Cybersecurity 2024 - Part 2
Contents
- 2. Key Laws and Regulators at National and Subnational Levels
- 2.1 Key Laws
- 2.2 Regulators
- 2.3 Over-Arching Cybersecurity Agency
- 2.4 Data Protection Authorities or Privacy Regulators
- 2.5 Financial or Other Sectoral Regulators
- 2.6 Other Relevant Regulators and Agencies
- 3. Key Frameworks
- 3.1 De Jure or De Facto Standards
- 3.2 Consensus or Commonly Applied Framework
- 3.3 Legal Requirements and Specific Required Security Practices
- 3.4 Key Multinational Relationships
2. Key Laws and Regulators at National and Subnational Levels
2.1 Key Laws
Some important sector-specific pieces of legislation are as follows.
Electronic Communications Sector
The By-Law on Network and Information Security in the Electronic Communications Sector (the “By-Law NIS in the E-Communications Sector”)
The purpose of this By-Law is to regulate the procedures and principles to be followed by operators, and to ensure network and information security.
E-communications service providers must take the network and information security measures set forth in this By-Law, such as establishing an information security management system and a reporting and feedback mechanism so that information security breach incidents and security vulnerabilities are reported without delay.
Energy Sector
The By-Law on Cybersecurity Competency Model in the Energy Sector
Please see 1.7 Key Developments.
The By-Law on Management Systems in Nuclear, Radiation and Radioactive Waste Facilities
The purpose of this By-Law is to establish a management system that prioritises the security of the organisation and its facilities. The security policy (which includes personnel training, adopting security measures, organisational and systematic structure) is determined and monitored by the top management. The management systems in these organisations are subject to internal and external audits.
Banking and Finance Sector
The By-Law on Information Systems of Banks and Electronic Banking Services (the “ISBEBS By-Law”)
The purpose of this By-Law is to regulate the minimum procedures and principles to be taken as a basis in the management of the information systems used by banks in:
— the performance of their activities;
— the provision of electronic banking services and the management of the risks related thereto; and
— the necessary information systems controls that must be established.
The Communiqué on Management and Auditing of Information Systems of Financial Lease, Factoring and Finance Companies
The purpose of this Communiqué is to regulate the procedures and principles regarding the management of information systems used by financial leasing, factoring and financing companies in the performance of their activities within the scope of the Financial Lease, Factoring and Finance Companies Law and independent auditing thereof.
The Communiqué on Data Sharing in Payment Services
The purpose of this Communiqué is to regulate the procedures and principles regarding the management and auditing of the information systems used by payment and electronic money institutions and the data-sharing services of payment service providers. The Communiqué includes detailed provisions on data security measures to be adopted by payment and electronic money institutions and on security vulnerabilities and breaches.
It obliges institutions to ensure the security of information systems and to hold the board of directors (BoD) accountable for the management thereof. Additional measures are required for information systems containing sensitive customer data. The Communiqué requires organisations to notify the customers and the DP Authority when such sensitive customer information is leaked.
E-governance
The By-Law on Procedures and Principles Regarding Carrying out e-State Services
According to this By-Law, while carrying out e-governance services, each public institution and organisation must:
— adopt cybersecurity measures for their own information systems;
— keep access records; and
— ensure the accuracy, integrity and confidentiality of this information.
The By-Law on Internet Domain Names
The domain registrars providing services for the Turkish top-level domain-name system are subject to the Internet Domain Names Regulation published by ICTA. As per this Regulation, the registrars are required to ensure the cybersecurity of their operations and notify ICTA of any security breach accordingly.
2.2 Regulators
Please see 1.2 Regulators and 2.4 Data Protection Authorities or Privacy Regulators.
2.3 Over-Arching Cybersecurity Agency
Currently, there is no overarching cybersecurity agency in Türkiye. ICTA, as explained previously, has general cybersecurity powers besides its role as the regulatory body of the telecommunications sector.
The DTO also performs a wide range of tasks in relation to digital transformation, which includes cybersecurity-related matters.
2.4 Data Protection Authorities or Privacy Regulators
The primary supervisory and regulatory authority in Türkiye is the DP Authority.
The decision-making body of the DP Authority is the DP Board. The main duties and powers of the DP Board are as follows:
— conducting investigations upon the complaints of the data subjects or ex officio if it becomes aware of the alleged violation, and taking temporary measures, where necessary;
— concluding the complaints of those who claim that their rights concerning personal data protection have been violated;
— maintaining the Data Controllers’ Registry (VERBIS);
— imposing administrative sanctions that are provided in the DP Law;
— determining and announcing those countries with adequate levels of protection of personal data for the purpose of international data transfers; and
— approving the written undertaking of controllers in Türkiye and the relevant foreign country that undertakes to provide adequate protection, when adequate protection is not provided, for the purpose of international data transfers.
