A New Era in Cybersecurity in Turkey: Law No. 7545 on Cybersecurity

Introduction

  1. Cybersecurity in Turkey has long been shaped by sector-specific regulations and fragmented policies, developing in the absence of a comprehensive and centralized legal framework. With the growing prevalence of digitalization, cybersecurity has become critically important across many domains, including public services. Although various regulations have been introduced in sectors such as banking, electronic communications, and healthcare, common standards and oversight mechanisms have not been established.

  2. As of 2025, a new and holistic legal era has begun in the field of cybersecurity in Turkey. Within this framework, Law No. 7545 on Cybersecurity (“the Law”) has entered into force, constituting Turkey’s first comprehensive cybersecurity legislation. The implementation of the Law designates two principal actors. The Cybersecurity Council is responsible for setting Turkey’s national cybersecurity strategy, policies, and action plans, while the Cybersecurity Directorate (“the Directorate”) oversees their execution and supervision.

  3. The Law introduces authorization and certification obligations for individuals and legal entities operating in the field of cybersecurity, along with requirements for products placed on the market and services offered. Moreover, the Directorate is granted administrative oversight powers over relevant actors and is authorized to impose export restrictions on certain types of products, services, and technologies. The identification of critical infrastructures and the definition of cybersecurity measures specific to those infrastructures are also included among the Directorate’s duties and powers. Secondary regulations related to the implementation of the Law are expected to enter into force in the near future.

Administrative and Organizational Structure

  1. Cybersecurity Directorate: Under the Law, the Cybersecurity Directorate has been established as the first centralized public body in the field of cybersecurity in Turkey. The Directorate is structured as a public institution with a strong technical mandate. The Law grants the Directorate the power to issue regulatory acts, conduct inspections, impose administrative sanctions, and manage authorization and certification processes related to cybersecurity products and services. The Directorate is also authorized to identify critical infrastructures and to define technical and administrative obligations specific to those infrastructures. Its inspection powers go beyond mere information gathering and include monitoring compliance with legal obligations, requesting technical data (including log records) when necessary, and imposing administrative sanctions in case of violations. In addition, the Directorate is responsible for setting the procedures and principles for the export of cybersecurity-related products and technologies, as well as approving the export of certain products abroad (these aspects are detailed below).

  2. Cybersecurity Council: The Cybersecurity Council, chaired by the President of the Republic, serves as a strategic decision-making body that sets the direction of national cybersecurity policies. It is authorized to approve action plans, designate institutions that fall under exceptions, and resolve inter-agency authority conflicts.

  3. USOM and SOMEs: The National Cyber Incident Response Center (USOM) and Cyber Incident Response Teams (SOMEs) have been placed within a formal legal framework. SOMEs are designated as the primary units responsible for the initial response to cyberattacks within public institutions and the private sector. The Directorate has been granted powers to establish, mandate the establishment of, and supervise SOMEs; to assess and enhance their maturity levels; and to conduct cybersecurity exercises to evaluate the incident response capabilities of these teams.

Critical Infrastructures

  1. The Law introduces more sensitive and comprehensive regulations regarding critical infrastructures compared to other areas. The Law defines critical infrastructure as systems that process information or data, the compromise of which, whether in terms of confidentiality, integrity, or availability, could lead to loss of life, large-scale economic damage, security vulnerabilities, or disruption of public order. However, the Law does not specify which infrastructures fall into this category. As of now, the sectors and systems that will be designated as critical infrastructures remain unclear. Nevertheless, the Presidency’s Guide on Information and Communication Security identifies critical infrastructures as those operating in sectors such as energy, transportation, electronic communications, essential public services, and finance. It is anticipated that forthcoming secondary regulations will extend the scope of critical infrastructure to include similar sectors and systems.

Asset Inventory, Risk Analysis, and Security Measures

  1. The Law imposes an obligation on public institutions and entities designated as critical infrastructure to maintain a detailed inventory of all their assets, including data inventories. These organizations are also required to conduct comprehensive risk analyses for their assets and implement, or ensure the implementation of, appropriate security measures based on the criticality of each asset. Creating an asset inventory, identifying risks, and taking necessary precautions are of vital importance for individuals within the organization who are assigned specific duties and responsibilities in this area. This is because the Law stipulates that individuals who, by failing to fulfill their duties related to the protection of critical infrastructure against cyberattacks, cause a data breach may be sentenced to imprisonment for a term of one to three years.

