
Legal Shield For Digital Security: Turkey’s First Cyber Security Law – Security


The Cyber Security Law No. 7545, which came into force on March
19, 2025, aims to prevent cyber threats, determine national
strategies, and establish the Cyber Security Board for all public
and private individuals and institutions operating in cyberspace in
Turkey. The law sets out obligations for authorities to adopt
cybersecurity measures, report notifications, use authorized
products and be open to audits, while also imposing heavy prison
sentences and high administrative fines in the event of violations.
The law, which grants broad powers to the Cyber Security
Presidency, also regulates the protection of personal data. A
one-year compliance period has been granted, and individuals and
institutions that fail to fulfill their obligations by the end of
this period may face a ban on their activities.

Introduction

The Cyber Security Law No. 7545
(“Law”) entered into force upon its
publication in the Official Gazette dated March 19, 2025 and
numbered 32846.[1] The purpose of the Law is to prevent
cyber threats, reduce the impact of cyber threats, protect
individuals and authorities from cyberattacks, determine national
cyber security strategies and policies, and establish the Cyber
Security Board (“Board”).

Persons within the Scope of the Law

The scope of the Law is broadly defined. It applies to public
authorities and institutions, professional institutions with public
authority status, natural and legal persons, and institutions
without legal personality that exist, operate, or provide services
in cyberspace.

The Law defines cyberspace as the environment encompassing all
information systems directly or indirectly connected to the
internet, electronic communications, or computer networks, as well
as the connections between such networks. It follows that everyone
conducting commercial activities today must comply with the Law.
However, intelligence activities are expressly excluded from its
scope.

Regulations Introduced by the Law

(i) Basic Principles:

The Law establishes a set of fundamental principles governing
cybersecurity. For example, it includes basic principles for
providing cybersecurity, such as conducting institutional,
continuous, and sustainable work, paying attention to the principle
of accountability, and protecting basic rights and liberties, the
rule of law, and privacy. The creation of a secure cyberspace, the
pursuit of continuous improvement, and efforts to increase
qualified human resources in this field are also listed among the
basic principles.

All public authorities and institutions, as well as natural and
legal persons, are responsible for implementing cybersecurity
policies and strategies and taking the necessary measures to
prevent cyberattacks or mitigate their effects. The Law further
provides that domestic and national products shall be prioritized
in efforts to ensure cybersecurity and underscores that
cybersecurity constitutes an integral component of national
security.

(ii) Those who provide services, collect data, process data, and
carry out similar activities using information systems:

The obligations and responsibilities of those who provide
services, collect and process data, and carry out similar
activities using information systems within the scope of the law,
in other words, all persons operating in cyberspace within the
scope of their activities, have been determined. These obligations
and responsibilities are summarized as follows:

  • Providing the Cyber Security Presidency
    (“Presidency”) with all requested data,
    information and documents, etc. relevant to its duties and
    activities in a timely and prioritized manner.

  • Complying with the precautions required by legislation
    regarding cybersecurity, immediately reporting any vulnerabilities
    or cyber incidents detected in the area where they provide services
    to the Presidency,

  • Supplying cybersecurity products, systems, and services to be
    used in public authorities and institutions and critical
    infrastructure from cybersecurity companies authorized and
    certified by the Presidency,

  • Obtaining the approval of the Presidency within the framework of
    existing regulations before starting operations, as required by
    relevant cybersecurity companies, and

  • Fulfilling the requirements and taking the necessary
    precautions in the policies, strategies, action plans developed by
    the Presidency, and other regulatory procedures published to
    increase cyber maturity.

Accordingly, all public authorities and institutions operating
in cyberspace in Turkey, as well as natural persons, legal persons,
and entities without legal personality, are required to comply with
these responsibilities.

(iii) Presidency and Board:

The Presidency was established by Presidential Decree and its
responsibilities are defined in the relevant Law. The Presidency is
responsible for increasing the cyber resilience of critical
infrastructure and information systems, establishing a cyber
incident response team, setting security standards, and conducting
testing and certification. It also has audit authority, as well as
the right to request information and documents from relevant
individuals and institutions when necessary. Those from whom
information and documents are requested will not be able to refuse
to provide them by claiming that they are not subject to the
relevant legislation.

It is also provided that personal data processed in the scope of
the Law shall be processed in accordance with the basic principles
set forth in the Personal Data Protection Law No. 6698. In
addition, it is stated that personal data and trade secrets
obtained shall be destroyed ex officio when the reasons requiring
access to such data no longer exist.

The Law also sets out that a Board will be established. The
Board’s responsibilities and authorities include making
decisions regarding regulatory procedures related to cyber security
and the implementation of the roadmap prepared by the
Presidency.

(iv) Audit:

The Law states that the Presidency may, when necessary, audit
the acts and transactions under the Law and conduct on-site
inspections. However, the Law does not define the situations in
which such audits are considered necessary.

The Law also provides that local authorities, law enforcement
officers, and officials of other public institutions are obligated
to provide every kind of convenience and assistance to those
assigned to conduct investigations or inspections.

Those assigned to conduct audits may, but only within the scope
of the audit activity, examine electronic data, documents,
infrastructure, devices, systems, software, and hardware; take
copies or samples; request written or verbal explanations; prepare
reports; and inspect the relevant facilities. Those subject to
inspection are obligated to provide all information and documents,
keep relevant systems and devices accessible for inspection, and
provide the necessary infrastructure.

Searches can only be conducted in homes, workplaces, and
non-public enclosed areas with a court order or, in urgent cases
where delay would cause harm, with a written order from the public
prosecutor, for the purposes of national security, public order, or
preventing crime or cyberattacks. During searches, copying and
seizure of items may be executed. The procedures for searches,
copying, and seizure are explained in the Law.

