Regulation on the Amendment of the Regulation on Cybersecurity Competency Model in the Energy Sector Published

As published[1] in the Official Gazette dated 25 November 2025 and numbered 33088, the Energy Market Regulatory Authority has introduced amendments to the Regulation on Cybersecurity Competency Model in the Energy Sector (“Regulation”). With these amendments, important rules have been set regarding the qualifications of auditors and audit firms within the scope of sectoral cybersecurity audits, and alignment with international standards is aimed for. In this respect, certain qualifications now expressly refer to the Certified Information Systems Auditor (“CISA”) Certificate and the International Accreditation Forum (“IAF”).


Under the amendment, auditors and lead auditors who are part of the audit team will now be required to (i) hold a bachelor’s degree from at least a four-year undergraduate program, (ii) hold either an ISO/IEC 27001 Information Security Management Standard (“ISO 27001”) Lead Auditor Certificate or a CISA Certificate, and (iii) have at least seven years of full-time professional experience for lead auditors and at least five years for auditors. The amendment also introduces an additional requirement for the auditing firm that will conduct cybersecurity audits in the energy sector: it must have performed at least five information security audits within the last five years.


In addition, at least one of the lead auditors or auditors in the audit team must still hold a certificate of success (“EKS Certificate”) in the field of audits following completion of the EKS trainings provided by the Critical Infrastructures National Testbed Center.


Furthermore, it is stipulated that the audit cannot be performed by the same firm if the audit firm and the audited entity are group companies under the same holding company and/or have a controlling–subsidiary company relationship with each other. Finally, an audit firm in which an investor is a shareholder will not be allowed to audit an obliged entity in which the same investor has invested.


Although the Regulation enters into force on the date of its publication, a grace period is envisaged in terms of authorisations of firms within the scope of competency model audits. In this respect, for authorisations to be granted until March 1, 2026, it will be sufficient for firms either to meet the criteria set out in Article 11 of the Regulation, as discussed above, or to meet the criteria determined for the audit team established through service procurement in the Information and Communication Security Audit Guide[2], provided that the audit personnel also hold an EKS Certificate.

[1] Official Gazette, date: November 25, 2025, number: 33088, https://www.resmigazete.gov.tr/eskiler/2025/11/20251125-3.htm. (Only available in Turkish)

[2] Article 3.1.1. Determination of the Audit Team, https://cbddo.gov.tr/SharedFolderServer/Projeler/File/BG_Denetim_Rehberi.pdf, p. 19 ff. (Only available in Turkish)
