The Communiqué on Principles and Procedures Regarding Information Systems Management (VII-128.10) Entered into Force After Being Published in the Official Gazette Dated 13.03.2025 and Numbered 32840

28 March 2025

The Law No. 7518 Amending the Capital Markets Law, which amends various provisions of the Capital Markets Law No. 6362 (the “Law”), was published in the Official Gazette No. 32590 on 02.07.2024 and entered into force. With this amendment, crypto asset service providers were brought under the regulation and supervision of the Capital Markets Board (the “Board”) within the scope of the Law. The Communiqué on Procedures and Principles Regarding Information Systems Management (VII-128.10) (the “Communiqué”), prepared within the framework of the Board's secondary regulations, was published in the Official Gazette No. 32840 on 13.03.2025 and entered into force. The Communiqué on Information Systems Management (VII-128.9), published in the Official Gazette No. 30292 on 05.01.2018, has been repealed. Compliance with the Communiqué is mandatory for the institutions, organizations and partnerships defined in Article 2 of the Communiqué.

The key topics that require attention and compliance under the Communiqué are as follows:

  • Management of information systems
  • Principles of control and supervision of information systems
  • Outsourcing and relationships with third parties
  • Information security breaches and intervention plans
  • Development and application security of information systems

The institutions, organizations and partnerships defined in Article 2 of the Communiqué, and therefore subject to it, are as follows:

  • Borsa İstanbul A.Ş.
  • Stock exchanges and market operators, and other organized marketplaces
  • Pension investment funds
  • İstanbul Takas ve Saklama Bankası A.Ş.
  • Merkezi Kayıt Kuruluşu A.Ş.
  • Portfolio custodians
  • Sermaye Piyasası Lisanslama Sicil ve Eğitim Kuruluşu A.Ş.
  • Capital market institutions
  • Public companies
  • Association of Capital Markets in Türkiye
  • Turkish Association of Valuation Experts
  • Crypto Asset Service Providers


  1. Management of Information Systems

Organizations must align the management of information systems with their business objectives and create strategies for this purpose. These strategies should be owned within the management hierarchy and address security, performance and continuity. Controls related to the management of information systems must be documented, regularly reviewed and approved. Responsibilities should be assigned on the basis of the segregation of duties principle.

  • Information Security Policy:

The information security policy is prepared by top management and approved by the board of directors. The approved information security policy is communicated to staff and relevant parties. This policy covers information security processes, risk management, and control measures. The information security policy is reviewed at least once a year and updated according to business needs, emerging threats, and risks.

  • Oversight by Top Management:

Top management is responsible for implementing the information security policy and strategy. Ensuring that information systems controls are established, evaluated, and monitored effectively, adequately, and in compliance with the policy is the responsibility of the board of directors. Critical projects for the deployment of new information systems are reviewed by top management, and risks are managed accordingly. Regardless of whether these projects are carried out with internal resources or through outsourcing, the expertise of the staff must meet the technical requirements of the projects. Roles and responsibilities supporting this structure must be clearly defined.

At a minimum, an information systems continuity plan, which is part of the business continuity plan, must be prepared to ensure the continuity of information systems that support critical business processes and activities.

  • Information Systems Risk Management

Organizations must establish and maintain risk management processes and procedures to identify, measure, monitor, manage, and report risks related to information systems. Risk analysis, risk handling, and monitoring processes must be implemented. Risk analysis should be conducted at least once a year and repeated when significant changes occur in the information systems. All information assets must be assessed during risk analysis.

The risks related to information systems processes and the services offered to users must be assessed at least once a year and repeated when significant changes occur in processes and services. Appropriate measures must be taken against information security threats, and information systems must undergo penetration testing at least once a year by individuals or entities with national or international certification in penetration testing.

  2. Principles Regarding Information Systems Controls


  • Establishment and Management of Information Systems Controls

Top management is responsible for managing information security risks and ensuring the effective operation of information systems. The owner and responsibilities of each process must be clearly defined, performance must be measured, and staff qualifications should be ensured through training. Processes and controls are continuously monitored and assessed, and any significant deficiencies are reported to top management at least once a year.

  • Asset Management

Information assets must be identified, and an inventory must be created and maintained. Each asset in the inventory must include details such as description, acquisition date and security classification. The security classification of assets must be determined, based on their confidentiality, integrity and availability requirements, and approved by top management. Portable devices and media containing data of a high security classification must be protected against the related risks.

  • Segregation of Duties Principle

To reduce the risk of errors, deficiencies, or misuse in information systems, duties and responsibilities must be segregated. Segregation of duties should be determined, reviewed at least once a year, and updated to ensure that critical operations are not dependent on a single person or external service provider.

  • Physical/Environmental Security and Network Security

The critical information systems’ locations must be protected from unauthorized physical access, changing environmental conditions, infrastructure service disruptions, and disasters. A minimum set of controls, as specified in Article 12 of the Communique, should be implemented. Controls should be established and effectively managed to protect corporate networks from internal and external threats and ensure the security of systems, databases, and applications using the network.

  • Operation of Information Systems

Organizations must establish the necessary controls to provide required information system services at the desired level and with continuity. The service levels should be agreed upon with business units in alignment with business requirements. Mechanisms must be established to log users’ issues and requests regarding information systems, respond to them, and resolve underlying root causes.

  • Data Privacy

Measures must be taken to ensure the confidentiality of data transmitted, processed, and stored during information systems activities, including the protection and processing of personal data. For issues not covered by the Communique, the provisions of the Law No. 6698 on the Protection of Personal Data and related legislation will apply.

  • Outsourcing of Information Systems

An oversight mechanism is established by the senior management to ensure that the risks arising from outsourcing services within the scope of information systems are adequately assessed and managed and that relations with outsourcing organizations can be carried out effectively.

The senior management of the Institutions, Organizations and Partnerships shall designate responsible persons with sufficient knowledge and experience to closely monitor the availability, performance, quality and security breaches of outsourced critical services, as well as the security controls, financial condition and contractual compliance of the outsourcing organization. These responsible persons shall prepare and submit to senior management an assessment report covering these matters at least once a year.

The conditions, scope and any other definitions regarding outsourcing shall be contracted in such a way that they are also signed by the organization providing the outsourced service.

Institutions, Organizations and Partnerships may use cloud services for all or part of their activities. Cloud service procurement, use and management shall be considered as outsourcing.

  • Customer Notification

Customers benefiting from electronic services must be clearly informed about the terms, risks, and exceptional conditions of the services offered. This includes information security principles and methods to protect against risks. The organization is responsible for proving that such information has been provided to customers.

  • Audit Trail Mechanism

Institutions, Organizations and Partnerships shall establish an effective audit trail recording mechanism for the use of information systems, taking into account the risks to those systems and the complexity and scope of their systems or activities.

Audit trails are kept for at least five years. They are protected in environments with an adequate level of security and backed up, so that they remain accessible for the prescribed period even after adverse events.

  • Information Security Breach

Organizations determine the controls necessary for information security breaches and vulnerabilities and inform all personnel about them. Incidents are recorded and responded to as soon as possible. Criteria used in evaluating breaches include operational downtime, data leakage, the number of affected users and loss of revenue. An incident response plan is prepared; it covers assessment of the incident, informing the relevant parties and reporting. If an incident causes a critical outage or data leakage, the relevant organizations are notified immediately. After the incident, a detailed report is prepared and submitted to senior management, including the root cause of the incident, the actions taken, the time spent and the cost. In addition, regular training is conducted to improve the incident response competence of personnel. The effectiveness of the incident response plan is tested at least once a year and the results are reported to senior management.

  • Acquisition, Development and Maintenance of Information Systems

The necessary security controls are applied during the acquisition, development and maintenance of information systems. In these processes, the functional requirements, security requirements and testing phases of the systems are determined. The design and development of systems should be proportionate to the size and activities of the organization. Software escrow agreements are made for software whose source code cannot be procured. Developed or purchased software is monitored through project management processes and these projects are approved by senior management. Compliance with security requirements is ensured in software development processes, and software development personnel are trained in secure software development. New systems are tested, and the necessary security tests are performed, before they are put into use. Development, test and production environments are segregated from one another to minimize security risks. A new system may be run in parallel with the old one until it matures. Changes made during these processes are recorded under version control.

  • Ensuring Security

Institutions, Organizations and Partnerships develop controls to ensure the secure operation of applications. These controls cover input and output control, error handling, updates, access control and issues specific to mobile applications and APIs, and are applied at least to critical applications.

In applications, it is ensured that data inputs are complete, accurate and valid, operations on data produce correct results, data and transaction loss, unauthorized modification and misuse of data are prevented. In this context, input verification and filtering mechanisms are established. Inputs are verified to prevent harmful content. Compliance of inputs with predetermined length and format requirements is ensured.
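As an added example that is not part of the Communiqué or of this alert, the following Python sketch shows one way to implement the input verification and filtering the paragraph describes: an allowlist of accepted fields, bounded lengths, anchored format patterns, and a semantic check on the amount after the format check passes. The field names, formats and the per-transaction ceiling are hypothetical placeholders chosen for illustration, and the sample requests are constructed, not real customer data.

```python
import re
from decimal import Decimal, InvalidOperation

# Allowlisted fields: (required, format pattern, maximum length).
# Hypothetical rules for a crypto asset withdrawal request, chosen for this example only.
FIELD_RULES = {
    "account_id":  (True,  re.compile(r"[0-9]{10}"), 10),
    "asset":       (True,  re.compile(r"[A-Z]{2,10}"), 10),
    # Up to 18 integer digits and 8 decimal places; no sign, exponent or whitespace.
    "amount":      (True,  re.compile(r"[0-9]{1,18}(\.[0-9]{1,8})?"), 27),
    "destination": (True,  re.compile(r"[A-Za-z0-9]{26,64}"), 64),
    # Optional free text restricted to a small printable alphabet: no quotes,
    # semicolons or control characters reach downstream systems.
    "memo":        (False, re.compile(r"[A-Za-z0-9 .,_-]{0,64}"), 64),
}

MAX_AMOUNT = Decimal("1000000000")  # hypothetical per-transaction ceiling


def validate_withdrawal(request: dict) -> list[str]:
    """Return a list of validation errors; an empty list means the request is acceptable.

    Order of checks: unexpected fields, required fields present, values are strings,
    length within bound, format matches the whole value, then amount semantics.
    """
    errors = []

    # Reject rather than ignore anything outside the allowlist.
    for name in request:
        if name not in FIELD_RULES:
            errors.append(f"{name}: unexpected field")

    for name, (required, pattern, max_len) in FIELD_RULES.items():
        if name not in request:
            if required:
                errors.append(f"{name}: missing")
            continue
        value = request[name]
        if not isinstance(value, str):
            errors.append(f"{name}: must be a string")
            continue
        # Length is checked before the regex so oversized payloads are cut off cheaply.
        if len(value) > max_len:
            errors.append(f"{name}: longer than {max_len} characters")
            continue
        # fullmatch() anchors both ends; re.match() with a trailing "$" would still
        # accept "1\n", because "$" matches before a final newline.
        if not pattern.fullmatch(value):
            errors.append(f"{name}: invalid format")

    # Semantic check on the amount, only if its format was accepted above.
    if "amount" in request and not any(e.startswith("amount:") for e in errors):
        try:
            amount = Decimal(request["amount"])
        except InvalidOperation:
            errors.append("amount: not a decimal number")
        else:
            if amount <= 0:
                errors.append("amount: must be positive")
            elif amount > MAX_AMOUNT:
                errors.append("amount: exceeds per-transaction ceiling")
    return errors


# Constructed sample requests (not real customer data; the address is a placeholder).
VALID_REQUEST = {
    "account_id": "1234567890",
    "asset": "BTC",
    "amount": "0.25000000",
    "destination": "bc1q" + "0" * 30,
    "memo": "monthly transfer",
}

TAMPERED_REQUEST = {
    "account_id": "1234567890",
    "asset": "btc",                           # lowercase: fails the ticker format
    "amount": "1e999",                        # exponent form: rejected before Decimal sees it
    "destination": "bc1q" + "0" * 30,
    "memo": "x'; DROP TABLE transfers;--",    # quote and semicolon outside the memo alphabet
    "role": "admin",                          # field not in the allowlist
}

if __name__ == "__main__":
    print("valid:", validate_withdrawal(VALID_REQUEST))
    print("tampered:", validate_withdrawal(TAMPERED_REQUEST))
```

The design point is that the validator decides what is allowed rather than what is forbidden: a field, character or numeric form that is not explicitly permitted is rejected, which is what makes the "harmful content" check hold up against inputs nobody anticipated.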

  • Continuity of Information Systems

Institutions, Organizations and Partnerships are required to keep both their primary and their secondary systems within Türkiye. The location of the secondary system is chosen so that it is not exposed to the same natural and environmental disaster risks as the primary system.

The persons who will take part in the development and operation of the information systems continuity plan and their roles and responsibilities are determined and they are provided with the relevant trainings. The persons and situations that will decide on the activation of the plan are documented in writing. The information systems continuity plan is approved by senior management. It is ensured that the plan is accessible only by the relevant persons and that up-to-date physical copies are kept where necessary.

Institutions, Organizations and Partnerships shall conduct an internal audit of information systems at least once a year.

They notify Capital Markets Licensing Registry and Training Agency A.Ş. of the persons who will perform internal audit regarding information systems management within 10 business days following their appointment.

The Communiqué on Information Systems Management (VII-128.9) published in the Official Gazette dated 5/1/2018 and numbered 30292 has been repealed.

  3. Provisions Regarding Entry into Force

Crypto Asset Service Providers must comply with Article 27 on Information Systems Continuity by 31/12/2025, and with Article 29, paragraph 3 on Change Management by 31/12/2026.

Institutions, organizations and partnerships other than Crypto Asset Service Providers must comply with the provisions of the Communiqué by 31/12/2025, and with Article 29, paragraph 3 by 31/12/2026.

Until 31/12/2025, Institutions, Organizations and Partnerships other than Crypto Asset Service Providers remain obliged to comply with the provisions of the Communiqué on Information Systems Management published in the Official Gazette dated 5/1/2018 and numbered 30292, which was repealed by Article 32.

You may access the full text of the Communiqué from the link below.

T.C. Resmî Gazete

For detailed information and professional support during the compliance process, feel free to contact us.

This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Legal Alert.