TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal
by another Communiqué (the “New CMB Communiqué”) that will take effect on 30 June 2025. The new Communiqué will cover crypto-asset service providers as well.

3.2 ICT Service Provider Contractual Requirements

There is no legal definition for ICT service providers or cloud service providers. However, several sectoral regulations indicate different service providers for ICT services. Since they are regulated sectorally, there is no general classification of critical ICT services either.

The By-Law ISBEBS, the Communiqué on Payment Services, and the CMB Communiqué (collectively, the “Financial NIS”)

The Financial NIS regulates the outsourcing of ICT services by the institutions it covers. Thus, it includes provisions concerning the financial sector institutions’ outsourced information systems services.

The Financial NIS aims to guarantee that financial sector institutions retain control over even their outsourced information systems and remain accountable to the relevant parties (eg, their customers). For the scope of Financial NIS, see 3.1 Scope of Financial Sector Operation Resilience Regulation.

The By-Law ISBEBS defines “outsourcing” as support services that banks acquire from external sources, which may potentially affect the confidentiality, integrity, and availability of banking data, continuity of banking services, and services involving access to or sharing of banking data.

Banks must also follow the conditions set under the By-Law on Support Services for Banks, which covers the banks’ outsourcing of any type of support services.

Outsourcing contracts must include certain clauses, including:

• the scope of the contract and the responsibilities of the parties;
• the liability of the external outsourcing provider with regard to information security;
• the liability of the sub-contractors of the outsourcing provider, which must be equivalent to that of the outsourcing provider; and
• terms for changes and termination.

Classification of ICT Services

The Financial NIS does not define any ICT services as “critical”.

The By-Law ISBEBS and the Communiqué on Payment Services mention additional requirements for “critical information systems” without providing any definition. However, the By-Law on Remote Identity Verification Methods to be Used by Banks and the Establishment of Contractual Relationships in Electronic Environment classifies the systems used in the context of remote identity verification as critical information systems in terms of the By-Law ISBEBS.

The New CMB Communiqué (taking effect on 30 June 2025) does not define “critical information systems” either. However, it defines “criticality” as “the quality of the information asset that indicates its importance or necessity in achieving the business objectives of the institution, organisation or company”. It also sets additional requirements for critical information systems, such as establishing mechanisms to instantly monitor unauthorised access attempts.