Recent Development
Increasing cyber threats in recent years have led countries to incorporate cybersecurity measures into their national security strategies. In this framework, legislative work was carried out to determine the principles for mitigating the possible effects of cyber incidents, to regulate the protection of organizations and institutions against cyberattacks, and to determine strategies and policies to strengthen Türkiye's position on cybersecurity. In this regard, the Draft Cybersecurity Law ("Draft Law") was submitted to the Grand National Assembly of Türkiye on 10 January 2025. The Draft Law was adopted by the Grand National Assembly of Türkiye on 12 March 2025 and became effective upon its publication in the Official Gazette dated 19 March 2025 and numbered 32846.
The Cybersecurity Law ("Law") is available here (in Turkish).
Scope of the Law
The Law applies to (i) public institutions and organizations, (ii) professional organizations with public institution status, (iii) real persons and legal persons and (iv) organizations without legal personality that exist, operate and provide services in cyberspace. Pursuant to the Law, the term “cyberspace” refers to all composite systems that are directly or indirectly connected to the internet, electronic communication or computer networks and the environments consisting of the networks that connect these systems. In this regard, considering that the provisions envisaged under the Law cover a wide range of actors, the Law is expected to have a comprehensive impact on the cybersecurity ecosystem.
What the Law introduces
- Cybersecurity Presidency. The Law sets forth the responsibilities of the Cybersecurity Presidency ("Presidency") established by Presidential Decree No. 177 on the Cybersecurity Presidency, published in the Official Gazette dated 8 January 2025 and numbered 32776. Accordingly, the Presidency has duties such as (i) conducting operations to strengthen the cyber resilience of critical infrastructures and information systems, including penetration tests, vulnerability tests and risk analysis of assets, to combat cyber threats within this scope; (ii) identifying critical infrastructures, the institutions to which they are affiliated and their status; (iii) ensuring that public institutions and organizations and critical infrastructures keep an inventory of all their assets, including a data inventory, conduct risk analysis of those assets and apply security measures according to the criticality of these assets; (iv) conducting legislative work; (v) ensuring coordination of cybersecurity activities; (vi) preparing emergency plans; (vii) conducting testing and managing certification procedures for software, hardware, products, systems and services; (viii) conducting R&D and technology activities on cybersecurity; and (ix) requesting information and documents regarding the sale of cybersecurity products and the companies that produce them.
- Cybersecurity Board. The Law establishes the Cybersecurity Board ("Board"), which is composed of the President, the Vice President, the Head of Cybersecurity and various ministers and heads of public institutions. The main duties of the Board include (i) taking decisions on regulatory actions, such as action plans and policies on cybersecurity; (ii) taking decisions on the implementation of the cybersecurity technology roadmap issued by the Presidency; (iii) identifying critical infrastructure sectors; and (iv) taking decisions on disputes that may arise between the Presidency and public institutions and organizations.
- Those Who Provide Services, Collect Data, Process Data and Carry Out Similar Activities Through the Use of Information Systems. The Law also regulates the duties and responsibilities regarding cybersecurity of those who provide services, collect and process data using information systems. Accordingly, these real and/or legal persons are required to (i) submit the information and documents requested by the Presidency; (ii) take the measures stipulated under the legislation and notify the Presidency without delay of any vulnerabilities or cyber incidents they detect in the areas where they provide services; (iii) procure cybersecurity products, systems and services to be used in critical infrastructures from cybersecurity experts and companies authorized and certified by the Presidency; (iv) obtain the Presidency’s approval within the framework of the existing regulations before starting operations carried out by cybersecurity companies that are subject to certification, documentation or authorization; (v) fulfill the requirements provided under the documents such as policies, strategies and action plans determined by the Presidency and (vi) comply with the official recommendations and similar documents published by the Presidency.
- Inspection. The Law further stipulates that the Presidency may inspect all kinds of actions and operations falling within the scope of the Law and may conduct on-site inspections for this purpose, when deemed necessary. The inspections in question will be conducted in accordance with the program to be established within the scope of the significance, priority principles and risk assessments to be determined by the Presidency; however, it is also possible to conduct inspections beyond the program, if the Presidency deems necessary. The Law sets forth that for the purposes of national security, public order, prevention of crime or cyber-attacks, on-site searches may be conducted in residences, workplaces, and non-public indoor areas upon a judgeship decision or upon the written order of the public prosecutor in cases where the delay is deemed impermissible. Accordingly, it is also possible to perform copying and seizure operations in such cases, provided that it does not cause long-term service disruption. However, search, copying and seizure operations to be carried out in the data centers belonging to authorized data center operators may only be conducted upon a judgeship’s decision.
Pursuant to the Law, those being inspected are required to keep the relevant devices, systems, software and hardware available for inspection within the given periods, to provide the necessary infrastructure for inspection and to take the necessary measures to keep them in working condition.
