Renewal process for certificate of conformity
When to renew a certificate of conformity
Certification must be renewed when the previous information security certificate or certificate of conformity is expiring. If significant changes are made to the system or the requirements change significantly during the period of validity of the information security certificate, an accredited information security inspection body will assess whether the information security certificate will need to be updated.
The information system service provider must provide Kela with up-to-date information on which joint testing requirements regarding the Kanta Services have been implemented.
Get in touch in time to identify the need for joint testing
In order for the information system to meet the compliance requirements, it must be joint tested due to statutory requirements and as required by Kela. The information system supplier must be in contact with Kela and the accredited information security inspection body 6 months prior to the expiry of the certificate of conformity (THL Regulation 4/2024). This takes place by sending the system form to Kela to yhteistestaus@kanta.fi so that an assessment of the potential need for joint testing can be done.
Kela will assess on a system-by-system basis what joint testing is required in order to renew compliance. It is also possible that no joint testing is required.
Even if the system has ongoing joint tests, progress can be made in assessing data security. However, Valvira monitors in connection with the registry notification that the information system has undergone the joint testing required by legislation and based on the current definitions of the Kanta Services.
Ensure smooth joint testing
In order to ensure timely completion of joint testing required for the renewal of the certificate of conformity, register for joint testing at the latest 2 months before the planned start of testing.
Before starting the joint testing, the information system supplier must ensure that the functions to be tested in joint testing have been extensively tested in their own system. It is also the responsibility of the information system supplier to complete THL’s system form carefully (THL Regulation 5/2024, Appendix 4).
In order to ensure smooth joint testing, it is also important that the test case tables for Kanta joint testing are completed carefully.
Note the validity period of specifications
When renewing information system compliance, the information system must be updated to reflect the current Kanta specifications. Separate validity periods for “voimassa sertifioinnissa” (valid certification) and “voimassa tuotantokäytössä” (valid production use) have been stated on Kanta.fi for all common and service-specific specifications of Kanta Services. The information system supplier must ensure that the “valid certification” date of the specifications is not exceeded.
The accredited information security inspection body issues an information security certificate
The accredited information security inspection body will conduct an information security assessment and provide an information security certificate for up to three years.
After the information security assessment has been completed, send a registry notification and appendices to Valvira. The updated information related to the renewal of the certificate of conformity must be notified to Valvira’s information system register no later than one month after issuance of the renewed information security certificate (THL Regulation 4/2024, Section 10 Renewal of Compliance). More detailed guidance is provided by Valvira.