The New Legal Framework for Cyber Security in Turkey: Cyber Security Law Numbered 7545

15.05.2025

Introduction

The impact of cyber threats on national security, economic stability and the continuity of public services made a comprehensive legislative regulation in the field of cyber security a necessity in Turkey, as in all countries around the world. In response to this need, the Cyber Security Law No. 7545 (“Law”), published in the Official Gazette No. 32494 dated March 19, 2025, established a systematic legal framework in this field for the first time and introduced an important innovation by providing for obligations and administrative structures covering both the public and private sectors.

In today's world, cyber security is a highly topical and critical concern because of the technological structure of the age we live in. In addition to the smartphones and computers that individuals use extensively in daily life, the smart home systems, internet-connected white goods, electronic household appliances and even children's toys that make up our living spaces operate over a network and continuously collect data. This networked structure creates a vulnerability that can affect not only individual privacy and data security but also the social order. Indeed, even the recent large-scale power outages in Europe, which seriously disrupted public services, have been attributed to a possible cyber-attack, and such incidents clearly demonstrate how vital cyber security is for national security and public order. In this context, subjecting the field of cyber security to legal regulation has become a necessity. The main purpose of the Cyber Security Law is to protect public order, the fundamental rights and freedoms of individuals and economic stability by ensuring the security of these network-based systems and preventing possible cyber threats.

Pursuant to the Law, “cyberspace” is defined as all composite systems directly or indirectly connected to the internet, electronic communication or computer networks and the environments consisting of the networks connecting them, and certain regulations have been introduced covering (i) public institutions and organizations, (ii) professional organizations in the nature of public institutions, (iii) real and legal persons and (iv) organizations without legal personality that exist, operate and provide services in cyberspace.

However, the secondary regulations that will give concrete form to the implementation of the Law have not yet been put into force. It is envisaged that the implementing regulations will be issued by March 19, 2026, at the latest, followed by a harmonization period of approximately one year and the gradual implementation of the regulation. This transition period is regarded as a preparation period for both public authorities and the private sector, intended to ensure that the norms can actually be applied.

The main purpose of the Law is to ensure the protection of the information systems of public institutions, critical infrastructure sectors and strategically important private enterprises and to establish national cyber security. In this context, the Law is intended to:

- take preventive measures,

- respond to cyber incidents in a timely and effective manner,

- establish post-cyber incident recovery mechanisms.

II. New Institutional Structures

1. Cyber Security Presidency: The Cyber Security Presidency was established by Presidential Decree No. 177 on the Cyber Security Presidency, published in the Official Gazette dated 8 January 2025 and numbered 32776. The Law assigns it various duties, such as combating cyber threats, carrying out legislative work, ensuring coordination in cyber security activities, preparing emergency plans, and ensuring that an inventory of all assets of public institutions and organizations and of critical infrastructures, including a data inventory, is kept, that risk analyses are carried out for these assets, and that security measures are put in place according to the criticality of each asset.

The Law also stipulates that the Presidency may, when deemed necessary in relation to its duties, inspect any act or transaction falling within the scope of the Law, and may conduct or have conducted on-site inspections for this purpose.

2. Cyber Security Board: The Law establishes the Cyber Security Board, which will operate under the Presidency (Art. 5). The Board is equipped with critical powers such as determining national cyber security policies, preparing action plans and ensuring coordination between the public and private sectors.

3. National Cyber Incident Response Center (USOM): The Law expanded the powers and duties of USOM, which currently operates under the Information Technologies Authority, and reinforced its duties of technical coordination, incident analysis, sectoral warnings and execution of response protocols.

III. Main Obligations Introduced

1. Obligations Imposed on Critical Infrastructure Facilities

The Law defines critical infrastructures as information system infrastructures that can cause serious damage when the confidentiality, integrity or accessibility of the information/data they process is compromised. In this context, it has become mandatory for public and private sector institutions operating in critical infrastructure areas such as energy, water, transportation, banking and health to take minimum security measures for their information systems. These institutions must also conduct internal audits, testing and risk analyses related to cyber incidents.

2. Obligations Imposed on the Private Sector

The Law imposes various obligations not only on public institutions but also on private sector organizations. The main obligations the Law imposes on the private sector, and their legal implications, are analyzed below.

a-) Obligation to Submit Information and Documents: The Law obliges private sector organizations to submit the information, documents, software, data and hardware requested by the Cyber Security Board or authorized auditors in a timely and complete manner. In case of breach of this obligation, the responsible persons are liable to imprisonment of 1 to 3 years and a judicial fine of 500 to 1,500 days. This regulation was introduced to ensure that the private sector acts in accordance with the principles of transparency and cooperation.

b-) Prohibition of Unauthorized Activities: Private sector organizations operating in the field of cyber security must obtain approval from the Cyber Security Presidency before selling related products and services abroad. In addition, merger, division, share transfer or sale transactions of these companies must be notified to the Presidency. Companies that fail to comply with these obligations are liable to imprisonment of 2 to 4 years and a judicial fine of 1,000 to 2,000 days. This regulation aims to protect national security and prevent the uncontrolled transfer of strategic technologies.