Obligations of Certification, Authorization, and Accreditation

  1. The Law imposes authorization, certification, and accreditation obligations on commercial companies, associations, and foundations operating in the field of cybersecurity. These entities are required to complete the necessary processes within one year following the entry into force of the Law’s secondary regulations (which have not yet been published), in accordance with the procedures and principles to be determined by the Cybersecurity Directorate. Until these processes are completed, engaging in cybersecurity-related activities is not permitted. Furthermore, the Law provides that entities failing to fulfill these obligations may be subject to termination of operations by court order. For commercial companies, this may lead to the initiation of liquidation proceedings, including the removal of cybersecurity-related references from their articles of association and their deregistration from the trade registry.

  2. The technical details of the certification and authorization processes have not yet been defined. These operational procedures and requirements are expected to be clarified through secondary legislation. The Law further states that anyone operating without the required approvals, licenses, or authorizations may be punished with imprisonment from two to four years and a judicial fine ranging from 1,000 to 2,000 days.

Export Restrictions

  1. The Law subjects the export of cybersecurity products, systems, software, hardware, and services to procedures and principles to be determined by the Cybersecurity Directorate. The Directorate may introduce a requirement for prior authorization or evaluation for the export of specific product groups. In contrast, the Law does not contain an explicit provision regarding products imported from abroad. Nevertheless, it is acknowledged that imported products, as well as the cybersecurity firms that sell them, will also be bound by the limitations and responsibilities outlined in the Law, given that it applies to all cybersecurity products sold in Turkey. In this context, restrictions related to export procedures are expected to be clarified through forthcoming secondary regulations.

  2. In parallel with export regulations, the Law also introduces specific provisions concerning the import of materials, software, systems, and equipment required by the Cybersecurity Directorate in the performance of its duties. All types of devices, equipment, and spare parts to be imported or received through grants from abroad, along with systems and components intended for research, development, modernization, or maintenance purposes, are exempt from customs duties, funds, fees, and stamp tax. Furthermore, the requirement to obtain any permits or certificates of conformity from public institutions or private sector entities for these transactions has been eliminated.

Equity Transfer Restrictions

  1. The Law stipulates that merger, demerger, equity/share transfer, or sale transactions involving companies that produce cybersecurity products, systems, software, hardware, or services must be reported to the Cybersecurity Directorate. Within this scope, such transactions must be formally notified to the Directorate. Moreover, in certain cases, notification alone is not sufficient; prior approval from the Directorate is also required.

  2. Any transaction, whether carried out individually or jointly, directly or indirectly, that grants natural or legal persons control or decision-making authority over a company is subject to the prior approval of the Cybersecurity Directorate. Therefore, not only symbolic or minority share transfers, but also any mergers, acquisitions, or equity transfers that may affect the company’s governance structure require advance approval from the Directorate. Companies must carefully assess the nature and impact of such transactions and comply fully with the relevant notification and approval processes outlined in the Law before proceeding.

Audit

  1. The Cybersecurity Directorate is authorized to conduct cybersecurity audits. These audits are generally carried out within the framework of a pre-established program determined by the Directorate, based on criteria such as significance, priority, and risk assessments. However, the Directorate may also conduct off-schedule audits in cases where serious security vulnerabilities emerge, notifications or reports are received, or urgent intervention is required. During an audit, the Directorate may conduct on-site inspections and perform technical and administrative controls over information systems, software, and hardware infrastructure. When deemed necessary, the Directorate may request information, documents, software, log records, and system data, and compliance with such requests is mandatory. Audits may be conducted either directly by the Directorate’s personnel or through authorized independent auditors or auditing firms. However, audits of public institutions and critical infrastructure operators must be carried out by Directorate personnel or under their supervision.

  2. Persons assigned to conduct audits are authorized, during the execution of their duties, to examine systems and data infrastructures, collect samples, and request written or verbal explanations. Entities subject to audit are obligated to provide the necessary infrastructure for these procedures and to ensure that their systems remain operational and accessible for auditing purposes.

Notification

  1. In the context of cybersecurity, any identified cybersecurity vulnerabilities or incidents must be reported without delay to the Cybersecurity Directorate. The Law defines a vulnerability as any weakness or security flaw in cyber assets that may be exploited by a cyber threat. A cyber incident refers to any breach of the confidentiality, integrity, or availability of information systems or data. Accordingly, the obligation to report may arise not only in cases of cyberattacks but also when security vulnerabilities are detected. Failure to fulfill the notification obligation may result in an administrative fine ranging from TRY 1 million to TRY 10 million.

