ARTICLE
9 May 2025

A New Era In Cybersecurity In Türkiye: The Law Has Entered Into Force

Universal Hukuk | Law & Consultancy

Contributor


Summary

The newly enacted Cybersecurity Law No. 7545 (the "Law"), which entered into force on March 19, 2025, marks a significant shift in Türkiye's approach to cybersecurity by establishing a comprehensive legal framework. The Law introduces binding cybersecurity standards applicable to public institutions, private entities, and individuals alike, while also redefining the scope and meaning of cybersecurity within the national context.

Among its key provisions, the Law defines essential concepts such as information systems, critical infrastructure, cyber incidents, and cyberattacks. It also outlines eleven foundational principles aimed at ensuring the continuity and long-term sustainability of national cybersecurity initiatives. Furthermore, the Law sets out the authorities and responsibilities of the newly empowered Cybersecurity Authority, with particular emphasis on its inspection and supervisory powers—signaling a more centralized and robust governance structure in the digital domain.

Under the new legislation, the structure and duties of the Cybersecurity Council (the "Council") have been formally set out, reinforcing its role in the national cybersecurity ecosystem. A key regulatory development is the introduction of a mandatory notification requirement for companies operating in the cybersecurity sector: any mergers, demergers, share transfers, or sales involving such entities must now be reported to the Cybersecurity Authority.

The Law also brings personal data protection into sharper focus by mandating that data be processed lawfully, accurately, and in a manner that is up to date and purpose-specific. Data must be retained only for as long as necessary, and once the justification for holding it ceases to exist, any collected personal data or trade secrets must be deleted, destroyed, or anonymized by default. To ensure compliance, the Law imposes administrative fines for violations related to cybersecurity obligations, signaling a heightened regulatory environment and stricter oversight across all relevant sectors.

What Are the Key Concepts Defined in the Law?

  • Information systems refer to the hardware, software, and other components used in delivering services, processing transactions, and presenting data through information and communication technologies.
  • Cyberspace encompasses all information connected to the internet, electronic communications, or computer networks, as well as the networks that connect them.
  • Cyber security is the activity of protecting the information systems that constitute cyberspace, ensuring the confidentiality, integrity, and availability of data, detecting attacks and cyber incidents, creating response and alert mechanisms to these detections, and then restoring the system to its pre-incident state.
  • A cyber incident is the violation of the confidentiality, integrity, or availability of information systems or data.
  • A cyber attack refers to intentional actions aimed at disrupting the confidentiality, integrity, or availability of information systems and data in cyberspace.
  • A cyber threat defines potential dangers that could jeopardize the confidentiality, integrity, or availability of information systems and the data within them.

Who Is Covered by the Regulations in the Law?

The regulations in the law cover a broad group, including public institutions and organizations, professional bodies with public institution status, natural and legal persons, as well as entities without legal personality operating in cyberspace.

What Is the Purpose of the Law's Entry into Force?

  • Identifying and eliminating current and potential threats directed at all components of cyberspace from both internal and external sources,
  • Establishing principles aimed at reducing the possible impact of cyber incidents,
  • Introducing necessary regulations to protect public institutions and organizations, professional bodies with public institution status, natural and legal persons, and entities without legal personality against cyber-attacks,
  • Defining strategies and policies to strengthen the country's cybersecurity,
  • Establishing the Cybersecurity Council.

What Are the Cybersecurity Duties and Responsibilities of Those Who Provide Services, Collect or Process Data, or Engage in Similar Activities Through Information Systems?

  • Providing the Presidency with any data, information, documents, hardware, software, and all other forms of support it may request within the scope of its duties and activities,
  • Taking the measures prescribed by cybersecurity legislation and promptly reporting any identified vulnerabilities or cyber incidents to the Presidency,
  • Procuring cybersecurity products, systems, and services to be used in public institutions and organizations as well as critical infrastructures from cybersecurity experts and companies authorized and certified by the Presidency,
  • Obtaining approval from the Presidency, in accordance with existing regulations, before commencing operations by cybersecurity companies subject to certification, authorization, and accreditation,
  • Fulfilling the requirements and taking necessary measures set out in the policies, strategies, action plans, and other regulatory instruments developed and issued by the Presidency.

What Are the Duties and Authorities of the Presidency?

  • Enhancing the cyber resilience of critical infrastructures and information systems, protecting them against cyber-attacks, preventing potential attacks, and detecting executed attacks,
  • Establishing, commissioning, and supervising Cyber Incident Response Teams ("SOME"),
  • Regulating the procedures and principles that must be followed by those operating in the field of cybersecurity, and preparing standards related to the cybersecurity domain,
  • Conducting testing and certification processes for cybersecurity-related software, hardware, products, systems, and services; carrying out cybersecurity audits and imposing sanctions based on the results,
  • Inspecting any act or transaction falling within the scope of the Law in relation to its duties specified therein, and, when deemed necessary, conducting or commissioning on-site examinations for this purpose.

The criminal provisions and administrative fines to be applied in case of violation of the obligations prescribed by the Law have been regulated, and the reasons for the violations and the corresponding sanctions are as follows:

  • Failure to provide or obstructing the acquisition of information, documents, software, data, and hardware requested by authorized authorities and inspectors within the scope of their duties and powers will be punishable by imprisonment from one to three years and a judicial fine ranging from five hundred to one thousand five hundred days.
  • Operating without obtaining the necessary approvals, authorizations, or permits will be punishable by imprisonment from two to four years and a judicial fine ranging from one thousand to two thousand days.
  • Violation of the confidentiality obligation will be punishable by imprisonment from four to eight years.
  • Unauthorized disclosure, sharing, or selling of personal or corporate data, whether paid or free, will be punishable by imprisonment from three to five years.
  • Creating public concern, fear, and panic, or generating and publishing false content suggesting a data breach when no such breach has occurred, will be punishable by imprisonment from two to five years.
  • Launching a cyber-attack against the elements of the Republic of Turkey in cyberspace or storing any data obtained as a result of such an attack in cyberspace / spreading, sending, or selling any data obtained from the attack, unless it constitutes another crime that requires a heavier penalty, will be punishable by imprisonment from eight to twelve years, or from ten to fifteen years.
  • Failing to take the measures prescribed by the legislation, not reporting vulnerabilities or cyber incidents to the Presidency without delay, or not procuring cybersecurity products, systems, and services for public institutions and organizations, as well as critical infrastructures, from cybersecurity experts, manufacturers, or companies authorized and certified by the Presidency will be punishable by an administrative fine ranging from one million to ten million Turkish Liras.
  • The sale of cybersecurity products, systems, software, hardware, and services abroad without the Presidency's permission, failure to notify the Presidency about mergers, splits, share transfers, or sales of companies producing cybersecurity products, systems, software, hardware, and services, and conducting transactions that grant natural or legal persons individual or joint direct or indirect control rights or decision-making authority over the company without obtaining the Presidency's approval will be punishable by an administrative fine ranging from ten million to one hundred million Turkish Liras.
  • Failure by those subject to auditing to keep the relevant devices, systems, software, and hardware open for inspection within the given timeframes, to provide the necessary infrastructure for the audit, and to take the required measures to keep them operational will be punishable by an administrative fine ranging from one hundred thousand to one million Turkish Liras. (If these obligations are not fulfilled by commercial companies, an administrative fine will be imposed, not less than one hundred thousand Turkish Liras, and up to 5% of the gross sales revenue in the audited annual financial statements).

It is stipulated that the relevant party's defense will be taken before administrative fines are imposed. If the defense is not submitted within thirty days from the date of notification of the letter requesting the defense, it will be considered that the party has waived their right to defend.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
