The certification process for systems connecting to the Kanta Services includes:
- joint testing carried out with Kela's Kanta Services
- an information security assessment with an information security inspection body accredited by Traficom.
More information on the certification process can be found on the THL website: Regulations and certification - System provider (Thl.fi, in Finnish).
Compliance with key requirements
The supplier of a social welfare and healthcare information system or wellbeing app must describe the intended purpose of the system and the fulfilment of the key requirements concerning the system when submitting the registration notification to the Finnish Supervisory Agency or when applying for certification. The registration notification is submitted by using a system form based on harmonised classification. The minimum requirements for systems created for different intended purposes have been specified through national profiles.
The specifications of the key requirements, the profiles and forms can be found on THL’s Regulations page (Thl.fi, in Finnish). The regulation on the key requirements contains the key functionalities, data contents and data security requirements for information systems intended for the processing of client and patient data or wellbeing data.
More specific information on the certification process can be found on THL’s website Regulations and certification - System provider (Thl.fi, in Finnish).
Joint testing for certification
Joint testing is required for an information system certified to classes A2 and A3 and for a wellbeing app in class A. The content and scope of the joint testing may vary considerably between systems.
Read in more detail about the joint testing process and its phases.
It is a good idea to start preparing the certification of a new system by familiarising yourself with THL’s regulations and guidelines (Thl.fi, in Finnish). They determine the class of the information system and the system profile / information system profiles.
Familiarise yourself with the requirement specifications, data contents and technical guidelines for information system providers published and maintained by the Kanta Services.
Test carefully
It is important to test the information system’s functionalities comprehensively in the design and development phase to ensure that the actual joint testing of Kanta interoperability can be carried out with a system that is as complete and functional as possible.
The functionalities of the information system must also be tested independently against the Kanta client test environment before joint testing. The Kanta Services provide a free browser-based validation service for HL7 CDA R2 documents for checking the data structures of documents that will be stored in Kanta.
The service certificates required for using the client test service are ordered from the Digital and Population Data Services Agency.
Join the client test environment
You will join the client test environment from the test environment. Familiarise yourself with the client test environment and the applications for joining.
Joining the client test service
Read more about the publication schedule
In the publication schedule of the Kanta Services, you will find the functionality development schedules required by legislation as well as the deployment deadlines set for social welfare and healthcare service providers. The publication schedule is updated 3-4 times a year.
Prepare for joint testing
- Before registering for joint testing, make sure the functionalities have been carefully tested in your own system
- Fill in THL’s system form (THL regulation 5/2024, Appendix 4, Thl.fi, in Finnish) carefully.
- Register for joint testing no later than 2 months before the planned beginning of testing
Read more about the joint testing process and more detailed instructions for joint testing.
Information security assessment and register notification to the Finnish Supervisory Agency
When the joint testing has been successfully completed, agree on an information security assessment with an inspection body accredited by Traficom. The information security inspection body issues an information security certificate for a maximum of three years.
When the information security assessment has been completed, send a registration notification and its appendices to the Finnish Supervisory Agency. More detailed instructions are provided by the Finnish Supervisory Agency.
- Social welfare and healthcare information systems (Lvv.fi, in Finnish)
- Registration of a social welfare and healthcare information system (Lvv.fi, in Finnish)
When the compliance of the information system is renewed, the information system must be updated to correspond to the valid Kanta specifications.
Separate periods of validity, “valid for certification” and “valid for production use”, are indicated in the Kanta Services for all common and service-specific specifications of the Kanta Services. The information system provider must ensure that the “valid for certification” date of the specifications is not exceeded.
Specifications of Kanta services
The producer of the information system service must provide Kela with up-to-date information on which requirements related to the Kanta Services have been implemented and which specification version has been used in the implementation.
Contact us in good time and find out about the need for joint testing
To ensure that the information system meets the requirements for compliance, it must undergo joint testing as required in legislation and by Kela.
The information system provider must contact Kela and the information security inspection body 6 months before compliance expires (THL regulation 4/2024, Thl.fi, in Finnish).
Kela is contacted by using the registration form of the Testain service for Kanta joint testing (Renewal of certification - assessment of the need for joint testing + the Kanta Service concerned). Based on this, the joint testing expert will assess whether joint testing is required because of the change.
Kela assesses on a system-specific basis what joint testing is required to renew compliance. It is also possible that joint testing is not needed.
It is possible to proceed to the assessment of information security even if the system is undergoing joint testing. However, in connection with the registration notification, the Finnish Supervisory Agency verifies that the joint testing required by legislation and based on up-to-date specifications of the Kanta Services has been carried out in the information system.
Ensure smooth running of joint testing
To ensure that the joint testing required for renewing compliance can be completed well in time, register for joint testing when your information system is as complete as possible, no later than 2 months before the planned beginning of testing.
Before starting joint testing, the information system provider must ensure that the functionalities to be jointly tested have been comprehensively tested in the provider’s own system.
The information system provider is also responsible for carefully filling in THL’s system form (THL regulation 5/2024, Appendix 4, Thl.fi, in Finnish). Always use the latest version of the system form published by THL.
Notify Kela of significant deviations
Significant deviations in class A2 or A3 systems or wellbeing apps must also be notified to Kela (THL regulation 5/2024, Thl.fi, in Finnish).
Send the notification to Kela to the following address: kanta@kanta.fi. Also explain if, for example, a deadline has been set for a specific joint testing so that it can be prioritised in the review of joint testing.
Further enquiries
- Questions related to joint testing: yhteistestaus@kanta.fi
- Guidance in certification matters: sotetiedonhallinta@thl.fi