Introduction
On 12 March 2025, the Turkish Parliament adopted a landmark Cybersecurity Law, officially published in the Official Gazette on 19 March 2025, marking its formal entry into force. This significant legislative advancement represents a pivotal moment for Turkey's cybersecurity landscape, aiming to streamline and enhance the nation's cyber resilience through a consolidated regulatory framework.
Previously, Turkey's cybersecurity governance suffered from fragmented responsibilities distributed among multiple authorities, including the Information and Communication Technologies Authority ("ICTA"), the Presidency's Digital Transformation Office, the Ministry of Industry and Technology, the Ministry of Transport and Infrastructure, and the Presidency of Defense Industries. This dispersed structure resulted in inefficiencies, overlaps, and inadequate coordination.
With the establishment of the Cybersecurity Directorate ("CSD") by a presidential decree earlier in 2025, Turkey has begun transitioning toward centralized oversight. The newly enacted Cybersecurity Law solidifies this structural reform by mandating a unified coordination mechanism, ensuring that all cybersecurity efforts by governmental and sectoral stakeholders are harmonized effectively.
Purpose and Scope of the Law
The Law primarily aims to identify, mitigate, and manage cyber threats, protect entities from cyber-attacks, and strengthen Turkey's cybersecurity through clear strategies, effective policies, and structured guidelines for the Cybersecurity Board. The Board consists of members from various ministries and other governmental bodies and is authorized to establish national cybersecurity priorities and oversee their implementation by the CSD.
The Law covers public institutions and organizations, professional public institutions, natural and legal persons, as well as entities without legal personality, operating or providing services in cyberspace. It broadly defines cyberspace as the environment comprising all information systems directly or indirectly connected to the internet, electronic communication, or computer networks and the networks interconnecting these systems. Consequently, the Law's scope includes all IT infrastructure covering both public and private entities comprehensively.
CSD Duties and Authorities
The CSD is tasked with enhancing cybersecurity resilience, protecting critical infrastructure, conducting vulnerability assessments and penetration tests, managing cyber threat intelligence, and overseeing the establishment and maturity of cyber incident response teams. Additionally, the CSD is responsible for developing cybersecurity standards, overseeing certification processes, managing audits and enforcement, and ensuring compliance through rigorous technical criteria and legislative measures. However, the specific criteria underlying these cybersecurity standards have not yet been clearly defined; pursuant to the timeline envisaged in the Cybersecurity Law, these details will be clarified through secondary regulations and guidelines to be announced by the CSD within 1 year, by March 2026. Until then, existing regulations that do not conflict with the Cybersecurity Law, such as the Turkish personal data protection law, electronic communications law and criminal law, will remain in force.
The CSD possesses extensive authority, including taking preventive measures against cyber-attacks by integrating appropriate software and hardware into IT systems and managing collected data and log records. It provides cyber incident response support, either onsite or remotely, tracks cyber incidents, analyzes evidence, and coordinates with national and international stakeholders. The Directorate is authorized to request and evaluate necessary information, documents, and data from entities under its jurisdiction, conduct cybersecurity audits, authorize independent auditors, and classify entities based on cybersecurity risks. It also defines technical criteria for cybersecurity products and services used by public institutions and critical infrastructures, ensures compliance with established cybersecurity standards, and can implement preventive measures against non-compliant products and services. Furthermore, the CSD rigorously manages data privacy, ensuring personal data and commercial secrets are securely processed, stored, and lawfully disposed of when no longer necessary. It is noteworthy that such broad audit powers will require careful oversight to balance security needs with privacy concerns.
The CSD holds significant audit authority, allowing it to inspect all activities and operations within its scope as deemed necessary, including on-site inspections conducted by authorized personnel or independent auditors. Audits are prioritized based on risk assessments and importance criteria, and the CSD may carry out unscheduled inspections when required. Audit personnel have the authority to access, copy, and examine electronic data, documents, infrastructure, devices, systems, and software, request explanations, and prepare necessary documentation. Audited entities must facilitate these processes. However, the application and enforcement of these regulatory audit powers remain unclear, pending clarification through implementing regulations from the CSD: most powers, including audit rights, rely on guidelines, priority principles, and risk assessments yet to be established, making their immediate use unlikely. Also, in cases related to national security, public order, prevention of crimes, or cyber-attacks, the CSD is authorized, upon judicial approval or, in urgent cases, a prosecutor's written order, to perform searches and the confiscation and copying of archives and records in private residences, workplaces, and non-public closed areas. Judicial approval must be obtained within 24 hours following actions initiated without prior authorization; otherwise, all copies and seized materials must be destroyed immediately. The Law also grants a crucial exemption for data centers of authorized operators, requiring a judge's decision to conduct such judicial actions. However, ambiguities in the Law extend here as well, as "authorized data center operators" could be interpreted in various ways, a point that the CSD may clarify in the future.
