“Cybersecurity is no longer an IT task — it’s an organizational culture.”
The Regulation on Banks’ Information Systems and Electronic Banking Services issued by the BDDK
marks a new era for cybersecurity in Turkish banking.
It turns compliance into culture — and makes every employee part of the security chain.
What the Regulation Introduces
Secure Software Development (Article 20)
Developers must follow secure coding standards,
run vulnerability scans, and maintain version control.
Train your teams with:
Application Security for Developers
Certified Java and Web Application Security
Certified C# and Web Application Security
Change Management (Article 22)
Every change — even a small one — must be tested, logged, and approved.
This is where DevSecOps becomes essential.
DevSecOps Training
Continuous Security Testing (Article 23)
Penetration tests, static and dynamic scans must be ongoing, not occasional.
Security is now a continuous integration process.
Information Security Management (Article 25)
Awareness programs, governance policies, and a measurable security culture are mandatory.
Secure by Design Training
Programming Foundations
“The BDDK regulation redefines cybersecurity as a shared responsibility across the institution.”
Case Example
A financial institution faced a breach due to missing API security scans.
After implementing a DevSecOps pipeline, vulnerabilities were detected early,
and compliance was achieved without disruption.
FAQ
Who must comply?
Banks, subsidiaries, and fintechs operating under Turkish financial law.
Are trainings mandatory?
Yes. Developers must demonstrate secure software knowledge.
Where to start?
Begin with DevSecOps and Secure by Design trainings.
From Regulation to Resilience
BDDK’s regulation is more than compliance —
it’s about building resilient systems and teams ready for the future of banking.
“Security is not a task — it’s a culture.”