Cybersecurity Audits in the Energy Sector
November 28, 2025
The Regulation Amending the Regulation on the Cybersecurity Competency Model in the Energy Sector (“Regulation”), prepared by the Energy Market Regulatory Authority, was published in the Official Gazette No. 33088 dated 25 November 2025 and entered into force on the same date.
With this Regulation, the qualifications sought for firms and personnel that will conduct cybersecurity audits in the energy sector, as well as the conditions for such audits, have been updated.
The Regulation mandates that the audit team must consist of at least two persons, one of whom must be a lead auditor. The Regulation stipulates the required attributes for lead auditors and auditors, including:
Being a citizen of the Republic of Turkey,
Holding a university degree, and
Possessing specific internationally valid certifications.
Furthermore, it is expected that at least one of the lead auditors or auditors within the audit team should hold a certificate regarding Industrial Control Systems (ICS) training issued by the Critical Infrastructures National Testbed Center.
Similar conditions regarding accreditation obligations have been introduced with respect to the audit firms.
In order to ensure independence and avoid conflicts of interest, audit firms are prohibited from auditing an obligated entity if they are group companies under the same holding structure as the obligated entity, or if there is a controlling–dependent company relationship within the meaning of Article 195 of the Turkish Commercial Code (TCC).
Additionally, an audit firm in which an investor holds shares may not audit an obligated entity in which the same investor has made an investment.
Regarding the obligations expected to be met by audit teams and audit firms within the scope of this Regulation, a compliance period until 1 March 2026 has been granted via Provisional Article 1. The transition process is structured to give firms currently conducting audit activities an opportunity to adapt gradually to the new conditions.

