
A New Era in Cybersecurity in Turkey: The Law is Now in Effect
The Cybersecurity Law No. 7545 (“Law”) was published in the Official Gazette on 19.03.2025 and entered into force on the same date.
Details regarding the purpose, scope, and new regulations introduced by the Law are presented below.
Key highlights of the Law are summarized as follows:
- A comprehensive legal framework has been established to ensure consistency in national cybersecurity policies, provide binding standards for public institutions, the private sector, and individuals, and to restructure the concept of cybersecurity.
- Critical concepts such as information systems, critical infrastructure, critical public service, cybersecurity, cyber incident, cyberattack, cyber threat, and cyberspace have been defined.
- Eleven fundamental principles have been set regarding the execution of cybersecurity-related activities based on institutionalization, continuity, and sustainability.
- The authorities and responsibilities of the Cybersecurity Presidency (“Presidency”) have been detailed, emphasizing its audit powers.
- The structure and duties of the Cybersecurity Council have been defined.
- Companies that produce cybersecurity products, systems, software, hardware, and services must notify the Presidency regarding mergers, demergers, share transfers, or sales.
- Personal data must be processed lawfully, accurately, for clear and legitimate purposes, limited to the extent necessary, stored only as long as required, and must be deleted, destroyed, or anonymized once the purpose or access requirement no longer exists.
- Administrative fines have been introduced for cybersecurity violations.
What are the key concepts defined in the Law?
- Information systems: All hardware, software, systems, and components (active or passive) used in delivering services, transactions, and data through information and communication technologies.
- Cyberspace: The environment consisting of all information systems directly or indirectly connected to the internet, electronic communications, or computer networks.
- Cybersecurity: The activities aimed at protecting information systems in cyberspace from attacks, ensuring confidentiality, integrity, and accessibility of data, detecting attacks and cyber incidents, activating response mechanisms, and restoring systems to their pre-incident state.
- Cyber incident: Breach of the confidentiality, integrity, or accessibility of information systems or data.
- Cyberattack: Intentional acts targeting individuals or systems in cyberspace to compromise the confidentiality, integrity, or accessibility of information systems or data.
- Cyber threat: Potential risks that could compromise the confidentiality, integrity, or accessibility of information systems or data.
Who is subject to the Law?
All public institutions and organizations, professional organizations with public status, natural and legal persons, and unincorporated entities operating or providing services in cyberspace are subject to the Law.
The Law thus applies to a broad and diverse group.
What is the purpose of the Law?
- To detect and neutralize internal and external threats against all elements of cyberspace,
- To set principles for mitigating potential impacts of cyber incidents,
- To introduce regulations ensuring the protection of entities such as public institutions, professional organizations, legal and natural persons against cyberattacks,
- To strengthen national cybersecurity through strategies and policies,
- To establish the Cybersecurity Council.
Responsibilities of those who offer services, collect or process data via information systems:
- Provide the Presidency with any data, information, documents, hardware, software, and other contributions upon request,
- Take required cybersecurity measures as per legislation and promptly report detected vulnerabilities or cyber incidents to the Presidency,
- Procure cybersecurity products, systems, and services for public institutions and critical infrastructure only from certified experts and companies authorized by the Presidency,
- Obtain Presidency approval before starting operations subject to certification, authorization, or accreditation,
- Implement the policies, strategies, and action plans issued by the Presidency and take necessary precautions.
What are the duties and powers of the Presidency?
- Enhancing cyber resilience, preventing and detecting cyberattacks on critical infrastructure and information systems,
- Establishing, commissioning, and supervising Cyber Incident Response Teams (“SOME”),
- Setting out rules and standards for cybersecurity activities,
- Conducting testing, certification, and auditing of cybersecurity software, hardware, systems, and services, and imposing sanctions when necessary,
- Auditing any actions or procedures falling within the Law, including on-site inspections when deemed necessary.
The Law sets out criminal and administrative penalties for violations of the obligations it imposes. The table below summarizes the violation types and corresponding penalties.
| Violation | Penalty |
|---|---|
| Failure to provide or obstructing access to required documents, data, software, or hardware requested by authorized personnel | 1–3 years imprisonment and judicial fine of 500–1500 days |
| Operating without necessary authorization or permits | 2–4 years imprisonment and judicial fine of 1000–2000 days |
| Violation of confidentiality obligations | 4–8 years imprisonment |
| Unauthorized access, sharing, or sale of personal/corporate data | 3–5 years imprisonment |
| Spreading false information or causing panic in the absence of a data breach | 2–5 years imprisonment |
| Engaging in cyberattacks, spreading or selling data | 8–12 years / 10–15 years imprisonment |
| Failure to take measures, report incidents, or unauthorized procurement | Administrative fine of TRY 1,000,000 – 10,000,000 |
| Overseas sale without Presidency approval or failure to notify | Administrative fine of TRY 10,000,000 – 100,000,000 |
| Refusing inspection or not providing necessary infrastructure | Administrative fine of TRY 100,000 – 1,000,000 (For commercial companies: Up to 5% of gross revenue) |
Before imposing administrative fines, individuals or entities will be given the opportunity to provide a defense. If no response is received within thirty days from the notification date, it will be deemed that the right to defense has been waived.