Legal Alerts

New IT Regulations by CMB

Capital Markets
Financial Institutions

Recent Developments

The Capital Markets Board of Türkiye (the “CMB”) published the Communiqué on Principles and Procedures on Management of Information Systems numbered VII-128.10 (the “Information Systems Communiqué”) in the Official Gazette, dated March 13, 2025 and numbered 32840.

What’s New Under the Information Systems Communiqué?

Pursuant to the Information Systems Communiqué:

  • Various terms that were used in previous regulations without being fully defined are now defined. Accordingly, “information systems” are defined as the software, hardware and communication infrastructure in which information is processed, transmitted and stored, together with the human resources, activities and processes that interact with them.
  • The information security policy will be announced not only to personnel but also to other relevant parties and will be reviewed at least once a year.
  • Various criteria to be met by information security officers were determined. Accordingly, the information security officer must have sufficient technical knowledge and at least five years of experience in any of the fields of information systems’ internal control, information systems’ audits, information systems’ governance and controls, or information security. The information security officer must have no duties related to the fulfillment of the requirements for information systems management and will report to senior management.
  • The minimum content to be recorded in the inventory of information assets is determined. In addition, a service inventory will be created for the services provided for information systems, and a process inventory will be created for information systems processes. These inventories will include the minimum content specified in the Information Systems Communiqué.
  • The regulations on physical and environmental security are expanded with additional requirements, such as the conclusion of confidentiality agreements with third parties performing maintenance, 24/7 monitoring of data centers with motion-detection cameras, and the retention of those camera recordings for various periods of time.
  • Various additional security measures, such as multi-factor authentication, isolation of network segments, whitelisting and blacklisting practices, and rules to increase network security, will be taken into account for remote access.
  • Non-critical services to be outsourced in relation to information systems can be procured through standard form agreements, in cases where it is not possible to include the minimum content provided in the Information Systems Communiqué in the service agreements, by justifying the rationale in writing.
  • Entities subject to the Information Systems Communiqué will be able to use cloud services for all or part of their activities. Cloud service procurement, use and management will be considered outsourcing. Within the scope of the cloud service, the obligation to keep the primary and secondary systems in Türkiye will be complied with. Crypto asset trading platforms will be able to receive cloud services from abroad for the venues where customer orders are matched, provided that the cloud service provider has a representative office in Türkiye and all records created abroad are transferred to Türkiye by the end of the day.
  • An undertaking will be obtained from the distributor, supplier or manufacturer, stating that the outsourced software, hardware, operating system or device/systems containing one or more of these components do not contain gaps or vulnerabilities that are specifically designed and/or intentionally included to provide access by bypassing existing security measures.
  • Provisions that aim to reduce information security breaches and regulate in more detail the actions to be taken after a breach occurs, including provisions for the preparation of a response plan that includes the measures to be taken in case of an information security breach, will be complied with.
  • Checks will be put in place to ensure the secure operation of applications and the detailed provisions introduced to ensure application security will be complied with.
  • The location of secondary systems will be selected so that they are not exposed to the same natural and environmental disaster risks as the primary systems.
  • At least once a year, a backup recovery test of critical systems will be carried out, and information on the participants, date, details and results of the test will be recorded.
  • Internal audit activities for information systems will be carried out at least once a year by persons with an independent audit license for information systems.
  • As was the case in previous regulations, certain institutions within the scope of the Information Systems Communiqué were granted broad exemptions. Accordingly, brokerage firms with limited authorization, portfolio management companies subject to certain capital requirements, and public companies will not be required to have an internal audit of their information systems. In addition, in line with the CMB’s principle decision numbered i-SPK.62.1 (dated March 1, 2018 and numbered 9/327), public companies will be exempt from the obligation to maintain their primary and secondary systems in Türkiye.
  • Crypto asset service providers will also comply with the criteria set out in the document prepared by the Scientific and Technological Research Council of Türkiye regarding the information systems and technological infrastructure of crypto asset service providers.

Transition Period

The Information Systems Communiqué will enter into force on June 30, 2025. Accordingly, crypto asset service providers must comply with the provisions on the resilience of information systems, in particular the obligation to maintain primary and secondary systems in Türkiye, by the end of 2025, and with the provisions on the conduct of internal audits by persons holding an independent audit license for information systems by the end of 2026.

On the other hand, entities other than crypto asset service providers must comply with the provision on the conduct of internal audits by persons holding an independent audit license for information systems by the end of 2026, and with the other provisions of the Information Systems Communiqué by the end of 2025. Until the end of 2025, these entities will continue to comply with Communiqué VII-128.9 on Information Systems Management, which is to be abrogated.

Conclusion

With the Information Systems Communiqué, both the number of entities subject to the CMB’s information systems regulations and the obligations those entities must comply with increase.