1. Basic National Regime

1.1 Laws

According to the International Telecommunication Union's Global Cybersecurity Index, published in 2020, Türkiye is ranked 11th in the world on commitment to cybersecurity. Hence, it is fair to say that Türkiye is one of the most cybersecure countries in the world, and it is keen on making further significant improvements in this area. Increasing this rank up to ninth is part of Türkiye's Development Plan for 2024–2028.

Currently, Türkiye does not have a standalone legal framework governing cybersecurity; the legal framework, in fact, is quite fragmented. It is possible to find relevant provisions related to cybersecurity, security, and confidentiality of electronic communications ("e-communication"), data breach notifications and incident response under various legislative pieces.

The most relevant legal instruments, as well as policy documents, are as follows.

General Regulations

The Constitution of the Turkish Republic (the "Constitution")

The Constitution does not directly set out any provision on cybersecurity. However, as cybersecurity is an umbrella term covering data protection, whether it is personal or non-personal data, it can be considered that cybersecurity is partly and indirectly set out under:

  • Article 20(3), which provides the right to protection of personal data; and
  • Article 22, which provides the freedom of communication as an individual right to any person.

The Law on Regulation of Publications via the Internet and Combating Crimes Committed by Means of Such Publications No 5651 (the "Internet Law")

The Internet Law aims to regulate the obligations and responsibilities of content providers, hosting providers, internet service providers, social network providers and access providers to combat crimes committed via the internet.

The Internet Law directs the Turkish Information and Communication Technologies Authority (ICTA) to establish co-ordination between the relevant public institutions, law enforcement agencies, above-mentioned providers and other related institutions and organisations to ensure the safe use of the internet, raise public awareness, and carry out necessary activities (such as conducting activities on taking necessary measures within the scope of national cybersecurity policies).

The Law on Electronic Communication No 5809 (the "E-Communication Law")

As Türkiye does not yet have a general cybersecurity law, introduction of a network and information security regulation is planned, modelled mostly after the EU's Network and Information Security (NIS) Directive (the "NIS Directive"). To establish the normative background for cybersecurity and institutional framework for overseeing cybersecurity, a special rule was incorporated into the E-Communication Law.

Information security is among the basic principles in the E-Communication Law, which provides the main framework for network security, confidentiality of communication, and protection of personal data. Detailed provisions concerning each may be found under the several secondary pieces of legislation enacted based on this law for the same purpose.

Although this law almost entirely regulates e-communication sectors, its Article 60(11) empowers ICTA to take measures or to ensure that all measures are taken to protect public institutions and organisations, and natural and legal persons, from cyber-attacks, and to provide deterrence against this.

Hence, not only is ICTA the authorised regulatory body in the e-communications sector, but it also has comprehensive authority over private and public organisations in relation to cybersecurity.

The Council of Ministers Decision on Carrying Out, Managing and Co-ordinating National Cybersecurity Activities, dated 11 June 2012 (the "Council of Ministers Decision on Cybersecurity")

This decision is one of the landmarks of Türkiye's cybersecurity policy.

It defines national cybersecurity as: "security of all services, transactions and data provided via information and communications technologies as well as systems used for provision thereof".

This decision empowers the Ministry of Transport and Infrastructure (MTI) to oversee the national cybersecurity in Türkiye and to prepare policy, strategy and action plans to ensure cybersecurity on a nationwide scale (among other powers). The MTI carries out these tasks through ICTA and other public institutions.

The Communiqué on Procedures and Principles of the Establishment, Duties and Activities of Cyber-Incidents Response Centres (CERTs) (the "Communiqué on CERTs")

The purpose and scope of this communiqué is to ensure CERTs carry out their services effectively and efficiently by determining the procedures and principles of their establishment, duties and work.

The Guideline for Establishment and Management of Institutional CERTs (the "Institutional CERT Guideline") and the Guideline for Establishment and Management of Sectoral CERTs (the "Sectoral CERT Guideline")

These guidelines, published by the National Cyber Incidents Response Centre (TR-CERT), provide guidance on:

  • establishing and managing institutional CERTs and sectoral CERTs in relevant organisations;
  • their relationship with each other and the TR-CERT;
  • capacity planning;
  • qualifications of the personnel (education level and experience);
  • mandatory training; and
  • the steps that personnel must take before, during and after a cybersecurity incident.

They also include principles for communication with internal/external stakeholders and for the establishment of institutional and sectoral CERTs.

The Decree on Information and Communication Security Measures No 2019/12 issued by the Presidency of Türkiye (the "Presidency Decree")

The Presidency Decree has set specific measures that were deemed appropriate to diminish and neutralise security risks – in particular, ensuring the security of critical data that may jeopardise national security or deteriorate public order, especially when its confidentiality, integrity or accessibility is compromised. The Presidency Decree provides an obligation to securely store critical data such as population, health and communication records, as well as genetic and biometric data, within Türkiye.

The Decree covers public institutions and organisations as well as businesses providing critical infrastructure services (ie, energy, electronic communications, banking and finance, critical public services, water management, transportation) for 2020–2023. The Information and Communication Security Guide details the obligations in the Decree. The Guide is extensive and defines asset groups (eg, network and systems, apps, devices, physical places, personnel), their criticality level, measures, application process, the compliance plan they must follow, and so on.

The Turkish Data Protection Law No 6698 (the "DP Law") and its secondary legislation

The DP Law covers all personal data-processing activities in Türkiye. From a cybersecurity perspective, it also regulates security of personal data and full or partly automated and non-automated data-processing systems. According to the DP Law, controllers are obliged to take all necessary technical and organisational measures to provide a sufficient level of security to:

  • prevent unlawful processing and accessing of personal data; and
  • ensure the safekeeping of personal data.

A personal data breach notification duty for controllers is also set forth in the same provision.

The Turkish Criminal Code (TCrC)

The TCrC criminalises several actions in connection to cybersecurity and sets out criminal sanctions of imprisonment between six months and eight years for these actions. Some are as follows:

  • unlawful access to a cyber-system;
  • blocking or bricking the cyber-system or destroying, modifying or making inaccessible the data within a cyber-system;
  • misuse of debit or credit cards;
  • manufacturing, importing, dispatching, transporting, storing, accepting, selling, offering for sale, purchasing, giving to others or keeping forbidden devices and software that are used to break a computer program's password or such a code in order to commit a crime described in the bullet points above;
  • committing theft or fraud via cyber-systems;
  • unlawful recording of personal data;
  • unlawful transfer, publication or acquisition of personal data; and
  • failure to destroy personal data after the retention period set forth in the applicable laws.

The Policy Framework

National cybersecurity strategy and action plans

2013–14 term

In accordance with this action plan, the TR-CERT, whose main task is to oversee cybersecurity incident response activities and reporting, was established.

