Purpose and Scope
The Cyber Security Law, which came into force on March 19, 2025, aims to protect the national assets of the Republic of Türkiye in cyberspace from internal and external existing and potential threats, to minimize the impact of cyber incidents, and to increase the security of all natural and legal persons against cyber attacks. The Law covers public institutions, professional organizations with public institution status, private sector organizations, and non-incorporated entities, including their information systems. In this framework, the protection of not only individuals or companies but also national security is targeted. Establishing a comprehensive legal basis against new threats brought by technological developments, the Law introduces framework regulations for both the public and private sectors to determine cyber security strategies, detect threats in a timely manner, and reduce the effects of attacks. Thus, while digital infrastructures are secured, it is also envisaged that new employment opportunities will be created in the field of cyber security. On the other hand, intelligence activities related to internal security and military duties are excluded from the scope of this Law.
Cyber Security Presidence
The Law envisages the establishment of a Cyber Security Presidency (“the Presidency”) to prepare, implement, and coordinate national cyber security policies. The Presidency, which will assume the role of a central authority in managing cyber threats, ensures that both the public and private sectors are prepared against these threats. The Law, which regards cyber security and national security as an inseparable whole, grants the Presidency significant responsibilities and powers in this regard.
Under the Cyber Security Law, critical infrastructures are first identified and strategies are developed for their protection. In this context, vulnerability tests, risk analyses, and malicious software analyses are carried out; threat intelligence is shared, and security measures are taken for priority assets. On the other hand, it is aimed to establish an effective intervention network at both national and international levels by establishing, supervising, and enhancing the intervention capabilities of Cyber Incident Response Teams SOMEs. The Presidency provides support to institutions by taking preventive and protective measures, analyzing information and log records, and conducting risk assessments. In addition, the Presidency has the presidency to determine technical criteria for cyber security products and services and to conduct certification processes in these areas. Pursuant to Article 7 of the Law, cyber security duties and responsibilities have been determined by the Presidency, and all data, information, documents, and equipment requested within the scope of the Presidency’s duties and activities must be delivered on time. Vulnerabilities and cyber incidents must be reported to the Presidency immediately. Only authorized individuals or companies can provide services in public institutions and critical infrastructures. Certified companies must obtain approval from the Presidency before commencing operations. Compliance with strategy and action plans must be ensured, and the Presidency must work in cooperation with all stakeholders.
Cyber Security Board
With the Law, the Cyber Security Board was established, tasked with determining strategy and resolving inter institutional disputes. Secretariat services are carried out by the Presidency, and working procedures are determined by the President.
Regulations on Cyber Security Products and Companies
The sale of cyber security products, systems, software, hardware, and services abroad will be carried out in accordance with the procedures and principles to be determined by the Cyber Security Presidency. In this context, for the export of products subject to permission, approval from the Presidency is mandatory.
In addition, under the provisions of the relevant Law, companies operating in the field of cyber security must notify the Presidency of:
- Mergers,
- Divisions,
- Share transfers, or
- Sale transactions.
If, as a result of these transactions, any natural or legal person directly or indirectly obtains the right of control or decision making authority, these transactions will be subject to the approval of the Presidency. Such transactions carried out without the approval of the Presidency will not have legal validity.
Sanctions and Penal Provisions
In case of violation of the obligations stipulated under the Cyber Security Law No. 7545, various criminal sanctions and administrative fines are foreseen.
Article 16 of the Law details the penalties applicable in the event of a breach of the obligations prescribed in the field of cyber security. Accordingly, those who refrain from providing the information, documents, software, data, or equipment requested by the supervisory authorities, excluding public institutions and organizations, or who obstruct their acquisition, are subject to imprisonment from one to three years and a judicial fine of five hundred to one thousand five hundred days. Those who operate without obtaining the permits, approvals, or authorizations required by law are subject to imprisonment from two to four years and a judicial fine of one thousand to two thousand days. Those who violate the obligation to maintain confidentiality are sentenced to imprisonment from four to eight years, while those who unauthorizedly access, share, or offer for sale personal or critical public service data are punished with imprisonment from three to five years.
Those who create false data breach allegations in cyberspace in order to cause public panic and concern are subject to imprisonment from two to five years; those who attack Türkiye’s national cyber power face imprisonment from eight to twelve years, and those who disseminate data obtained through such attacks face imprisonment from ten to fifteen years. If the offense is committed by a public official, with multiple persons, or within the scope of an organization’s activities, the penalty is increased respectively by one-third, by half, or by up to two times. Furthermore, violation of the obligations in Article 12 of the Law is punishable by imprisonment from three to five years; those who cause data breaches in critical infrastructure through misconduct are subject to imprisonment from one to three years. If the responsibilities stipulated under subparagraphs (b) and (c) of Article 7 are not fulfilled, administrative fines between one million and ten million Turkish Liras apply; if the obligations under Article 18 are violated, fines between ten million and one hundred million Turkish Liras are imposed; in case of a violation of the fourth paragraph of Article 8, fines range between one hundred thousand and one million Turkish Liras, and for commercial companies, an administrative fine up to 5% of their gross sales revenue is foreseen.
Article 17 of the Law regulates the procedure for administrative fines. Before an administrative sanction is imposed, the relevant individual or institution is requested to present a defense; if no defense is submitted within thirty days from the notification, it is deemed that the right to defense has been waived. If the same offense is committed more than once before the administrative decision is made, a single administrative fine is imposed; the fine may be increased up to twice the amount, and if a benefit was obtained or damage was caused from the offense, the amount may be set between three to five times the benefit or damage. Administrative fines imposed by the Presidency must be paid within one month from notification; if not paid, they are collected by tax offices in accordance with the provisions of Law No. 6183 on the Procedure for the Collection of Public Receivables. 50% of the collected fine is transferred to the Presidency, and 50% is transferred to the general budget revenue. These shares are transferred to the relevant budgets by the end of the month following collection. The Law grants the right to apply to the administrative judiciary against administrative fine decisions, providing both a defense opportunity and judicial review assurance to those concerned.