c-) Obligation to Take Measures Regarding Cyber Security and Notification of Cyber Incidents: Private sector organizations are obliged to take the measures stipulated by the legislation for the purposes of national security, public order or the proper execution of public services regarding cyber security and to immediately notify the Cyber Security Presidency of the cyber-attacks they detect. Taking these measures in a timely manner and making timely and accurate notifications are of great importance for the effectiveness of the national cyber security strategy. Violation of this obligation may result in administrative fines and other sanctions.

d-) Use of Certified Products and Services: It has been made mandatory for public institutions and critical infrastructures to use only products and services authorized by the Cyber Security Presidency. This situation reveals that private sector organizations should carefully select their solution partners and work only with certified products and service providers.

e-) Prevention of Unauthorized Access, Sharing and Sale of Data: Article 12, paragraph 4 of the Cyber Security Law imposes severe criminal sanctions on the unauthorized access to, sharing or sale of personal data and critical public service data, whether or not for payment, unless the individuals or institutions concerned have expressly consented. The Law takes a harsh approach by prescribing a prison sentence of three to five years for such data breaches. Although the provision is addressed to individuals, it is structured in a way that may indirectly affect not only natural persons but also private sector organizations.

In particular, private sector organizations could be interpreted as facing an obligation to take appropriate measures to ensure that their employees and managers do not commit such breaches. Managers and IT departments of private sector entities can meet this through continuously updated systems and procedures that ensure data security, and obligations may be imposed on companies in this regard. Companies will therefore need to strengthen their data protection policies, provide regular cyber security training and take effective measures against cyber threats in order to protect their employees and managers from such criminal liability. Otherwise, if companies fail to prevent such breaches, they may face both legal liability and potentially large-scale financial losses.

3. Supervision and Sanction Mechanism

The Law differentiates its sanction mechanism according to the severity of the act committed. For some acts, such as cyber-attacks, the leaking of personal or corporate data and the dissemination of leaked data, the Law provides for imprisonment. For other acts, such as failure to take the measures stipulated by the legislation and obstruction of audit activities, the ICTA exercises its supervisory authority and may impose various administrative sanctions on institutions; in this context, the Law provides for administrative fines of up to 1 million TL.

Another provision that deserves emphasis is the inspection provision in Article 8. The supervisory authority set out in the fifth paragraph of Article 8 of the Law allows searches, the copying of digital data and seizure in residences, workplaces or closed areas on broadly interpretable grounds such as national security, public order, and the prevention of crime or cyber-attacks. Although at first glance this authority resembles the protective measures of criminal procedure law, the purpose and scope of the provision show it to be a preventive administrative measure. In particular, the last sentence of the provision, which states that “a judge's decision is not required for public institutions and organizations”, makes it possible to carry out search and seizure procedures in premises belonging to public legal entities such as municipalities without judicial supervision. To prevent the article from causing harm in terms of legal certainty and fundamental rights and freedoms, the criteria to be set in the forthcoming regulations should be clear, foreseeable and determinable.

IV. International Harmonization and Strategic Significance of the Law

The Law is generally in line with the European Union NIS 2 Directive and NATO cyber defense policies. Indeed, the notification-based classification system, the definition of critical infrastructure and the national coordination mechanisms are significantly aligned with these international texts. In this respect, the Law is not only a national regulation but also strengthens Turkey's position in the field of digital diplomacy and cyber solidarity.

Conclusion

The Cyber Security Law No. 7545, as the first comprehensive legal text enacted in this field in Turkey, introduced significant structural changes and obligations. New institutions and strengthened oversight mechanisms are intended to ensure a more organized and coordinated response to cyber incidents. However, the preparation of secondary legislation and implementation guidelines that are transparent and sensitive to sectoral differences will be decisive for the effectiveness of the Law.

This new legal regulation, which aims to strengthen Turkey's digital security infrastructure, is a positive step in response to an important need in a changing and evolving digital world. However, it should be kept in mind that the broad scope and implementation of the regulation may directly affect fundamental rights and freedoms, particularly the protection of personal data and freedom of expression. It is therefore imperative to establish a legal infrastructure that clearly limits the impact on private persons and does not allow arbitrary practices. The scope of the authority should be clearly defined, and the possibility of arbitrariness should be eliminated by narrowing administrative discretion.

Although the provisions on the Prevention of Unauthorized Access, Sharing and Sale of Data apply to the person who commits the act, in accordance with the principle of individuality of punishment, it is foreseeable that these penalties will increase the obligations of companies and other legal entities in the medium term. The penalties will strengthen the data security practices of the private sector and motivate companies to improve their cyber security infrastructure. At the same time, taking the managerial and technical measures needed to fulfill this obligation may pose a significant challenge, especially for companies that do not process large-scale data. This will indirectly impose additional obligations on the private sector and require further investment in cyber security.

On the other hand, the obligation for organizations to meet minimum cyber security criteria and manage certification processes creates new and significant obligations for the private sector. Companies will inevitably have to implement continuously updated internal audit mechanisms and restructure their compliance processes in order to comply with the legislation. The severity of the sanctions is also noteworthy. In particular, those who fail to provide, or obstruct the provision of, information, documents, software, data or hardware are subject to imprisonment of 1 to 3 years and a judicial fine of 500 to 1,500 days, while those who operate without the necessary permits and authorizations are liable to imprisonment of 2 to 4 years and a judicial fine of 1,000 to 2,000 days. These sanctions may have a serious impact on private sector actors, and their practical implications should be carefully considered.

This website is available “as is”. Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.