Cybersecurity Law in Türkiye
The Cybersecurity Law No. 7545 (the “Law”) entered into force upon its publication in the Official Gazette No. 32846 on 19 March 2025.
With the Cybersecurity Law, the scope of the concept of cybersecurity has been expanded, and certain obligations have been imposed on both the public and private sectors. Failure to comply with these obligations under the Law is also subject to various sanctions.
The purpose of the Law is defined as: “to identify and eliminate existing and potential internal and external threats directed at all elements constituting the national power of the Republic of Türkiye in cyberspace; to establish principles aimed at mitigating the potential effects of cyber incidents; to make necessary arrangements to protect public institutions and organizations, professional organizations in the nature of public institutions, natural and legal persons, and non-incorporated entities against cyberattacks; to determine strategies and policies to strengthen the country’s cybersecurity; and to regulate the establishment of the Cybersecurity Board.”
Law No. 7545 also provides systematic definitions of certain concepts included in our legislation:
- Information systems: All hardware, software, systems, and all other active or passive components used in the provision of any service, transaction, and data through information and communication technologies.
- Critical infrastructure: Infrastructure that hosts information systems which may lead to loss of life, large-scale economic damage, security vulnerabilities, or disruption of public order if the confidentiality, integrity, or availability of the data processed is compromised.
- Critical public service: Services necessary for the continuation of national, social, or economic activities, which are provided nationwide with monopoly or limited substitution, and whose interruption or impairment may have a significant impact on national security, social or economic welfare, public order or health, or the provision of other services.
- Cybersecurity: The set of activities aimed at protecting information systems constituting cyberspace from attacks; ensuring the confidentiality, integrity, and availability of data processed in this environment; detecting attacks and cyber incidents; activating response and alert mechanisms against such detections; and restoring systems to their pre-incident state.
- Cyberattack: Intentional actions carried out against persons or information systems anywhere in cyberspace in order to compromise the confidentiality, integrity, or availability of information systems and the data processed by them.
- Cyber incident: A breach of the confidentiality, integrity, or availability of information systems or data.
- Cyber threat: Potential dangers that may lead to the violation of the confidentiality, integrity, or availability of information systems or the data contained in or processed by such systems.
- Cyber threat intelligence: Information regarding existing or potential cyber threats and cyberattacks targeting assets in cyberspace that has been collected, transformed, analyzed, interpreted, or enriched.
- Cyberspace: The environment consisting of all information systems directly or indirectly connected to the internet, electronic communication, or computer networks, and the networks connecting them.
- CSIRT (Cyber Incident Response Team): The team responsible for responding to cyber incidents.
- Asset: All information and information-processing capabilities containing data that can be transmitted via communication, including personnel using or carrying data and physical locations hosting such data.
- Vulnerability: Weaknesses and security gaps in assets located in cyberspace that can be exploited by any cyber threat.
Obligations of Companies under the Cybersecurity Law
Companies that fall within the scope of the Cybersecurity Law and provide services, collect and process data, or carry out similar activities through information systems are subject to certain obligations. The primary obligations include:
a) To provide all kinds of data, information, documents, hardware, software, and any other contributions requested by the Cybersecurity Presidency in a timely and prioritized manner,
b) To take the measures prescribed by the legislation for cybersecurity purposes to ensure national security, public order, or the proper functioning of public services, and to promptly report any vulnerabilities or cyber incidents identified in their field of activity to the Cybersecurity Presidency,
c) To procure cybersecurity products, systems, and services to be used in public institutions and organizations and critical infrastructures from cybersecurity experts, manufacturers, or companies authorized and certified by the Cybersecurity Presidency,
ç) For cybersecurity companies subject to certification, authorization, and accreditation, to obtain the approval of the Cybersecurity Presidency before commencing operations in accordance with existing regulations,
d) To implement the matters set out in policies, strategies, action plans, and other regulatory acts issued by the Cybersecurity Presidency to enhance cyber maturity, and to take the necessary measures.
Criminal Sanctions for Non-Compliance
Failure to comply with the obligations set forth in the Cybersecurity Law may result in criminal sanctions. In case of non-compliance, both imprisonment and administrative fines may be imposed.
- Those who fail to provide, or who prevent the provision of, information, documents, software, data, or hardware requested within the scope of the duties and authorities of the authorized bodies and supervisory officials: imprisonment from one to three years and a judicial fine ranging from 500 to 1,500 days,
- Those who carry out activities without obtaining the required approvals, authorizations, or permits: imprisonment from two to four years and a judicial fine ranging from 1,000 to 2,000 days,
- Those who fail to fulfill confidentiality obligations: imprisonment from four to eight years,
- Those who, without authorization, make accessible, share, or sell personal data, or corporate data within the scope of critical public services, previously existing in cyberspace due to a data breach: imprisonment from three to five years,
- Those who create or disseminate false content claiming a cybersecurity data breach, despite knowing that no such breach has occurred, with the aim of causing public concern, fear, or panic or targeting institutions or individuals: imprisonment from two to five years,
- Those who carry out cyberattacks against elements constituting Türkiye’s national power in cyberspace or who retain data obtained as a result of such attacks: imprisonment from eight to twelve years (unless the act constitutes a more severe offense); and those who disseminate, transfer, or sell such data: imprisonment from ten to fifteen years,
- Those who abuse their duties and powers arising from the Law or act contrary to the requirements of their duties in protecting critical infrastructures, thereby causing a data breach: imprisonment from one to three years.
The Law also regulates the procedures for imposing administrative fines and the right of defense.
Amendments to various laws have already begun within the scope of the Cybersecurity Law. It is of utmost importance for companies to ensure compliance not only with the Cybersecurity Law but also with other laws amended based on it. Otherwise, due to the severity of sanctions for non-compliance, companies may face not only administrative fines but also the risk of imprisonment.