents, national information systems, and control of information management.

An information system conforming to the Client Data Act can only be deployed once its data can be found in the social welfare and health care information system database maintained by Valvira.

System development phase

Thorough testing

In the information system’s design and development phase, comprehensive testing of the system’s functionalities is important in order to have as complete and functional a system as possible when actual joint testing of Kanta interoperability begins. 

The functionalities of the information system must also be tested independently against the Kanta client test environment before joint testing. The Kanta Services will provide a free browser-based validation service for HL7 CDA R2 documents for checking the data structures of documents to be stored in Kanta.

The test professional cards and the service certificates required for using the client test service are ordered from the Digital and Population Data Services Agency.

Join the client test environment

You join the client test environment from the test environment. Learn more about the client test environment and the applications to join.  

Read about the release schedule

The publication schedule for the Kanta Services includes the schedule for development phases for statutory functionalities as well as the deployment deadlines for social welfare and health care providers. The publication schedule is updated 3–4 times a year.

Learn about data security requirements

THL’s regulation on key requirements includes data security requirements for information systems intended for the processing of client and patient data or wellbeing data. 

The obligation to draw up an information security plan applies to all social welfare and health care service providers, pharmacies, and Kanta intermediary service providers. The regulation concerning the information security plan and a template for this can be found on THL’s Regulations and guidelines page (thl.fi) (in Finnish).

Prepare for joint testing 

Joint testing is mandatory for class A2 and A3 information systems and it is intended to ensure that the information system has been implemented in accordance with national specifications for interoperability. To make joint testing as smooth as possible: 

  • Before registering for joint testing, make sure that the functionalities have been thoroughly tested in your own system
  • Fill out THL’s system form (THL Regulation 5/2024, Appendix 4) carefully
  • Register for joint testing no later than two months before the planned start of testing

Read more about the joint testing process and more detailed instructions for joint testing

Data security assessment and notifying Valvira of registration

Once the joint testing has been successfully completed, agree on the data security assessment with an inspection body accredited by Traficom (kyberturvallisuuskeskus.fi). The information security inspection body will issue an information security certificate for a maximum period of three years. 

Once the data security assessment has been completed, send the notification of registration and its attachments to Valvira. More detailed guidelines are provided by Valvira.

Phases of certification of a new information system. Click on the image to enlarge the PDF file.
Phases of certification of a new information system (in Finnish only). Click on the image to enlarge the PDF file. 


Supporting material:

Last updated 13.5.2024