In addition, sectoral CERTs were established for co-ordinating cybersecurity incident response activities for critical sectors, and institutional CERTs were established for carrying out cybersecurity incident response activities within certain organisations, such as governmental bodies and companies working in critical sectors.

2016–19 term

This action plan resulted from the need to update the previous one due to the development of information and communication technologies, the increasing need for cybersecurity and the experience gained.

The updated action plan set out:

  • cybersecurity risks, such as unauthorised access and disclosure of citizens' personal data or public information following an attack targeting the information systems used by public institutions or critical infrastructure; and
  • the strategic objectives and actions for cybersecurity.

In this action plan, actions are grouped under five categories:

  • strengthening cyber defence and protecting critical infrastructures;
  • fighting against cybercrimes;
  • improvement of awareness and human resources;
  • developing the cybersecurity ecosystem; and
  • integration of cybersecurity into national security.

2020–23 term

This action plan recognised international co-operation as an important part of national cybersecurity strategy due to the inherently cross-border nature of cybersecurity. Thus, the government pledges to make efforts to increase bilateral and multilateral co-operation, improve information sharing and contribute to the activities that are carried out for establishing international common norms and standards in cyberspace.

In this action plan, actions are grouped under eight categories:

  • protecting critical infrastructure and increasing resilience;
  • building national capacity;
  • organic cybersecurity network;
  • security of new generation technologies;
  • fighting against cybercrime;
  • developing and fostering national and domestic technologies;
  • integrating cybersecurity into national security; and
  • improving international co-operation.

For other legislation (eg, sectoral and specific legislation), please see 2.1 Key Laws.

Strategy and Budget

12th Development Plan (2024–2028)

Apart from certain sector-specific policies and measures (eg, financial markets, education and health), this plan sets out the following general policy goals for information technologies:

  • strategic, regulatory and technological efforts to ensure national cybersecurity and strengthening institutional structures;
  • updating the National Cyber Security Strategy and Action Plan in the context of new-generation cyber-threats and technological developments;
  • enacting regulations in line with the EU's "NIS2 Directive" and the best international practices;
  • administrative structuring for high-level co-ordination of national cybersecurity activities;
  • strengthening cybersecurity threat intelligence through the development of AI and big data analytics applications;
  • strengthening the national cybersecurity infrastructure;
  • enacting and implementing procedures and principles on the establishment of an information security system in critical infrastructures;
  • introducing cybersecurity standards in the needed fields;
  • improving the domestic cybersecurity ecosystem, spreading national solutions, and boosting competitiveness on an international scale;
  • supporting domestic solutions to be developed in ways that enable them to have a competitive presence on international markets;
  • developing test infrastructures for cybersecurity;
  • increasing the use of domestic cybersecurity products, primarily in public institutions;
  • raising cybersecurity awareness and training a competent workforce in Türkiye;
  • building programmes aimed at cybersecurity training and betterment of career opportunities;
  • making new business models to preserve the competent workforce;
  • improving the content, quality and environment for training personnel fit for the sectoral needs; and
  • activities for raising public awareness on cybersecurity.

1.2 Regulators

The Ministry of Transport and Infrastructure (MTI)

According to the Council of Ministers Decision on Cybersecurity, the MTI has been authorised for the implementation, administration and co-ordination of national cybersecurity actions and preparation and co-ordination of policy, strategy and action plans regarding the governance of national cybersecurity.

The MTI is the government agency overseeing all other cybersecurity organisations throughout Türkiye. It oversees and conducts cybersecurity activities at the strategic level through the TR-CERT.

The MTI's responsibilities on cybersecurity include:

  • preparing strategy and action plans to ensure national cybersecurity;
  • preparing the procedures and principles necessary for ensuring the security and privacy of the information and data belonging to public institutions and organisations; and
  • monitoring the establishment of the technical infrastructures in public institutions and organisations, ensuring verification, and testing the applications' efficiency.

Information and Communication Technologies Authority

While policymaking is the responsibility of the MTI, the regulatory function is assigned to ICTA.

ICTA is an independent administrative institution and has administrative and financial autonomy.

In addition to its regulatory role in telecommunications, ICTA closely monitors cybersecurity incidents through publicly available and private forums and mediums. ICTA also audits and warns private companies concerning specific cybersecurity threats and technical vulnerabilities.

For this purpose, ICTA works in co-ordination with public and private organisations. In its "2024 External Business Plan", ICTA lists measures for reducing the likelihood and potential impacts of cyber-incidents, and for ensuring the continuity of services and data security of critical infrastructures in Türkiye, such as:

  • capacity building (training qualified personnel);
  • implementing technological measures (early detection, alarm generation, preventative actions and other technical solutions);
  • developing effective collaboration and ensuring efficient co-ordination; and
  • protecting critical infrastructure and data (expansion of the identification of assets belonging to critical infrastructures, regulation, supervision, etc).

The Digital Transformation Office (DTO)

The DTO has played an active role in cybersecurity, big data, artificial intelligence, and digital transformation since its establishment in 2018.

Among other duties, the DTO focuses on developing projects supporting national cybersecurity and information security, monitoring the implementation of policies, strategies and action plans on cybersecurity throughout the country, and carrying out studies to identify critical infrastructures.

In July 2020, the DTO published an Information and Communication Security Guide. Please see 3.3 Legal Requirements and Specific Required Security Practices for the details and content of this guide.

TR-CERT

In 2013, the TR-CERT was established under ICTA to identify emerging threats, take measures to reduce and eliminate the effects of possible attacks and incidents on the national cyberspace, and share them with the relevant actors.

The TR-CERT oversees the management of the response to cybersecurity incidents from beginning to resolution. It co-ordinates with CERTs, which are required to report cybersecurity events to the TR-CERT.

The TR-CERT also carries out awareness-raising and guidance activities to increase the awareness of public institutions and organisations against cyber-attacks.

CERTs

Sectoral CERTs

Sectoral CERTs are established under:

  • the regulatory and supervisory bodies; or
  • the relevant ministries of critical sectors.

Sectoral CERTs are responsible for co-ordination, regulation and supervision of cybersecurity in their respective critical sectors.

Sectoral CERTs act in co-ordination with the TR-CERT and institutional CERTs operating in the sectors concerned.

Institutional CERTs

Institutional CERTs are established within public and private organisations.

All organisations operating in the critical infrastructure sectors must establish an institutional CERT thereunder. Nonetheless, ICTA has the authority to order a public or private organisation to establish and maintain a CERT, even if such organisation does not operate in critical infrastructure sectors.

Institutional CERTs also act in co-ordination with the TR-CERT and sectoral CERTs operating in the concerned sector, as applicable.

The personnel working in CERTs are under the obligation to maintain confidentiality of the information they have obtained owing to their duties. This obligation continues after the duty ends.

