TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal
therein, detecting attacks and cyber incidents, activating response and alert mechanisms, and restoring the situation to its state prior to the cyber incident”. The last part of this definition seems to include cyber resilience thereunder.

4.2 Key Obligations Under Legislation

The Cybersecurity Act delegates a specific duty to the Cybersecurity Directorate for “increasing the cyber resilience of critical infrastructures and information systems through vulnerability and penetration tests and risk analysis, cyber-threat intelligence, and malware inspection operations”.

Currently, the Institutional CERTs are subject to the following resilience-related obligations during and after a cyber incident:

• carrying out their activities to prevent cyber incidents or mitigate damages in co-ordination with their sectoral CERTs, if any;
• notifying the TR-CERT of the situation without delay;
• reporting cyber incidents to their institutions, notifying the TR-CERT and their sectoral CERTs without delay;
• primarily trying to eliminate a cyber incident with their own means and capabilities, and requesting assistance from the TR-CERT and their sectoral CERT, as applicable;
• reporting to the competent authorities and the TR-CERT without delay, if there is doubt that a crime has been committed during the intervention of a cyber incident;
• having 24/7-accessible contact information and notifying their sectoral CERTs and the TR-CERT thereof;
• identifying and keeping record of the vulnerability that led to the incident immediately;
• measuring and monitoring the types, quantities and costs of cyber incidents; and
• submitting to the management of the institution for corrective/preventive actions that can be taken in relation to the incident.

The Sectoral CERTs, on the other hand, have the following obligations:

• carrying out activities for preventing cyber incidents or mitigating their damages in co-ordination with the TR-CERT;
• notifying the TR-CERT of cyber incidents experienced by their CERTs without delay;
• having 24/7-accessible contact information and notifying their CERTs and the TR-CERT thereof;
• supporting their CERTs in cyber incidents; and
• reporting to the competent authorities and the TR-CERT without delay, if there is doubt that a crime has been committed during the intervention of a cyber incident.

5. Security Certification for ICT Products, Services and Processes

5.1 Key Cybersecurity Certification Legislation

Currently, there is no general legal framework for certification requirements of ICT products and services. However, there is sector-specific legislation with certification requirements.

The Cybersecurity Act provides certain certification requirements. According to the Cybersecurity Act, cybersecurity products, systems and services to be used in public institutions and organisations and critical infrastructures have to be procured from cybersecurity experts and companies who will be certified by the Cybersecurity Directorate. Procurement from uncertified experts or companies will be subject to an