The Regulatory Landscape of Cybersecurity in Türkiye

19.02.2025


As digital transformation leads to increased use of information and communication technologies, companies and individuals must be prepared for the inevitable cybersecurity risks and threats that accompany it. In Türkiye, the regulatory landscape surrounding cybersecurity is evolving to address these challenges, particularly in the context of personal data protection. This article provides an overview of the current regulations, recommended measures for data controllers, the extraterritorial reach of the NIS 2 Directive, as well as recent developments and future changes in the cybersecurity framework in Türkiye.

1. Recent Developments and Future Changes

Türkiye has been making strides in enhancing its national cybersecurity framework. Strategic, regulatory and technological efforts are being undertaken to ensure an appropriate national level of cybersecurity. Within the Strategic Plan, the 12th Development Plan aims to achieve its strategic objectives by addressing global trends and the current state of digital transformation. The plan outlines six main objectives: (1) cyber resilience; (2) proactive cyber defence and deterrence; (3) a human-centred cybersecurity approach; (4) secure use of technology and its contribution to cybersecurity; (5) domestic and national technologies in the fight against cyber threats; and (6) increasing Türkiye's active role in "cyber diplomacy".

Among these developments, the presidential decree published on 8 January 2025 established the Cybersecurity Directorate. This newly formed directorate is tasked with establishing policies, strategies and objectives in order to ensure the required level of cybersecurity. Additionally, it will carry out legislative works and conduct initiatives to raise awareness through training. The directorate is expected to collaborate with public institutions and the private sector to achieve its goals.

Furthermore, a proposal for a Cybersecurity Law was submitted to the National Defence Committee of the Grand National Assembly of Türkiye on 10 January 2025 and was approved on 15 January 2025. Its primary aim is to regulate the activity of public institutions and organisations, professional organisations in the nature of public institutions, natural and legal persons, as well as organisations without legal personality that operate, provide services or are active in cyberspace. It delineates the duties of the Cybersecurity Directorate and establishes penalties for certain acts, including imprisonment for up to 15 years and administrative fines of up to TRY 100 million, ensuring stringent measures against cybersecurity breaches. In addition, in case of violations of the supervision obligation, penalties will be imposed according to turnover.

2.1 Regulations under Law No 6698 on the Personal Data Protection

Until the entry into force of the proposed Cybersecurity Law and the enactment of the related secondary legislation, the main legislative source for cybersecurity regulation is Law No 6698 on the Protection of Personal Data (the "Law"), which sets out general requirements regarding the security of personal data. Cybersecurity breaches can potentially lead to a breach of the Law. According to the Law, the protection of personal data security consists of three fundamental elements:

  • Confidentiality: Data should be accessible only to authorised individuals.

  • Integrity: The completeness and accuracy of the data should be ensured.

  • Availability: Data should be accessible and usable by authorised individuals whenever needed.

Article 12 of the Law states that data controllers are obliged to take all necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing of and access to personal data, while also safeguarding the preservation of such data.

If a data controller faces a data breach, it is required to notify the Turkish Personal Data Protection Authority (the "DPA") and, when necessary, the data subject, as soon as possible in accordance with Article 12 (5) of the Law. The requirements to be followed by the data controller in such cases are as follows:

  • The DPA must be informed of the data breach within 72 hours (Decision No 2019/10 of the DPA).

  • The notification to be made to data subjects must be clear and simple and include:

      • information on the affected personal data and the potential consequences of the data breach;

      • information about the measures taken or required to mitigate the negative effects of the data breach;

      • contact information of the data controller.

The DPA has published non-binding guidelines on technical and organisational measures in order to clarify what is expected of data controllers to ensure the appropriate level of security. The guidelines also aim to prevent any violation of personal data, such as unlawful processing of or access to it.

2.2 Sector-Specific Regulations

Certain sector-specific legislation also applies to companies operating in such sectors. Banking, health, insurance and telecommunications sectors have sector-specific legislation, making them more affected by cybersecurity issues.

  • Banking: Banking Law No 5411 and the Regulation on Information Systems of Banks and Electronic Banking brought a focus on the protection of personal data and cybersecurity in the banking sector. According to the Regulation, banks must provide 90 hours of mandatory training for bank personnel annually, along with having penetration tests [1] carried out by independent firms.

  • Healthcare and Insurance: The Regulation on Personal Health Records creates a new category of personal data and requires an enhanced level of security. The Regulation sets out several obligations for the processing of personal health data, including provisions governing the processing of health data by insurance companies.

  • Telecommunications: Electronic Communications Law No 5809 and the Regulation on Processing Personal Data and Protection of Privacy in the Electronic Communications Sector brought a focus on the protection of personal data and cybersecurity in the telecommunications sector. According to the Regulation, companies subject to it are expected to take all appropriate technical and administrative measures; retain records of actions related to access to personal data and associated systems for two years; notify users of a breach or a potential breach of personal data as soon as possible; and obtain explicit consent under the conditions specified in the Regulation when required.

