Presidential Circular on Information and Communication Security Measures

ELIG Gürkaynak Attorneys-at-Law | View firm profile

Circular on Information and Communication Security Measures ("Circular") is
published in the Official Gazette of July 6, 2019. The aim of the Circular is
reducing of security risks and governing measures to be taken to ensure safety
of information which is critical to national security and public order.

The Circular
imposes several security obligations on public institutions regarding (i)
storage and transfer of critical information (i.e. health, contact and
biometric information), confidential information and corporate information,
(ii) cyber threat notifications and (iii) industrial check systems.

According to
the Circular, "Information and Communication Security Guidelines" ("Guidelines")
will be prepared and published by the Presidency's Digital Transformation
Office ("Office") in light of the national and international standards on
information security on the Office's website at

All public
institutions and operators providing critical infrastructure services will be
obliged to (i) comply with the procedures and rules in the Guidelines when
setting up new information systems and (ii) review and revise the existing
systems to ensure compliance with the Guideline.

The Circular
also obliges public institutions to set up internal reviewing mechanisms and
examine compliance with the Guidelines at least once a year. Public
institutions will be reporting the examination results and corrective and
preventative actions taken by the relevant institution to the Office.

While the
Circular generally imposes information security obligations on public
institutions, the following measures listed in the Circular and which are new
to this regulatory landscape can be relevant for the providers of cloud
services and electronic communication services:

Information pertaining to public institutions shall not be stored in cloud
services. The exception to this is the storage on relevant institutions'
private systems or on the systems provided by local service providers which are
under the control of the relevant public institution.

– Authorized
electronic communication service providers (operators) are obliged to set up
internet exchange points in Turkey. According to the Circular, measures will be
taken in order to prevent the cross-border transmission of domestic
communication traffic which needs to be exchanged domestically.  

Authors: Gönenç Gürkaynak Esq.,
Ceren Yıldız, Burak Yeşilaltay and Ekin Ince, ELIG Gürkaynak

(First published
by Mondaq on July 9, 2019

More from ELIG Gürkaynak Attorneys-at-Law