TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal
The Council of Ministers Decision on Carrying Out, Managing and Co-ordinating National Cybersecurity Activities, dated 11 June 2012 (the “Council of Ministers Decision on Cybersecurity” ) This decision is one of the landmarks of Türki - ye’s cybersecurity legislation. It defines national cybersecurity as: “security of all services, trans- actions, and data provided via information and communications technologies as well as sys- tems used for the provision thereof” . The Cybersecurity Act transfers the MTI’s cyber - security-related duties and powers to the Direc - torate; however, it does not explicitly annul this decision. The Presidential Decree No 177 on the Cybersecurity Directorate On 8 January 2025, the Presidential Decree No 177 on the Cybersecurity Directorate established the Directorate as a public legal entity affiliated with the Presidency with financial autonomy. The decree grants the Directorate general regulatory power on cybersecurity matters. Refer to 1.3 Cybersecurity Regulators for further explana - tions on the duties of the Directorate. The Communiqué on Procedures and Principles of the Establishment, Duties and Activities of Cyber-Incidents Response Teams (CERTs) (the “Communiqué on CERTs” ) The purpose and scope of this communiqué are to ensure CERTs carry out their services effec - tively and efficiently by determining the pro - cedures and principles of their establishment, duties and work.
The Guideline for Establishment and Management of Institutional CERTs (the “Institutional CERT Guideline” ) and the Guideline for Establishment and Management of Sectoral CERTs (the “Sectoral CERT Guideline” ) These guidelines, published by the National Cyber Incidents Response Centre (TR-CERT), provide guidance on: • establishing and managing institutional CERTs and sectoral CERTs in relevant organi - sations; • their relationship with each other and the TR- CERT; • capacity planning; • qualifications of the personnel (education level and experience); • mandatory training; and • the steps that personnel must take before, during and after a cybersecurity incident. They also include the principles for communi - cation with internal/external stakeholders and establishing institutional and sectoral CERTs. The Decree No 2019/12 on Information and Communication Security Measures issued by the Presidency of Türkiye (the “Presidency Decree” ) The Presidency Decree sets specific measures deemed appropriate to diminish and neutralise security risks – in particular, ensuring the secu - rity of critical data that may jeopardise national security or deteriorate public order when its confidentiality, integrity, or accessibility is com - promised. It provides an obligation to securely store critical data (eg, population, health and communication records, genetic and biometric data) within Türkiye.
298 CHAMBERS.COM
Powered by FlippingBook