The Personal Data Protection Authority (the "DP Authority")

The primary supervisory and regulatory authority for data protection matters in Türkiye is the DP Authority. It is an independent administrative institution that has administrative and financial autonomy.

The DP Authority has the power to regulate data protection activities and to take measures for protecting the rights of data subjects. The DP Authority is competent to receive data breach notices according to the DP Law.

The National Intelligence Agency

The National Intelligence Agency is entitled to collect, record and analyse information, documents, news and data by using any technical intelligence and human intelligence method, tool and system regarding foreign intelligence, national defence, counterterrorism, international crimes and cybersecurity, and to deliver the produced intelligence to the necessary institutions.

The Turkish National Police Department of Cybercrime Prevention

Established in 2011, this department provides support in the investigation of crimes committed using information technology. It gathers forensic data to fight cybercrime effectively and efficiently.

The Ministry of National Defence, the Presidency of Defence Industries, and the Turkish Armed Forces Cyber Defence Command

These entities ensure cybersecurity from a perspective of military and national defence.

Please see 2.4 Data Protection Authorities or Privacy Regulators and 10.2 Public Disclosure for further information.

The Ministry of Interior Disaster and Emergency Management Presidency

The Ministry of Interior Disaster and Emergency Management Presidency is responsible for crisis co-ordination and management to protect critical infrastructure in the event of a disaster.

Others

Apart from the above, sector-specific administrative institutions such as the Banking Regulation and Supervision Agency (BRSA), the Capital Markets Board (CMB), the Turkish Republic Central Bank (TRCB), the Energy Market Regulatory Authority (EMRA) and the Turkish Atom Energy Agency are entitled to regulate cybersecurity-related issues in their respective sectors.

1.3 Administration and Enforcement Process

The Information and Communication Technologies Authority (ICTA)

ICTA has broad powers to administer and enforce the rules on cybersecurity. ICTA was given the unique authority to take measures or compel public institutions, organisations, natural and legal persons to take all precautions against cyber-attacks and to establish deterrence against them.

For this, ICTA is entitled to request any information, documents, data and records from relevant organisations, as well as to request access to archives, databases and the communication infrastructure thereof. Natural persons or private organisations cannot avoid fulfilling the requests of ICTA on grounds of being subject to certain legal instruments.

ICTA has a special regulation dealing with administrative fines – ie, the By-Law on Information Technologies and Communications Administrative Sanctions, which lays down special procedures for issuing administrative fines.

The administrative fines related to network and information security breaches are as follows:

  • an administrative fine of up to 1% of its net sales in the previous calendar year may be imposed if the operator does not comply with the legislation on e-communications security, including network security;
  • administrative fines ranging from TRY7,962 to TRY7,962,042 million are imposed on natural persons and private legal entities other than operators who fail to fulfil the obligations or to implement the measures that are determined by ICTA within the scope of its duties for the protection against cyber-attacks; and
  • in cases where ICTA detects a violation of law, depending on the nature thereof, it may adopt other concrete measures in addition to these sanctions.

The Personal Data Protection Board (the "DP Board")

The DP Board's investigations may be initiated based on a data subject's complaint or ex officio if it becomes aware of an alleged violation.

If the DP Board identifies a DP Law violation, it can impose administrative fines from TRY47,303 to TRY9,463,213 depending on the nature of the violation.

Criteria for administrative fines

The criteria that ICTA must consider when imposing administrative sanctions are:

  • the presence of damage;
  • the existence of unfair economic gain;
  • the presence of recurrence; and
  • administrative sanctions imposed on the operator in the last five years regarding the violation of the same article and presence of good will (or lack thereof).

As per the Misdemeanours Law No 5326, when determining the amounts of administrative fines, the DP Board must consider:

  • the severity of the breach;
  • the fault of the breaching party; and
  • its economic condition.

Appeal to decisions of ICTA and the DP Board

The sanctioned party has a right to appeal against DP Board or ICTA decisions.

All decisions of ICTA, including administrative fines, can be appealed before the administrative courts.

On the other hand, if the DP Board's decision includes only an administrative fine, the controller may object to this decision before the Magistrate Criminal Court within 15 days from the receipt of the decision. The decisions of the Magistrate Criminal Court can be appealed to another Magistrate Criminal Court in the same district.

Where the decision includes an administrative order, with or without an administrative fine, the controller can object to the decision before the administrative courts, whose decisions may be appealed to the Council of State.

From 1 June 2024, appeals against DP Board decisions will be heard by the Administrative Courts instead of the Magistrate Criminal Courts. Please see 1.8 Significant Pending Changes, Hot Topics and Issues for details.

Criminal Sanctions

As stated in 1.1 Laws, the TCrC criminalises certain actions that involve personal and non-personal data processing.

The investigation may commence without any complaint – ie, ex officio by public prosecutors. The final sentence is handed down by the courts. Under certain circumstances, it is possible to appeal the judgment of the first-tier court to the second-tier court, the Regional Criminal Court. As a final step, it is possible to appeal against the Regional Criminal Court's judgment before the Court of Appeals if the sentence of the court meets specific criteria.

1.4 Multilateral and Subnational Issues

The Budapest Convention on Cybercrime of the Council of Europe ("CETS 185")

Türkiye signed the Budapest Convention (with a few reservations) on 10 November 2010. The Convention was ratified on 29 September 2014 and came into force on 1 January 2015.

After accepting and ratifying the Convention, Türkiye amended related legislative instruments in line with the Convention, such as the TCrC. For instance, crimes against the confidentiality, integrity and accessibility of computer data or systems, which are regulated in the first title of the Convention, were reflected in the TCrC.

European Convention on Mutual Assistance in Criminal Matters

Türkiye is a party to the European Convention on Mutual Assistance in Criminal Matters. Furthermore, Türkiye has specific legislation in this regard – the Law on International Judicial Co-operation in Criminal Matters No 6706, dated 23 April 2016.

Convention No 108

Türkiye was one of the first countries to become a member of the Council of Europe and to sign Convention No 108. Although Türkiye signed the Convention on 28 January 1981, it did not ratify the Convention until 17 March 2016, shortly before Türkiye's adoption of the DP Law. However, Türkiye has not yet signed the Modernised Convention (also known as 108+).

Other

Türkiye has signed many co-operation agreements and memorandums with foreign countries – eg, Azerbaijan, Belarus, China, Georgia and Greece – to provide mutual assistance in the realm of cybersecurity.

1.5 Information Sharing Organisations and Government Cybersecurity Assistance

Data Protection

The DP Authority works collaboratively with public and private organisations to share information on privacy issues and encourage privacy compliance.

