Türkiye’s First Cybersecurity Law Entered into Force

08.04.2025

On 19 March 2025, Law No. 7545 on Cybersecurity (the “Law”) was published in the Official Gazette and came into force. Designed to enhance cybersecurity in Türkiye and provide robust protection against cyberattacks, the Law introduces comprehensive regulations that impose substantial obligations and responsibilities on public and private sector organisations, individuals, and all digital platforms. Its primary aim is to regulate the activities of these entities from a cybersecurity standpoint.

New Obligations and Regulations

Management of Cybersecurity Risks: Public institutions and private sector organisations are now obligated to ensure the security of their critical infrastructures in the field of cybersecurity. They are also required to conduct risk analyses to identify vulnerabilities. Furthermore, institutions must establish cybersecurity incident response teams and work towards enhancing the maturity of these teams.

Information Systems Security: The Law mandates that all information systems be secured and their resilience against cyberattacks be strengthened. As part of this, organisations must implement cybersecurity measures at every stage of their operations. This includes activities such as gathering cyber threat intelligence and investigating malware.

Certification of Cybersecurity Products and Services: Products, software, hardware, and services in the cybersecurity field must adhere to specific standards. The import, sale, and distribution of these products will be subject to approval by the Cybersecurity Presidency.

Duties and Powers of the Cybersecurity Presidency

The Cybersecurity Presidency (“Presidency”) holds both regulatory and executive responsibilities aimed at strengthening Türkiye’s cybersecurity defence capabilities. It is tasked with implementing necessary measures to protect against cyberattacks, ensuring the integration of software and hardware products, and transferring data from these products to its own information systems. Additionally, the Presidency may provide on-site or remote intervention support to organisations subjected to cyberattacks, track the origins of attacks, collect evidence, and share it with the relevant authorities.

The Presidency is authorised to collect, evaluate, and store information and data, ensuring that these are processed for specified periods before being securely destroyed. It also has the authority to represent Türkiye in international forums and foster global cybersecurity collaborations.

Furthermore, the Presidency holds the power to audit the activities of institutions, organisations, and individuals under the scope of the Law. It may carry out on-site inspections or audits through independent audit firms where necessary. During such audits, the Presidency may review and copy any digital documents, request clarifications, and observe facilities. Public institutions and security units are required to fully cooperate with the audit process. In cases involving national security or public order, search, data copying, and seizure procedures can be conducted with a court order (or, in urgent cases, a prosecutor’s order); these actions must follow specific procedures and time constraints.

Duties and Powers of the Cybersecurity Board

The Law establishes the Cybersecurity Board (“Board”), chaired by the President and comprising relevant ministers and senior security officials. Under the Law, the Board is responsible for overseeing decision-making processes in cybersecurity, which includes establishing technical commissions and working groups when necessary. The Board’s duties encompass defining national cybersecurity policies, strategies, and action plans; implementing the technology roadmap; identifying priority areas for support; defining critical infrastructures; and resolving disputes between public institutions.

Criminal Provisions and Administrative Sanctions

Under the Law, individuals who fail to provide the information, documents, and data requested by the Presidency or who engage in unauthorized activities will be subject to imprisonment for up to 3 years, along with judicial fines ranging from 500 to 1,500 days. Acts such as data leakage, sharing confidential information, or producing misleading content for the public will result in severe imprisonment sentences of up to 5 years. Attacks targeting Türkiye’s cybersecurity infrastructure are punishable by up to 12 years of imprisonment, while those involved in distributing the data may face sentences of up to 15 years. Penalties are increased if the offence is committed by a public official or as part of an organised group. Institutions that fail to comply with notification and certification obligations may incur fines ranging from TRY 1 million to TRY 100 million. Commercial companies that fail to take the necessary precautions during audits may be subject to an administrative fine of up to 5% of their annual gross sales revenue.

This website is available “as is”. Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall it be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.