- Critical Infrastructures. The Law defines critical infrastructures as information system infrastructures that can cause serious damage if the confidentiality, integrity or availability of the information/data they process is compromised. Pursuant to the Law, both the Presidency and the Board have duties and powers regarding critical infrastructures. Accordingly, (i) the Board is responsible for identifying critical infrastructure sectors, while (ii) the Presidency is responsible for identifying critical infrastructures, the institutions to which they are affiliated and their status; ensuring that critical infrastructures keep an inventory of their assets and take security measures according to the criticality level of the assets they own; determining the cybersecurity products and services to be used in critical infrastructures and the technical criteria these infrastructures must meet; and determining the principles and procedures for the notifications to be submitted to the Presidency.
Under the existing rules of Turkish law, sectors such as electronic communications, energy, water management, banking and finance, transportation and critical public services are considered critical infrastructure. Accordingly, considering the concept of a critical infrastructure institution accepted under the current rules, the definition of critical infrastructure provided under the Law and the Board's authority to determine critical infrastructure sectors, companies operating in critical infrastructure sectors, whose scope will be specified in the future, may become subject to the regulations set forth under the Law.
- Cybersecurity Products and Companies. The sale abroad of cybersecurity products, systems, software, hardware and services will be subject to the approval of the Presidency. In addition, merger, spin-off, share transfer or sale transactions of companies producing cybersecurity products/services must be notified to the Presidency, and the approval of the Presidency will be required if these transactions grant real or legal persons, individually or jointly, any control rights or decision-making authority over the company.
- Criminal Provisions and Administrative Fines. The Law differentiates between the severity of cybersecurity offenses to establish effective sanction mechanisms. The Law envisages imprisonment for certain offenses, such as cyberattacks, leaking of personal or corporate data, and dissemination of leaked data. Conversely, administrative fines will be imposed for other acts, such as failing to implement measures required by legislation and hindering the inspections. Among the penalties regulated under the Law, the striking provisions are as follows:
| Act Contrary to the Law | Envisaged Penalty |
| --- | --- |
| Failing to provide information, documents, software, data and hardware requested by the competent authorities | Imprisonment from 1 year to 3 years and a judicial fine from 500 days to 1,500 days will be imposed on those who fail to provide the requested information and documents. |
| Operating without obtaining the permits, authorizations or approvals stipulated under the Law | Imprisonment from 2 years to 4 years and a judicial fine from 1,000 days to 2,000 days will be imposed on those who carry out activities without obtaining the permits, authorizations or approvals specified in the Law. |
| Due to a data leak in cyberspace, making personal data or corporate data within the scope of critical public services, which was previously in the virtual environment, accessible, sharing such data or offering it for sale without the permission of the individuals or institutions concerned | Those who commit the act in question will be liable to imprisonment from 3 years to 5 years. |
| Creating or publishing inaccurate content claiming that there is a data leak in cyberspace in order to create anxiety, fear and panic among the public, or to target institutions or individuals | Those who commit the act in question shall be imprisoned from 2 years to 5 years. |
| Failing to fulfill the responsibilities within the scope of protecting critical infrastructures against cyberattacks and thereby causing a data breach | Those who cause a data breach for the specified reason shall be imprisoned from 1 to 3 years. |
| For those providing services and collecting and processing data using information systems, failing to fulfill the obligation to report security vulnerabilities and cyber incidents to the Presidency, or to procure cybersecurity products, systems and services to be used in public institutions and organizations and critical infrastructures from authorized/certified cybersecurity experts and companies | An administrative fine from TRY 1,000,000 to TRY 10,000,000 will be imposed on those who provide services, collect or process data or carry out similar activities using information systems if they fail to fulfill their relevant obligations. |
| Failing to apply for the opinion/approval of the Presidency for the sale of cybersecurity products/services abroad or for the merger, transfer or sale transactions of a company producing any kind of cybersecurity-related products/services, or failing to respond to the Presidency's requests for information | Administrative fines from TRY 10,000,000 to TRY 100,000,000 will be imposed on those who commit the act in question. |
| Failing to fulfill the obligation to cooperate in inspections conducted by inspectors authorized under the Law | Those who fail to fulfill the obligation to cooperate with inspectors shall be subject to administrative fines between TRY 100,000 and TRY 1,000,000. The Law stipulates that the administrative fine imposed on commercial companies for failing to fulfill this obligation shall be no less than TRY 100,000 and up to 5% of the gross sales revenue in their independently audited annual financial statements. |
The Law also regulates the process for enforcing administrative fines. Accordingly, the relevant party’s defense will be requested prior to the imposition of an administrative fine, and if the party in question fails to provide a response within 30 days from the date of notification, it will be deemed to have waived the right to defense.
Conclusion
The establishment of the Presidency, along with legislative activities in the field of cybersecurity, demonstrates Türkiye’s aim to establish a stronger framework on cybersecurity. In this regard, compliance efforts carried out by the stakeholders to fulfill their obligations set forth in the Law are of utmost importance.