Siber Güvenlik Alanında Paralel Bildirim Yükümlülüklerinin Hukuki Çerçevesi: Eşgüdümlü Yönetişim Modeli Önerisi

Yıl 2025, Cilt: 7 Sayı: 2, 435 - 501, 30.12.2025

Muhammed Furkan Akıncı

https://doi.org/10.59933/tauhfd.1851344

https://izlik.org/JA73YU86KN

Öz

Türkiye'de siber güvenlik alanındaki bildirim yükümlülükleri, Siber Güvenlik Başkanlığı Kanunu'nun yürürlüğe girmesiyle yeni bir evreye girmiştir. Ancak mevcut sektörel bildirim rejimleri (BTK, BDDK, SPK, EPDK, SHGM) varlığını sürdürmekte, bu durum paralel ve çakışan yükümlülükler ortaya çıkarmaktadır. Bu çalışma, çok-merkezli bildirim mimarisinin teorik temellerini risk yönetişimi ve merkezsiz regülasyon literatürü çerçevesinde incelemekte, Türkiye'deki mevcut durumu haritalandırmakta ve Avrupa Birliği'ndeki NIS2, DORA, CRA gibi düzenlemelerle karşılaştırmalı analiz sunmaktadır. Makale, farklı kurumların eşzamanlı bildirim taleplerinin oluşturduğu mükerrerlik, uyum maliyetleri ve koordinasyon eksikliğinden kaynaklanan sorunları tespit etmektedir. AB'nin NIS2 Uygulama Tüzüğü'nde standardize edilen şablon ve süre yaklaşımları, DORA'nın EU Hub modeli ve CRA'nın ENISA tek platform çözümü, Türkiye için model teşkil edebilecek örneklerdir. Çalışma, tek giriş-çok çıkış prensibiyle işleyen, ortak veri sözlüğü kullanan ve risk temelli kademeli raporlama sunan eşgüdümlü bir bildirim çerçevesi önermektedir. Bu model, sektörel uzmanlığı korurken mükerrer raporlamayı azaltacak, hukuki öngörülebilirliği artıracak ve siber risk yönetişiminde etkinlik-yük dengesini optimize edecektir.

Anahtar Kelimeler

Siber güvenlik hukuku , paralel yükümlülükler , risk yönetişimi , NIS2 , siber güvenlik kanunu , eşgüdümlü bildirim , meta-regülasyon , çok-merkezli yönetişim

Der Rechtliche Rahmen Paralleler Meldepflichten in der Cybersicherheit: Ein Modellvorschlag Zur Koordinierten Governance

https://izlik.org/JA73YU86KN

Öz

Legal Framework of Parallel Notification Obligations in Cybersecurity: A Coordinated Governance Model Proposal

https://izlik.org/JA73YU86KN

Öz

Turkey's cybersecurity notification obligations have entered a new phase with the enactment of the Cybersecurity Presidency Law. However, existing sectoral notification regimes (BTK, BDDK, SPK, EPDK, SHGM) continue to operate, creating parallel and overlapping obligations. This study examines the theoretical foundations of polycentric notification architecture within the framework of risk governance and decentered regulation literature, maps the current situation in Turkey, and provides comparative analysis with European Union regulations such as NIS2, DORA, and CRA. The research identifies problems arising from duplication caused by simultaneous notification requests from different authorities, compliance costs, and lack of coordination. The standardized template and timeline approaches in the EU's NIS2 Regulation, DORA's EU Hub model, and CRA's ENISA single platform solution provide exemplary models for Turkey. The study proposes a coordinated notification framework operating on a single-entry-multiple-exit principle, utilizing a common data dictionary, and offering risk-based tiered reporting. This model would preserve sectoral expertise while reducing duplicate reporting, enhance legal predictability, and optimize the efficiency-burden balance in cyber risk governance.

