The long-anticipated Cybersecurity Law No. 7545 came into force in Türkiye following its publication in the Official Gazette on 19 March 2025. Aimed primarily at protecting public institutions, individuals, and private sector entities from cyber threats, the law establishes comprehensive policies and strategies to enhance national cybersecurity. Its broad scope applies to all public institutions, private legal entities, professional associations, and individuals operating in cyberspace.

Duties and powers of the Cybersecurity Directorate

The Cybersecurity Directorate, established under Presidential Decree No. 177 (published in the Official Gazette on 8 January 2025), has been designated as the primary authority for regulating and auditing individuals and entities operating in the cybersecurity sector. It assumes the previous powers of both the Information and Communication Technologies Authority and the Digital Transformation Office.

The main duties of the Cybersecurity Directorate include the following:

determination of critical infrastructure and relevant institutions;

establishment and coordination of cyber incident response teams;

regulating procedures and principles for individuals and entities operating in the cybersecurity field;

conducting relevant audits and imposing sanctions in case of non-compliance;

preparation of standards for the cybersecurity sector;

testing and certification of software, hardware, products, systems and services related to cybersecurity; and

determination of security criteria for the use of cybersecurity software, hardware, products and services in public institutions and critical infrastructure.

The Cybersecurity Directorate is granted extensive authority to audit cybersecurity-related matters. It is entitled to audit all kinds of operations within the scope of the Cybersecurity Law on-site through its own experts or authorised independent auditors; and to examine and collect copies and digital images of all relevant data, documentation, electronic infrastructure, devices, systems, software, and hardware within this scope.

Persons subject to such audits by the Cybersecurity Directorate are required to make their devices, systems, software and hardware accessible, and to ensure that the necessary infrastructure and measures are in place for this purpose. Failure to comply may result in administrative fines ranging from TRY 100,000 to TRY 1,000,000 (approx. EUR 2,440 to EUR 24,400). For commercial companies, breach of these obligations carries an administrative fine of up to 5% of gross sales revenue.

The Cybersecurity Directorate is also entitled to investigate cyber incidents and provide intervention support to the affected persons; collect information, documentation, data and records from the persons subject to the Cybersecurity Law; appoint and authorise independent auditors to conduct cybersecurity audits and inspections; and determine principles and procedures regarding exportation of cybersecurity products, systems, software, hardware and services outside Türkiye.

Obligations of IT and cybersecurity companies

IT companies

Under the Cybersecurity Law, companies providing services, collecting and processing data, and performing relevant activities through information systems are subject, among others, to the following obligations:

providing all kinds of data, information, documentation, hardware, software and any other support requested by the Cybersecurity Directorate as part of its duties and activities in a timely and prioritised manner;

adopting legal cybersecurity measures for national security as well as public order and promptly notifying the Cybersecurity Directorate of any vulnerabilities or cyber incidents in their service areas;

procurement of cybersecurity products, systems and services to be used in public institutions and critical infrastructure from cyber security experts, manufacturers or companies authorised and certified by the Cybersecurity Directorate; and

complying with cybersecurity-related policies, strategies, action plans and other secondary regulations of the Cybersecurity Directorate.

Failure to comply with the obligations described in the second and third items above may result in an administrative fine ranging from TRY 1,000,000 to TRY 10,000,000 (approx. EUR 24,400 to EUR 244,000).

Cybersecurity companies

The Cybersecurity Law imposes the following additional obligations on cybersecurity companies manufacturing cybersecurity products, systems, software, hardware and services:

obtaining approval from the Cybersecurity Directorate before starting operations, for cybersecurity companies subject to certification, authorisation and documentation;

securing export permission from the Cybersecurity Directorate for certain cybersecurity products subject to export controls;

notifying the Cybersecurity Directorate of legal transactions involving mergers, spin-offs, or share transfers or sales; and

obtaining prior approval from the Cybersecurity Directorate for any such transactions that result in a direct or indirect change of control.

Failure to comply with the obligations described in the last three items above may lead to an administrative fine ranging from TRY 10,000,000 to TRY 100,000,000 (approx. EUR 244,000 to EUR 2,440,000). Moreover, transactions subject to the Cybersecurity Directorate's approval will be deemed legally void if such approval is not obtained.

Cybersecurity-related criminal offences and administrative fines

Criminal offences

The Cybersecurity Law introduces new criminal offences related to cybersecurity, with severe sanctions resulting in imprisonment and judicial fines:

imprisonment from one to three years and judicial fines varying from 500 days to 1,500 days for failure to provide, or preventing the provision of, information, documents, software or hardware requested by authorised persons;

imprisonment from two to four years and judicial fines varying from 1,000 days to 2,000 days for conducting transactions without the required approvals, authorisations or licences set forth under the Cybersecurity Law;

imprisonment from three to five years for providing paid or free access to personal data or critical public service data upon a data breach, without the prior authorisation of the relevant individuals or entities; and

imprisonment from two years to five years for creating or disseminating false content related to cybersecurity breach incidents to cause public fear or to target individuals or institutions.

Administrative fines

The Cybersecurity Law establishes various administrative fines for non-compliance with cybersecurity-related obligations, varying from TRY 100,000 to TRY 100,000,000 (approx. EUR 2,440 to EUR 2,440,000). Commercial companies may be fined up to 5% of their gross sales revenue for the breach of some of these obligations.

Prior to the imposition of an administrative fine, the concerned parties will be given the opportunity to submit defence statements within 30 days of notification by the Cybersecurity Directorate. Administrative fines imposed by the Cybersecurity Directorate must be paid within one month from the date of their notification. Decisions of the Cybersecurity Directorate regarding administrative fines can be challenged before the administrative courts.

Transition period

The implementation principles and procedures for the obligations set forth under the Cybersecurity Law will be further detailed by the Cybersecurity Directorate through secondary legislation, to be issued within one year of the publication of the Cybersecurity Law. These regulations will play a crucial role in defining how the Cybersecurity Law will be applied in practice, including compliance and certification procedures for entities in the cybersecurity sector.

Entities operating in the cybersecurity field must complete all certification, authorisation, and licensing processes within one year from the publication of these regulations. Entities failing to comply will be prohibited from operating in the cybersecurity sector. At the end of the transition period, non-compliant commercial companies must remove any cybersecurity-related terms from their corporate names and cease related business activities, or initiate liquidation proceedings for deregistration from the trade registry.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.