Presidential Circular on Information and Communication Security Measures (“Circular”) is published in the Official Gazette of July 6, 2019. The aim of the Circular is reducing of security risks and governing measures to be taken to ensure safety of information which is critical to national security and public order.
The Circular imposes several security obligations on public institutions regarding (i) storage and transfer of critical information (i.e. health, contact and biometric information), confidential information and corporate information, (ii) cyber threat notifications and (iii) industrial check systems.
According to the Circular, “Information and Communication Security Guidelines” (“Guidelines”) will be prepared and published by the Presidency’s Digital Transformation Office (“Office”) in light of the national and international standards on information security on the Office’s website at www.cbddo.gov.tr.
All public institutions and operators providing critical infrastructure services will be obliged to (i) comply with the procedures and rules in the Guidelines when setting up new information systems and (ii) review and revise the existing systems to ensure compliance with the Guideline.
The Circular also obliges public institutions to set up internal reviewing mechanisms and examine compliance with the Guidelines at least once a year. Public institutions will be reporting the examination results and corrective and preventative actions taken by the relevant institution to the Office.
While the Circular generally imposes information security obligations on public institutions, the following measures listed in the Circular and which are new to this regulatory landscape can be relevant for the providers of cloud services and electronic communication services:
- Information pertaining to public institutions shall not be stored in cloud services. The exception to this is the storage on relevant institutions’ private systems or on the systems provided by local service providers which are under the control of the relevant public institution.
- Authorized electronic communication service providers (operators) are obliged to set up internet exchange points in Turkey. According to the Circular, measures will be taken in order to prevent the cross-border transmission of domestic communication traffic which needs to be exchanged domestically.
(First published by Mondaq on July 9, 2019)
By Gonenc Gurkaynak, Partner; Ceren Yıldız, Counsel; Burak Yesilaltay, Associate and Ekin Ince, Associate ELIG Gürkaynak Attorneys-at-Law