REGISTER LOGIN

Update from the TCMB: Guidance 1.2 for Service Providers Offering Community Cloud Services

25.09.2023
Gökçe

Contents

As known, the Central Bank of the Republic of Turkey (TCMB) published the first version of the Guidelines on External Service Providers Providing Community Cloud Services to Payment and Electronic Money Institutions in July 2022. Following this, amendments were made to the Guidelines on 24 April 2023 (Guideline 1.1) and changes were made to the eligibility requirements and oversight of external service providers.

You can reach the article on the amendments to Guideline 1.1 here.

As a recent development, TCMB updated Guideline 1.1 and published the new version on 4 September 2023 (Guideline 1.2).

We compiled the changes within the scope of Guideline 1.2 below:

  • The number of competent personnel required to be employed by an outsourced service provider wishing to offer community cloud services was increased.

The number of personnel to be employed in the operation/monitoring team, infrastructure team and information security teams who have at least 7 years of experience in similar fields was increased from 1 person in Guideline 1.1 to 2 people in Guideline 1.2.

  • Additional requirement introduced for external service providers that do not have their own data center ownership.

In case the external service provider that wants to offer community cloud service does not have its own data center ownership, it should only obtain hardware hosting or dedicated hardware services from external service providers that meet the data center standards in Guideline 1.2 for primary and secondary centers.

In Guideline 1.1, if the outsourced service provider did not have a TSE TS EN 50600 data center operation certificate with an Availability Class, Protection Class and Energy Detail Level of at least 3 for the secondary center, it was required to have met the requirements to meet these certifications.

As per Guideline 1.2, if the external service provider does not have a TSE TS EN 50600 data center operation certificate with an Availability Class, Protection Class and Energy Detail Level of at least 3 for the secondary center, it is sufficient to have a Tier 3 or Tier 4 data center infrastructure certificate. However, in the absence of both certificates, a TSE TS EN 50600 data center operation certificate with an Availability Class, Protection Class and Energy Detail Level of at least 3 must be obtained.

  • The requirement for community cloud service certificates to be obtained from a certification body that is a member of the International Accreditation Forum (IAF) was changed to a certification body accredited by the Turkish Accreditation Agency (TURKAK).

According to Guideline 1.2, the following certificates must be obtained from a certification body accredited by TURKAK:

  • TS ISO/IEC 27001 Information Security Management System certificate
  • TS EN ISO 22301 Business Continuity Management certificate
  • TS ISO/IEC 20000-1 Information Technology Service Management System certificate
  • TS ISO/IEC 27017 Information Security Management System for Cloud Services certificate
  • TS ISO/IEC 27701 Personal Data Management System certificate

  • A communication channel for the eligibility application process was established.

In Guideline 1.2, it is regulated that external service providers can contact [email protected] e-mail address in case they require information about the process.

Under the heading "Implementation of the Guidelines" in Guideline 1.2, it is stated that external service providers may be granted eligibility provided that they have a Tier certificate for the primary center, but that these external service providers are obliged to comply with Guideline 1.2 until 31 December 2024.

In addition, outsourced service providers that have already been granted eligibility by TCMB to offer community cloud services, as well as firms that have not yet applied, must comply with Guideline 1.2 until 31 December 2024.

You can reach the full text of Guideline 1.2 published by the TCMB here (only available in Turkish).

This website is available “as is.” Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

Popular Articles on Technology & Telecoms

Dijital Varlıklara İlişkin Özel Hukuk Taslak İlkeleri Kamuoyu Görüşüne Açıldı
Digital Transformation Office Announces the Commissioning of BIGDES
Dijital Dönüşüm Ofisi BİGDES’in Devreye Alındığı Duyurdu
Tasarımda Gizlilik ISO Standardı Olarak Kabul Edildi
NIS2 Direktifi: AB’de Yeni Siber Güvenlik Kuralları

Latest Insights from Gökçe

AB’den Devrim Niteliğinde Düzenleme: Yapay Zekâ Yasası Onaylandı
Revolutionary Regulation from EU: AI Act is Approved
Dijital Hizmetler Yasası Tamamen Yürürlükte
Digital Services Act is Now in Full Effect
Yapay Zeka Yasası Kabul Edildi
Ready to stay ahead of the curve?
Share your interest anonymously and let us guide you through the informative articles on the hottest legal topics.
|
Successful Your message has been sent