A New Era in Cybersecurity in Turkey: The Law is Now in Effect
Uniconsult - Consulting Services

      The Cybersecurity Law No. 7545 (the "Law") was published in the Official Gazette on 19 March 2025 and entered into force on the same date.
      The purpose, scope, and main regulations introduced by the Law are set out below.
      The key points of the Law can be summarized as follows:

      • A comprehensive legislative framework has been established to ensure the consistency of national cybersecurity policies, provide binding standards for public institutions, the private sector, and individuals, and address the need to restructure the concept of cybersecurity.
      • Definitions have been provided for key concepts such as information systems, critical infrastructure, critical public services, cybersecurity, cyber incidents, cyber-attacks, cyber threats, and cyberspace.
      • Eleven fundamental principles have been established regarding the institutionalization, continuity, and sustainability of cybersecurity-related activities.
      • The powers and responsibilities of the Cybersecurity Directorate ("Directorate") have been elaborated, with particular emphasis on its audit authority.
      • The structure and duties of the Cybersecurity Board have been outlined.
      • It has been stipulated that companies producing cybersecurity products, systems, software, hardware, and services must notify the Directorate of any mergers, divisions, share transfers, or sales transactions.
      • Under the Law, personal data must be processed in accordance with legal and ethical principles, accurately and in an up-to-date manner, for specific, clear, and legitimate purposes, and must be retained only for as long as necessary in connection with the purpose for which it is processed, in a limited and proportionate manner. It is stipulated that, once the grounds for access no longer exist, personal data and trade secrets obtained must be deleted, destroyed, or anonymized ex officio.
      • Administrative fines for cybersecurity violations have been established.

      What are the key concepts in the Law?

      • Information systems: Hardware, software, systems, and all other components, whether active or passive, used in the provision of any service, transaction, or data through information and communication technologies.
      • Cyberspace: All information systems directly or indirectly connected to the internet, electronic communication networks, or computer networks, together with the environment formed by the networks that connect them.
      • Cybersecurity: The entire set of activities aimed at protecting the information systems that constitute cyberspace from attacks; ensuring the confidentiality, integrity, and availability of the data processed in this environment; detecting attacks and cyber incidents; activating response and alert mechanisms upon such detection; and restoring the system to its state prior to the cyber incident.
      • Cyber incident: The violation of the confidentiality, integrity, or availability of information systems or data.
      • Cyber-attack: Intentional actions directed at a person or information system anywhere in cyberspace, aimed at eliminating the confidentiality, integrity, or availability of information systems in cyberspace and the data processed by these systems.
      • Cyber threat: Potential threats that could lead to the violation of the confidentiality, integrity, or availability of information systems, or the data contained in or processed by these systems.

      Who do the regulations in the Law apply to?

      The Law applies to public institutions and organizations operating and providing services in cyberspace, professional organizations with the status of public institutions, natural and legal persons, and organizations without legal personality.
      In other words, the scope of the Law is very broad.

      What is the purpose of the Law's enactment?

      • Identification and elimination of existing and potential threats directed at all elements in cyberspace, both from internal and external sources.
      • Establishing principles to mitigate the potential effects of cyber incidents.
      • Establishing necessary regulations for the protection of public institutions and organizations, professional organizations with the status of public institutions, natural and legal persons, and organizations without legal personality against cyberattacks.
      • Determining strategies and policies to strengthen the country's cybersecurity.
      • Establishment of the Cybersecurity Board.

      What are the cybersecurity duties and responsibilities of those who provide services, collect data, process it, and engage in similar activities through the use of information systems?

      • To provide the Directorate with any data, information, documents, hardware, software, and other contributions requested within the scope of the Directorate's duties and activities,
      • To take the measures required by the cybersecurity regulations and report any identified vulnerabilities or cyber incidents to the Directorate without delay,
      • To procure cybersecurity products, systems, and services to be used by public institutions and organizations, as well as critical infrastructure, from cybersecurity experts and companies authorized and certified by the Directorate,
      • For cybersecurity companies subject to certification, authorization, and documentation requirements, to obtain approval from the Directorate before starting operations, in accordance with the applicable regulations,
      • To comply with the provisions in the policies, strategies, action plans, and other regulatory measures developed by the Directorate, and to take the necessary precautions.

