ARTICLE
31 December 2025

Newsletter On The Capital Markets Board's Principal Decision On Information Systems Management

BO
Bener Law Office

Contributor

Bener Law Office logo
Explore Firm Details
With its Principle Decision dated 25.12.2025 and numbered i-SPK 128.26 (67/2412 s.k.) (the "Principle Decision"), the Capital Markets Board (the "Board")...
Turkey Corporate/Commercial Law
Bahar Ülgen Hasşerbetçi and Oya Türeoğlu
Bahar Ülgen Hasşerbetçi’s articles from Bener Law Office are most popular:
  • within Corporate/Commercial Law topic(s)
Bener Law Office are most popular:
  • within Media, Telecoms, IT, Entertainment and Employment and HR topic(s)
  • with readers working within the Retail & Leisure industries

With its Principle Decision dated 25.12.2025 and numbered i-SPK 128.26 (67/2412 s.k.) (the "Principle Decision"), the Capital Markets Board (the "Board") has provided certain clarifications in order to eliminate practical uncertainties regarding information security responsibility and internal audit activities within the scope of the Communiqué No. VII-128.10 on the Procedures and Principles Regarding the Management of Information Systems (the "Communiqué"), and has granted temporary exemptions for certain institutions and partnerships.

The key regulations introduced by the Principle Decision are summarized below:

  • Clarifications Regarding the Appointment of the Information Security Officer: Pursuant to paragraph 5 of Article 7 of the Communiqué titled "Oversight and Responsibility of Senior Management", an information security officer must be designated within institutions, organizations and partnerships falling within the scope of the Communiqué.

    With the Principle Decision, it has been clarified that the relevant information security officer may be designated:
  • through outsourcing,
  • under service agreements to be executed among group companies, and/or
  • via joint employment or part-time working models.

    Nevertheless, the requirement that the information security officer must work under and reporting to senior management, as envisaged under the Communiqué, continues to apply, and the relevant institution, organization or partnership remains responsible for fulfilling this obligation. In case outsourcing is preferred, the provisions of Article 19 of the Communiqué titled "Outsourcing in Relation to Information Systems" must also be complied with.

  • Temporary Exemptions Introduced to Article 7/5 of the Communiqué: Within the framework of paragraph 6 of Article 30 of the Communiqué titled "Exemptions", the Board has introduced temporary exemptions, valid until 30 June 2026, for certain institutions and partnerships in relation to the application of paragraph 5 of Article 7 of the Communiqué.

    • In Terms of Financial Institutions:

      The institutions and organizations listed below are exempt from the application of Article 7/5 of the Communiqué until the relevant date:
    • portfolio management companies subject to subparagraphs (a), (b) and (c) of paragraph 1 of Article 28 of the Communiqué No. III-55.1 on Portfolio Management Companies and the Principles Regarding the Activities of These Companies,
      • narrowly authorized intermediary institutions,
      • asset leasing companies,
      • mortgage finance institutions,
      • asset finance funds,
      • collective investment undertakings (without prejudice to the exception set out in the relevant subparagraph),
      • pension investment funds, and
      • housing finance funds.
    • In Terms of Publicly Held Companies:

      Within the framework of the grouping made under the Communiqué No. II-17.1 on Corporate Governance and the Board's Principle Decision No. i-SPK. II-17.6 (dated 15.10.2020 and numbered 64/1284 s.k.);

    • publicly held companies whose shares are traded on Borsa İstanbul A.Ş. Star Market, Main Market or Sub Market, other than those in the first group, and
    • companies transferred to the Pre-Market Trading Platform due to the ratio of their shares in free float falling below 5%, which do not fall within the first group,

are exempt from the application of Article 7/5 of the Communiqué until 30 June 2026.

In the event of a change in the group in which a publicly held company is classified, compliance with Article 7/5 of the Communiqué must be ensured by the end of June of the relevant year.

  • Clarifications Regarding Internal Audit Activities: With the third article of the Principle Decision, it has been clarified, in relation to the application of paragraph 2 of Article 29 of the Communiqué titled "Internal Audit", that:
    • performing internal audit activities under service agreements to be executed among group companies and through joint employment or part-time working models, and
    • in companies that are subsidiaries of a bank, carrying out such activities by the relevant bank's information technologies inspectors/internal auditors, or conducting them as a joint audit activity at the bank and company level,

shall not be deemed as non-compliance with the Communiqué.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Bahar Ülgen Hasşerbetçi
Bahar Ülgen Hasşerbetçi
Photo of Oya Türeoğlu
Oya Türeoğlu
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More