Legal Shield for Digital Security: Turkey's First Cyber Security Law
The Cyber Security Law No. 7545, which came into force on March 19, 2025, aims to prevent cyber threats, determine national strategies, and establish the Cyber Security Board for all public and private individuals and institutions operating in cyberspace in Turkey. The law sets out obligations for authorities to adopt cybersecurity measures, report notifications, use authorized products and be open to audits, while also imposing heavy prison sentences and high administrative fines in the event of violations. The law, which grants broad powers to the Cyber Security Presidency, also regulates the protection of personal data. A one-year compliance period has been granted, and individuals and institutions that fail to fulfill their obligations by the end of this period may face a ban on their activities.
21.10.2025

Introduction
The Cyber Security Law No. 7545 (“Law”) entered into force upon its publication in the Official Gazette dated March 19, 2025 and numbered 32846.[1] The purpose of the Law is to prevent cyber threats, reduce the impact of cyber threats, protect individuals and authorities from cyberattacks, determine national cyber security strategies and policies, and establish the Cyber Security Board (“Board”).
Persons within the Scope of the Law
The scope of the Law is broadly defined. It applies to public authorities and institutions, professional institutions with public authority status, natural and legal persons, and institutions without legal personality that exist, operate, or provide services in cyberspace.
The Law defines cyberspace as the environment encompassing all information systems directly or indirectly connected to the internet, electronic communications, or computer networks, as well as the networks connecting them. It follows that everyone conducting commercial activities today must comply with the Law. However, intelligence activities are expressly excluded from its scope.
Regulations Introduced by the Law
(i) Basic Principles:
The Law establishes a set of fundamental principles governing cybersecurity. For example, it includes basic principles for providing cybersecurity, such as conducting institutional, continuous, and sustainable work, paying attention to the principle of accountability, and protecting basic rights and liberties, the rule of law, and privacy. The creation of a secure cyberspace, the pursuit of continuous improvement, and efforts to increase qualified human resources in this field are also listed among the basic principles.
All public authorities and institutions, as well as natural and legal persons, are responsible for implementing cybersecurity policies and strategies and taking the necessary measures to prevent cyberattacks or mitigate their effects. The Law further provides that domestic and national products shall be prioritized in efforts to ensure cybersecurity and underscores that cybersecurity constitutes an integral component of national security.
(ii) Those who provide services, collect data, process data, and carry out similar activities using information systems:
The obligations and responsibilities of those who provide services, collect and process data, and carry out similar activities using information systems within the scope of the law, in other words, all persons operating in cyberspace within the scope of their activities, have been determined. These obligations and responsibilities are summarized as follows:
- Providing the Cyber Security Presidency (“Presidency”) with all requested data, information and documents, etc. relevant to its duties and activities in a timely and prioritized manner,
- Complying with the precautions required by legislation regarding cybersecurity and immediately reporting any vulnerabilities or cyber incidents detected in the area where they provide services to the Presidency,
- Supplying cybersecurity products, systems, and services to be used in public authorities and institutions and critical infrastructure from cybersecurity companies authorized and certified by the Presidency,
- Obtaining the approval of the Presidency within the framework of existing regulations before starting operations, as required by relevant cybersecurity companies, and
- Fulfilling the requirements and taking the necessary precautions in the policies, strategies, action plans developed by the Presidency, and other regulatory procedures published to increase cyber maturity.
Accordingly, all public authorities and institutions operating in cyberspace in Turkey, as well as natural persons, legal persons, and entities without legal personality, are required to comply with these responsibilities.
(iii) Presidency and Board:
The Presidency was established by Presidential Decree and its responsibilities are defined in the relevant Law. The Presidency is responsible for increasing the cyber resilience of critical infrastructure and information systems, establishing a cyber incident response team, setting security standards, and conducting testing and certification. It also has audit authority, as well as the right to request information and documents from relevant individuals and institutions when necessary. Those from whom information and documents are requested will not be able to refuse to provide them by claiming that they are not subject to the relevant legislation.
It is also provided that personal data processed in the scope of the Law shall be processed in accordance with the basic principles set forth in the Personal Data Protection Law No. 6698. In addition, it is stated that personal data and trade secrets obtained shall be destroyed ex officio when the reasons requiring access to such data no longer exist.
The Law also sets out that a Board will be established. The Board's responsibilities and authorities include making decisions regarding regulatory procedures related to cyber security and the implementation of the roadmap prepared by the Presidency.
(iv) Audit:
The Law states that the Presidency may, when necessary, audit the acts and transactions under the Law and conduct on-site inspections. However, the Law does not define the situations in which such audits are considered necessary.
The Law also provides that local authorities, law enforcement officers, and officials of other public institutions are obligated to provide every kind of convenience and assistance to those assigned to conduct investigations or inspections.
Those assigned to conduct audits may, but only within the scope of the audit activity, examine electronic data, documents, infrastructure, devices, systems, software, and hardware; take copies or samples; request written or verbal explanations; prepare reports; and inspect the relevant facilities. Those subject to inspection are obligated to provide all information and documents, keep relevant systems and devices accessible for inspection, and provide the necessary infrastructure.
Searches can only be conducted in homes, workplaces, and non-public enclosed areas with a court order or, in urgent cases where delay would cause harm, with a written order from the public prosecutor, for the purposes of national security, public order, or preventing crime or cyberattacks. During searches, copying and seizure of items may be executed. The procedures for searches, copying, and seizure are explained in the Law.
