The Regulation on the Authorization of Participants within the Scope of Public IT Service Procurement (“Regulation”) has been published on the Official Gazette dated June 29, 2022 and numbered 31881. The Regulation is prepared by the Turkish Ministry of Industry and Technology (“Ministry”) and will enter into force on September 29, 2022.
The Regulation covers the procurement of IT services to be made by public administrations. These procurements correspond to the procurement of consultancy services and services realized within the scope of the Public Procurement Law and the procurement of goods, services, consultancy, and construction works within the scope of other legislation and public-private cooperation projects. In this context, it is set forth that the subject of purchases is all kinds of software development, software integration and software maintenance services, IT system installation and maintenance services, IT consultancy services and IT security services.
There are three types of authorization certificates under the Regulation: (i) Public IT Authorization Certificate, (ii) Software Authorization Certificate, (iii) Penetration Test Authorization Certificate.
Accordingly, the parties that will provide IT services to public administrations will be obliged to hold at least one of these authorization certificates, depending on the nature and subject of the procurement to be made.
A definite period is not stipulated for the duration of such authorization certificates (the validity period of the submitted documents will be taken into account) and the duration of the authorization certificates can be extended by submitting the renewed documents to the Ministry through a re-application no later than one month before the expiration date of the document.
Within the scope of the Regulation, the application requirements are expressed in a very limited way and internationally accepted documents showing the necessary security and competence are requested:
(i) For Public IT Authorization Certificate, TS EN ISO/IEC 27001 certificate (Information Security Management System Certificate issued by accredited organizations with ISO/IEC 17021-1 accreditation) for at least one of the IT service procurements.
(ii) For Software Authorization Certificate, TS EN ISO/IEC 27001 certificate covering software development, software integration and software maintenance services and at least one of the documents of TS ISO/IEC 15504 Level 2 (Information Technology Process Assessment Certificate issued by accredited organizations conducting audits in accordance with the Software Process Improvement and Capability Determination (SPICE) method) or CMMI (Capability Maturity Model Integration) Level 3.
(iii) For Penetration Test Authorization Certificate, TS EN ISO/IEC 27001 certificate covering penetration testing services and Type A or B TSE Penetration Test Company Certificate (document expressing the conditions for participants providing penetration testing services within the scope of TS 13638 standard).
On the other hand, various additional information and documents may be requested by the Ministry.
The Ministry has the authority to audit the participants with the authorization certificate on whether they act in accordance with the authorization certificate or not.
In the event that a discrepancy is detected during these audits, (i) a written warning shall be given, (ii) remedy period up to 6 months shall be granted, (iii) the authorization certificate shall be suspended until the discrepancy is corrected. During the suspension period, the participant in question will not be able to obtain a new authorization certificate of the same type.
The authorization certificate will be canceled if the discrepancy is not corrected within the given period. In case of cancellation, the same type of authorization certificate will not be issued for 1 year. In case of repetition of the cancellation of the authorization certificate, the same type of authorization certificate will not be issued for 3 years.