The Cybersecurity Law Has Entered into Force

Öykü Su Sabancı co-authored this article.

The acceleration of digitalization worldwide has led to the widespread adoption of artificial intelligence, blockchain, big data, quantum computing, and cloud technologies. As these fields develop, the complexity of cyber threats has increased, necessitating the evolution of cybersecurity defense mechanisms. Ensuring cybersecurity is not only a technical requirement but also a strategic necessity for the sustainability of the digital economy and societal welfare.

The National Technology Initiative launched in our country represents a significant step towards Turkey's strategic goals in this field. The National Technology Initiative consists of five (5) main components: (i) High Technology and Innovation, (ii) Digital Transformation and Industrial Movement, (iii)Entrepreneurship, (iv) Human Capital, and (v) Infrastructure. A prerequisite for success in this process is to create awareness across society to ensure the sustainability of the "education, R&D, and production" processes. While the goal is to achieve international success in technology across all sectors, these objectives are also supported by cybersecurity initiatives.

The Cybersecurity Draft Legislation, presented on January 10, 2025, addresses the identification and elimination of existing and potential threats directed at the Republic of Turkey, both internally and externally. It sets the principles for mitigating the potential impacts of cyber incidents, establishes necessary regulations to protect public institutions, professional organizations with the nature of public institutions, individuals, legal entities, and entities without legal personality from cyberattacks, and defines strategies and policies to strengthen the country's cybersecurity. Additionally, the Cybersecurity Draft Legislation outlines the establishment of the Cybersecurity Board.

Multiple factors have contributed to the drafting of the Cybersecurity Draft Legislation, with key considerations outlined below:

- The increasing number of connected devices and smart applications worldwide has led to a significant rise in the amount of data produced. While the total data volume was approximately five (5) exabytes in 2004, it is estimated to have reached one hundred eighty (180) zettabytes as of 2024. This indicates a 36,000-fold increase in data volume over the past twenty (20) years.

- Similarly, the growth rate of cyber threats has followed a parallel trajectory. In the third quarter of 2024, organizations worldwide faced an average of 1,871 cyberattacks per week, reflecting a 75% increase compared to 2023.

- According to the Global Cybersecurity Index published by the International Telecommunication Union (“ITU”) in 2024, Turkey is among the forty-six (46) countries categorized as "Role Model Countries. "However, the absence of a comprehensive cybersecurity framework law remains a significant gap. The aim of addressing this deficiency is to assist Turkey in achieving its strategic objectives in digital security and to strengthen its position on the global stage.

Within Turkey’s cybersecurity structure, various public institutions, including the Ministry of Transport and Infrastructure, the Ministry of Industry and Technology, the Information and Communication Technologies Authority, and the Presidential Digital Transformation Office, hold different responsibilities concerning cybersecurity. The objectives and justifications of the Draft Legislation are structured as follows:

Within the framework of the regulations outlined above, the primary goal is to implement action plans and secondary legislation, with the aim of establishing an effective protection mechanism on both national and international levels by strengthening the cybersecurity ecosystem. Additionally, through the regulation of standardization, certification, and authorization processes, efforts will be made to harmonize technical infrastructures and minimize security vulnerabilities. Finally, to increase the effectiveness of combating cybercrimes, the penalties for cybercrimes are intended to be raised. All these regulations are designed to ensure the establishment of a comprehensive legal and technical infrastructure aimed at preventing cyber threats, with a focus on aligning with the security standards required in the digital age.

Due to its importance, the current lack of overarching legislation creates numerous coordination issues, including data security, ecosystem collaborations, regulatory arrangements, directing incentives and support, international partnerships, macro policy development, and more. By preparing and regulating the overarching legislation, the existing gap in this regard will be addressed, which will contribute to overcoming the lack of such legislation in our country and help improve Turkey’s position in global indices.

On the other hand, “critical infrastructure” has been mentioned in Turkish legislation for the first time.

Additionally, we would like to note that the Cybersecurity Law Proposal with twenty (21) articles, discussed in the General Assembly of the Turkish Grand National Assembly on Thursday, March 13, 2025, has been accepted. The provision in Article 8, which granted the Chairman of the Cybersecurity Board, to be established under the law, the authority to conduct searches, make copies, and seize property, was removed from the proposal following an amendment. Furthermore, the term "data leakage" in the 5th paragraph of Article 16, which was also a point of discussion, was amended to "data leakage related to cybersecurity. The Cybersecurity Law Proposal, which had been frequently criticized for potentially imposing restrictions and arbitrary practices regarding the protection of personal data, privacy, and freedom of expression, was approved by the Turkish Grand National Assembly with two hundred forty-six (246) votes in favor, while one hundred two (102) members of parliament voted against it.

The Cybersecurity Law (“Law”) was published in the Official Gazette and entered into force on March 19, 2025. The Law mandates the prioritization of domestic and national products in ensuring cybersecurity. Within the scope of the Law, personal data and trade secrets obtained by the competent authorities shall be deleted, destroyed, or anonymized once the necessity for their access ceases to exist. Additionally, a Cybersecurity Board, composed of the President and relevant ministers, has been established, allowing expert opinions to be sought when necessary. The Law explicitly defines criminal sanctions, imposing severe penalties for cybersecurity violations. Accordingly, individuals who carry out cyberattacks against Türkiye’s national assets in cyberspace shall be sentenced to eight (8) to twelve (12) years of imprisonment. Those who disseminate, transfer, or sell data obtained through such attacks shall be subject to ten (10) to fifteen (15) years of imprisonment. Furthermore, individuals who obstruct the sharing of information, documents, software, data, and hardware requested within the scope of the duties of the authorized bodies shall face one (1) to three (3) years of imprisonment along with a judicial fine. Additionally, those who fail to comply with the obligation to maintain confidentiality shall be sentenced to four (4) to eight (8) years of imprisonment.

The Presidential Decree on the Cybersecurity Presidency (Decree No. 177), published in the Official Gazette No. 32766 on January 8, 2025, and thereby entering into force, establishes the Cybersecurity Presidency and sets forth the procedures and principles governing its organization, duties, powers, and responsibilities. Please find here the legal brief that we have prepared regarding the Presidential Decree.

You can access the text of the Law here.