      What are the duties and powers of the Directorate?

      • Enhancing the cybersecurity resilience of critical infrastructures and information systems, protecting against cyberattacks, preventing potential attacks, and detecting executed attacks,
      • Establishing, having established, and overseeing the Cyber Incident Response Team ("SOME"),
      • Regulating the procedures and principles that those operating in the cybersecurity field must adhere to, and preparing standards related to cybersecurity,
      • Carrying out testing and certification processes for software, hardware, products, systems, and services related to cybersecurity, conducting cybersecurity audits, and applying sanctions based on the results,
      • Monitoring any acts and transactions falling within the scope of the Law, as deemed necessary for the duties specified in the Law, and conducting, or having others conduct, on-site inspections for this purpose.

      The Law also regulates the penal provisions and administrative fines that apply when the obligations it sets out are violated. The violations and the corresponding sanctions are outlined in the table below.

      Violation: Failure to provide, or obstructing the provision of, information, documents, software, data, and hardware requested by the competent authorities and inspection officers within the scope of their duties and powers
      Penalty: Imprisonment from one to three years and a judicial fine of five hundred to one thousand five hundred days

      Violation: Conducting activities without obtaining the necessary approvals, authorizations, or permits
      Penalty: Imprisonment from two to four years and a judicial fine of one thousand to two thousand days

      Violation: Breach of the confidentiality obligation
      Penalty: Imprisonment from four to eight years

      Violation: Unauthorized disclosure, sharing, or offering for sale of personal or institutional data, whether for a fee or free of charge
      Penalty: Imprisonment from three to five years

      Violation: Causing public concern, fear, or panic, or creating or publishing false content suggesting a data breach when no data breach has actually occurred
      Penalty: Imprisonment from two to five years

      Violation: Carrying out a cyberattack targeting elements of the Republic of Türkiye in cyberspace; or storing in cyberspace, disseminating, transferring, or offering for sale data obtained as a result of such an attack
      Penalty: Unless the act constitutes another offense carrying a heavier penalty, imprisonment from eight to twelve years for carrying out the attack, and from ten to fifteen years for storing, disseminating, transferring, or offering for sale the data obtained

      Violation: Failure to take the measures prescribed by the legislation, failure to report vulnerabilities or cyber incidents to the Directorate without delay, or failure to procure the cybersecurity products, systems, and services used in public institutions, organizations, and critical infrastructures from cybersecurity experts, manufacturers, or companies authorized and certified by the Directorate
      Penalty: Administrative fine from one million to ten million Turkish lira

      Violation: Selling cybersecurity products, systems, software, hardware, or services abroad without the Directorate's approval; failing to notify the Directorate of mergers, divisions, share transfers, or sales of companies producing such products, systems, software, hardware, or services; or carrying out transactions through which natural or legal persons, individually or jointly, gain direct or indirect control or decision-making authority over such a company without the Directorate's approval
      Penalty: Administrative fine from ten million to one hundred million Turkish lira

      Violation: Failure by those subject to inspection to keep the relevant devices, systems, software, and hardware open for inspection within the specified timeframes, to provide the infrastructure necessary for inspection, or to take the measures required to keep it in working condition
      Penalty: Administrative fine from one hundred thousand to one million Turkish lira (for commercial companies that fail to fulfill these obligations, the fine is not less than one hundred thousand Turkish lira and may reach 5% of the gross sales revenue reported in their audited annual financial statements)

      Before an administrative fine is imposed, the relevant party is asked to submit a defense. If no defense is submitted within thirty days of service of the notice requesting it, the party is deemed to have waived the right to defense.