Additionally, the 12th Development Plan of the Turkish Republic for 2024-2028 (the "Strategic Plan") states that, under Law No 5809, the Ministry of Transport and Infrastructure is entrusted with the duties and responsibilities of developing policies and strategies for ensuring national cybersecurity, preparing action plans, conducting monitoring and evaluation activities related to these and ensuring coordination.

Article 60 (11) of the same law underlines that the Information and Communication Technologies Authority (the "ICTA") is competent to impose sanctions on relevant parties who fail to fulfil their obligations in order to prevent cyberattacks and ensure deterrence.

In the light of the DPA's guidelines, companies processing personal data are expected to identify potential risks and adopt the risk management measures that are common in cybersecurity, in line with Article 12 of the Law. It is necessary to accurately assess both the likelihood of each risk materialising and the infringement of rights that may arise in the event of a data breach, and to take appropriate measures accordingly. The measures to be implemented are classified into administrative and technical categories.

Administrative Measures:

  • Policies and Procedures: Adopting a robust policy for the security of personal data will enable the identification of risks in advance and help to ensure that preventive measures are taken consistently. Data controllers must review existing security measures and act in compliance with their legal obligations. The management of potential security breaches must be clearly defined.

  • Regular Training of Employees: Data breaches are primarily caused by internal factors. Therefore, it is essential to ensure that employees receive the necessary training on personal data protection, and the training must be supported by awareness campaigns.

  • Management of Relations with Data Processors: The data controller must ensure the management of its relationship with the data processor in both operational and legal aspects. In this context, contracts must be prepared by professionals and the responsibilities of the data processor must be clearly specified.

  • Minimisation of the Data: According to Articles 4(b) and (d), personal data must be accurate and up to date. Data must not be retained for a period longer than what is stipulated by the legislation, or necessary for the purpose for which it was processed.

  • Access Control Policies: Access to data will be limited to employees who require it for work-related purposes.

Technical Measures:

  • Regular Backup: In the event of a potential cyberattack, regular data backups are necessary to prevent losses and ensure the continuity of operations. Additionally, storing personal data in cloud services results in such data being processed by those cloud service providers. The data controller must take necessary precautions with regard to personal data processing. For example, if the data is transferred abroad, the actions must comply with Article 9 of the Law.

  • Reinforcement of Access to Systems: Two-factor authentication must be implemented for employees logging into the company's systems.

  • Regular Update of Information Systems ("IS"): companies must apply software patches, i.e. modifications to their IS that improve its security, performance or other features. Additionally, unused IS must be decommissioned to reduce the potential risk.

  • Encryption: Data controllers must encrypt personal data in their possession.

3. Extraterritorial Reach of NIS 2: Implications for Turkish Entities

Directive No 2022/2555 (known as "NIS 2") aims to achieve a high common level of cybersecurity across the European Union. [2] The European Commission (the "Commission") identified the following main issues with the previous Directive No 2016/1148 (the "NIS"): (i) an insufficient level of cyber resilience of businesses operating in the European Union; (ii) inconsistent resilience across Member States and sectors; (iii) insufficient common understanding of the main threats and challenges among Member States; and (iv) lack of a joint crisis response. It is expected that NIS 2 will help solve these pre-identified issues.

The Commission has expanded the scope of NIS by adopting NIS 2. Thus, a Turkish-based company conducting business within the European Union and operating in the sectors outlined below may qualify as an "essential" or "important" entity and be subject to its provisions if it meets the applicability conditions of NIS 2. [3]


Non-compliance with NIS 2 may result in legal sanctions. In addition to the administrative fines applicable to both important and essential entities, if the company is an essential entity the authorities may impose a temporary suspension of activity as well as a temporary prohibition on exercising managerial functions.

4. Conclusion

In conclusion, the regulatory landscape of cybersecurity in Türkiye is undergoing significant changes to address the challenges posed by digital transformation. The recent establishment of the Cybersecurity Directorate and the approval of the Cybersecurity Law mark important steps towards strengthening Türkiye's national cybersecurity framework. Data controllers operating in Türkiye should carefully review their practices and agreements related to the protection of personal data to ensure that they provide the appropriate level of security and to avoid potential legal repercussions. Key areas of focus include adopting robust policies and procedures, regular employee training and effective management of potential security breaches. Additionally, Turkish entities operating within the European Union must be aware of the extraterritorial reach of NIS 2 and its implications.


Footnotes

1. A security exercise where a cyber-security expert attempts to find and exploit vulnerabilities in a computer system.

2. Recital 142 of NIS 2.

3. Article 26.3 of NIS 2.