Cybersecurity

ICTA

ICTA closely monitors cybersecurity incidents through publicly available and private forums and mediums. ICTA also audits and warns companies concerning specific cybersecurity threats and technical vulnerabilities.

TR-CERT and CERTs

The TR-CERT and CERTs are vital structures in eliminating cyber-incidents, prioritising or reducing possible damages, and performing cyber-incident management at the national level. The co-ordination and co-operation between the TR-CERT and institutional CERTs and/or sectoral CERTs contribute greatly to Türkiye's national cybersecurity.

1.6 System Characteristics

Cybersecurity

As mentioned in 1.1 Laws, Türkiye's legal framework regarding cybersecurity is quite fragmented.

Sector-specific regulations (such as the By-Law on Information Systems Management of Capital Markets Board of Türkiye, the By-Law on Cybersecurity Competency Model in Energy Sector, the By-Law on Management Systems in Nuclear, Radiation and Radioactive Waste Facilities, and the By-Law on Internet Domain Names) mostly follow international information security standards. They require a risk-based approach and mandate notification of cyber-incidents. However, lack of a general law covering all sectors is a shortcoming of Turkish law.

Türkiye has also adopted, and continues to adopt, cybersecurity regulations for state institutions such as ministries – eg, the Ministry of Internal Affairs, the Ministry of Work and Social Security, the Ministry of Education and other public institutions.

Data Protection

Türkiye follows the EU's omnibus model for data protection. As the DP Law was enacted only eight years ago, Türkiye's data protection practice can be considered as a developing practice. However, Türkiye has made significant progress so far. Furthermore, data breaches continue to be a major threat, along with an escalation in ransomware attacks targeting critical infrastructure and businesses. The DP Authority's decisions imposing a relatively high administrative fine are almost always based on controllers' failure to ensure an adequate level of data security while processing personal data.

E-commerce

In 2021, ICTA published a guideline for information security measures to be adopted by e-commerce web operators. ICTA has not made this guideline publicly available. Rather, the guideline was directly sent to the Turkish e-commerce operators. The guideline covers:

  • application security;
  • system security;
  • network security;
  • audit and log control procedures;
  • test procedures; and
  • digital forensics procedures.

1.7 Key Developments

Cybersecurity

On 4 January 2023, the Information and Communication Security Compliance and Audit Monitoring System was launched as the centralised monitoring mechanism for compliance with the Information and Communication Security Guideline (the "ICS Guideline").

Digital Governance

The OECD has published its "Digital Governance Review of Türkiye: Towards a Digitally-Enabled Government", which includes an overview of the public sector organisation mandated to lead the digital government agenda, including cybersecurity. Based on this report, 86 of the 120 public sector organisations have professional specialists on cybersecurity available in their workforce.

Türkiye was ranked tenth out of 35 countries in the European Commission's e-Government Benchmark 2023 Report.

Energy

The By-Law on Cybersecurity Competency Model in the Energy Sector

The purpose of this By-Law, which entered into force in June 2023, is to improve cybersecurity and define the minimum acceptable level of security of industrial control systems used in the energy sector, and to establish the procedures and principles related to the cyber-resilience, proficiency and maturity thereof.

The By-Law covers industrial control systems of organisations comprised of the licence holders specified in the By-Law.

The competency model sets out three basic competency levels. The applicable competency level will be identified with sectoral criticality degrees determined by the Energy Market Regulatory Authority. The obligated organisations must implement the competency model after EMRA determines the respective criticality degrees and notifies them.

Banking and Finance

Amendments to the Communiqué on Data-Sharing Services in the Payment Services Area of Payment and Electronic Money Institutions' Information Systems and Payment Service Providers (the "Communiqué on Data-Sharing in Payment Services")

The October 2023 amendment to the Communiqué introduces a criterion to be considered by institutions that engage external service providers for critical information systems and security: the service must either be developed or have R&D centres in Türkiye. These providers or developers are obliged to have response teams in Türkiye.

Additionally, if one of the parties of the payment transaction is abroad, the institution may only transfer data abroad with the following conditions:

  • data must be stored domestically;
  • the transferred data must be limited to what is necessary for the proper processing of the transaction and in compliance with the proportionality principle; and
  • the transfer must be subject to the request or order received from the customer.

The Central Bank of Türkiye is authorised to stop or further restrict such transfers if, in its consideration, the payments area is deemed to be negatively affected.

Finally, the amendments provide further specifications for remote identity verification systems to be used by the institutions and for such to be identified as critical information systems.

1.8 Significant Pending Changes, Hot Topics and Issues

Cybersecurity

Türkiye, as a candidate country for EU membership, is closely monitoring any legal developments of the EU acquis. Türkiye has a plan to adopt the provisions of the NIS2 Directive into Turkish law, as stated under Section 581.2 of the 12th Development Plan.

In the medium term, Türkiye is expected to have standalone network and information security legislation.

Data Protection

The bill amending the DP Law was published in the Official Gazette on 12 March 2024. The bill includes some long-awaited amendments for the purpose of aligning the DP Law with the GDPR.

The amendments concern the following articles.

  • Article 6 "Conditions for processing special categories of personal data": the amendment extends the legal bases for processing special categories of personal data.
  • Article 9 "Conditions for transfer of personal data": for the cross-border data transfers, the amending bill introduces a new regime which is similar to that under the GDPR (ie, adequacy decision, BCRs, Standard Contractual Clauses, written undertaking and DP Board approval; and if these safeguards are inapplicable and the transfer is incidental, other legal bases legitimising the transfer). The previous cross-border data transfer rules will continue to be applicable until 1 September 2024.
  • Article 18 "Appealing against the DP Board's decisions and administrative fines": the decisions of the DP Board may be appealed against before the Administrative Courts instead of Criminal Magistrate Courts. Files that are still before the Criminal Magistrate Judges as of 1 June 2024 will be resolved by them.

2. Key Laws and Regulators at National and Subnational Levels

2.1 Key Laws

Some important sector-specific pieces of legislation are as follows.

Electronic Communications Sector

The By-Law on Network and Information Security in the Electronic Communications Sector (the "By-Law NIS in the E-Communications Sector")

The purpose of this By-Law is to regulate the procedures and principles to be followed by operators, and to ensure network and information security.

E-communications service providers must take measures for network and information security set forth in this By-Law, such as establishing an information security management system and a reporting and feedback mechanism to ensure that information security breach incidents and security vulnerabilities are reported without any delay.

Energy Sector

The By-Law on Cybersecurity Competency Model in the Energy Sector

Please see 1.7 Key Developments.

The By-Law on Management Systems in Nuclear, Radiation and Radioactive Waste Facilities

The purpose of this By-Law is to establish a management system that prioritises the security of the organisation and its facilities. The security policy (which includes personnel training, adopting security measures, organisational and systematic structure) is determined and monitored by the top management. The management systems in these organisations are subject to internal and external audits.

