
I. Introduction

Over the past decade, cyber operations have increasingly been used as instruments of geopolitical competition and statecraft, particularly in ways that avoid open confrontation while still producing strategic pressure.

They often remain below the threshold of armed conflict, yet still disrupt services, weaken public confidence, and influence decision-making during crises. This shifts critical infrastructure protection from a technical issue to one of national resilience and corporate risk.

In this context, cybersecurity obligations in Türkiye, which have been shaped through secondary legislation and supervisory practice across sector-specific regulatory frameworks, have been consolidated under Cybersecurity Law No. 7545 ("the Law"), which entered into force on March 19, 2025.

The new statutory framework consolidates inspection authority and enforcement mechanisms under a single regime, placing cybersecurity within corporate governance and board-level risk oversight for organisations operating in or alongside critical infrastructure.

This article examines the legal definition of critical infrastructure ("CI") under the Law and outlines the principal obligations imposed on operators within the new regulatory structure.

II. Scope of the Law and Key Definitions

The Law applies broadly to public institutions and organisations, professional organisations with public institution status, and natural and legal persons, including entities without legal personality, that operate, conduct activities, or provide services in cyberspace. Activities carried out by intelligence and security authorities pursuant to sector-specific legislation are expressly excluded from its scope.

The terminology used in this article follows the definitions set out in Law No. 7545. A cyber incident is defined as any event resulting in a breach of the confidentiality, integrity, or availability of information systems or data. A cyber-attack refers to deliberate actions carried out through cyberspace to neutralise, disrupt, or compromise information systems or their security components.

Although the Law does not expressly define the term "critical infrastructure operator", this article uses the term to describe real and legal persons that operate, manage, or provide services within critical infrastructure sectors and are therefore subject to the obligations set out in the Law.

In addition, the Law defines cyberspace and information systems in a manner that extends its material scope beyond traditional IT environments. Operational technology, industrial control systems, and hybrid IT–OT infrastructures commonly used in critical infrastructure operations fall clearly within the regulatory perimeter.

III. Critical Infrastructure: Legal Definition and Real Risk

There is no single, universal definition of CI that applies across all jurisdictions. Nevertheless, regulatory practice across many jurisdictions treats energy generation and distribution, water and wastewater systems, financial services, healthcare and emergency services, transportation networks, telecommunications, and government digital services as critical sectors.

Major cyber incidents affecting Estonia's public digital infrastructure, Ukraine's electricity grid, the NotPetya malware outbreak, and the Colonial Pipeline fuel network illustrate the evolving risk profile of critical infrastructure. While some incidents directly targeted traditionally recognised infrastructure, others propagated through software supply chains or corporate networks and still produced systemic disruption across energy, logistics, public services, and cross-border supply chains. These cases demonstrate how cyber incidents rarely remain sector-bound and often generate cascading effects across jurisdictions.

The Law adopts a consequence-based approach consistent with this experience but does not enumerate specific critical sectors. Article 3 of the Law defines critical infrastructure as infrastructure that hosts information systems where a breach of the confidentiality, integrity, or availability of the information or data processed may lead to loss of life, large-scale economic damage, security vulnerabilities, or disruption of public order.

In Türkiye, the concept of critical infrastructure predates Law No. 7545. Decision No. 2 of 20 June 2013, issued by the former Cyber Security Board, identified sectors such as electronic communications, energy, banking and finance, transportation, water management, and critical public services as critical infrastructure for cybersecurity purposes, and the Ministry of Transport and Infrastructure has also published sectoral classifications for cybersecurity planning purposes. Although the former Board was abolished by Decree Law No. 703, this decision remains a relevant historical reference.

International practice increasingly evaluates cyber operations affecting critical infrastructure by their systemic effects on public order, safety, and economic stability alongside sectoral classification. Operations targeting energy, water, healthcare, or transportation systems raise questions of sovereignty, due diligence, non-intervention, and state responsibility, even when they fall below the threshold of armed conflict.

Under the current framework, the Cyber Security Board is responsible for identifying critical infrastructure sectors, while the Cyber Security Presidency is authorised to designate specific institutions, systems, and locations. Designation is expected to occur through formal administrative decisions rather than implicit classification.

Notably, the Law does not create a fully separate regulatory regime exclusively applicable to critical infrastructure operators. Most operational obligations introduced by the Law apply broadly to actors operating in cyberspace, while CI designation primarily affects the intensity of supervision, inspection, and security measures applied by the Cyber Security Presidency.

IV. Core Obligations for CI Operators

While most obligations under the Law apply broadly to entities operating in cyberspace, certain provisions explicitly refer to critical infrastructure and impose heightened expectations for CI operators.

1. Risk Management and Asset Inventory Obligations for Critical Infrastructure

Article 5 of the Law grants the Cyber Security Presidency the authority to maintain asset inventories, including data inventories, and to conduct risk analyses in public institutions, organisations, and critical infrastructure. The Presidency is also empowered to impose or ensure the implementation of security measures based on asset criticality.

CI operators are therefore expected to maintain comprehensive asset inventories, perform periodic risk assessments, and implement technical and organisational measures proportionate to identified risks.

