Cybersecurity 2025

TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal

2.2 Critical Infrastructure Cybersecurity Requirements

General

According to the Cybersecurity Act, one of the duties of the Directorate is to determine technical criteria for cybersecurity products and services to be used in public institutions and critical infrastructures. However, these criteria are not determined yet as the Directorate has not become fully operational.

The Presidency Decree provides the following security measures for critical infrastructure security of public institutions and organisations:

• conducting security clearances for personnel of critical importance; and
• requiring communication service providers to establish internet exchange points in Türkiye.

For comprehensive measures, the Presidency Decree refers to the ICS Guide, which provides the following for critical infrastructure security in public institutions and organisations and businesses providing critical infrastructure services:

• network and system security measures (eg, protection against malware, penetration tests, and cybersecurity management);
• application and data security measures (eg, secure software development, error handling and log management, and database and record management);
• portable device and media security measures (eg, securing smartphones and tablets, portable computers and portable media);
• IoT devices security measures (eg, internal data storage, authentication and authorisation, and API and connectivity security);
• personnel security measures (eg, training and awareness programmes, and suppliers’ relationship security); and

E-Communications

The By-Law on NIS in the E-Communications Sector is the main regulation for the e-communications sector, with the purpose to provide the procedures and principles of operators to ensure network and information security. It applies to the operators within the scope of the E-Communications Law.

Energy

The main regulation on cybersecurity in the energy sector is the By-Law on Cybersecurity Competency Model in the Energy Sector. It aims to improve cybersecurity and define the minimum acceptable level of security of industrial control systems used in the energy sector, and establish the procedures and principles related to the cyber-resilience, proficiency, and maturity thereof.

The By-Law covers industrial control systems owned by legal entities with the following licences: electricity transmission licence, electricity distribution licence, electricity generation facility licence, natural gas transmission licence for pipeline transmission, natural gas distribution licence, natural gas storage licence (LNG, underground), crude oil transmission licence, and refinery licence.

Banking and Finance

The By-Law on Information Systems of Banks and Electronic Banking Services aims to manage information systems used by banks in the performance of their operations and set forth the minimum procedures and principles to be applied in the offer of electronic banking services and management of risks related thereto. It covers the entities falling within the scope of the Banking Law (eg, deposit and participation banks, branches of foreign institutions within Türkiye, etc).
