THE CYBERSECURITY LAW HAS BEEN PUBLISHED

Law No. 7545 on The Cybersecurity Law (“Law”) was published in the Official Gazette on 19/03/2025.

The Law, which covers public institutions and organizations operating in cyberspace, public professional organizations, natural and legal persons, as well as organizations without legal personality, aims to strengthen Turkey’s cybersecurity infrastructure, ensure the protection of digital data, and create a more effective defense against cyberattacks.

FUNDAMENTAL PRINCIPLES
The Law sets out the fundamental principles to be followed in the field of cybersecurity.
Cybersecurity is directly related to national security.

·         Cybersecurity is directly related to national security.

·         Protecting critical infrastructures is a priority.

·         Domestic products should be preferred in cybersecurity measures.

·         The goal is to spread the cybersecurity culture throughout society.

·         Cybersecurity policies should be implemented with a continuous development approach.

CYBERSECURITY PRESIDENCY
The Law defines the duties of the Cybersecurity Presidency (“Presidency”) in strengthening Turkey’s cybersecurity framework, as follows: 

·         To fulfill the duties specified in the relevant legislation.

·         To enhance the cybersecurity resilience of critical infrastructures and information systems.

·         To create an asset inventory for public institutions and critical infrastructures.

·         To establish and oversee Cyber Incident Response Teams (CIRT).

·         To set standards in the field of cybersecurity.

·         To conduct certification, auditing, and testing processes.

The Presidency is granted the following authorities while carrying out its duties in the field of cybersecurity.
 

·         To exercise powers based on the legislation.

·         To take necessary measures for protection against cyberattacks and ensure deterrence.

·         To provide support for cyber incident response.

·         To audit cybersecurity products and engage in international cooperation when necessary.

·         To authorize independent auditors conducting cybersecurity audits and store personal data obtained during these audits for a certain period.

Following responsibilities related to cybersecurity have been imposed on those providing services and processing data using information systems. 

·         To provide the data, information, documents, hardware, and software requested by the Presidency in a timely manner.

·         To implement cybersecurity measures as required by the legislation and immediately report any identified vulnerabilities or cyber incidents.

·         To procure authorized and certified cybersecurity products.

·         To obtain the Presidency’s approval before the operations of cybersecurity companies subject to certification.

·         To comply with the cybersecurity policies set by the Presidency.

The Presidency will carry out these activities in cooperation with public institutions and other relevant organizations.
The Presidency is authorized for auditing under the Law, as follows: 

·         The Presidency may audit any transactions within the scope of the Law. Audits are conducted by the Presidency staff or authorized auditors. Audits in public institutions are conducted by the Presidency staff.

·         The Presidency determines the criteria for audits based on priority and risk assessments and may conduct off-program audits if necessary..

·         Public officials are required to assist those assigned to audits.

·         Auditors are authorized to examine data, devices, software, take copies, and request explanations. Those being audited must provide the necessary infrastructure for the audit.

·         For national security or preventing cyberattacks, searches, copying, and seizures can be carried out with a court order or prosecutor’s written instruction. No court order is required for public institutions.

CYBERSECURITY COUNCIL
With the Law, it has been decided to establish the Cybersecurity Council (“Council”), consisting of the President and various ministers, with the aim of strengthening Turkey’s cybersecurity, taking measures against cyber threats, and creating processes for responding to cyber incidents.
The duties of the Council include:

• Determining cybersecurity policies,

• Implementing the technology roadmap,

• Defining critical infrastructure sectors,

• Developing human resources, among other activities.

APPLICATION OF PENAL SANCTIONS AND ADMINISTRATIVE FINES
With the law, various penal sanctions and administrative fines have been regulated to strengthen the regulations in the fields of cybersecurity and digital data management. Some of these are as follows:

·         Those who fail to fulfill the confidentiality obligation will be punished with imprisonment for 4 to 8 years.

·         Unauthorized sharing or selling of personal or critical data will result in imprisonment for 3 to 5 years.

·         Those who create false content to cause panic or fear, despite no data breach, will be sentenced to imprisonment for 2 to 5 years.

·         Attacks on Turkey’s cybersecurity assets will lead to imprisonment for 8 to 15 years.

·         Those who misuse their duties or violate protection measures against cyberattacks will be sentenced to imprisonment for 1 to 3 years.

·         Commercial companies that fail to fulfill their auditing obligations will be subjected to administrative fines ranging from at least 100.000 Turkish lira up to 5% of their gross sales revenue in the most recent audited financial statements.

ENFORCEMENT
The above-mentioned issues will enter into force on the date of publication.
Please feel free to reach us if you have any questions.