“The regulation is here — but is the culture ready?”
Over the past few years, Turkey’s banking sector has heard one phrase repeatedly:
“The Information Systems Regulation.”
Some see it as paperwork. Others see it as the cybersecurity constitution of the financial world.
But as 2026 approaches, one question remains:
“Are institutions truly secure, or just compliant on paper?”
What Does the Regulation Cover?
The Regulation on Banks’ Information Systems and Electronic Banking Services (published by BDDK) defines how financial institutions should manage software development, cybersecurity, and change management.
It’s not just an IT rulebook — it’s a holistic governance framework impacting every department, from developers to executives.
The 4 Key Articles You Need to Know
| Article | Focus | Meaning |
|---|---|---|
| 20 – Secure Software Development | Developers must follow secure coding standards. | “It works” isn’t enough — it must be securely developed. |
| 22 – Change Management | Every system change must be documented and tested. | Even small changes require full lifecycle tracking. |
| 23 – Security Testing | Regular penetration testing and code reviews. | Security is now continuous, not occasional. |
| 25 – Information Security Management | Organization-wide awareness and governance. | People matter as much as technology. |
Turkey’s Example in Cybersecurity
This regulation establishes one of Europe’s most detailed cybersecurity frameworks.
While global standards like ISO 27001 and NIST focus on processes, BDDK goes further — it embeds security directly into the software lifecycle.
Training Pathway for Compliance
| Training | Regulation Article | Level |
|---|---|---|
| Programming Foundations | 20 | Fundamental |
| Application Security for Developers | 20–23 | Intermediate |
| DevSecOps Training | 22–23 | Advanced |
| Secure by Design Training | 25 | Intermediate |
| Certified Java and Web Application Security | 20 | Advanced |
| Certified C# and Web Application Security | 20 | Advanced |
These programs ensure developers, testers, and security teams move from “compliance” to resilience.
Expert Insight
“Compliance is not a checkbox. It’s a mindset.
Secure coding and awareness training are the foundation of lasting cybersecurity.”
FAQ
Who must comply with this regulation?
All banks, financial subsidiaries, payment institutions, and fintech companies operating in Turkey.
Is secure coding training mandatory?
Yes. Article 20 requires developers to apply secure software principles.
When will inspections intensify?
By 2026, BDDK audits will emphasize development and testing documentation.
How can we prepare?
Start with DevSecOps, Secure by Design, and Application Security for Developers.
From Compliance to Culture
The best institutions won’t just pass audits — they’ll resist attacks.
2026 is not the deadline for paperwork; it’s the launchpad for real security culture.