Banking and Finance Sector

The By-Law on Information Systems of Banks and Electronic Banking Services (the "ISBEBS By-Law")

The purpose of this By-Law is to regulate the minimum procedures and principles to be taken as a basis in the management of the information systems used by banks in:

  • the performance of their activities;
  • the provision of electronic banking services and the management of the risks related thereto; and
  • the necessary information systems controls that must be established.

The Communiqué on Management and Auditing of Information Systems of Financial Lease, Factoring and Finance Companies

The purpose of this Communiqué is to regulate the procedures and principles regarding the management of information systems used by financial leasing, factoring and financing companies in the performance of their activities within the scope of the Financial Lease, Factoring and Finance Companies Law and independent auditing thereof.

The Communiqué on Data Sharing in Payment Services

The purpose of this Communiqué is to regulate the procedures and principles regarding the management and auditing of the information systems used by payment and electronic money institutions and the data-sharing services of payment service providers. The Communiqué includes detailed provisions on data security measures to be adopted by payment and electronic money institutions and on security vulnerabilities and breaches.

It obliges institutions to ensure the security of information systems and to hold the board of directors (BoD) accountable for the management thereof. Additional measures are required for information systems containing sensitive customer data. The Communiqué requires organisations to notify the customers and the DP Authority when such sensitive customer information is leaked.

E-governance

The By-Law on Procedures and Principles Regarding Carrying out e-State Services

According to this By-Law, while carrying out e-governance services, each public institution and organisation must:

  • adopt cybersecurity measures for their own information systems;
  • keep access records; and
  • ensure the accuracy, integrity and confidentiality of this information.

The By-Law on Internet Domain Names

The domain registrars providing services for the Turkish top-level domain-name system are subject to the Internet Domain Names Regulation published by ICTA. As per this Regulation, the registrars are required to ensure the cybersecurity of their operations and notify ICTA of any security breach accordingly.

2.2 Regulators

Please see 1.2 Regulators and 2.4 Data Protection Authorities or Privacy Regulators.

2.3 Over-Arching Cybersecurity Agency

Currently, there is no overarching cybersecurity agency in Türkiye. ICTA, as explained previously, has general cybersecurity powers besides its role as the regulatory body of the telecommunications sector.

The DTO also performs a wide range of tasks in relation to digital transformation, which includes cybersecurity-related matters.

2.4 Data Protection Authorities or Privacy Regulators

The primary supervisory and regulatory authority in Türkiye is the DP Authority.

The decision-making body of the DP Authority is the DP Board. The main duties and powers of the DP Board are as follows:

  • conducting investigations upon the complaints of the data subjects or ex officio if it becomes aware of the alleged violation, and taking temporary measures, where necessary;
  • concluding the complaints of those who claim that their rights concerning personal data protection have been violated;
  • maintaining the Data Controllers' Registry (VERBIS);
  • imposing administrative sanctions that are provided in the DP Law;
  • determining and announcing those countries with adequate levels of protection of personal data for the purpose of international data transfers; and
  • approving the written undertaking of controllers in Türkiye and the relevant foreign country that undertakes to provide adequate protection, when adequate protection is not provided, for the purpose of international data transfers.

2.5 Financial or Other Sectoral Regulators

The BRSA, CMB and TRCB are entitled to regulate cybersecurity-related issues in their respective sectors.

Please see 1.2 Regulators, 4.3 Critical Infrastructure, Networks, Systems and Software and 5.8 Reporting Triggers for security and reporting requirements under certain financial and other sectoral legislation.

2.6 Other Relevant Regulators and Agencies

Please see 1.2 Regulators.

3. Key Frameworks

3.1 De Jure or De Facto Standards

ISO/IEC 27001 is an international standard for management of information security. It is translated into Turkish by the Turkish Standards Institute (TSI), and the TS EN ISO/IEC 27001 standard has been drafted under the name of "Information Technology – Security Techniques – Information Security Management Systems – Requirements".

ISO/IEC 27001 is a frequently used international standard in Türkiye which indicates an institution's qualifications with regard to establishing and maintaining cybersecurity measures.

Obtaining an ISO/IEC 27001 certificate is a de jure standard in several sectors, especially in the e-communications sector and energy sector, and for e-invoice service providers. However, many organisations have chosen to voluntarily comply with the ISO 27001 standard as a good practice to improve cybersecurity.

Another standard that draws attention to information security in Türkiye, especially in the banking sector, is Control Objectives for Information and Related Technologies (COBIT). All banks are required to meet COBIT standards thanks to the BRSA's communiqués and by-laws which have been published since 2006 and have made COBIT-based auditing mandatory for all banks.

COBIT process management is used not only in banks but also in the finance and production sectors.

In the banking sector, Payment Card Industry Data Security Standards (PCI DSS) is another set of standards created to ensure the security of credit card transactions.

The Centre for Internet Security Critical Security Controls (CIS CSC) is another global standard focused on reducing cybersecurity risks and protecting organisations against cyberattacks, which is increasingly implemented among public institutions and large-scale private sector companies in Türkiye.

According to the CMB's Communiqué on Independence Audit of Information Systems, auditors who audit public companies must have a CISA certificate.

ICTA's National Occupational Standards for Cybersecurity Personnel, published in the Official Gazette in 2020, defines the scope of the job and minimum requirements for the working conditions thereof.

Also, the DP Authority has published guidelines on personal data security, which provide helpful advice on security compliance with the DP Law.

3.2 Consensus or Commonly Applied Framework

Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements and Specific Required Security Practices.

3.3 Legal Requirements and Specific Required Security Practices

Cybersecurity

On 27 October 2021, the DTO published the Information and Communication Security Audit Guideline, which set forth the steps to be taken to comply with the ICS Guideline (published on 27 July 2020), which mainly adopts ISO 27001-like certification criteria.

The ICS Guideline elaborates on cybersecurity measures that must be taken by public organisations, as well as by companies that provide critical infrastructure services.

The issues regulated by the Guideline are as follows:

  • security measures for the groups of assets (network and system security, application and data security, portable devices and platform security, security of IoT devices, personnel security, security of physical environments);
  • security measures towards areas of application and technology (personal data security, instant messaging security, cloud computing security, security of crypto applications, security of critical infrastructures, new development and supply); and
  • consolidation measures concerning operating systems, databases and servers.

Data Protection

The DP Authority issued the Guideline on Personal Data Protection (Technical and Organisational Measures) (the "Measures Guideline") in 2018.

Technical measures that were laid out in the Measures Guideline are as follows:

  • authorisation matrix;
  • authorisation control;
  • access logs;
  • user account management;
  • network security;
  • application security;
  • encryption;
  • penetration test;
  • attack detection and prevention systems;
  • log records;
  • data masking;
  • data loss prevention software;
  • back-up;
  • firewalls;
  • up-to-date antivirus systems;
  • deleting, destroying or anonymising; and
  • key management.

