The Capital Markets Board (“CMB”) published the Principle Decision of its Decision-Making Body numbered i-SPK 128.26 (dated 25.12.2025 and numbered 67/2412) (“Principle Decision”) through Bulletin No. 2025/66 dated 25.12.2025. The Principle Decision clarifies the implementation of paragraph five of Article 7 of the Communiqué on the Principles and Procedures Regarding Information Systems Management (VII-128.10) (“Communiqué”), which regulates the supervision and responsibility of senior management.
In this context, the provision set forth under paragraph five of Article 7 of the Communiqué is as follows:
“An information security officer shall be appointed who is responsible for fulfilling and monitoring the requirements of controls regarding information systems security, reports to senior management on risks related to information systems security and the management of such risks, and who has sufficient technical knowledge and at least five years of experience in any of the fields of information systems internal control, information systems audit, information systems governance and controls, or information security. The information security officer shall have no duties regarding the fulfillment of requirements related to information systems management and shall report directly to senior management.”
With this provision, it became mandatory to appoint an information security officer—reporting directly to senior management and segregated from executive information technology functions—in order to ensure the effective and independent management of information systems security within Institutions, Organizations, and Partnerships as defined under the Communiqué.
However, as paragraph five of Article 7 of the Communiqué does not explicitly regulate the manner of employment of the information security officer, uncertainties arose in practice as to whether this role must necessarily be fulfilled by an in-house, full-time employee. The published Principle Decision resolves this ambiguity.
Accordingly, the Principle Decision includes the following regulation regarding the implementation of paragraph five of Article 7 of the Communiqué:
“With respect to the implementation of paragraph five of Article 7 of the Communiqué, it has been resolved that the information security officer may be designated through outsourcing arrangements or within the scope of service agreements to be concluded among group companies, and that the duties relating to information security may be fulfilled through shared employment or part-time working models.”
Through this regulation, the CMB has adopted a flexible approach that preserves the managerial and independent nature of the information security function while taking into account the organizational and human resource constraints encountered in practice. Accordingly, it has become possible for the information security function to be carried out through outsourcing or intra-group service agreements.
However, the Principle Decision explicitly emphasizes that the requirement for the information security officer to report directly to senior management remains fully applicable. In this respect, it is stated that, in any designation, the information security officer must report directly to senior management as stipulated under the Communiqué, and that the relevant Institution, Organization, or Partnership is responsible for ensuring compliance with this obligation. Furthermore, it is noted that where outsourcing is preferred, the provisions regarding outsourcing set forth under Article 19 of the Communiqué must be complied with. Therefore, even where the information security officer is designated through outsourcing, the obligation to establish a managerial structure that ensures de facto reporting to senior management remains with the relevant institution.
The Principle Decision also includes provisions regarding the deferral of the compliance obligation under paragraph five of Article 7 of the Communiqué for certain institutions and partnerships. Accordingly:
are exempted from the obligations set forth under paragraph five of Article 7 of the Communiqué until 30 June 2026.
Finally, the Principle Decision includes a clarification specific to companies that are bank affiliates. Accordingly, it is stated that, for companies that are bank affiliates, the conduct of information systems internal audit activities by the relevant bank’s information technology inspectors or internal auditors, or the execution of a joint audit activity at the bank and company level, shall not constitute a breach of the Communiqué. This regulation aims to prevent duplicative audit burdens within group structures.
NAZALI TAX & LEGAL