- Introduction
The regulatory process concerning the crypto asset market, which has long been discussed in Türkiye, began in 2024 with the amendments and additions introduced to the Capital Markets Law through the Law on the Amendment of the Capital Markets Law (published in the Official Gazette dated 02.07.2024 and numbered 32590). Through these amendments to the Capital Markets Law, crypto asset service providers operating or intending to operate in Türkiye were brought within the scope of the Capital Markets Law No. 6362 and placed under the regulatory and supervisory authority of the Capital Markets Board.
As of 2025, the implementation framework has been clarified through the following Communiqués issued by the Capital Markets Board:
- Communiqué III-35/B.1 on the Establishment and Operating Principles of Crypto Asset Service Providers (Official Gazette dated 13.03.2025 and numbered 32840),
- Communiqué III-35/B.2 on the Operating Procedures and Principles and Capital Adequacy of Crypto Asset Service Providers (Official Gazette dated 13.03.2025 and numbered 32840).
In addition to these regulations, within the scope of the Capital Markets Law No. 6362, the Scientific and Technological Research Council of Türkiye (TÜBİTAK), which has been entrusted with ensuring the security of the crypto asset market, through its Informatics and Information Security Advanced Technologies Research Center (BİLGEM), has published the criteria that crypto asset service providers are required to comply with in order to ensure the security of their information systems and technological infrastructures (the “Criteria on the Information Systems and Technological Infrastructures of Crypto Asset Service Providers”, TÜBİTAK Criteria, 2025).
- Importance of the TÜBİTAK Criteria
While previous regulations primarily emphasized financial and organizational obligations, the criteria published by TÜBİTAK have set out the technical infrastructure and information security dimension in a detailed manner. These criteria constitute not only minimum technical requirements, but also a security framework aimed at compliance with international standards.
The objective is to minimize cybersecurity risks during the storage and transfer of crypto assets and the processing of user information, and to ensure the protection of customer assets.
The new Communiqués and TÜBİTAK Criteria regulate the systemic and technical infrastructures of crypto asset service providers in a much more comprehensive manner than before.
- Innovations Introduced in Technological Infrastructure and Information Systems by TÜBİTAK
The Information Systems and Technological Infrastructure Criteria published by TÜBİTAK BİLGEM are now directly integrated into the regulatory framework. This clearly indicates that an entirely new era in security has begun for crypto asset service providers.
The Criteria on Information Systems and Technological Infrastructures published by TÜBİTAK do not merely serve as a “good-faith guideline”; rather, together with the Communiqués, they concretize the technical requirements applicable to the crypto asset sector.
- Key Technical Requirements Highlighted in the TÜBİTAK Criteria
4.1. Hot and Cold Wallet Segregation
The Guidelines clearly state that there must be a difference in security levels between hot wallets (online, connected to the internet) and cold wallets (offline, maintained within isolated systems). Devices containing private keys in cold wallets must not have direct internet access; data exchange should only be conducted through air-gapped systems, isolated gateway mechanisms, or secure transfer protocols.
4.2. Key Management and Cryptographic Mechanisms
The TÜBİTAK Criteria require the implementation of high-level security measures at every stage, from the generation of private keys to their storage. These measures include the use of HSMs (Hardware Security Modules) in key generation, storage, and backup processes, multi-factor access controls, distribution of key shares, cryptographic protocols, and secure backup requirements. In addition, the Criteria emphasize that these mechanisms must operate in a manner that produces “non-repudiable records” and “auditable traces.”
4.3. Transaction Approval Procedures (Transfer Orders)
According to the TÜBİTAK Criteria, certain conditions must be met by systems before any crypto asset transfer order is signed. First, the identity of the transfer order initiator must be verified, and the transfer order must comply with platform policies, approved address lists, and the customer agreement. Where multi-signature or threshold signature mechanisms are used, impact analyses must be conducted, and appropriate risk controls must be implemented.
4.4. Access Control and Authentication
Access rights for each system component must be defined on a role-based basis, and unauthorized access must be prevented. The Guidelines particularly emphasize additional authentication layers and session limitations for privileged access. Moreover, re-authentication of users is required for certain critical transactions.
4.5. Audit Logs and Traceability
All activities performed within the system (including who accessed the system, when access occurred, what actions were taken, under which parameters, and with what outcomes) must be securely recorded. These records must be immutable and maintained in a manner that is ready for audit. The Guidelines foresee that such records may be used for both internal analysis and external audit processes.
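The pre-signing checks listed in 4.3 (verified initiator, approved address list, platform policy, threshold of distinct approvers) together with the who/when/what/parameters/outcome audit record required in 4.5, as an added Python illustration that is not part of the article or of the TÜBİTAK Criteria; the initiator names, address list, policy limit and approval threshold are constructed placeholders, and the hash chain is one common way to make such records tamper-evident.

```python
import hashlib
import json

# Constructed sample policy for illustration; names and limits are hypothetical.
APPROVED_ADDRESSES = {"cust-001": {"bc1q-allowlisted-EXAMPLE"}}
VERIFIED_INITIATORS = {"ops-alice", "ops-bob", "ops-carol"}
POLICY_LIMIT = 10_000      # per-order ceiling from the platform policy
REQUIRED_APPROVALS = 2     # distinct approvers other than the initiator


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only records, each bound to its predecessor by hash: a later
    edit or deletion breaks the chain and is caught by verify()."""
    def __init__(self):
        self.records, self._prev = [], "0" * 64

    def append(self, actor, action, params, outcome):
        body = {"prev": self._prev, "actor": actor, "action": action,
                "params": params, "outcome": outcome}
        self._prev = _digest(body)
        self.records.append({**body, "hash": self._prev})

    def verify(self):
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def gate_transfer(order, log):
    """Run every pre-signing check on a transfer order (dict with order_id,
    customer_id, initiator, destination, amount, approvers); log the decision."""
    reasons = []
    if order["initiator"] not in VERIFIED_INITIATORS:
        reasons.append("initiator not verified")
    if order["destination"] not in APPROVED_ADDRESSES.get(order["customer_id"], set()):
        reasons.append("destination not on approved list")
    if order["amount"] > POLICY_LIMIT:
        reasons.append("exceeds policy limit")
    if len(set(order["approvers"]) - {order["initiator"]}) < REQUIRED_APPROVALS:
        reasons.append("insufficient distinct approvals")
    outcome = "approved-for-signing" if not reasons else "rejected: " + "; ".join(reasons)
    log.append(order["initiator"], "transfer-order",
               {k: order[k] for k in ("order_id", "destination", "amount")}, outcome)
    return not reasons
```

Only an order for which `gate_transfer` returns True should be handed to the signing component; rejected orders are still logged, so the audit trail shows attempts as well as completed transfers.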
4.6. System Continuity, Disaster Recovery, and Backups
The platform must operate on a continuous basis; business continuity and disaster recovery plans are mandatory for cases of malfunction, cyberattacks, or disasters. In addition, data must be backed up periodically, backups must be stored in secure environments, and rapid restoration must be possible in unforeseen circumstances. The Guidelines recommend testing backed-up systems and conducting regular scenario-based simulations.
4.7. Protection Profiles and Security Testing
The TÜBİTAK Criteria explicitly state that system components (in particular wallets and key modules) must be tested based on national and international protection profiles (e.g., Common Criteria, EAL levels), with test reports obtained and documented. In particular, wallet signing components and key storage systems must utilize tested and certified hardware modules.
4.8. Distributed Ledger Integration and Auditable Data Flow
System components that interact with blockchain networks, including verification processes, network connections, and data transfer mechanisms, must be subject to security controls. The Guidelines envisage that transaction fee calculations, fork detection, and transaction verification processes should be carried out under the control of the platform.
- Conclusion
With the publication of the TÜBİTAK Criteria, it is clearly observed that a new era has begun for crypto asset service providers in terms of security, transparency, and supervision.
These Criteria have made it mandatory to establish security infrastructures compatible with international standards, requiring companies in the sector to possess not only financial strength but also robust technological and operational structures.
In line with these new regulations, it is of critical importance for crypto asset service providers to continue their operations in compliance with both the Capital Markets Board Communiqués and the TÜBİTAK Criteria, in order to ensure reliability and sustainability within the sector.
Attorney At Law Ezginaz Çalışır