Organisational measures laid out in the Measures Guideline are as follows:

  • preparing a personal data-processing inventory;
  • establishing institutional policies (access, information security, usage, retention and destruction, etc);
  • data processing and confidentiality agreements (between controllers and between controllers and processors);
  • privacy undertakings by employees;
  • periodic and/or random inspections within the institution;
  • risk analyses;
  • adding legislation-compliant provisions to employment contracts and disciplinary regulations;
  • institutional communication (crisis management, informing the DP Board and data subjects, reputation management, etc);
  • training and awareness-raising activities regarding information security and legislation; and
  • registering with VERBIS.

If the personal data is kept on the cloud, the following measures are recommended:

  • encryption of data with cryptographic methods;
  • encrypted transfer of data to cloud environments;
  • where possible, using encryption keys specifically for each cloud solution service; and
  • deleting/destroying all copies of encryption keys when the cloud computing service expires or is terminated.

Moreover, the DP Board introduced stricter requirements for processing of special categories of data.

3.4 Key Multinational Relationships

Please see 1.4 Multilateral and Subnational Issues.

4. Key Affirmative Security Requirements

4.1 Personal Data

According to Article 12(1) of the DP Law, controllers are obliged to take all necessary technical and organisational measures to provide an appropriate level of security for the purposes of:

  • preventing unlawful processing of personal data;
  • preventing unlawful access to personal data; and
  • ensuring the protection of personal data.

Controllers are jointly responsible with processors for implementing these measures.

Controllers must carry out necessary internal audits to ensure the implementation of provisions of the DP Law.

Controllers and processors shall have a confidentiality agreement for an unlimited time.

For more information about the security measures that the DP Board considers as adequate, please see 3.3 Legal Requirements and Specific Required Security Practices. For data breach notification requirements, please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event and 5.8 Reporting Triggers.

4.2 Material Business Data and Material Non-public Information

There are no specific security requirements on material business data or material non-public information.

According to the TCrC, those who give or disclose to unauthorised persons information or documents constituting a commercial secret, banking secret or customer secret, which are obtained as a matter of their title or duty, occupation or profession, shall be subject to imprisonment from one year to three years and a judicial fine (corresponding to) up to 5,000 days upon complaint. Judicial fines are calculated and imposed on a daily basis, with the amount varying from TRY20 to TRY100 per day. The judge decides on the specific amount to be paid for each day depending on the economic and personal circumstances of the defendant.

According to Article 82(7) of the Turkish Commercial Code (TCC), merchants may ask the court to issue them a document if the books and documents that the merchant must keep are lost due to a disaster such as fire, flood, earthquake or theft.

According to Article 7(1) of the Electronic Ledger General Communiqué, if a force majeure event in the context of the Turkish Tax Procedure Law occurs which affects e-ledgers, e-bookkeepers are obliged to apply to the Turkish Revenue Administration within 15 days from the date of the event and demand a certificate of loss. A cyber-attack may be considered as a force majeure situation within the meaning of this Communiqué.

4.3 Critical Infrastructure, Networks, Systems and Software

Critical infrastructure sectors include the following:

  • e-communications;
  • energy;
  • water management;
  • critical public services;
  • transportation; and
  • banking and finance.

Some important security requirements for these sectors are as follows.

E-communications Sector

According to Article 37 of the By-Law on NIS in the E-Communications Sector, the report on NIS must be prepared by the operator every year by the end of March and kept for five years to be sent to ICTA upon request and/or submitted during the inspections made by ICTA. The report includes certain information, such as:

  • risk assessment and processing methods, and details of transactions made according to these methods;
  • business continuity plans; and
  • information on information security breach incidents that have occurred.

Per the By-Law, operators may not allow unlicensed software and software going against Information Security Management Systems Policy rules, and must take measures to protect information and software against harmful codes and identify security measures for downloading files or software via external networks.

Operators are also obligated to define and document rules related to the transfer of software from the development environment to the production environment.

Energy Sector

Please see the By-Law on Cybersecurity Competency Model in the Energy Sector in 1.7 Key Developments.

Banking and Finance Sector

Banks and other financial institutions under the authority of the BRSA must take the measures set forth in the ISBEBS By-Law.

Moreover, personal data specific to banking relationships are also considered as customer secrets under the Banking Law. This information cannot be disclosed or transferred to third parties that are either in Türkiye or abroad without receiving a request or explicit instruction from the customer to do so, even if the customer's explicit consent to transfer personal data to a third party is obtained as per the DP Law. Please also see the Amendments to the Communiqué on Data Sharing in Payment Services in 1.7 Key Developments.

The following entities must keep their primary and secondary information systems in Türkiye:

  • banks;
  • payment institutions and electronic money institutions;
  • insurance and private pension companies (except for services such as email, teleconference or videoconference);
  • certain public companies, as well as certain capital markets institutions; and
  • financial lease, factoring and finance companies.

Other

In addition to these, the Minimum-Security Measures Document for Critical Information System Infrastructures, prepared by the Scientific and Technological Research Council of Türkiye, defines and categorises critical infrastructure in Türkiye. In addition, it determines the minimum-security measures required for critical infrastructure systems, including institutions and organisations operating critical infrastructures.

4.4 Denial of Service Attacks

Distributed denial of service (DDoS) is defined under Article 3(1)(g) in the By-Law on NIS in the E-Communications Sector.

This By-Law requires operators to establish mechanisms such as signal-processing control, user authentication control and access control in their IP addresses, communication ports and application protocols to protect their servers, routers and other network elements against cyber-attacks such as DoS/DDoS attacks.

4.5 Internet of Things (IoT), Software, Supply Chain, Other Data or Systems

The sectors with information security rules and the relevant legislation are as explained in 1.1 Laws, 1.2 Regulators and 4.3 Critical Infrastructure, Networks, Systems and Software. Although there are special provisions in the above-mentioned legislation, there is no general security requirement for the internet of things, software development, or other data or systems.

4.6 Ransomware/Extortion

In Türkiye, there are no specific legislative rules on reporting ransomware attacks, extortion or making ransom payments, or co-operation with law enforcement authorities, so the general data protection, cybersecurity regulations and the TCrC apply.

Please see 1.1 Laws, 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event and 5.8 Reporting Triggers.

5. Data Breach or Cybersecurity Event Reporting and Notification

5.1 Definition of Data Security Incident, Breach or Cybersecurity Event

Cybersecurity Event

A "cybersecurity event" is defined in the Communiqué on CERTs as a "breach or attempted breach of confidentiality, integrity or accessibility of industrial control or information systems or data processed by these systems".

