TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal
Sector sets out three basic competency levels. The applicable competency level will be identified with sectoral criticality degrees determined by the EMRA. The obligated organisations must implement the competency model after the EMRA determines the respective criticality degrees and notifies them.

Banking and Finance Sector

Banks and other financial institutions under the authority of the BRSA must take the measures outlined in the By-Law on Information Systems of Banks and Electronic Banking Services. Moreover, personal data specific to banking relationships are also considered customer secrets under the Banking Law. For the specific requirements and restrictions thereto, see 3. Financial Sector Operational Resilience Regulation.

Health Sector

See 6.3 Cybersecurity in the Healthcare Sector.

Civil Aviation Sector

The Cybersecurity Directive for Civil Aviation Enterprises (the “Directive”) outlines the following measures to be taken by civil aviation enterprises against cyber threats:

• effective oversight of the use of information systems;
• regular cybersecurity risk and threat assessments for operational assets;
• implementation of policies, procedures, and process documents;
• mechanisms to detect, prevent, and respond to potential cybersecurity breaches;
• testing, auditing, and monitoring cybersecurity controls and structures, and reporting the results; and
• developing a continuity management process and continuity plan for IT systems to ensure critical cybersecurity processes remain operational.

2.3 Incident Response and Notification Obligations

General Notification Duties

One of the main obligations provided under the Presidency Decree for public institutions is adopting the necessary measures regarding cyber threat notifications. A “cybersecurity event” is defined in the Communiqué on CERTs as a “breach or attempted breach of confidentiality, integrity, or accessibility of industrial control or information systems or data processed thereby”.

If an organisation is required to establish a CERT, in principle, its CERT must report any cybersecurity event to the TR-CERT and the relevant sectoral CERT (if applicable). See 1.3 Cybersecurity Regulators for more details. Conversely, an organisation that is not required to establish a CERT is not under an obligation to report (although voluntary reporting is allowed).

In addition, when the Directorate becomes operational, institutions and persons using information systems will be required to notify the Directorate of any vulnerability or cyber incidents that they detect in their service area. Also, those who fail to fulfil their duties and responsibilities by not reporting cyber incidents and vulnerabilities to the Directorate will be subject to an administrative fine between TRY1 million and TRY10 million.

Personal Data Breach Notification to the DPA

Controllers must report to the DPA within 72 hours and notify the relevant data subjects within the shortest time possible if third parties unlawfully acquire personal data (regardless of