Responsibilities of Stakeholders and Possible Challenges
Entities operating under this Law and providing services via IT systems have specific cybersecurity obligations. In general, they must prioritize the timely submission of requested data, information, documents, software, and hardware to the CSD, and are required to promptly report cybersecurity vulnerabilities or incidents to the CSD. Cybersecurity firms, in turn, are also required to obtain the CSD's approval before commencing cybersecurity activities, and to adhere strictly to the policies, strategies, action plans, and regulatory measures issued by the CSD to enhance cybersecurity maturity, including holding certifications to be introduced by the CSD to demonstrate competence in these areas. Finally, public institutions, and especially companies operating in the critical infrastructure sectors to be identified by the CSD, must procure cybersecurity products, systems, and services only from CSD-certified cybersecurity experts, manufacturers, or companies. This mandatory requirement could pose integration challenges and operational complexities when implementing such cybersecurity solutions in existing infrastructure systems.
Administrative Sanctions and Penalties
The Law introduces strict sanctions, notably including:
- Imprisonment from 1 to 3 years and judicial fines for failure to provide requested information or obstruction of inspections.
- Imprisonment from 3 to 5 years for unauthorized sharing or commercializing leaked personal or critical institutional data.
- Imprisonment from 2 to 5 years for spreading false information about cybersecurity breaches to incite public panic or target individuals/institutions.
- Imprisonment from 8 to 12 years for cyber-attacks against Turkey's national cybersecurity infrastructure, and 10 to 15 years for distributing or commercializing obtained data.
- Imprisonment from 1 to 3 years for abusing cybersecurity responsibilities, negligence causing data breaches, or improper protection of critical infrastructures. This highlights the importance of maintaining accountability and integrity within cybersecurity management, especially concerning critical national assets.
- Administrative fines ranging from 1 million to 10 million TRY for entities failing to report identified cybersecurity vulnerabilities or incidents immediately. This underscores the crucial need for swift action and transparency to mitigate risks effectively.
- Administrative fines ranging from 100,000 to 1 million TRY, or up to 5% of annual gross sales, for commercial entities failing to maintain inspection readiness and provide the necessary audit infrastructure. This sanction reinforces proactive compliance and cooperation as vital to maintaining national cybersecurity resilience.
Prior to imposing administrative fines, entities have the right to submit their defense within 30 days following notification. Notably, 50% of the collected administrative fines are allocated directly to the CSD's budget, raising concerns regarding the potential impact on the independence and impartiality of administrative decisions. We consider that measures should be introduced to safeguard against any potential conflicts of interest resulting from this funding mechanism.
Additionally, the Law introduces export controls on cybersecurity products, systems, software, hardware, and services developed or supported through public funding, aligning with international standards. This approach is particularly relevant for high-tech forensic IT tools commonly employed by law enforcement agencies, as these products typically require authorization from the respective national authorities before export. Furthermore, significant company law restrictions have been enacted for businesses producing cybersecurity products, systems, or services. Transactions such as mergers, acquisitions, spin-offs, or share transfers are now subject to prior approval from the CSD, mirroring regulatory frameworks seen in antitrust contexts. Particularly, the holistic regulatory surveillance brought by the Law over the direct or indirect change of control that may arise as a result of the aforementioned corporate transactions presents a significant consideration for investors, startups, and corporations' strategic planning. Monitoring the practical implementation and effectiveness of these controls will be crucial, especially in assessing whether they effectively support domestic cybersecurity innovation and growth without excessively restricting market dynamics.
Conclusion
The introduction of Turkey's Cybersecurity Law represents a critical step forward in addressing contemporary cyber threats through a centralized, comprehensive approach. By clearly defining roles and responsibilities, imposing robust compliance measures, and establishing stringent sanctions, the law enhances transparency and accountability across public and private sectors.
These legislative efforts also reflect Turkey's intention to align with global cybersecurity and digital resilience standards, such as the European Union's NIS2 Directive and DORA Regulation. These international regulations will most likely guide Turkey's forthcoming cybersecurity legislation, refining stakeholder responsibilities based on factors such as financial or operational scale, sectoral significance, or substitutability of relevant services. Such a tiered approach would also be consistent with existing Turkish legislation, such as E-Commerce Law No. 6563, which imposes graduated obligations tied to specific thresholds. As new regulations emerge in the coming days, stakeholders should stay alert for developments that clarify expectations and reinforce compliance.
Moreover, the integration of export controls and company law restrictions demonstrates Turkey's proactive stance on safeguarding sensitive technologies and maintaining digital sovereignty. The compliance obligations imposed on stakeholders, coupled with the stringent penalties for non-compliance, underscore the seriousness with which Turkey views cybersecurity threats. Although these rigorous measures may initially pose challenges for stakeholders in terms of integration and adaptation, they ultimately aim to foster a secure and resilient cybersecurity environment. While implementation challenges and uncertainties regarding specific cybersecurity standards remain, the anticipated secondary legislation should provide necessary clarity, further solidifying Turkey's cybersecurity posture and reinforcing its position as a resilient digital actor on the global stage.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.