If an organisation is required to establish a CERT, in principle, its CERT must report any cybersecurity event to the TR-CERT and the relevant sectoral CERT (if applicable).

Conversely, an organisation which is not required to establish a CERT does not have such reporting duty (voluntary reporting is allowed).

Personal Data Breach

Unlike the GDPR, the DP Law does not include a definition of a personal data breach. Per the DP Board's resolution on data breaches, controllers must report to the DP Board within 72 hours and notify the relevant data subjects within the shortest time possible if personal data is unlawfully acquired by third parties.

Also, unlike the GDPR, all personal data breaches must be reported to the DP Board and communicated to the affected data subjects (even where the breach is unlikely to result in a risk to the rights and freedoms of natural persons).

5.2 Data Elements Covered

Reporting a cybersecurity event covers any data processed by ICSs and information systems.

Reporting a personal data breach to the DP Board covers only personal data affected by such breach.

5.3 Systems Covered

Reporting a cybersecurity event covers ICSs and information systems.

Reporting a personal data breach covers any information system that processes personal data affected.

5.4 Security Requirements for Medical Devices

The By-Law on Turkish Medical Devices states certain requirements for cybersecurity.

Appendix 1 of the By-Law provides mandatory security requirements to be taken by medical device manufacturers.

5.5 Security Requirements for Industrial Control Systems (and SCADA)

The minimum-security requirements applying to the ICSs (and SCADA) are as follows.

  • Protecting the systems from unauthorised access:
    1. management of physical access to the centre where the systems are located;
    2. restricting access to the systems by computer networks; and
    3. restricting portable storage platforms.
  • Management of authorised personnel's access to the systems:
    1. procedure for assigning the systems manager and operator;
    2. management of authorised personnel's user IDs and procedure of safe log-in;
    3. records management and separation of duties; and
    4. operating procedures, roles and responsibilities.
  • Management of systems' procurement, development and maintenance:
    1. management of application software's safety;
    2. management of technical deficits; and
    3. maintenance contract.
  • Work continuity precautions:
    1. back-up system centre, procedures and tests.
  • Employment of information systems security manager and personnel:
    1. security manager;
    2. personnel continuity; and
    3. personnel training and education.
  • Documentation:
    1. policy document; and
    2. management of records.
  • Intervention in cybersecurity events.

5.6 Security Requirements for IoT

The DTO's Information and Communication Security Guide recommends certain security measures for the internet of things (IoT) regarding:

  • network services and communication;
  • internal data storage;
  • authentication and authorisation;
  • API and connection security; and
  • other measures.

As for the security of the personal data processed in IoT devices, please see 3.3 Legal Requirements and Specific Required Security Practices.

5.7 Requirements for Secure Software Development

There is no regulation that uniformly regulates the secure software life cycle, patching and responsible disclosure of vulnerabilities, so the general data protection and cybersecurity regulations apply.

However, there are certain international standards and best practices that are followed by organisations in Türkiye:

  • ISO/IEC 27034 – this standard provides guidelines for application security, covering the entire software development life cycle, from requirements definition to deployment;
  • the Open Web Application Security Project (OWASP) – OWASP is a global non-profit organisation that provides resources and guidance for developing secure web applications;
  • the Building Security in Maturity Model (BSIMM) – the BSIMM is a set of best practices for software security that helps organisations understand how to build and maintain a software security programme; and
  • the National Institute of Standards and Technology (NIST) – NIST provides a framework for improving cybersecurity and managing cybersecurity risk.

Sector-specific requirements, if any, must also be considered.

5.8 Reporting Triggers

Cybersecurity Event

Please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

Personal Data Breach

Please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

Electronic Communication

In the telecommunications sector, according to the By-Law on NIS in the E-Communications Sector, the operator must notify ICTA regarding network and information security breaches that affect more than 5% of its subscribers and the circumstances that interrupt the continuity of the business. The notification must include, as a minimum, the time, nature, impact and duration of the breach, as well as the measures taken.

Banking and Finance

In the banking sector, pursuant to Article 18 of the ISBEBS By-Law, banks must report cyber-events to the BRSA.

Public Companies

A cyber-attack affecting a public company must be disclosed to the public as per the Communiqué on Material Events Disclosure.

5.9 "Risk of Harm" Thresholds or Standards

There is no "risk of harm" threshold for reporting cybersecurity events or data breaches.

6. Ability to Monitor Networks for Cybersecurity

6.1 Cybersecurity Defensive Measures

While there are no provisions that explicitly restrict network and website access monitoring, there are Turkish Constitutional Court decisions and DP Board resolutions that set forth principles for employers regarding accessing and/or monitoring their employees' work computers, work mobile phones and other electronic devices. For such access/monitoring to be performed:

  • employers must inform their employees beforehand;
  • employers must have a legitimate purpose for accessing/monitoring the devices; and
  • the accessing and/or monitoring must be proportionate to the legitimate purpose.

These principles can be used by analogy to similar activities, network monitoring and other cybersecurity defensive measures.

Moreover, the Internet Law requires hosting service providers and internet service providers to retain traffic data for one year at minimum (there is ambiguity regarding the retention period for hosting service providers in the relevant by-law).

Access providers must retain access logs that are required records for two years.

These entities are required to disclose this data to public prosecutors or other competent administrative authorities when requested.

Restrictions on Accessing and Sharing Insurance Data

The Insurance and Private Pension Regulatory and Supervisory Authority (the "Insurance Authority") issued the By-Law on Insurance Data in 2022. The measures determined for the specified insurance data are as follows:

  • data sharing with institutions, organisations and data centres other than member institutions is carried out through protocols signed by the Insurance Information and Surveillance Centre (the "Centre") and upon approval of the Insurance Authority; and
  • the Centre determines the authorised users with access to the data in the general database and the content of the data they can access upon approval of the Insurance Authority.

For data protection-related measures, please see 3.3 Legal Requirements and Specific Required Security Practices.

6.2 Intersection of Cybersecurity and Privacy or Data Protection

Cybersecurity and data protection are fundamentally linked and compatible disciplines, since both work towards the same goals and implement similar regulations and techniques.

However, there is always the risk of extreme cybersecurity precautions leaning towards excessive monitoring. Further down the line, this might cause damage to the data protection rights of the data subjects whose data is being processed within the scope of cybersecurity activities.

Thus, related actors and institutions should aim to establish and maintain a balance between these two disciplines.

7. Cyberthreat Information Sharing Arrangements

7.1 Required or Authorised Sharing of Cybersecurity Information

VERBIS is a publicly accessible registry demonstrating the data-processing activities of controllers that have an obligation to register with this system.

The information to be disclosed to VERBIS includes technical and organisational measures adopted by the controller with respect to data protection.

