On March 12, 2025, the Grand National Assembly of Turkey enacted the Cybersecurity Law No. 7545 ("Law"), which was published in the Official Gazette No. 32846 on March 19, 2025, and thereby entered into force.
The Law aims to identify and eliminate threats directed at or potentially targeting cyberspace, to establish policies for strengthening national cybersecurity, to mitigate the possible effects of cyber incidents, to protect entities targeted by cyberattacks, and to set forth the principles for the establishment of the Cybersecurity Board ("Board").
Public institutions and organizations, professional organizations with public institution status, natural persons, legal entities and unincorporated entities that operate, provide services, or maintain a presence in cyberspace fall within the scope of the Law.
To ensure cybersecurity, the Law adopts several fundamental principles, recognizing cybersecurity as an integral part of national security. Accordingly, cybersecurity-related efforts will be conducted based on the principles of institutionalization, continuity and sustainability. Another fundamental principle is the prioritization of domestic and national products in these efforts. The Law also encourages initiatives aimed at enhancing the skills and capacity of the qualified workforce in this field and seeks to promote cybersecurity awareness across society. It is envisioned that the Law will uphold the rule of law, fundamental human rights and freedoms, and privacy as fundamental principles.
The Law also regulates the duties, authorities, responsibilities, and oversight powers of the Cybersecurity Directorate ("Directorate"). The Directorate is tasked with conducting or commissioning vulnerability and penetration tests, performing risk analyses on assets, combating cyber threats, obtaining, generating and sharing cyber threat intelligence and conducting malware analysis activities. Additionally, the Directorate will be responsible for maintaining an inventory of all assets of public institutions and organizations, conducting risk analyses and implementing security measures based on asset criticality. The Directorate will also carry out cybersecurity audits and establish cyber incident response teams.
Among the authorities granted to the Directorate under the Law are the implementation of necessary measures to protect against cyberattacks and deter their sources, the assignment of personnel as needed in cybersecurity matters and the collection, storage, evaluation and reporting of log records from information systems, which will then be shared with relevant institutions and organizations. The Directorate is authorized to audit all acts and transactions within the scope of the Law, with personnel of the Directorate, authorized and certified independent auditors, and independent audit firms designated to carry out these inspections. These auditing activities will be conducted in accordance with a program developed based on significance, priority and risk assessments.
Another key aspect regulated by the Law pertains to the Cybersecurity Board. The Board will be composed of the President, Vice President, Ministers of Justice, Foreign Affairs, Interior, National Defense, Industry and Technology, Transport and Infrastructure, Secretary-General of the National Security Council, the Head of the National Intelligence Organization, the President of Defense Industry Agency and the Head of the Cybersecurity Directorate. The Board will be responsible for making decisions on cybersecurity-related policies, strategies, action plans and other regulatory measures, determining institutions and organizations that will be exempt from such decisions, approving the nationwide implementation of the cybersecurity technology roadmap prepared by the Directorate, identifying priority areas eligible for cybersecurity incentives and making decisions regarding the development of the cybersecurity workforce.
Law No. 7545 also introduces various criminal sanctions and penalties. According to the following regulations below, if an offense is committed by a public official, the penalty will be increased by one-third; if committed by multiple persons, it will be increased by half; and if committed within the framework of an organized crime group, the penalty may be increased from half to twice the original amount.
| Criminal Sanctions | Penalty |
|---|---|
| Failure to provide information, documents, software, data, and hardware requested by authorized bodies and inspectors under the Law, or preventing their acquisition (excluding public institutions and organizations) | 1 to 3 years of imprisonment and a judicial fine of 500 to 1,500 days |
| Conducting activities without obtaining the required approvals, authorizations, or permits under the Law | 2 to 4 years of imprisonment and a judicial fine of 1,000 to 2,000 days |
| Breach of confidentiality obligations | 4 to 8 years of imprisonment |
| Unauthorized disclosure, sharing, or sale of leaked personal or critical public service data, even if previously exposed in cyberspace | 3 to 5 years of imprisonment |
| Creating public fear, anxiety, or panic by falsely claiming a data breach | 2 to 5 years of imprisonment |
| Conducting cyberattacks against elements constituting Türkiye's national power in cyberspace or storing any data obtained from such attacks | 8 to 12 years of imprisonment (unless the act constitutes a more severe offense) |
The Law stipulates that administrative fines will be imposed in cases constituting a violation of its provisions. Entities within the scope of the Law that provide services, collect data, process information, or engage in similar activities using information systems and fail to fulfill their duties and responsibilities will be subject to administrative fines ranging from 1 million to 10 million Turkish liras. If an approval required under the Presidency's authority is not obtained, an administrative fine between 10 million and 100 million Turkish liras will be imposed. Additionally, entities subject to audits under the Law must keep relevant devices, systems, software, and hardware available for inspection within the specified timeframes, ensure the necessary infrastructure for audits, and maintain their operability. Failure to comply with these requirements will result in administrative fines ranging from 100,000 to 1 million Turkish liras.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
