
When a foreign-owned company sets up in Türkiye, cybersecurity expectations stack from two directions. Headquarters expects ISO 27001 / SOC 2 / NIS2 / national equivalents. Türkiye adds KVKK (Law 6698 — personal data protection), telecom and electronic communications obligations under BTK for certain service categories, and growing expectations around data localization — particularly for personal data of Turkish residents. This guide explains where the two systems intersect, where they diverge, and what the ERP layer needs to support.
Note: Cybersecurity and data protection regulations are dynamic. Confirm specific obligations with your Turkish privacy / IT counsel and your group CISO for your circumstances.
The two demands
1. Group-side (ISO 27001, SOC 2, NIS2)
Headquarters typically asks for:
- Documented information security management system (ISMS)
- Vendor risk assessments
- Annual penetration tests
- Incident response plans
- Encryption at rest and in transit
- Role-based access control with periodic recertification
- Audit logs retained per group standard
If HQ is in the EU and operates as an essential or important entity under NIS2, additional incident reporting obligations may apply across the group, including the Turkish subsidiary.
2. Türkiye-specific (KVKK, BTK, sectoral)
- KVKK (Law 6698) — broad personal data protection regime, with notification, consent, and data subject rights provisions
- VERBİS — controller registry (registration may be mandatory depending on size and processing scope)
- Sectoral rules — banking (BDDK), insurance (SEDDK), telecom (BTK), health (Ministry of Health) each layer additional requirements on top of KVKK
- Data localization expectations — for several data categories, Turkish authorities have shown a preference (and in some cases statutory requirement) for in-country storage and processing of Turkish residents' data
Where the two meet at the ERP layer
The ERP holds and processes most of the personal and operational data, so it sits at the intersection.
Access control & SoD
Both systems demand role-based access, but Türkiye also wants:
- Bilingual access logs (Turkish user names, evidence in Turkish)
- Inspector-friendly audit reports (CSV/PDF, Turkish formatting)
- Demonstrable segregation of duties
Audit log integrity
- Append-only is the global norm
- Cryptographic chaining (hash-of-previous) is increasingly expected
- Retention periods: VUK (Tax Procedure Law, typically 5 years), KVKK (duration of the relationship plus a reasonable period), other sector frameworks may extend further
Personal data lifecycle
- Lawful basis tracking (consent, contract, legal obligation, legitimate interest)
- Retention schedules per data category
- Automated deletion or anonymization at end of retention
- Data subject rights (access, rectification, deletion, objection) workable through self-service or short-cycle processes
Encryption
- TLS for transit (universally expected)
- Encryption at rest for sensitive fields (especially personal IDs, financial data, health)
- Key management documentation (HSM / KMS)
Localization options
- Türkiye does not currently have a Microsoft Azure region; major hyperscalers serve Türkiye from European regions (Netherlands, Ireland)
- Cloud providers offer Turkish data residency on specific services and through partner setups
- Some sectors (banking, public, certain health) have strict in-country requirements; others are more permissive but still expect enterprise-grade controls
The ERP should give you transparent control over where data lives, especially for personal data.
What HQ vendor reviews typically ask
When the parent's procurement runs vendor risk on a Turkish ERP, expect questions like:
- ISO 27001 certification (or equivalent)
- SOC 2 Type II report
- Pen test summary (recent)
- Subprocessor list
- Hosting region and data residency policy
- Encryption at rest and in transit
- Incident response & SLA
- KVKK compliance attestation
- Data subject rights workflow capabilities
- Backup, recovery and disaster recovery (RPO/RTO)
A vendor that can produce these in under a week passes; longer means delays.
Common compliance gaps
1. Audit log retention shorter than data retention. Logs deleted after 2 years while the underlying tax records are kept for 5+ creates an inspection gap.
2. Read operations not logged. Many ERPs only log writes. KVKK access auditing wants reads too, at least for sensitive fields.
3. Bulk data exports not tracked. If a user can dump the customer database to CSV and there is no log entry, you cannot defend against alleged data leakage.
4. Sub-processor visibility. If your ERP uses a downstream cloud / processor, the agreement chain must be transparent.
5. Incident response not tested. A documented plan that has never been rehearsed fails on day one of a real incident. Annual tabletop exercises are increasingly expected.
6. Encryption policy without key custody discipline. Encrypting at rest with a key the cloud provider also holds doesn't satisfy the harder cases. Customer-managed keys (CMK) come up often in HQ reviews.
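The chained log described under "Audit log integrity", combined with the read-logging and export-tracking that gaps 2 and 3 call for, as an added example (not Birasyo's code): each entry folds in the SHA-256 of the previous entry, so editing, reordering or deleting any past record breaks verification from that point on. The table and field names, the sensitive-field set and the sample events are constructed assumptions, not a real ERP schema.

```python
"""Hash-chained, append-only audit log (illustrative; not an ERP vendor's code)."""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev-hash of the very first entry
# Fields whose reads must be logged; constructed set, configurable in practice
SENSITIVE_FIELDS = {"tckn", "iban", "health_note"}


def _digest(prev_hash: str, payload: dict) -> str:
    # Canonical JSON so the same content always hashes the same way
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, actor: str, action: str, **details) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {"seq": len(self.entries), "actor": actor,
                   "action": action, **details}
        entry = {**payload, "prev": prev, "hash": _digest(prev, payload)}
        self.entries.append(entry)
        return entry

    def log_read(self, actor: str, table: str, record_id: int,
                 fields: List[str]) -> Optional[dict]:
        # Gap 2: record reads, at least when sensitive fields are touched
        hit = sorted(set(fields) & SENSITIVE_FIELDS)
        if not hit:
            return None
        return self.append(actor, "READ", table=table,
                           record_id=record_id, fields=hit)

    def log_export(self, actor: str, table: str, rows: int, fmt: str) -> dict:
        # Gap 3: a bulk dump leaves an evidentiary trail with its row count
        return self.append(actor, "EXPORT", table=table, rows=rows, format=fmt)

    def verify(self) -> int:
        """Return the index of the first broken link, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            payload = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(prev, payload):
                return i
            prev = e["hash"]
        return -1
```

A chain alone cannot reveal removal of the newest entries; periodically anchoring the latest hash in a write-once store outside the ERP closes that gap.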
ERP-level checklist
- ISO 27001 certified hosting / processor
- KVKK-aligned data flow documentation
- Append-only audit log with crypto chaining
- Read-logging on configurable sensitive fields
- Encryption at rest and in transit
- Customer-managed key option
- Data subject rights workflows (access, deletion, portability)
- Configurable retention schedules
- Incident response with notification SLAs
- Sub-processor list maintained and disclosable
- Hosting region transparency
- Pen test reports available on request
Birasyo's compliance posture
Birasyo ERP:
- Hosted on Microsoft Azure European regions (Netherlands / Ireland) with documented data flow
- ISO 27001 aligned controls, with formal certification roadmap
- KVKK compliant: VERBİS support, lawful basis tracking, retention configurable, data subject rights workflows
- Append-only audit log with cryptographic chaining; read-logging configurable per field
- Encryption at rest and in transit, customer-managed key option for enterprise tier
- Incident response: documented plan, annual tabletop, notification SLAs
- Sub-processor list maintained; transparent
- Pen test summary available under NDA
If your group needs to vendor-onboard Birasyo, book a session — we'll provide the security pack and answer your CISO's questionnaire within 5 business days.
Sources
- KVKK (Law No. 6698) — Turkish Data Protection Authority guidance
- ISO/IEC 27001 — international information security standard
- BTK (Information and Communication Technologies Authority) sectoral guidance
- NIS2 Directive (EU 2022/2555) for EU-headquartered groups