Renewal of certification

Certification renewal process 

When certification needs to be renewed

The certification must be renewed when the previous information security certificate or certificate of conformity is due to expire. The certification may also need to be renewed if significant changes are made to the information system, or if the requirements imposed on the information system change significantly. 

If significant changes are made to the system or the requirements change significantly while the information security certificate is valid, a change audit may be required. 

The information system service provider must provide Kela with up-to-date information on which of the jointly tested requirements related to the Kanta Services have been implemented and on which specification versions the implementations are based.

Schedule and need for joint testing

The information system provider must contact Kela and the information security inspection body six months before the conformity expiry date (THL Regulation 4/2021). 

The joint testing of the Kanta Services determines on a system-specific basis what joint testing is required in order to renew the certificate. It is also possible that joint testing is not needed before proceeding to the data security assessment. 

In order to proceed to the data security assessment, the implementation of the information system must be based on up-to-date specifications of the Kanta Services.

Ensure smooth joint testing

In order for the certification renewal process to proceed smoothly and without delay, register for joint testing no later than two months before the planned start.

The information system provider must ensure that the functionalities to be jointly tested have been comprehensively tested in its own system. The information system provider is also responsible for carefully filling out THL’s system form (THL Regulation 5/2021, Appendix 4). 

To ensure smooth joint testing, it is also important that the test case tables for the Kanta joint testing are filled out carefully.

Data security assessment

The information security inspection body carries out a data security assessment and issues a data security certificate for a maximum period of three years. 
Once the data security assessment has been completed, send the notification of registration and its attachments to Valvira. More detailed guidelines are provided by Valvira.

Supporting material

• THL Regulation 4/2021 (in Finnish, thl.fi)
• Sign up for joint testing 
• Notifications to Valvira submitted by information system and intermediary services providers (valvira.fi)