Legal AlertRegulation on Cyber Security Competency Model in the Energy Sector Has Been Published in the Official Gazette.

12 June 2023

The Regulation on Cyber Security Competency Model in the Energy Sector (“Regulation”) has been published in the Official Gazette dated 06.06.2023 and numbered 32213.

The Regulation on Cybersecurity Competency Model in the Energy Sector published by the Energy Market Regulatory Authority (“EMRA”) aims to improve the cybersecurity of industrial control systems used in the energy sector according to continuously evolving needs and threats, to define the minimum acceptable security level and to regulate the procedures and principles regarding the cyber resilience, competence and maturity of these control systems.

The Regulation includes the provisions to be applied to ensure the safety and reliability of industrial control systems of legal entities such as electricity transmission license holder, electricity distribution license holder, natural gas transmission license holder transmitting by pipeline, natural gas storage license holder (LNG, underground), crude oil transmission license holder and refinery license holder.

Distribution and/or generation license holders of organized industrial zones are excluded from the scope of the Regulation.

Although the competency model established by the Regulation differs for energy sub-sectors, it may consist of titles such as industrial network security, industrial client and server security, industrial threat and vulnerability management, industrial cyber security risk management, industrial asset, change and configuration management, industrial identity and access management, industrial incident management and continuity, smart device security, industrial operation security, supplier management and PLC security.

In addition to these titles, three basic competency levels have been determined by the Regulation within the scope of the competency model. The competency levels that liable organizations should have will be determined by the sectoral criticality levels determined by EMRA. It is also stated that these competency levels can be changed by EMRA in three-year periods.

The Regulation sets targeted completion periods of 12, 18 and 24 months for the implementation of the controls at each level, varying according to the energy sub-sectors. The obligation to implement the competency model will start when EMRA determines the criticality levels and notifies the liable organizations.

Firms that apply to EMRA to conduct audits on whether the competency model is implemented or not can be evaluated and appointed as auditor firms by EMRA.

Authorized audit firms will conduct sectoral audits within twelve months following the completion of the level processes in accordance with the competency model and submit their audit reports to EMRA via the energy market notification system within one month at the latest.

You can access the full Turkish text of the Regulation from the link below.