A First in Turkey: Cyber Security Law Published

24.03.2025

Turkey has reached an important milestone in the field of cyber security: The Cyber Security Law (Law) was published in the Official Gazette on 19 March 2025.

Until now, Turkish law had no comprehensive framework legislation regulating the field of cyber security comparable to the “Law on the Protection of Personal Data” or the “Law on the Regulation of Electronic Commerce”. With the Law, an important gap in the field of cyber security has been filled.

The main purpose of the Law is to determine strategies and policies to strengthen cyber security in the Republic of Türkiye. 

The Law covers all public institutions and organisations, professional associations, real and legal persons operating in cyberspace. The activities carried out by the National Intelligence Organisation and the activities of the General Directorate of Security and the Gendarmerie General Command, as well as the activities carried out in accordance with the Law on State Intelligence Services and the National Intelligence Organization and the Law on Internal Service of the Turkish Armed Forces are excluded from the scope of the Law.

The notable regulations in the Law are as follows:

- Establishment of the Cyber Security Board and its duties and powers,

- Increasing the cyber resilience and maturity levels of public institutions and critical infrastructure organisations,

- Centralised monitoring, detection and elimination of cyber security incidents,

- Implementation of deterrent sanctions through audit processes,

- Regulation of standardisation, certification and authorisation processes,

- Implementation of severe penalties for cybercrimes and incidents.

Significant definitions and novelties introduced by the Law are as follows:

The Cyber Security Presidency assumes a proactive role against cyber threats. This role includes vital responsibilities such as increasing the cyber resilience of critical infrastructures, detecting, preventing and mitigating cyber attacks.

The scope of information systems is broadly defined in the Law. Accordingly, information systems include hardware, software, systems and all other active or passive components used in the provision of all kinds of services, transactions and data provided by information and communication technologies.

Cyberspace is defined as “the environment consisting of information systems connected to the Internet or electronic networks and the networks connecting these systems.” This definition makes it clear that everyone operating in the digital world will be subject to the Law.

For the Cyber Incident Response Teams (“SOME”), the Presidency has the authority to establish SOMEs, to ensure and supervise their establishment, to carry out studies to determine and increase their maturity levels, and to measure the cyber incident response capabilities of SOMEs by organising cyber security practices.

Although not included in the definitions section, the Cyber Security Board (Board) was also established under the Law. The purpose of the Board is to take decisions on policies, strategies, action plans and other regulatory actions related to cyber security and to determine the institutions and organisations that will be exempted from all or some of the decisions taken.

The main duties and responsibilities regarding cyber security of those who are covered by the Law and who provide services, collect, process data and carry out similar activities by using information systems are as follows:

- All kinds of data, information, documents, hardware, software and any other contribution requested by the Presidency within the scope of its duties and activities should be transmitted to the Presidency primarily and on time. This point is quite critical, because violation of this regulation brings imprisonment and administrative fines.

- Measures stipulated by the legislation should be taken for the purposes of national security, public order or the proper execution of public service for cyber security, and vulnerabilities or cyber incidents detected in the area where service is provided should be notified to the Presidency without delay.

- Cyber security products, systems and services to be used in public institutions and organisations and critical infrastructures should be obtained from cyber security experts, producers or companies authorised and certified by the Presidency.

- Cyber security companies subject to certification, authorisation and certification must obtain the approval of the Presidency before commencing operations.

In this context, the Presidency may inspect all kinds of acts and transactions falling within the scope of the Law when it deems necessary in relation to its duties specified in the Law; for this purpose, it may conduct on-site inspections or have them conducted.

The criminal sanctions in the Law are as follows:

- Three to five years' imprisonment for those who, without authorisation, access, share or offer for sale personal or critical public service data as a result of data leaks in cyberspace,

- Those who commit a cyber-attack against the elements constituting Turkey's national power in cyberspace or who keep any data obtained as a result of this attack in cyberspace shall be sentenced to imprisonment from eight to twelve years, unless the act constitutes another offence requiring a heavier penalty; those who disseminate, send elsewhere or offer for sale any data obtained as a result of this attack in cyberspace shall be sentenced to imprisonment from ten to fifteen years.

- From one million Turkish liras to ten million Turkish liras for those who fail to fulfil their duties and responsibilities to take the measures stipulated by the legislation for the purposes of national security, public order or proper execution of public service regarding cyber security, to notify the Presidency without delay of the vulnerabilities or cyber incidents they detect in the field they provide services, and to procure cyber security products, systems and services to be used in public institutions and organisations and critical infrastructures from cyber security experts, producers or companies authorised and certified by the Presidency,

- Those who fail to fulfil the obligations imposed on companies offering cyber security products and services will be subject to an administrative fine of ten million Turkish Liras to one hundred million Turkish Liras.

- Those who create misleading content regarding data leaks in cybersecurity, or disseminate such content for this purpose, in order to create anxiety, fear and panic among the public or to target institutions or individuals, despite being aware that there is no data leak in cyberspace, will be sentenced to imprisonment from two to five years. The relevant regulation has caused widespread resonance in public opinion, mainly due to the broad interpretation of the article. This part of the Law should be interpreted in a way that does not prejudice freedom of expression.

The sale abroad of cyber security products, systems, software, hardware and services and the merger, division, share transfer or sale transactions of the companies producing them will be subject to the approval of the Presidency. Any actions taken without the Presidency's approval will be unlawful.

Although the Law will enter into force on its date of publication, companies operating in the field of cyber security are obliged to complete their certification processes within one year from the entry into force of the relevant regulations.

Secondary regulations are expected to be completed within one year.

Developments in the field of cyber security and the regulations to be introduced by the Law are eagerly awaited.

You can access the Law here (only available in Turkish).

This website is available “as is”. Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.