TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal
abroad under some conditions (eg, the Agreement Between the Government of the Republic of Türkiye and the Government of the United States of America to Improve International Tax Compliance requires Turkish financial institutions to report US citizens' and residents' data for tax compliance purposes). In these cases, the treaties will have precedence over the local laws according to Article 90(3) of the Constitution. If the transferred data is personal data, the reservation under the DP Law may also be applicable.

3.6 Threat-Led Penetration Testing

The Financial NIS imposes penetration testing obligations for their respective financial sector institutions as detailed below.

The By-Law ISBEBS

Banks must have penetration tests performed at least once a year by independent teams that are not involved in the design, development, implementation or execution of the services provided through information systems.

The Institutional CERTs of banks are also required to conduct routine penetration tests on IT assets, routinely monitor trace records and check for correlations that may lead to meaningful results.

The Communiqué on Payment Services

The Communiqué provides the following penetration testing requirements for payment and electronic money institutions.

• They must have regular penetration tests performed at least once a year for scenarios covering possible internal and external threats. The procedure to be followed for penetration testing is provided under Annex 5 therein.
• They must submit a report to TRCB at least annually, detailing security breaches, penetration test results, and critical vulnerabilities identified, measures taken to eliminate them and the results thereof.

The CMB Communiqué

The information systems of the related institutions and organisations must have penetration tests performed at least once a year. The procedure to be followed for penetration testing is provided under Annex 1 therein.

4. Cyber-Resilience

4.1 Cyber-Resilience Legislation

There is no general legislative instrument on cyber resilience in Türkiye. Currently, the main regulations on managing cyber incidents are the Communiqué on the Procedures and Principles Regarding the Establishment, Duties and Activities of CERTs and MTI's guidelines on establishing institutional and sectoral CERTs. For further information on CERTs, see 1.3 Cybersecurity Regulators.

However, the Presidency Program for 2025 includes a plan to enact legislative regulations in line with the EU's Cyber Resilience Act (CRA). A cyber resilience regulation can be expected in the following years, since cyber resilience is listed as one of the six main objectives of the NCS 2024. In this regard, the "establishing principles to mitigate the possible impacts of cyber incidents" objective of the Cybersecurity Act points to cyber resilience.

According to the Cybersecurity Act, cybersecurity "encompasses a set of activities aimed at protecting from attacks the information systems that constitute cyberspace, ensuring the confidentiality, integrity, and availability of data processed
312 CHAMBERS.COM