Cyber Security Legislation

In the framework of the Council of Ministers Decree No. 2012/3842 on “The Execution, Management and Coordination of National Cyber Security Work” the Ministry of Transportation, Maritime and Communication has been given authority to determine policies and prepare action plans concerning Cyber Security.

Cyber Security Institutions

Also in line with the addition of Annex Article 1 (Annex:6/2/2014-6518/106) to  Electronic Communication Law No. 5809 in 2014, a Cyber Security Council, comprised of senior level administrators from public agencies, has been established under the chairmanship of the Minister of Transportation, Maritime and Communication.

The measures that need to be taken in the field of cyber security, duties and authorizations have been assigned by law as one of the duties and authorities of MTMC:

“Article 5(1) h) (Annex: 6/2/2014-6518/102) To determine policies, strategies and aims regarding provision of national cyber security, determining procedures and principles on provision of cyber security related to public agencies and institutions and all the natural and legal persons, preparing action plans, conducting secretarial works of Cyber Security Council, coordinating related activities, determining critical infrastructure and relevant agencies and locations, establishing necessary combatting centers, enable it to be established and inspecting it, studying, enabling to study and encouraging to study on production and development of all kinds of cyber response devices and national solutions, conducting education and awareness activities on cyber security, preparing procedures and principles which natural and legal persons operating in cyber security should comply with.”

Pursuant to Article 4 of the action plan in question, the Directorate of Telecommunication Communications has established the National Computer Emergency Response Center (USOM, TR-CERT) to conduct national and international work concerning threats and preventive measures.

Also, within the scope of the Communiqué on Procedures and Principles for the Establishment, Duties and Work of Teams Combating Cyber Incidents published in the Official Gazette No. 28818 dated November 11, 2013 the establishment of an Institutional CERTs (Computer Emergency Response Team) and their duties were specified. This Communiqué has made it possible to develop units to take the necessary measures or have them taken against direct, indirect or probable cyber-attacks within the Ministries structure, to establish or have established the necessary mechanisms to combat such attacks and establish or have established an incident record system, to conduct or have conducted work on ensuring the information security of agencies.

Law of Protection of Personal Data No. 6698 regarding protection of personal data which is a fundamental issue for cyber security, was published in April 7, 2016. The purpose of the law is to regulate the procedures and principles binding for natural and legal persons and liabilities of those processing personal data and to protect fundamental rights and freedoms, especially confidentiality of private life. Agency on Protection of Personal Data was established to perform the duties given by law. 

Ongoing work:

In line with the action of 2016 65th Government Action Plan, “35. Legal arrangements concerning cyber security will be activated” action and the action of “37. A Cyber Security Law will be released” in the 2015-2018 Information Society Strategy and Action Plan  , the needs for regulations concerning cyber security will be determined and the legislation will be developed within the scope of the National Cyber Security Strategy and Action Plan.

Also in line with the action of “8. Regulations on protecting personal data will be implemented” in the 65th Government Program 2016 Action Plan and the action of “38. Legislation on the Protection of Personal Information will be Issued” in the 2015-2018 Information Society Strategy and Action Plan, implementing the necessary legal regulations concerning cyber security structure and personal data privacy was targeted. International documents, comparative legal applications and the applications in Turkey will be taken into account to issue a regulation in 2016 for personal data to be processed and protected according to modern standards.