Security and privacy

Security and privacy are the cornerstones of our product proposition. We work to ensure that we have a common security baseline enforced for all our products and services. We emphasize sustainable design and underscore the importance of end-to-end product security testing.  Security and privacy are part of everything that we do. From design through to delivery, we aim to ensure that customer networks are seamlessly secure. 

Our commitment to privacy spans every facet of our decision making and product design 

Our ‘Three lines of defense’ risk model consists of business groups and corporate functions forming the first line of defense, central privacy experts as the second line, and an independent audit team as the third.

 

The ASTAR 5G end-to-end testing lab has a singular focus on cybersecurity

 

Security

Nokia has well-established cybersecurity processes built into its overall security risk management framework. This integration is achieved through the implementation of a robust Security Program built on various processes, such as cybersecurity risk management, third-party security risk management, security incident management and disaster recovery.

In 2023, Nokia conducted a security training program that included annual mandatory training, quarterly awareness campaigns, monthly phishing simulations, and expanded initiatives to safeguard key data such as our Zero-Trust and Critical Information Protection Program and our dedicated Application Security Program. In 2023, the mandatory training completion rate was 98%.

We have developed and maintain an actionable Cyber Resilience service, built on an assessment of the cyber risks Nokia is most likely to experience. This includes investments in our Cyber Defense Center and our Computer Emergency Response team, as well as the execution of regular incident simulations and tabletop exercises to ensure resilience in case of a cyber event.  

We have also strengthened our third-party security process through improved supplier selection procedures, ensuring that security governance and compliance are embedded in our supplier selection processes and contracts. 

Product and services security

At Nokia, we recognize the paramount importance of product and services security in the rapidly evolving landscape of telecommunications and technology. The number and frequency of DDoS attacks have grown from one or two a day to well over 100 per day in many networks, based on traffic monitored by Nokia from June 2023 to June 2024. In an era marked by digital transformation and interconnected ecosystems, the security of our offerings is crucial to our operations. We understand that our customers rely on Nokia for solutions that not only elevate performance but also guarantee the integrity and confidentiality of their critical data. 

We continue to invest in security research and are dedicated to achieving a common security baseline enforced for all products and services. To accelerate our security ambitions, we are reinforcing the Nokia Design for Security framework, driving end-to-end product security testing initiatives like our Advanced Security Testing and Research (ASTaR) lab, and leveraging our own security innovations.  

Secure products are our priority, supported by initiatives such as our Product Security Transformation Program, the pursuit of certifications for essential 5G products, and the evolution of our product security platforms. We have set up Service Security as a separate domain to cover the full-service lifecycle with a properly defined Service Security framework, and we remain focused on the continuous certification of services teams in the ISO 27001 standard. We also have a program dedicated to enhancing the security of Nokia service companies and joint ventures. 

Third-Party Security

Nokia’s security ambition is also reflected in its supplier selection processes, contracts and supplier (re)assessments, ensuring that effective security is in place in our supply chain and with our third parties.

Security & privacy examples

Product life cycle

Security and privacy are an intrinsic part of the product life cycle and fully integrated into our design process. They are present and evident at every level and every stage. We have developed a Nokia Design for Security process that enables product security features and controls to identify, mitigate and manage security vulnerabilities.

End-to-end optimization

Making 5G networks secure demands end-to-end optimization of security operations from devices to radio sites and network core.

This is why 5G radio security cannot be an afterthought.

Data privacy

Privacy approach

We have rolled out a comprehensive Privacy Framework across Nokia, and to improve awareness and understanding of privacy requirements throughout the company, we have rolled out mandatory privacy training for all employees. In 2023, the mandatory training completion rate was 98%. 

Given the rapidly changing privacy regulatory landscape, we apply a comprehensive company-wide privacy program to ensure accountability for privacy at all levels of Nokia. We use a ‘Three lines of defense’ risk model with business groups and corporate functions forming the first line of defense. A multi-skilled central team of privacy experts forms the second line, and an independent audit team forms the third line to provide assurance, with oversight by the Audit Committee.

We have established the practice of having a privacy steering committee with relevant senior executives representing business groups and central functions, who all have privacy responsibilities and accountability as part of their role for the organization they represent. Privacy updates are also regularly provided to Nokia’s Board of Directors and to the Audit Committee.  

The Privacy Program builds privacy into our processes, products, and services. We have established core principles based on relevant laws and best practices to enable us to exercise the highest standards of integrity in dealing with and protecting personal data. We assess new privacy laws to ensure that we implement the requirements into our program and related processes. We have matured our central solution for documentation and reporting to catalogue how we use data and conduct privacy assessments that aim to mitigate privacy risk. 

We are transparent about how we use personal data and how individuals can contact us with questions about their data that we hold in our systems or to share any concerns. We observe the concept of data minimization, meaning we endeavor only to collect personal data that is necessary for the purposes for which it is collected and to retain such data for no longer than is necessary.  

We implement appropriate controls to ensure that only persons with a clear and justifiable need to know can access personal data. We also have formal processes and procedures in place to manage and mitigate any risk related to data subjects in the event of a personal data breach. These processes also include mechanisms to communicate in a timely fashion with supervisory authorities, should that be required. 

In 2023 we initiated a review dedicated to ensuring that privacy by design is built into our products and services.  We also launched a new central privacy hub on Nokia.com to ensure we are transparent and share our privacy principles and privacy notices. We updated our process for receiving data subject access requests. 

A continuous program of privacy awareness, training, and enablement ensures we effectively address areas of the highest privacy impact. This includes targeted role-based training, and a network of certified privacy professionals that regularly provide coaching on privacy topics.  

In 2023, there were no substantiated complaints regarding breaches of customer data. For the latest information on our security and privacy visit our website.

Standards and Principles

Contributing and driving security standards

We take an active role in security standards bodies such as GSMA SECAG, which defined NESAS (security assurance scheme for networks), the GSMA Fraud and Security group, 3GPP SA3 (defining security standards for 5G), ETSI and others. The development and maintenance of our products and services are sustained by a company-wide Information Security Framework to reduce business risks by protecting and managing information in a consistent way, protecting Nokia’s customer data, and enabling transparency and accountability with respect to the handling of all information:

  • Our security controls and processes follow the ISO/IEC 27001 standard and NIST Cybersecurity Framework to ensure we identify and detect security threats and risks to our systems 
  • A critical information protection program protects Nokia’s and its customers’ information 
  • Our security awareness program drives cultural knowledge of security best practices and avoids potential threats to Nokia’s information 
  • A Third-party Security Risk Management process for Nokia suppliers ensures supply chain security and complies with legal and regulatory requirements 
  • Continuous internal and external auditing and external and internal simulated attack activities validate the security implementation
  • ISO/IEC 27001 certifications for selected sites assure security compliance is attained. The scope of the certification is continuously expanded

For further information on the Nokia approach to Security and Privacy you can also visit the dedicated Nokia web page.