2.5 Financial or Other Sectoral Regulators
The BRSA, CMB and TRCB are entitled to regulate cybersecurity-related issues in their respective sectors.
Please see 1.2 Regulators, 4.3 Critical Infrastructure, Networks, Systems and Software and 5.8 Reporting Triggers for security and reporting requirements under certain financial and other sectoral legislation.
2.6 Other Relevant Regulators and Agencies
Please see 1.2 Regulators.
3. Key Frameworks
3.1 De Jure or De Facto Standards
ISO/IEC 27001 is an international standard for the management of information security. It has been translated into Turkish by the Turkish Standards Institute (TSI) and adopted as TS EN ISO/IEC 27001 under the title “Information Technology – Security Techniques – Information Security Management Systems – Requirements”.
ISO/IEC 27001 is a frequently used international standard in Türkiye which indicates an institution’s qualifications with regard to establishing and maintaining cybersecurity measures.
Obtaining an ISO/IEC 27001 certificate is a de jure standard in several sectors, especially in the e-communications sector and energy sector, and for e-invoice service providers. However, many organisations have chosen to voluntarily comply with the ISO 27001 standard as a good practice to improve cybersecurity.
Another standard that draws attention to information security in Türkiye, especially in the banking sector, is Control Objectives for Information and Related Technologies (COBIT). All banks are required to meet COBIT standards under the BRSA’s communiqués and by-laws, which have been published since 2006 and have made COBIT-based auditing mandatory for all banks.
COBIT process management is used not only in banks but also in the finance and production sectors.
In the banking sector, the Payment Card Industry Data Security Standard (PCI DSS) is another set of standards created to ensure the security of credit card transactions.
The Center for Internet Security Critical Security Controls (CIS CSC) is another global standard focused on reducing cybersecurity risk and protecting organisations against cyberattacks; it is increasingly implemented by public institutions and large-scale private sector companies in Türkiye.
According to the CMB’s Communiqué on Independence Audit of Information Systems, auditors who audit public companies must have a CISA certificate.
ICTA’s National Occupational Standards for Cybersecurity Personnel, published in the Official Gazette in 2020, defines the scope of the job and minimum requirements for the working conditions thereof.
Also, the DP Authority has published guidelines on personal data security, which provide helpful advice on security compliance with the DP Law.
3.2 Consensus or Commonly Applied Framework
Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements and Specific Required Security Practices.
3.3 Legal Requirements and Specific Required Security Practices
Cybersecurity
On 27 October 2021, the DTO published the Information and Communication Security Audit Guideline, which sets forth the steps to be taken to comply with the ICS Guideline (published on 27 July 2020), which mainly adopts ISO 27001-like certification criteria.
The ICS Guideline elaborates on cybersecurity measures that must be taken by public organisations, as well as by companies that provide critical infrastructure services.
The issues regulated by the Guideline are as follows:
— security measures for the groups of assets (network and system security, application and data security, portable devices and platform security, security of IoT devices, personnel security, security of physical environments);
— security measures towards areas of application and technology (personal data security, instant messaging security, cloud computing security, security of crypto applications, security of critical infrastructures, new development and supply); and
— hardening measures for operating systems, databases and servers.
Data Protection
The DP Authority issued the Guideline on Personal Data Protection (Technical and Organisational Measures) (the “Measures Guideline”) in 2018.
Technical measures that were laid out in the Measures Guideline are as follows:
— authorisation matrix;
— authorisation control;
— access logs;
— user account management;
— network security;
— application security;
— encryption;
— penetration testing;
— attack detection and prevention systems;
— log records;
— data masking;
— data loss prevention software;
— backups;
— firewalls;
— up-to-date antivirus systems;
— deleting, destroying or anonymising personal data; and
— key management.
Organisational measures laid out in the Measures Guideline are as follows:
— preparing a personal data-processing inventory;
— establishing institutional policies (access, information security, usage, retention and destruction, etc);
— data processing and confidentiality agreements (between controllers and between controllers and processors);
— privacy undertakings by employees;
— periodic and/or random inspections within the institution;
— risk analyses;
— adding legislation-compliant provisions to employment contracts and disciplinary regulations;
— institutional communication (crisis management, informing the DP Board and data subjects, reputation management, etc);
— training and awareness-raising activities regarding information security and legislation; and
— registering with VERBIS.
If personal data is kept in the cloud, the following measures are recommended:
— encryption of data with cryptographic methods;
— encrypted transfer of data to cloud environments;
— where possible, using encryption keys specifically for each cloud solution service; and
— deleting/destroying all copies of encryption keys when the cloud computing service expires or is terminated.
Moreover, the DP Board has introduced stricter requirements for the processing of special categories of personal data.
3.4 Key Multinational Relationships
Please see 1.4 Multilateral and Subnational Issues.
* Originally published by Chambers & Partners on 14 March 2024.