Anahtar Kelimeler

Cybersecurity law , parallel obligations , risk governance , NIS2 , CSA , coordinated notification , meta-regulation , polycentric governance

Kaynakça

• ADAMS, S. vd. “The Governance of Cybersecurity : A Comparative Quick Scan of Approaches in Canada, Estonia, Germany, the Netherlands and the UK”. Tilburg University / WODC, Lahey.
• AKGÜN, Mustafa. “Bağımsız İdari Otoritelerin Anayasal Statüsünün Belirlenmesi İhtiyacı: Teorik ve Pratik Gerekçeler”. Amme İdaresi Dergisi 57/2 (2024), 29-60.
• AKTAN, Coşkun Can - Yay, Serdar. “REGÜLASYON İKTİSADINA GİRİŞ”. Ekonomi Bilimleri Dergisi 8/1 (31 Aralık 2016), 59-72.
• AYRES, Ian - Braithwaite, John. Responsive Regulation: Transcending the Deregulation Debate. Oxford University Press, 1992. https://doi.org/10.1093/oso/9780195070705.001.0001
• BALDWIN, Robert vd. LSE Research Online Documents on Economics. “Risk Management and Business Regulation”. LSE Research Online Documents on Economics. https://ideas.repec.org//p/ehl/lserod/35975.html
• BALDWIN, Robert vd. (ed.). The Oxford handbook of regulation. Oxford, U. K: Oxford University Press, 1st pbk. ed., 2012.
• BALDWIN, Robert vd. Understanding Regulation: Theory, Strategy, and Practice. New York: Oxford University Press, 2nd ed., 2012.
• BECK, Ulrich vd. Reflexive Modernization: Politics, Tradition and Aesthetics in the Modern Social Order. Stanford University Press, 1994.
• BECK, Ulrich. Risk Society: Towards a New Modernity. London: Sage, Repr., 2009.
• BECK, Ulrich. World at Risk. Polity, 2009.
• BLACK, Julia. “Constructing and Contesting Legitimacy and Accountability in Polycentric Regulatory Regimes”. Regulation & Governance 2/2 (2008), 137-164. https://doi.org/10.1111/j.1748-5991.2008.00034.x
• BLACK, Julia. “Decentring Regulation: Understanding the Role of Regulation and Self-Regulation in a ‘Post-Regulatory’ World”. Current Legal Problems 54/1 (01 Ocak 2001), 103-146. https://doi.org/10.1093/clp/54.1.103
• BLACK, Julia. “Regulatory Conversations”. Journal of Law and Society 29/1 (2002), 163-196. https://doi.org/10.1111/1467-6478.00215
• BLACK, Julia. “The Emergence of Risk-Based Regulation and the New Public Risk Management in the United Kingdom”. Public Law, 510-546.
• BLACK, Julia - Baldwin, Robert. “Really Responsive Risk-Based Regulation”. Law & Policy 32/2 (15 Mart 2010), 181-213. https://doi.org/10.1111/j.1467-9930.2010.00318.x
• BURNUKARA, Simay. 2001 krizi sonrası Türk bankacılık sisteminde BDDK’nın rolü ve fonksiyonu. İstanbul Ticaret Üniversitesi, 2012. https://acikerisim.ticaret.edu.tr/items/72bcbae1-3f64-47ce-85f5-2f1a47c72515
• CARTER, David P. - Mahallati, Nadia. “Coordinating Intermediaries: The Prospects and Limitations of Professional Associations in Decentralized Regulation”. Regulation & Governance 13/1 (2019), 51-69. https://doi.org/10.1111/rego.12167
• COEN, David - Thatcher, Mark. “Network Governance and Multi-Level Delegation: European Networks of Regulatory Agencies”. Journal of Public Policy 28/1 (Nisan 2008), 49-71. https://doi.org/10.1017/S0143814X08000779
• COGLIANESE, Cary - Lazer, David. “Management-Based Regulation: Prescribing Private Management to Achieve Public Goals”. Law & Society Review 37/4 (Aralık 2003), 691-730. https://doi.org/10.1046/j.0023-9216.2003.03703001.x
• COGLIANESE, Cary - Mendelson, Evan. “Meta‐Regulation and Self‐Regulation”. The Oxford Handbook of Regulation. ed. Robert Baldwin vd. 0. Oxford University Press, 2010. https://doi.org/10.1093/oxfordhb/9780199560219.003.0008
• DEIBERT, Ronald J. - Rohozinski, Rafal. “Risking Security: Policies and Paradoxes of Cyberspace Security”. International Political Sociology 4/1 (01 Mart 2010), 15-32. https://doi.org/10.1111/j.1749-5687.2009.00088.x
