The Information and Communication Technologies Authority ("ICTA") has published the Draft Regulation Amending the Regulation on Network and Information Security in the Electronic Communications Sector ("Draft Regulation"), which regulates and sets forth the procedures and principles that operators must comply with.
The major changes proposed by the Draft Regulation are listed below:
- The Draft Regulation states that the name of the Regulation on Network and Information Security in the Electronic Communications Sector ("Current Regulation") will be changed to the "Network and Information Security Regulation." Hence, the ICTA's supervisory authority will not be limited to authorized operators and it will now have the right to audit other real and legal persons as well, regardless of whether or not such real and legal persons are classified as operators.
- The Draft Regulation also expands the purpose of the Current Regulation by adding the following sentence to Article 1: "The purpose of the regulation is to also regulate the protection of legal persons against cyberattacks and the elements providing deterrence against these attacks."
- The Draft Regulation also expands the legal basis of the Current Regulation by adding Article 10 of the Law No. 5651 on the Regulation of Broadcasts via the Internet and the Prevention of Crimes Committed through Such Broadcasts ("Law No. 5651") as one of the regulations that the Current Regulation is based on. By doing so, the ICTA aims to bring all real and legal persons within the scope of the Current Regulation.
- The Draft Regulation also amends Article 35(3) of the Current Regulation, which requires operators to take all the necessary and appropriate measures under the coordination of the Computer Emergency Response Team ("TRCERT") against DoS/DDoS attacks and other types of cyberattacks. According to the Draft Regulation, operators are also required to establish the substructures requested by the ICTA in relation to the analysis, identification and prevention of cyber threats. However, the foregoing amendment has been criticized by some operators for its lack of clarity, because it does not specify how such a substructure will be established, what it will include, or which qualities it will encompass.
- The Draft Regulation adds a new provision to the Current Regulation, which is titled "Internet Traffic Management." According to this new provision, operators are not allowed to take internet traffic abroad.
- Another provision introduced by the Draft Regulation concerns information and document requests. According to this provision, the ICTA might obtain all information, documents, data and records from the relevant sources that relate to its duties on network, information and cyber security. This provision has also been criticized by some operators who have argued that a similar provision under the Law No. 5651 was voided by the Constitutional Court due to its vagueness with regard to the scope of the information that can be requested.
- The Draft Regulation includes another new provision that requires corporate Computer Emergency Response Teams ("CERTs") to conduct security tests on the companies' IT systems annually and to keep the relevant information and documents for two years. That being said, it should be noted that this provision has also been criticized by commentators who assert that this test requirement lacks a valid legal basis.
- According to another provision introduced by the Draft Regulation, the ICTA can audit operators or other real and legal persons to determine whether they are in compliance with their obligations arising from the Regulation. The same provision also allows the ICTA to have third-party contractors carry out such audits. This provision has been criticized for allowing third-party contractors to conduct such audits, which, according to critics, may lead to security risks and flaws.
The Draft Regulation was open for public comment until January 10, 2018, and may enter into force after the ICTA reviews the public opinions it received and incorporates them into the Current Regulation, where it deems necessary.
This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in June 2018.