Penal Provisions and Fines
Within the scope of the Law, many violations are subject to different penal provisions and fines ranging from TRY 100,000 to TRY 100,000,000. In addition, the Law provides for administrative fines of up to 5% of gross sales revenue in a certain case. These are listed below:
| Violation | Sanction |
| --- | --- |
| Except for public authorities and institutions, those who fail to provide information, documents, software, data, and equipment requested by the authorities and inspectors authorized by the Law, or those who prevent them from being obtained | Imprisonment for one to three years and a judicial fine of 500 to 1500 days* |
| Those who operate without obtaining the necessary approvals, authorizations, or permits required by law | Imprisonment for two to four years and a judicial fine of 1000 to 2000 days* |
| Those who fail to fulfill their confidentiality obligation | Imprisonment for four to eight years* |
| Those who, without the permission of individuals or institutions, make available, share, or sell personal or critical public service-related corporate data previously exposed in a data leak in cyberspace, whether for a fee or free of charge. | Imprisonment for three to five years* |
| Those who create or spread false content about data leaks related to cybersecurity with the aim of creating anxiety, fear, and panic among the public, or targeting institutions or individuals, even though they know there has been no data leak in cyberspace. | Imprisonment for two to five years* |
| Those who commit cyber-attacks against the national power of the Republic of Turkey in cyberspace or who store any data obtained as a result of such attacks in cyberspace (unless the act constitutes another crime punishable by a heavier penalty) | Imprisonment for eight to twelve years* |
| Those who spread, send elsewhere, or sell any data obtained as a result of the attack described above in cyberspace | Imprisonment for ten to fifteen years* |
| Those who have served in the Presidency and, without obtaining permission from the Presidency, have worked in the field of cybersecurity for two years, as well as those who engage in trade in this field or publish any information, documents, or similar data obtained within the scope of their duties and activities at the Presidency. | Imprisonment for three to five years* |
| * If the crime described in the above paragraphs is committed by a public official, the penalties shall be increased by one-third; if committed by more than one person, the penalties shall be increased by half; and if committed within the scope of an organization's activities, the penalties shall be increased by half to twice the amount. | |
| Those who violate the forbidden provisions in Article 12 of the Law | Imprisonment for three to five years |
| Those who abuse their duties and powers provided by law, or who cause data breaches by acting contrary to the requirements of their duties in the context of protecting critical infrastructure against cyberattacks. | Imprisonment for one to three years |
| (i) Those who fail to take the precautions stipulated by legislation for the purposes of national security, public order, or the provision of public services in relation to cybersecurity, and those who fail to promptly report any vulnerabilities or cyber events they detect in the area in which they provide services to the Presidency, and (ii) Those who do not supply cybersecurity products, systems, and services to be used in public institutions and authorities and critical infrastructures from cybersecurity experts, manufacturers, or companies authorized and certified by the Presidency. | Administrative fines ranging from TRY 1,000,000 to TRY 10,000,000 |
| Those who fail to fulfill the duties and responsibilities mentioned in Article 18 of the Law regarding cybersecurity products and companies | Administrative fines ranging from TRY 10,000,000 to TRY 100,000,000 |
| Those subject to inspection who fail to keep the relevant devices, systems, software, and hardware available for inspection within the specified periods, who fail to provide the necessary infrastructure for inspection, and who fail to take the necessary measures to keep them in working condition. | Administrative fines ranging from TRY 100,000 to TRY 1,000,000 |
| If the above-mentioned misdemeanour is committed by commercial companies | An administrative fine of up to 5% of the gross sales revenue stated in the annual financial statements audited by an independent auditor, provided that it is not less than TRY 100,000. |
Before an administrative fine is imposed, the party concerned is notified in writing that they have 30 days from the date of notification to present their defense. If no defense is presented within the specified period, the party concerned is considered to have waived their right to defense.
Administrative fines shall be paid within one month from the date of notification. Administrative fines that remain unpaid and become final shall be collected by tax offices. Appeals may be lodged with the administrative courts against decisions imposing administrative fines issued in accordance with the law.
Compliance and Transition Process
Regulations to be implemented under the Law will come into effect within one year. Authorities such as associations and commercial companies operating in the field of cybersecurity must complete their authorization procedures within one year. Otherwise, they will not be able to operate in this field. Legal entities that fail to fulfill their obligations by the end of the period may be terminated by court order. Commercial companies that fail to fulfill their obligations within the same period must remove references to cybersecurity from their company contracts or enter into liquidation proceedings for the purpose of being removed from the commercial register.
Conclusion
Considering that the scope of the Law is broad and that regulations regarding its implementation will come into force within a year, those operating in cyberspace, providing services using information systems, and conducting similar activities must bring their systems into compliance with the Law without delay. In today's world, where cyber threats are increasing, compliance with the Law is not only an obligation but also a necessity for the sustainability of digital assets. Furthermore, it is important for institutions to comply with the Law in order to protect their reputation, avoid high administrative fines and sanctions, and achieve a resilient structure against cyber-attacks.
[1] (Only in Turkish) The Cyber Security Law No. 7545, 2025
- Kemal Altuğ Özgün, Managing Partner
- Sena Karaduman İşlek, Mid-Level Associate
- Şevval Lafçı, Associate