Cybersecurity Law No. 7545, which introduces comprehensive and far-reaching rules governing cybersecurity in Türkiye, was enacted on 12 March 2025. The Law regulates the powers of the Cybersecurity Authority, the rules to be observed by public institutions and private companies, supervisory mechanisms, and applicable sanctions.
One of the most significant steps taken in this context is the designation of sectors recognised as “critical infrastructure sectors”. Critical infrastructure is defined as infrastructure housing information systems where a compromise of the confidentiality, integrity, or availability of the information and data processed therein may lead to loss of life, large-scale economic damage, or disruption of public order. At its meeting held on 5 May 2026, the Cybersecurity Board designated 15 sectors as “Critical Infrastructure Sectors”. This designation demonstrates that entities operating in these sectors are considered strategically significant from a cybersecurity perspective and will be subject to more stringent obligations.
The Critical Infrastructure Sectors designated by the Board are as follows:
- Digital Infrastructure
- Digital Services
- Electronic Communications
- Energy
- Finance
- Food and Agriculture
- Manufacturing Industry
- Public Services
- Media and Crisis Communications
- Postal and Cargo Services
- Health
- Defence Industry
- Water Management
- Transportation
- Space
Whilst the sectors have been designated, secondary legislation is still awaited with respect to which sub-activities and entities will fall within the scope of each sector, including applicable thresholds, scoping criteria, and exemptions. Nevertheless, entities are required to commence preparations now in relation to the primary obligations set out under the Law.
The principal obligations arising under the Law may be summarised as follows:
- Procurement requirements: Cybersecurity products, systems, and services to be used in critical infrastructure must be procured exclusively from persons and entities authorised and certified by the Authority. This necessitates a review of procurement and supplier management processes.
- Conformity assessment and approval requirements: Compliance with the conformity assessment and approval procedures to be prescribed by the Authority is required for software, hardware, products, and services to be used in the information systems of critical infrastructure that may affect cybersecurity. Secondary legislation to be issued in due course should therefore be monitored closely.
- Security measures: Entities are required to assess their cyber risks on a regular basis and implement appropriate technical and administrative measures accordingly. Cybersecurity is not a one-off exercise, but rather a process requiring continuous vigilance.
- Incident and vulnerability reporting: Detected cyber incidents and security vulnerabilities must be reported to the Authority without delay. Accordingly, it is of paramount importance to establish internal reporting mechanisms capable of operating swiftly and effectively.
- Provision of information and cooperation: Data, information, documents, software, hardware, and other items requested by the Authority must be submitted in a timely manner, and entities are required to cooperate fully with the Authority.
- Audit readiness: During audits, entities must make their systems available for inspection, provide the necessary technical support, and maintain the infrastructure required to facilitate the audit process.
- Record-keeping and logging: Access records, system logs, incident records, and similar data must be maintained and retained on a regular basis and managed in a manner that ensures accessibility for audit purposes.
- Special provisions applicable to cybersecurity companies: Companies producing cybersecurity products or services may be subject to notification and/or approval obligations in relation to overseas sales, changes in corporate structure (including mergers, spin-offs, demergers, restructurings, and share transfers), and changes of control. Transactions carried out without obtaining the requisite approval may give rise to legal risks.
With the designation of the critical infrastructure sectors, the obligations prescribed by the Law for entities operating in these sectors have become more visible and practically significant. The framework governing the scope of the sectors and the details of the requisite compliance steps is expected to be clarified further through secondary legislation to be issued in the forthcoming period.
The sanctions prescribed for non-compliance with the Law are severe. Administrative fines may amount to TRY 100 million and, for commercial companies, up to 5% of their annual gross turnover. Moreover, the Law is not limited to financial penalties; individuals found responsible may face imprisonment of up to 15 years. In addition, specific to critical infrastructure, imprisonment of between 1 and 3 years is prescribed for persons who, by acting in breach of their duty to protect critical infrastructure against cyberattacks, cause a data breach to occur.
In light of the foregoing, we strongly advise entities whose activities intersect with these sectors to review their cybersecurity compliance processes without delay and to initiate the necessary preparations today in order to ensure timely compliance once the relevant statutory obligations and secondary legislation become fully operational.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.