On 15 December 2025, the Finnish Transport and Communications Agency (Traficom) issued a new regulation on the interoperability of communications networks and services: Order 28 L/2025. The order takes effect on 4 May 2026 and supersedes the previous regulation from November 2023.

While the regulation covers a broad range of telecom interoperability topics, a significant part of the update directly affects caller ID handling, SMS Sender IDs, and application-based messaging (SMS, MMS, RCS). For companies using business messaging in Finland or sending traffic into Finland, this is not a cosmetic update. It introduces stricter technical and operational requirements.

This is an overview of the changes and the actions required of operators and messaging providers.

What is Order 28 L/2025?

Order 28 L/2025 is Traficom’s binding regulation on how communications networks and services must interoperate in Finland. It is issued under the Act on Electronic Communications Services (917/2014) and is legally enforceable.

The order applies to:

  • public communications networks and services

  • telecom operators providing call and messaging services

  • application interfaces (APIs) used to send SMS, MMS, and RCS messages

Stronger controls on caller ID and sender identity

The core focus of the new order is the correctness, legitimacy and traceability of calling and sending identifiers.

Under the new rules, the originating telecom operator is responsible for ensuring that:

  • the calling party number (A-number)

  • the forwarding number (if applicable)

  • SMS, MMS and RCS sender identifiers

are correct, unambiguous, and legitimately used by the sender.

If a number or sender ID is not under the operator’s direct control, the operator must verify that the sender has a clear right to use it and that billing remains reliable.

New obligations for SMS, MMS and RCS messaging

The most impactful changes for business messaging appear in Chapter 4, Section 10, which explicitly covers:

  • SMS

  • MMS

  • RCS messages

Blocking of international spoofed messages

Operators must block inbound SMS, MMS and RCS messages from international interfaces if:

  • the sender appears as a Finnish phone number, or

  • the sender is an alphanumeric sender ID

If the sender is a short code, it must be replaced with "Unknown" or the message must be blocked.

Application interfaces (APIs): higher compliance requirements

For messages sent via application interfaces, operators must ensure that:

  • the sender of the message is known

  • the sender has the right to use the Finnish number they present

  • alphanumeric sender IDs are not misleading

  • alphanumeric sender IDs clearly relate to the sender’s actual business activity

Telecom operators may enforce these requirements contractually on API customers and partners, but responsibility remains with the operator.

If sender rights cannot be verified, the sender must be changed to "Unknown" or the message must be blocked.

Important enforcement milestone: 2 November 2026

The regulation introduces a clear future enforcement date.

From 2 November 2026, if sender rights cannot be verified, operators must:

  • block messages that use Finnish phone numbers as sender IDs

  • block messages that use alphanumeric sender IDs, or alternatively replace the sender ID with "Spam"

This date is particularly relevant for businesses relying on alphanumeric sender IDs or shared sending setups.


SMS Sender ID registration and enforcement

The order formalises enforcement around protected SMS Sender IDs:

  • SMS Sender IDs registered under Traficom’s numbering decisions are considered protected

  • three months after registration, operators must block messages using that Sender ID unless the sender is verifiably the legal entity that registered it

This strengthens Sender ID ownership protection and reduces brand impersonation.


Mandatory monitoring and reporting

Operators must produce monthly statistics covering, among other things:

  • inbound international calls using Finnish numbers

  • blocked calls due to incorrect or prohibited numbering

  • calls forwarded due to roaming

  • blocked or modified messages in application interfaces

  • authorised alphanumeric sender IDs

This significantly increases monitoring and audit expectations.

What this means in practice

Order 28 L/2025 increases the operational bar for business messaging in Finland:

  • caller ID and sender ID spoofing controls become stricter

  • international traffic is more aggressively filtered

  • API-based messaging must be fully traceable and authorised

  • enforcement is phased, with a hard messaging deadline in November 2026

For businesses using SMS, RCS or voice services, the key takeaway is simple: sender identity can no longer be treated as a configuration detail — it is now a regulated compliance requirement.

We will continue to monitor how Finnish operators implement these rules in practice and what this means for cross-border messaging use cases.

If you’re sending messages in Finland and want to understand how these changes affect you, get in touch with us or reach out to your account manager.