The Law defines "asset" broadly to include not only data and information systems, but also personnel with data access, communication channels used for transmission, and physical locations where data is stored. Asset management obligations must therefore extend across operational, technical, and physical dimensions of infrastructure.

2. Mandatory Cyber Incident Reporting Requirements

Article 7(1)(b) of the Law establishes an obligation to notify the Cyber Security Presidency of cyber incidents and relevant vulnerabilities without delay. The reporting duty extends beyond malicious attacks and includes incidents arising from internal errors or technical failures.

3. Certified and Authorised Procurement Requirement for Critical Infrastructure

Article 7(1)(c) of the Law requires that cybersecurity products, systems, and services used by public institutions and within critical infrastructure be procured exclusively from experts, manufacturers, or companies authorised and certified by the Cyber Security Presidency.

This requirement directly affects procurement and outsourcing practices. Compliance verification must occur before contract execution, since post-contractual remediation may not cure regulatory non-compliance.

4. Alignment with National Cybersecurity Strategy

Article 7(1)(d) of the Law obliges CI operators to comply with national cybersecurity policies, strategies, action plans, and binding regulations issued by the Cyber Security Presidency.

Where applicable, preference should be given to the use of domestic and nationally produced products. For multinational groups operating shared or regional systems, this obligation may affect system architecture, vendor selection, and data localisation strategies, depending on future secondary legislation.

5. Audit Cooperation and System Accessibility

Article 8 of the Law grants the Cyber Security Presidency extensive inspection powers. Entities subject to audit must ensure the timely availability of relevant devices, systems, software, and hardware, provide appropriate infrastructure for inspection, and maintain operational continuity during the process.

Inspection powers may include on-site reviews, system-level testing, and examination or copying of logs. The practical scope of inspections will be shaped by secondary regulations and supervisory practice, particularly in balancing cybersecurity oversight with confidentiality and data protection obligations.

6. Data and Information Sharing Obligations

Article 7 of the Law also obliges entities to share relevant data, software, hardware, and documentation with the Cyber Security Presidency upon its request. Such requests must be met in a timely and prioritised manner.

While personal data protection principles remain applicable, the Law provides a legal basis for data processing or disclosure where required for national security, public order, or critical infrastructure protection.

7. Corporate Transactions Involving Cybersecurity Technology Providers

Article 18 of the Law introduces a notification and approval regime for mergers, demergers, share transfers, and share sales involving companies that produce cybersecurity products, systems, software, hardware, or services.

Transactions conferring direct or indirect control or decision-making authority require prior approval from the Cyber Security Presidency. Transactions completed without approval risk severe legal consequences and potential invalidity.

Although this mechanism does not directly target CI operators, it indirectly affects infrastructure security through its impact on cybersecurity technology providers and the availability of trusted systems across critical sectors.

Cyber incidents affecting CI frequently trigger parallel obligations under data protection law, sector-specific regulation, and contractual arrangements. This layered exposure increases governance complexity and requires coordinated response planning.

V. Supervisory Framework and Forward Expectations

The Law designates the Cyber Security Presidency as the central supervisory and enforcement authority for cybersecurity across both public and private sectors. Its powers include the designation of critical systems, the issuance of binding measures, the conduct of audits, data and document requests, and the approval of certain corporate transactions.

For critical infrastructure operators, this reinforces the need to treat cybersecurity compliance as an ongoing governance function supported by documented processes and defined accountability, rather than as a one-off regulatory exercise.

VI. Sanctions and Liability

The Law provides for both administrative sanctions and criminal liability.

Administrative fines apply to failures such as non-reporting of incidents, use of unauthorised cybersecurity products, non-compliance with audit obligations, and failure to obtain transaction approvals. Fines range from TRY 125,490 to TRY 125,490,000, with turnover-based penalties of up to five percent of annual gross revenue applicable to commercial entities in certain cases.

Criminal liability applies to real persons and covers conduct including obstruction of audits, unauthorised activities, breaches of confidentiality, unlawful disclosure of leaked data, and cyber-attacks targeting national cyber assets.

Article 16 significantly elevates enforcement exposure for critical infrastructure by extending criminal liability to governance failures. It expressly criminalises abuse or misuse of duties arising from the Law, as well as failures to safeguard critical infrastructure against cyber threats that result in data breaches. In such cases, responsible individuals face potential imprisonment. What stands out is not the level of fines, but the Law's direct attribution of personal responsibility at the governance level. This enforcement approach is also consistent with the principle set out in the Law that accountability is essential in the conduct of cybersecurity processes.

VII. Conclusion

In a period marked by geopolitical tension and increasingly sophisticated cyber operations, the protection of critical infrastructure has become a matter of institutional preparedness rather than technical preference. For operators, preparedness depends on clearly assigned responsibilities, established decision-making procedures, asset-based risk prioritisation, and consistent coordination between technical, legal, and executive functions.

At present, the practical implementation of the Law will largely be shaped by secondary legislation and by the regulatory policies and procedures to be issued by the Cyber Security Presidency. These instruments will determine how supervisory expectations develop and how the statutory obligations are applied in practice to critical infrastructure operators.

