The Cyber Security Law ("Law"), which determines strategies to protect cyber assets in Türkiye against cyber-attacks and strengthens cyber security through centralized supervision and regulatory power bill, was adopted, published in the Official Gazette, and entered into force on 19 March 2025. The bill was submitted to the Grand National Assembly of Türkiye on January 10, 2025. Pursuant to the Law, the Cyber Security Board ("Board") and Cyber Security Presidency ("Presidency") will be established.
The Scope
The term cyberspace, which refers to an environment consisting of all information systems that are directly or indirectly connected to the internet, electronic communications, or computer networks, as well as the networks that interconnect them, constitutes the scope of application of the Law. The Law holds all public institutions and organizations, as well as private natural and legal persons, responsible for implementing cybersecurity policies and strategies, preventing cyberattacks, and taking measures to mitigate their impact.
Presidency of Cyber Security: Broad Responsibilities
The Law establishes the Presidency, which is vested with numerous duties, primarily to ensure that public institutions and organizations, as well as other critical infrastructure, are not affected by cyber incidents. The Presidency is tasked with comprehensive duties such as carrying out activities to protect against cyber-attacks; identifying critical infrastructures along with their respective institutions and locations; maintaining data inventories; establishing and overseeing Cyber Incident Response Teams ("CIRT"s); regulating the procedures, principles, and standards that must be followed by entities operating in the cybersecurity field; and conducting testing and certification processes for software, hardware, products, systems, and services related to this sector.
The Law grants the Presidency a wide range of supervisory powers. The Presidency is authorized to conduct searches, copy, and seize items in residences, workplaces, and non-public closed areas based on a judge's decision for the purposes of national security, public order, crime prevention, or preventing cyber-attacks. In cases where delay poses a risk, these actions can also be carried out upon a written order from the public prosecutor.
Sectoral Regulations and Cybersecurity Companies
Entities falling within the scope of the Law that provide services, collect and process data, and carry out similar activities through the use of information systems have various responsibilities. These duties and responsibilities, which are primarily based on cooperation with the Presidency, are summarized below:
- Promptly reporting any vulnerabilities or cyber incidents identified within their field of service to the Presidency.
- Procuring cybersecurity products, systems, and services to be used by public institutions, organizations, and critical infrastructure exclusively from cybersecurity experts, manufacturers, or companies authorized and certified by the Presidency.
- Obtaining the Presidency's approval before commencing operations for cybersecurity companies subject to certification, authorization, and accreditation in accordance with existing regulations.
The Law also sets forth specific obligations for cybersecurity companies. Accordingly, the sale of cybersecurity products, systems, software, hardware, and services to foreign markets must comply with the procedures and principles to be determined by the Presidency. Additionally, cybersecurity companies producing such products and services are required to notify the Presidency in cases of mergers, demergers, share transfers, or sales transactions. Transactions that grant individuals or legal entities direct or indirect control or decision-making authority over the company—either individually or jointly—are subject to the Presidency's approval. The Law explicitly states that transactions carried out without the Presidency's approval will not have legal validity. These obligations are expected to be further detailed in secondary regulations to be prepared by the Presidency.
Those already operating in the field of cyber security must complete certification, authorization, and certification procedures within one year from the entry into force of the secondary regulations.
Sanctions
Violations of the Law may result in three different types of sanctions: imprisonment, judicial fines in addition to imprisonment, and administrative fines.
|
Subject to Criminal Sanctions |
Subject to Administrative Fines |
|---|---|
|
Failing to provide or obstructing the provision of information, documents, software, data, and hardware; |
Failing to report identified vulnerabilities or cyber incidents to the Presidency (up to ten million Turkish lira); |
|
Engaging in activities without obtaining the necessary approval, authorization, or permits; |
Not procuring cybersecurity products, systems, and services for critical infrastructures from cybersecurity experts, manufacturers, or companies authorized and certified by the Presidency (up to TRY 10 million); |
|
Failing to fulfill the obligation of confidentiality; |
Non-compliance with the specific duties and responsibilities of cybersecurity companies (up to TRY 100 million); |
|
Making personal data or institutional data classified as critical public service information accessible, sharing, or selling it; |
Failing to fulfill audit-related obligations (up to to TRY 1 million, and for commercial enterprises a fine of no less than TRY 100,000 and up to 5% of the gross sales revenue stated in their independently audited annual financial statements). |
|
Creating false content regarding a cybersecurity-related data breach; |
|
|
Carrying out cyberattacks; storing, disseminating, transferring, or selling any data obtained from such an attack in cyberspace; |
|
|
Causing a data breach by failing to fulfill duties. |
Conclusion
The lack of regulation in the field of cybersecurity had been a long-standing issue. However, the scope of the authorities and obligations defined in the Law may raise many concerns in practice. It is expected that the regulations regarding the implementation of this Law will come into force within a year.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
