Update from the TCMB: Guidance 1.2 for Service Providers Offering Community Cloud Services
Contents
- The number of competent personnel required to be employed by an outsourced service provider wishing to offer community cloud services was increased.
- An additional requirement was introduced for external service providers that do not own their own data center.
- Amendments were made to the certification requirements for data center standards related to the secondary data center.
- The requirement for community cloud service certificates to be obtained from a certification body that is a member of the International Accreditation Forum (IAF) was changed to a certification body accredited by the Turkish Accreditation Agency (TURKAK).
- A communication channel for the eligibility application process was established.
As is known, the Central Bank of the Republic of Turkey (TCMB) published the first version of the Guidelines on External Service Providers Providing Community Cloud Services to Payment and Electronic Money Institutions in July 2022. Following this, amendments were made to the Guidelines on 24 April 2023 (Guideline 1.1) and changes were made to the eligibility requirements and oversight of external service providers.
You can reach the article on the amendments to Guideline 1.1 here.
As a recent development, TCMB updated Guideline 1.1 and published the new version on 4 September 2023 (Guideline 1.2).
We compiled the changes within the scope of Guideline 1.2 below:
The number of competent personnel required to be employed by an outsourced service provider wishing to offer community cloud services was increased.
The number of personnel to be employed in the operation/monitoring team, infrastructure team and information security teams who have at least 7 years of experience in similar fields was increased from 1 person in Guideline 1.1 to 2 people in Guideline 1.2.
An additional requirement was introduced for external service providers that do not own their own data center.
If an external service provider that wants to offer community cloud services does not own its own data center, it should obtain hardware hosting or dedicated hardware services only from external service providers that meet the data center standards in Guideline 1.2 for primary and secondary centers.
Amendments were made to the certification requirements for data center standards related to the secondary data center.
In Guideline 1.1, if the outsourced service provider did not have a TSE TS EN 50600 data center operation certificate with an Availability Class, Protection Class and Energy Detail Level of at least 3 for the secondary center, it was required to have met the requirements for these certifications.
As per Guideline 1.2, if the external service provider does not have a TSE TS EN 50600 data center operation certificate with an Availability Class, Protection Class and Energy Detail Level of at least 3 for the secondary center, it is sufficient to have a Tier 3 or Tier 4 data center infrastructure certificate. However, in the absence of both certificates, a TSE TS EN 50600 data center operation certificate with an Availability Class, Protection Class and Energy Detail Level of at least 3 must be obtained.
The requirement for community cloud service certificates to be obtained from a certification body that is a member of the International Accreditation Forum (IAF) was changed to a certification body accredited by the Turkish Accreditation Agency (TURKAK).
According to Guideline 1.2, the following certificates must be obtained from a certification body accredited by TURKAK:
- TS ISO/IEC 27001 Information Security Management System certificate
- TS EN ISO 22301 Business Continuity Management certificate
- TS ISO/IEC 20000-1 Information Technology Service Management System certificate
- TS ISO/IEC 27017 Information Security Management System for Cloud Services certificate
- TS ISO/IEC 27701 Personal Data Management System certificate
A communication channel for the eligibility application process was established.
Guideline 1.2 provides that external service providers can contact the [email protected] e-mail address if they require information about the process.
Under the heading "Implementation of the Guidelines" in Guideline 1.2, it is stated that external service providers may be granted eligibility provided that they have a Tier certificate for the primary center, but that these external service providers are obliged to comply with Guideline 1.2 until 31 December 2024.
In addition, outsourced service providers that have already been granted eligibility by TCMB to offer community cloud services, as well as firms that have not yet applied, must comply with Guideline 1.2 until 31 December 2024.
You can reach the full text of Guideline 1.2 published by the TCMB here (only available in Turkish).