Please also see 5.8 Reporting Triggers.

The TR-CERT, operated by ICTA, requires covered bodies (particularly operators in critical sectors) to notify it of cyber-incidents directly. The TR-CERT also publishes a list of known vulnerabilities through its official website.

7.2 Voluntary Information Sharing Opportunities

Controllers and processors are free to share information with other people and organisations, if it is necessary for performing their legal obligations or for carrying out their business activities.

However, when sharing information, controllers and processors must comply with their obligations arising from relevant data protection and cybersecurity legislation and legal contracts, especially non-disclosure agreements (NDAs), if any.

ICTA has an active contact point for accepting notifications and denunciations from third parties. The authority welcomes voluntary information sharing.

8. Significant Cybersecurity and Data Breach Regulatory Enforcement and Litigation

8.1 Regulatory Enforcement or Litigation

ICTA does not usually publish cybersecurity fines through public mediums and prefers to keep such information confidential. However, an administrative fine decision is publicly available, dated 2022, where ICTA fined:

  • a company operating in web design, trade mark registration and software services, in the amount of TRY1,142,902.20; and
  • a company operating in hosting services, in the amount of TRY2,133,417.44.

This was for failure to take measures for the security precautions mentioned in ICTA's communications, and failure to fulfil the obligations determined by ICTA regarding national cybersecurity activities and protection against cyber-attacks.

Furthermore, DP Authority decisions are not public unless the DP Authority publishes them or a summary thereof. The following are some recent summaries that the DP Authority published on its website related to lack of technical measures.

Decision Regarding an Airline Business

The data subject saw personal data of other passengers on the check-in page accessed with a surname and Passenger Name Record (PNR) combination owing to the airline company assigning the same PNR number to several passengers. The DP Board imposed an administrative fine of TRY300,000 for failure to adopt necessary technical and administrative measures and for failure to notify the data breach.

Decision Regarding an E-commerce Company

The address and contact information of a third party with a similar name to the data subject was on the package of the product delivered by the e-commerce company, owing to a "cross barcoding error". The DP Board imposed an administrative fine of TRY75,000 for failure to adopt necessary technical and administrative measures.

8.2 Significant Audits, Investigations or Penalties

Please see 8.1 Regulatory Enforcement or Litigation.

8.3 Applicable Legal Standards

Applicable legal standards are explained throughout the text where applicable.

8.4 Significant Private Litigation

There is no major publicly known private litigation concerning cybersecurity.

8.5 Class Actions

Class actions are not applicable in Turkish law.

    9. Cybersecurity Governance, Assessment and Resiliency

    9.1 Corporate Governance Requirements

    Responsibilities of the Board of Directors (BoD)

    The TCC addresses the responsibilities of the BoD, which must act in the best interest of the company and its shareholders under a broad duty of care. These broad responsibilities are deemed to include overseeing and approving cybersecurity policies and strategies to protect the company's information assets and systems from cyber threats.

    The BoD is the competent and responsible body for adopting adequate technical and organisational measures under the DP Law in connection with the company's personal data-processing activities.

    In the payment services sector, the Communiqué on Data Sharing in Payment Services obliges organisations to ensure the security of information systems and to hold the BoD accountable for the management thereof. The BoD must conduct an annual risk assessment on information systems and submit the report on the results of this assessment to the TRCB by the end of January each year.

    Appointment of a Chief Information Security Officer (CISO)

    There are no specific provisions requiring the appointment of a CISO. However, in practice, companies occasionally appoint one.

    Appointment of a CISO may be regarded as an organisational measure under the DP Law to ensure the security of personal data, as well as falling within the broad responsibilities of the BoD.

    Training Requirements and Certifications

    There is no overarching legislation providing a cybersecurity training requirement for the BoD or company personnel in the private sector.

    However, in the public sector, public institutions (eg, especially regulatory bodies or sector-specific institutions) have specific regulations for the qualifications of their personnel.

    Guidelines for sectoral and institutional CERTs also involve capacity and qualification requirements for their personnel and list the mandatory training thereof.

    Risk Assessments

    For companies operating in critical infrastructure sectors, certain pieces of sectoral legislation require periodic risk analysis to ensure the safety of these infrastructures.

    For example, the By-Law on Cybersecurity Competency Model in the Energy Sector grants authority to the Energy Sector Regulation Board to define principles and procedures of the security analysis for industrial control systems risks. Regular vulnerability assessments and penetration tests are among the technical measures that are recommended by the DP Authority. Please see 3.3 Legal Requirements and Specific Required Security Practices.

    Standards for Recovery and Resiliency

    There are no required standards for recovery and resilience actions to be taken after a cyber-attack. However, as an international standard, the ISO/IEC 27031 has been translated into Turkish law by the TSI as the "Guidelines for information and communication technology readiness for business continuity".

    The By-Law on NIS in the E-Communications Sector sets forth an obligation to submit a report to ICTA that includes a business continuity plan. The DP Authority also recommends regular data back-up.

    Please see 3.3 Legal Requirements and Specific Required Security Practices and 4.3 Critical Infrastructure, Networks, Systems and Software.

    10. Due Diligence

    10.1 Processes and Issues

    Carrying out due diligence over a target organisation is based on the legal basis of "legitimate interest".

    When requesting and sharing personal data during a due diligence process, "proportionality" and "data minimisation" principles must be taken into consideration.

    10.2 Public Disclosure

    The relevant capital markets regulations impose an obligation on companies carrying out a public offering to state the risks of the business beforehand. Although there is no specific requirement to state cybersecurity risks, they should be mentioned during a public offering, if known.

    The information submitted to VERBIS is publicly available, including "technical and organisational measures" adopted for the security of personal data.

    For information about notifying the affected persons, please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

    11. Insurance, Artificial Intelligence and Other Cybersecurity Issues

    11.1 Further Considerations Regarding Cybersecurity Regulation

    In Türkiye, cybersecurity insurance has not been regulated as a mandatory obligation. However, some insurance companies residing in Türkiye issue cybersecurity insurance policies, and most warrant the following protections:

    • administrative fines regarding personal data;
    • data protection damage;
    • cyber-ransom damage;
    • information security and secrecy responsibility;
    • network security responsibility;
    • data breach costs;
    • business interruption insurance; and
    • legal expenses.

    The DTO's National Artificial Intelligence Strategy for 2021–2025 is a framework document outlining strategic priorities, goals and measures. The strategic priorities are as follows:

    • training AI experts and increasing employment in the field of AI;
    • supporting research, entrepreneurship and innovation;
    • broadening access opportunities to quality data and technical infrastructure;
    • taking regulatory actions to expedite socioeconomic compliance;
    • strengthening co-operation at the international level; and
    • expediting structural and workforce transformation.

Originally published by Chambers & Partners