• ECKERT, Sandra - Börzel, Tanja A. “Experimentalist Governance: An Introduction”. Regulation & Governance 6/3 (2012), 371-377. https://doi.org/10.1111/j.1748-5991.2012.01163.x GİDDENS, Anthony. “Risk and Responsibility”. The Modern Law Review 62/1 (1999), 1-10.
• GREENBERG, Andy. Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. New York: Doubleday, 2019.
• HANCHER, L. - Moran, M. “Organizing Regulatory Space”. A Reader on Regulation. ed. Robert Baldwin vd. 0. Oxford University Press, 1998. https://doi.org/10.1093/acprof:oso/9780198765295.003.0005
• HOOD, Christopher vd. The Government of Risk: Understanding Risk Regulation Regimes. OUP Oxford, 2001.
• HUTTER, Bridget M. The attractions of risk-based regulation: accounting for the emergence of risk ideas in regulation. CARR London, 2005. https://web.actuaries.ie/sites/default/files/erm-resources/205_The_attractions_of_risk_based_regulation_accounting_for_the_emergence_of_risk_ideas_in_regulation.pdf
• IŞIK, Alper. İnternet Aktörleri ve Egemenliğin Değişen Boyutları. İstanbul: On İki Levha Yayıncılık, 2. Basım, 2025.
• JAMES, Oliver. “Regulation Inside Government: Public Interest Justifications and Regulatory Failures”. Public Administration 78/2 (2000), 327-343. https://doi.org/10.1111/1467-9299.00208
• KAYA, Mehmet Bedii. “Self-Disclosure or Burying the Evidence Dilemma: A Legal Review of the Data Breach Rules under the Turkish Personal Data Protection Law”. Annales de La Faculté de Droit d’Istanbul 70 (31 Aralık 2021), 195-241. https://doi.org/10.26650/annales.2021.70.0007
• KAYA, Mehmet Bedii. “Siber Güvenlik Hukuku”. Dijital Baskı. mbkaya.com/hukuk/siber-guvenlik-hukuku.pdf
• KOLİBA, Christopher J. vd. Governance Networks in Public Administration and Public Policy. New York: Routledge, 2. Basım, 2018. https://doi.org/10.4324/9781315268620
• LUHMANN, Niklas. Risk: A Sociological Theory. çev. Rhodes Barrett. Abingdon, Oxon New York, NY: Routledge, Taylor & Francis Group, 2017.
• MAGGETTİ, Martino. “De Facto Independence after Delegation: A Fuzzy-Set Analysis”. Regulation & Governance 1/4 (2007), 271-294. https://doi.org/10.1111/j.1748-5991.2007.00023.x
• OSTROM, Elinor. “Beyond Markets and States: Polycentric Governance of Complex Economic Systems”. The American Economic Review 100/3 (2010), 641-672.
• O’SULLİVAN, K.P.V. - Flannery, Darragh. “A Discussion on the Resilience of Command and Control Regulation within Regulatory Behavior Theories”. Journal of Governance and Regulation 1/1 (2012), 15-24. https://doi.org/10.22495/jgr_v1_i1_p2
• PAPADOPOULOS, Yannis. “How Does Knowledge Circulate in a Regulatory Network? Observing a European Platform of Regulatory Authorities Meeting”. Regulation & Governance 12/4 (2018), 431-450. https://doi.org/10.1111/rego.12171
• PARKER, Christine. The Open Corporation: Effective Self-Regulation and Democracy. Cambridge University Press, 2002.
• POWER, Michael. Organized Uncertainty: Designing a World of Risk Management. Oxford University Press, 2007. https://doi.org/10.1093/oso/9780199253944.001.0001
• RASBORG, Klaus. Ulrich Beck: Theorising World Risk Society and Cosmopolitanism. Cham: Springer International Publishing, 2021. https://doi.org/10.1007/978-3-030-89201-2
• SARI, Ömür Kadri. “TÜRK HUKUKUNDA DÜZENLEYİCİ VE DENETLEYİCİ KURUMLARIN TEMEL İLKELERİ”. Danıştay Dergisi 152 (2020), 277-298.
• YESILKAGIT, Kutsal. “Institutional compliance, European networks of regulation and the bureaucratic autonomy of national regulatory authorities”. Journal of European Public Policy 18/7 (01 Ekim 2011), 962-979. https://doi.org/10.1080/13501763.2011.599965
• YEUNG, Karen - Ranchordás, Sofia. An Introduction to Law and Regulation: Text and Materials. Cambridge, UK ; New York: Cambridge University Press, 2024.
• Data Protection: Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach. United State Government Accountability Office, 2018.