On 19 March 2025, the Cybersecurity Law (No. 32846) went into force in Türkiye after being introduced into the Turkish parliament, the Grand National Assembly, on 10 January.
Passage of this law is considered a milestone in Türkiye’s effort to make cybersecurity a critical component of the national security framework, enhance cyber resilience and safeguard the public and private sectors against cyberattack amid the escalating risks posed by cyber threats worldwide.
The Cybersecurity Law introduces a comprehensive regulation aimed at strengthening the country’s digital infrastructure. The Law defines concepts such as “cybersecurity”, “cyber incident”, “cyber-attack”, “cyber threat”, “cyber threat intelligence” and “cyberspace” and sets out the basic principles for ensuring cyber security. In accordance with these principles, cybersecurity is considered an integral part of national security with the objective of protecting critical infrastructure and information systems, and creating a secure cyberspace. The Law emphasises institutionalisation, continuity, and sustainability with security measures to be applied throughout the entire lifecycle of services and products.
Scope and regulatory powers
The regulations included in the Law apply to public institutions and organisations, professional organisations with public institution status, individuals and legal entities, and entities without legal personality that operate, provide services, or engage in activities in cyberspace. The Law envisages broad regulatory powers that cover all individuals and legal entities operating in cyberspace, regardless of whether they are in the public or private sector.
The Law establishes two key regulatory bodies:
- Cybersecurity Presidency: As the key authority responsible for ensuring cybersecurity as an integral part of national security, the Presidency’s primary duties include protecting critical infrastructure and information systems from cyber threats, identifying critical infrastructure sectors, establishing and managing secure systems for public institutions, and overseeing Cyber Incident Response Teams (SOME). The Presidency is also tasked with setting cybersecurity standards, conducting testing and certification, implementing preventive measures, providing remote or on-site incident response support, collecting and analysing cyberattack data, and ensuring coordination with relevant authorities. Detailed procedures for these activities will be outlined in regulations.
  The Cybersecurity Law grants the Presidency extensive powers for inspections and audits, including:
  - Risk-based audits and on-site inspections of critical infrastructures;
  - Authority to enforce immediate compliance measures if cybersecurity risks are detected;
  - Power to search, copy, and seize data and systems with judicial authorisation or public prosecutor’s approval in urgent cases; and
  - Data centre inspections, which require judicial approval.
- Cybersecurity Board: Comprised of the President, Vice President, relevant ministers and heads of public institutions, the Board is tasked with setting cybersecurity policies and strategies, overseeing the implementation of the national cybersecurity technology roadmap, identifying critical infrastructure sectors, and resolving disputes between the Presidency and public institutions.
Key obligations under the Law
Responsibilities for service providers and data processors
The law imposes strict obligations on entities that provide services, collect data, process data, or perform similar activities using information systems. These responsibilities include:
- Submitting requested information and documents to the Presidency;
- Implementing mandated cybersecurity measures and reporting any detected vulnerabilities or cyber incidents without delay;
- Procuring cybersecurity products and services only from certified professionals and companies authorised by the Presidency;
- Seeking presidential approval before initiating operations subject to certification or authorisation;
- Adhering to cybersecurity policies, strategies, and action plans set forth by the Presidency; and
- Complying with official cybersecurity recommendations and guidelines.
Protection of critical infrastructure
Under the Law, critical infrastructure is defined as information systems that, if compromised in terms of confidentiality, integrity, or availability, could cause significant damage. Both the Presidency and the Board have key roles in protecting this infrastructure:
i. The Board is responsible for identifying the sectors that contain critical infrastructure.
ii. The Presidency has a broader role, including:
- Identifying the critical infrastructure, the institutions they are linked to, and their status;
- Ensuring that critical infrastructures maintain an inventory of their assets and implement security measures according to the criticality of those assets;
- Determining the cybersecurity products and services for use in these infrastructures, establishing technical criteria, and setting principles for notifications to the Presidency; and
- Ensuring that critical infrastructure is protected from cyber threats and complies with specific cybersecurity standards and protocols.
Regulation of cybersecurity products and companies
The key points regarding the regulations for cybersecurity products, systems, software, hardware, and services are:
- The export of cybersecurity products, systems, software, hardware, and services must follow procedures set by the Presidency, and approval is required for certain products.
- Companies producing cybersecurity products must notify the Presidency about mergers, splits, share transfers, or sales. Any changes that grant control or decision-making rights over the company need Presidential approval.
- Transactions carried out without Presidential approval are legally invalid.
- The Presidency can request information and documents related to these transactions, and will publish detailed procedures.
Sanctions and penalties
Legal entities and individuals who violate the Law will be subject to various administrative and penal sanctions:
- Individuals who refuse or obstruct requests from authorised authorities may face between one and three years in prison and fines.
- Those who operate without required approvals can face between two and four years in prison and fines.
- Failure to maintain confidentiality may lead to between four and eight years in prison.
- Sharing personal or critical data due to a data breach without permission can lead to between three and five years in prison.
- Creating or spreading false information about a data leak can result in between two and five years in prison.
- Attacks on national cyber assets or distributing stolen data can lead to between eight and twelve years in prison; distributing or selling data may result in between ten and fifteen years in prison.
- Penalties increase by one-third for public officials, one-half if multiple people are involved, or double if done as part of an organisation.
- Violations can lead to between three and five years in prison.
- Those misusing authority or causing data breaches in critical infrastructure protection may face between one and three years in prison.
- Those who fail to take the cybersecurity measures required by law for national security, public order, or public services; who do not promptly report identified vulnerabilities or cyber incidents to the relevant authority (i.e. the Presidency); or who fail to source cybersecurity products, systems, and services for public institutions and critical infrastructures from the authorised and certified cybersecurity experts, manufacturers, or companies required by the Presidency, may face administrative fines of between TRY 1 million and TRY 10 million.
- Those who fail to meet responsibilities with respect to regulation of cybersecurity products and companies may face fines of between TRY 10 million and TRY 100 million.
- Those who fail to fulfil the obligation to cooperate with inspectors will be subject to administrative fines of between TRY 100,000 and TRY 1 million. The Law stipulates that the administrative fine for companies that fail to fulfil this obligation will not be less than TRY 100,000 and up to 5% of the gross sales revenue in a company’s independently audited annual financial statement.
Conclusion
The Cybersecurity Law introduces comprehensive regulations aimed at enhancing Türkiye’s digital security. While imposing serious obligations and sanctions on both individuals and legal entities, it foresees strict oversight for critical infrastructure entities and cybersecurity firms. In the light of these, it is crucial to achieve compliance in the IT and cybersecurity industries.
For more information on the new legal framework of cross-border transfer of personal data and its impact on your company or business, you can contact Alican Babalioglu, Melis Celik and Ezgi Bahar.