Cybersecurity 2025

TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal

3.3 Key Operational Resilience Obligations

As outlined above, there is no overarching digital operational resilience regulation, and the applicable legal requirements are fragmented across several pieces of legislation. The Financial NIS imposes several obligations on the institutions within the respective regulators' remits to increase the resilience of financial sector institutions' information systems. The Financial NIS aims to establish the standards for strengthening these systems. It provides for measures to be taken for information security as well as for the management of cyber incidents.

Localisation Obligations

The following entities must keep their primary and secondary information systems in Türkiye:

• banks;
• payment institutions and electronic money institutions;
• insurance and private pension companies (except for services such as email, teleconference or videoconference);
• certain public companies, as well as certain capital markets institutions; and
• financial lease, factoring and finance companies.

For outsourced products or services, the Communiqué on Payment Services requires the use of local products, or that the manufacturers thereof have R&D centres and response centres in Türkiye.

Risk Management Obligations

Financial sector institutions are required to prepare a plan and policy for the detection, analysis and management of risks related to information systems. The regulations also require internal control mechanisms for the same (eg, senior staff approval).

Cyber Incident Management and Reporting Obligations

The measures to be taken in the event of a cyber incident include keeping a detailed record thereof, preventing the recurrence of a similar incident, establishing internal mechanisms for cyber incident management, and identifying the root causes of cyber incidents. Certain details of cyber incidents must be reported to internal senior staff as well as to the relevant institutions (eg, the BRSA, TRCB and Institutional CERTs). Additionally, since the financial sector is one of the critical infrastructure sectors, financial sector institutions must also follow the notification obligations mentioned in 2.3 Incident Response and Notification Obligations.

Other Obligations

For other crucial obligations see 3.2 ICT Service Provider Contractual Requirements, 3.5 International Data Transfers and 3.6 Threat-Led Penetration Testing.

3.4 Operational Resilience Enforcement

The enforcement of the operational resilience obligations outlined above is shared by the BRSA, TRCB and CMB.

The Banking Regulation and Supervision Agency (the BRSA)

The BRSA is authorised to examine all books, records and documents, and to conduct on-site audits and ex officio inspections concerning support service organisations. The By-Law ISBEBS also authorises the BRSA to carry out inspections concerning the ICT providers of banks and requires them to provide the
