TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal
or the USA’s Cyber Incident Reporting for Critical Infrastructure Act. However, enacting regulations in line with the EU’s “NIS2 Directive” is a policy goal identified by the 12th Development Program.

The Cybersecurity Act delegates to the Directorate and the Cybersecurity Board the duty to determine critical infrastructures and the organisations and locations to which they belong. Currently, there is no precise scope for critical infrastructure cybersecurity regulation, and the relevant sectoral legislation must be consulted. The applicable legal texts are policy documents published by authorised institutions and sector-specific by-laws.

The DTO’s Information and Communication Security Guide (the “ICS Guide”)

The ICS Guide published by DTO defines “critical infrastructure” as “infrastructures that incorporate information technologies which may cause loss of life, economic harm of large-scale, national security gaps and public disorder when the confidentiality, integrity and availability of data/information therein are disrupted”.

The ICS Guide applies to public institutions, organisations and businesses providing critical infrastructure services. It sets out general security measures and those specific to the energy and e-communication sectors. The ICS Guide defines, among other things, the asset groups (eg, network and systems, apps, devices, physical places, and personnel), their criticality level, measures, the application process, and their respective compliance plan.

Guidance of the MTI

The MTI is tasked with identifying critical infrastructures along with the institutions they belong to and their locations. (However, this duty will be transferred to the Directorate when it is operational.) There are six critical infrastructure sectors:

• e-communications;
• energy;
• finance;
• transport;
• water management; and
• critical public services.
The Sectoral CERT Guideline published by the MTI defines critical public services as services provided by critical systems with which citizens frequently interact, and mentions the following:
• civil registration;
• land registration;
• taxation;
• commerce;
• social security;
• health (emergency services, medical services, blood and organ donation and public health);
• food;
• security (police, gendarmerie – a police force that is part of the armed forces in Türkiye that is affiliated to the Ministry of Interior and carries out duties related to safety, public order and security assigned to it by certain laws and regulations – and coast guard);
• roads and bridges;
• dams; and
• services provided via critical systems where salary and judicial transactions are performed and their records are kept.

The MTI also published: “Document for Minimum Security Measures for Critical Information System Infrastructure” and “Minimum Information Security Criteria for Public Institutions to Comply”.