Cyber Security Bill is at the National Assembly: Turkey's New Era in Cyber Security

05.02.2025

Turkey has reached a crucial milestone in the field of cyber security: the Cyber Security Bill (Bill) was proposed to the Grand National Assembly of Turkey (Assembly) on 10 January 2025. It is expected, however, that some provisions may change before publication.

Until now, Turkish legislation had no comprehensive framework law regulating the field of cyber security comparable to the “Law on the Protection of Personal Data” or the “Law on the Regulation of Electronic Commerce”. With the Bill, a ground-breaking era will begin in the cyber security area.

The main purpose of the Bill is to determine strategies and policies to strengthen cyber security in the Republic of Türkiye.

The Bill covers all public institutions and organizations, professional associations, and real and legal persons operating in cyberspace. Activities of an intelligence nature carried out by the National Intelligence Organisation, the General Directorate of Security and the Gendarmerie General Command are excluded from the scope of the Bill.

The outstanding regulations in the Bill are as follows:

▪️ Establishment of the Cyber Security Board and its duties and powers,

▪️ Increasing the cyber resilience and maturity levels of public institutions and critical infrastructure organizations,

▪️ Centralised monitoring, detection, and elimination of cyber security incidents,

▪️ Implementation of deterrent sanctions through audit processes,

▪️ Regulation of standardization, certification and authorization processes,

▪️ Implementation of severe penalties for cybercrimes and incidents.

Significant definitions in the Bill are as follows:

The President refers to the Cyber Security President, and the Presidency refers to the Cyber Security Presidency. At this point, the Presidency assumes a proactive role against cyber threats. This role includes vital responsibilities such as increasing the cyber resilience of critical infrastructures, detecting, preventing and mitigating cyber attacks.

The scope of information systems is broadly defined in the Bill. Accordingly, information systems include hardware, software, systems and all other active or passive components used in the provision of all kinds of services, transactions and data provided by information and communication technologies.

Cyberspace is defined as “the environment consisting of information systems connected to the Internet or electronic networks and the networks connecting these systems.” This definition makes it clear that everyone operating in the digital world will be subject to the Bill.

“SOME” is defined as a Cyber Incident Response Team. The Presidency has the authority to establish SOMEs and to ensure and supervise their establishment, to carry out studies to determine and increase their maturity levels, and to measure the cyber incident response capabilities of SOMEs by organizing cyber security practices.

Although not included in the definitions section, the Bill calls for the establishment of a Cyber Security Board (Board). The purpose of the Board is to make decisions on policies, strategies, action plans and other regulatory actions related to cyber security and to determine the institutions and organizations that will be exempted from all or some of the decisions taken.

The main cyber security duties and responsibilities of those who are covered by the Bill and who provide services, collect and process data, or carry out similar activities using information systems are as follows:

▪️ All kinds of data, information, documents, hardware, software and any other contribution requested by the Presidency within the scope of its duties and activities should be transmitted to the Presidency with priority and on time. This point is critical, since violation of this rule is punishable by imprisonment and administrative fines.

▪️ Measures regarding cyber security stipulated by the legislation for the purposes of national security, public order or the proper execution of public service should be taken, and vulnerabilities or cyber incidents detected in the area where service is provided should be notified to the Presidency without delay.

▪️ Cyber security products, systems and services to be used in public institutions and organizations and critical infrastructures should be obtained from cyber security experts and companies authorized and certified by the Presidency.

▪️ Cyber security companies subject to certification and authorization must obtain the approval of the Presidency before commencing operations.

In this context, the Presidency may inspect all kinds of acts and transactions falling within the framework of the Bill when it deems necessary in relation to its duties specified in the Bill; for this purpose, it may conduct on-site inspections or have them conducted.

The criminal sanctions within the scope of the Bill are as follows:

▪️ Three to five years' imprisonment for those who, without authorisation, access, share, or offer for sale personal or critical public service data as a result of data leaks in cyberspace,

▪️ Those who commit a cyber-attack against the elements constituting Turkey's national power in cyberspace or who keep any data obtained as a result of this attack in cyberspace will be sentenced to imprisonment from eight to twelve years, unless the act constitutes another offense requiring a heavier penalty; those who disseminate, send elsewhere or offer for sale any data obtained as a result of this attack in cyberspace shall be sentenced to imprisonment from ten to fifteen years.

▪️ A fine of one million Turkish liras to ten million Turkish liras for those who fail to fulfill their duties and responsibilities to take the measures stipulated by the legislation for the purposes of national security, public order or proper execution of public service regarding cyber security, to notify the Presidency without delay of the vulnerabilities or cyber incidents they detect in the field in which they provide services, and to procure cyber security products, systems and services to be used in public institutions and organizations and critical infrastructures from cyber security experts and companies authorized and certified by the Presidency,

▪️ Those who fail to fulfill the obligations imposed on companies offering cyber security products and services will be subject to an administrative fine of ten million Turkish liras to one hundred million Turkish liras.

▪️ Those who carry out activities aimed at targeting institutions or individuals by creating a perception of data leakage in cyberspace, even though there is no data leakage, will be sentenced to imprisonment from two to five years. This provision has resonated widely in public opinion. The main reason is that the expression “creating a perception as if a data leak had occurred” in the article is open to broad interpretation.

The sale abroad of cyber security products, systems, software, hardware and services established or developed with public support, and the merger, division, share transfer or sale transactions of the companies producing them will be subject to the approval of the Presidency.

In addition, if the Bill passes through the Assembly, companies in the field of cyber security will have to complete their certification processes within one year from the publication of the passed Bill in the Official Gazette.

Developments in the field of cyber security and the regulations to be introduced by the Bill are eagerly awaited. You can access the Bill here (only available in Turkish).