Penal Provisions and Fines

Within the scope of the Law, many violations are subject to
different penal provisions and fines ranging from TRY 100,000 to
TRY 100,000,000. In addition, the Law provides for administrative
fines of up to 5% of gross sales revenue in a certain case. These
are listed below:

Violation: Except for public authorities and institutions, those who
fail to provide information, documents, software, data, and equipment
requested by the authorities and inspectors authorized by the Law,
or those who prevent them from being obtained
Sanction: Imprisonment for one to three years and a judicial fine of
500 to 1500 days*

Violation: Those who operate without obtaining the necessary
approvals, authorizations, or permits required by law
Sanction: Imprisonment for two to four years and a judicial fine of
1000 to 2000 days*

Violation: Those who fail to fulfill their confidentiality obligation
Sanction: Imprisonment for four to eight years*

Violation: Those who, without the permission of individuals or
institutions, make available, share, or sell personal or critical
public service-related corporate data previously exposed in a data
leak in cyberspace, whether for a fee or free of charge.
Sanction: Imprisonment for three to five years*

Violation: Those who create or spread false content about data leaks
related to cybersecurity with the aim of creating anxiety, fear,
and panic among the public, or targeting institutions or individuals,
even though they know there has been no data leak in cyberspace.
Sanction: Imprisonment for two to five years*

Violation: Those who commit cyber-attacks against the national power
of the Republic of Turkey in cyberspace or who store any data
obtained as a result of such attacks in cyberspace (unless the act
constitutes another crime punishable by a heavier penalty)
Sanction: Imprisonment for eight to twelve years*

Violation: Those who spread, send elsewhere, or sell any data
obtained as a result of the attack described above in cyberspace
Sanction: Imprisonment for ten to fifteen years*

Violation: Those who have served in the Presidency and, without
obtaining permission from the Presidency, have worked in the field
of cybersecurity for two years, as well as those who engage in trade
in this field or publish any information, documents, or similar
data obtained within the scope of their duties and activities at
the Presidency.
Sanction: Imprisonment for three to five years*

* If the crime described in the above paragraphs is committed by a
public official, the penalties shall be increased by one-third; if
committed by more than one person, the penalties shall be increased
by half; and if committed within the scope of an organization’s
activities, the penalties shall be increased by half to twice the
amount.

Violation: Those who violate the forbidden provisions in Article 12
of the Law
Sanction: Imprisonment for three to five years

Violation: Those who abuse their duties and powers provided by law,
or who cause data breaches by acting contrary to the requirements of
their duties in the context of protecting critical infrastructure
against cyberattacks.
Sanction: Imprisonment for one to three years

Violation:
(i) Those who fail to take the precautions stipulated by legislation
for the purposes of national security, public order, or the
provision of public services in relation to cybersecurity, and those
who fail to promptly report any vulnerabilities or cyber events they
detect in the area in which they provide services to the Presidency,
and
(ii) Those who do not supply cybersecurity products, systems, and
services to be used in public institutions and authorities and
critical infrastructures from cybersecurity experts, manufacturers,
or companies authorized and certified by the Presidency.
Sanction: Administrative fines ranging from TRY 1,000,000 to TRY
10,000,000

Violation: Those who fail to fulfill the duties and responsibilities
mentioned in Article 18 of the Law regarding cybersecurity products
and companies
Sanction: Administrative fines ranging from TRY 10,000,000 to TRY
100,000,000

Violation: Those subject to inspection who fail to keep the relevant
devices, systems, software, and hardware available for inspection
within the specified periods, who fail to provide the necessary
infrastructure for inspection, and who fail to take the necessary
measures to keep them in working condition.
Sanction: Administrative fines ranging from TRY 100,000 to TRY
1,000,000

Violation: If the above-mentioned misdemeanour is committed by
commercial companies
Sanction: An administrative fine of up to 5% of the gross sales
revenue stated in the annual financial statements audited by an
independent auditor, provided that it is not less than TRY 100,000.

Before administrative fines are applied, the parties concerned are
notified by letter that they have 30 days from the date of
notification to present their defense. If no defense is presented
within the specified period, the party concerned is considered to
have waived their right to defense.

Administrative fines shall be paid within one month from the
date of notification. Administrative fines that remain unpaid and
become final shall be collected by tax offices. Appeals may be
lodged with the administrative courts against decisions imposing
administrative fines issued in accordance with the law.

Compliance and Transition Process

Regulations to be implemented under the Law will come into
effect within one year. Authorities such as associations and
commercial companies operating in the field of cybersecurity must
complete their authorization procedures within one year. Otherwise,
they will not be able to operate in this field. Legal entities that
fail to fulfill their obligations by the end of the period may be
terminated by court order. Commercial companies that fail to
fulfill their obligations within the same period must remove
references to cybersecurity from their company contracts or enter
into liquidation proceedings for the purpose of being removed from
the commercial register.

Conclusion

Considering that the scope of the Law is broad and that
regulations regarding its implementation will come into force
within a year, those operating in cyberspace, providing services
using information systems, and conducting similar activities must
bring their systems into compliance with the Law without delay. In
today’s world, where cyber threats are increasing, compliance
with the Law is not only an obligation but also a necessity for the
sustainability of digital assets. Furthermore, it is important for
institutions to comply with the Law in order to protect their
reputation, avoid high administrative fines and sanctions, and
achieve a resilient structure against cyber-attacks.

Footnotes

1. (Only in Turkish) The Cyber Security Law No. 7545,
2025

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
