A New Era in Cybersecurity Law in Türkiye

The acceleration of digitalization has resulted in activities in many critical fields being carried out through information technology systems, transforming cybersecurity from a purely technical matter into a strategic area directly linked to national security, economic stability, and corporate sustainability. In particular, the increasing number of cyberattacks targeting critical infrastructures, financial systems, energy facilities, and public institutions has prompted states to reshape their legal and institutional frameworks in the field of cybersecurity.
In parallel with this transformation, Türkiye has likewise witnessed significant developments in its institutional and regulatory infrastructure in the field of cybersecurity in recent years. The most important turning point of this process has been Cybersecurity Law No. 7545 (the “Law”), which was published in the Official Gazette No. 32846 dated Wednesday, 19 March 2025, and entered into force on the same date. With this Law, cybersecurity has been defined as an integral part of national security, and for the first time in Türkiye, a systematic, comprehensive, and centralized legal framework has been established in the field of cybersecurity. The Law expressly covers public institutions and organizations, professional organizations of a public nature, as well as real and legal persons and all relevant parties operating in and providing services through cyberspace—including entities without legal personality—and sets out various technical and managerial obligations for all such stakeholders.
Newly Established Institutional Structures
With Law No. 7545, the cybersecurity architecture has been restructured into a more centralized and institutional model. In this context, the Cybersecurity Directorate (Siber Güvenlik Başkanlığı), affiliated with the Presidency of the Republic, has been established. The Directorate has been vested with broad regulatory, supervisory, and coordinating powers, including combating cyber threats, conducting legislative work, ensuring coordination in cybersecurity activities, determining standards, security criteria, procedures and principles, managing certification, authorization, and accreditation processes, conducting audit activities, and imposing sanctions.
The Law has also established the Cybersecurity Board (Siber Güvenlik Kurulu), which will operate under the Presidency. The Board has been granted high-level powers regarding the preparation of policies, strategies, and action plans relating to cybersecurity; ensuring the nationwide implementation of the cybersecurity technology roadmap prepared by the Directorate; identifying priority areas to be incentivized; designating critical infrastructure sectors; resolving inter-institutional disputes; and, more broadly, determining national cybersecurity policies, ensuring coordination among public institutions, and conducting strategic decision-making processes.
Obligations, Audit Mechanism, and Sanctions
Cybersecurity Law No. 7545 sets forth comprehensive obligations not only for public institutions and organizations, but also for the private sector, and establishes a centralized audit and sanctions regime in the field of cybersecurity. The principal obligations and sanctions are as follows:
- Private sector entities are required to provide, fully and in a timely manner, the information, documents, software, data, and hardware requested by the authorities and audit officials authorized in the field of cybersecurity. Those who fail to do so, or who prevent such items from being obtained, shall be punished with imprisonment from 1 to 3 years and a judicial fine of 500 to 1,500 days.
- Those who carry out activities without obtaining the requisite approvals, authorizations, or permits under the Law shall be subject to imprisonment from 2 to 4 years and a judicial fine of 1,000 to 2,000 days.
- A duty of confidentiality has been imposed in respect of confidential information, personal data, trade secrets, and related documents belonging to the public, relevant parties, and third parties, obtained within the scope of the duties and activities carried out by the Directorate. Those who fail to comply shall be punished with imprisonment from 4 to 8 years.
- Persons who, without authorization, make personal data and institutional data falling within the scope of critical public services accessible—whether for a fee or free of charge—or who share or offer such data for sale, shall be subject to imprisonment from 3 to 5 years.
- Persons who create or disseminate false content alleging a cybersecurity-related data leak, with the aim of creating concern, fear, or panic among the public, or of targeting institutions or individuals, shall be subject to imprisonment from 2 to 5 years.
- Persons who carry out cyberattacks against the elements constituting Türkiye’s national power in cyberspace, or who retain the data obtained therefrom in cyberspace, shall be subject to imprisonment from 8 to 12 years; those who disseminate, transmit, or offer such data for sale shall be subject to imprisonment from 10 to 15 years.
- Entities that provide services, collect or process data, or carry out similar activities through information systems are required to take the measures prescribed by the legislation in respect of cybersecurity, for the purposes of national security, public order, or the proper conduct of public services, and to notify the Directorate without delay of any vulnerabilities or cyber incidents identified within their fields of operation. Cybersecurity products, systems, and services to be used in public institutions and organizations, as well as in critical infrastructures, must be procured exclusively from cybersecurity experts, manufacturers, or companies authorized and certified by the Directorate. Non-compliance with these obligations shall be subject to an administrative fine between TRY 1,000,000 and TRY 10,000,000.
- Private sector entities operating in the field of cybersecurity are required to obtain prior approval from the Directorate before selling relevant products, systems, software, hardware, and services abroad, and to notify the Directorate of any merger, demerger, share transfer, or sale transactions. Failure to do so shall be subject to an administrative fine between TRY 10,000,000 and TRY 100,000,000.
- Where entities subject to audit fail to make the relevant devices, systems, software, and hardware available for inspection within the prescribed timeframes, fail to provide the necessary infrastructure for the audit, or fail to take the measures required to keep such infrastructure operational, an administrative fine between TRY 100,000 and TRY 1,000,000 shall apply; commercial companies may, in addition, be subject to an administrative fine of up to 5% of the gross sales revenue reflected in their annual financial statements.
In this framework, the Directorate has been empowered to audit all manner of acts and transactions, to appoint independent auditors or independent audit firms, to conduct or commission on-site inspections to that end, and to impose sanctions. Furthermore, for the purposes of safeguarding national security and public order, and preventing the commission of offenses or cyberattacks, the Directorate is also authorized—upon a judge’s decision, or upon the written order of the public prosecutor in cases where delay would be detrimental—to conduct searches in residences, workplaces, and closed areas not open to the public, and to make copies and seize items in a manner that does not cause prolonged service disruption and is carried out without interruption.
Conclusion
With Law No. 7545, Türkiye’s cybersecurity approach has been transformed from a traditional model based solely on responding to cyberattacks into a holistic framework grounded in risk management, cyber resilience, critical infrastructure security, institutional coordination, audit mechanisms, and regulation—aligned with international instruments such as the EU NIS 2 Directive, the EU Digital Operational Resilience Act (DORA), and NATO Cyber Defence Policies.
However, the Law sets out only a general framework in the field of cybersecurity; the secondary legislation that will give concrete shape to the Law’s scope of application has not yet entered into force. Accordingly, matters such as technical standards, audit criteria, critical infrastructure classifications, incident notification procedures, certification systems, and sector-specific obligations are expected to be shaped through forthcoming secondary legislation.