Sanctions and Penalties

  1. The Law introduces various levels of criminal and administrative sanctions depending on the severity of the violation. Prison sentences are imposed for serious offenses, while administrative fines are applied for technical or procedural non-compliance. The nature and scale of these sanctions aim to ensure deterrence for both individual and institutional actors. A summary of these sanctions is provided below:

| Type of Violation | Type of Sanction | Explanation |
|---|---|---|
| Failure to provide information, documents, data, software, or hardware to the competent authority | 1–3 years imprisonment + 500–1,500 days judicial fine | Obstruction of audit or concealment of information |
| Operating without the necessary authorization or license | 2–4 years imprisonment + 1,000–2,000 days judicial fine | Unauthorized cybersecurity operations |
| Breach of confidentiality obligation | 4–8 years imprisonment | Disclosure of legally confidential information |
| Unauthorized access to, sharing, or sale of personal or institutional data | 3–5 years imprisonment | Unauthorized exposure or distribution of data |
| Disseminating false information to incite fear or target institutions | 2–5 years imprisonment | Spreading misleading content |
| Cyberattack against national digital infrastructures or possession of data resulting from such attack | 8–12 years imprisonment | Targeting critical systems |
| Dissemination, sale, or cross-border transfer of data obtained through cyberattacks | 10–15 years imprisonment | Transmitting stolen data to third parties |
| Causing a data breach by acting in violation of duty | 1–3 years imprisonment | Failure to fulfill assigned responsibilities |
| Failure to use certified products or to comply with notification obligations | Administrative fine of 1,000,000–10,000,000 TRY | Violation of security and reporting obligations |
| Mergers, acquisitions, exports, or transfer of operations without Directorate approval | Administrative fine of 10,000,000–100,000,000 TRY | Failure to obtain prior institutional approval |
| Obstruction of audits or lack of cooperation | Administrative fine of 100,000–1,000,000 TRY (for companies: up to 5% of gross annual revenue) | Active non-compliance during audit processes |

Entry into Force and Transition Process

  1. The Law entered into force on March 19, 2025, the date it was published in the Official Gazette. However, various transitional provisions have been established.

  2. Accordingly, all assets, systems, and responsibilities related to cybersecurity activities of the Information and Communication Technologies Directorate (BTK) and the Digital Transformation Office shall be transferred to the newly established Cybersecurity Directorate within six months from the date of publication of the Law.

  3. Associations, foundations, federations, and commercial companies operating in the field of cybersecurity are required to complete certification, authorization, and accreditation procedures within one year from the effective date of the secondary legislation, which will be issued based on Article 6 of the Law, and in accordance with the principles and procedures determined by the Cybersecurity Directorate.

  4. At the end of this period, associations, foundations, and federations that fail to fulfill their obligations may be subject to dissolution by court order. Commercial companies, on the other hand, will be required to either remove cybersecurity-related terms from their trade names or initiate liquidation proceedings.

  5. The secondary regulations for the implementation of the Law are expected to enter into force within one year. During this period, the provisions of existing regulations that are not in conflict with the Law will continue to be applied.

Conclusion

  1. Law No. 7545 on Cybersecurity is the first fundamental piece of legislation in Turkey that consolidates previously fragmented sector-specific regulations into a unified cybersecurity framework. It establishes a new administrative structure, most notably through the creation of the Cybersecurity Council and the Cybersecurity Directorate. The Law introduces comprehensive obligations for companies and organizations operating in the field of cybersecurity, including authorization requirements, testing processes for cybersecurity products and services, and mandatory certification. It imposes particularly extensive compliance obligations on companies operating in sectors likely to be designated as critical infrastructure, such as energy, telecommunications, healthcare, and finance.

  2. Examples of these obligations include maintaining a complete inventory of all assets, including data inventories, identifying risks for each asset, and determining corresponding protective measures. Given the broad scope of the Directorate’s inspection powers, it is recommended that all operations be conducted in a manner that is auditable and in line with a defined program. Violations of the Law may result in prison sentences of up to 15 years and administrative fines of up to TRY 100 million or up to 5% of a company’s gross annual revenue.