Turkish Cybersecurity Law: A New Dawn for Cybersecurity in Turkey

Across the globe, digital security has become a growing concern for many governments. With AI enhancements, evolving algorithms, and the commodification of user data across every platform, it has become imperative for countries to protect their citizens from cyber threats and data mismanagement. This could be seen in the steady implementation of cybersecurity laws and policies, such as the Personal Data Protection Act of Thailand or the Network and Information Security 2 Directive seen in Europe.

In this blog article, we look into Cybersecurity Law No. 7545 recently implemented to elevate Turkish cybersecurity regulations. We also look at the main highlights, penalties, and boundaries of the law itself and how the law can be used to mitigate threats to cybersecurity in Turkey while exploring the general feedback and criticisms from the public. For now, let’s get a better understanding of the latest Turkish cybersecurity law as it stands today.

Latest Turkish Cybersecurity Law

After much anticipation, Cybersecurity Law No. 7545 came into force in Türkiye following its publication in the Official Gazette on 19 March 2025. To protect digital rights, Turkey has introduced this law to protect public institutions, individuals, and private sector entities from cyber threats. The Turkish Cybersecurity Law Proposal was accepted and passed into law by the Turkish Grand National Assembly (TBMM) with 246 votes in favor and 102 votes against. The law itself outlines comprehensive policies and strategies meant to enhance national cybersecurity.

The new Turkish cybersecurity law introduces several provisions for businesses, with stricter penalties and advanced policies in place for industries deemed critical. This includes finance, healthcare, energy, and telecommunications. Before getting further into the specifics of the Turkish cybersecurity regulations, let’s look back at why the law is necessary in the first place.

History of Turkish Cybersecurity Regulations

When it comes to cybersecurity law, Turkey has always tried to remain ahead to keep up with its expanding digital infrastructure. The country has suffered from its share of cyber-attacks in the past as well. According to Bıçak Law, the previous legal framework was fragmented, relying on multiple laws such as the Turkish Penal Code, Personal Data Protection Law (KVKK), and the Law on Electronic Communications.

However, the evolving nature of cyber risks necessitated a comprehensive cybersecurity law to provide clear guidelines for protection, monitoring, and enforcement. While the digital landscape evolved heavily, cybersecurity in Turkey was still a dreaded vulnerability. The new law has also been heavily attributed to an admission by Turkey’s online authority BTK in September 2024 that the personal data of 108 million people had been stolen from government servers.

Now, Cybersecurity Law No. 7545 has provided a more comprehensive and far-reaching set of policies that protect users across the country. So, let’s look further into who exactly this new legislature is going to affect.

Scope of Cybersecurity Law No. 7545

The new law covers all public institutions and organizations, professional associations, and real and legal people operating in cyberspace. The scope of information systems is broadly defined in the Law as well. Accordingly, information systems include hardware, software, systems, and all other active or passive components used in the provision of all kinds of services, transactions, and data provided by information and communication technologies.

The activities carried out by the National Intelligence Organization, the General Directorate of Security, and the Gendarmerie General Command, as well as the activities carried out in accordance with the Law on State Intelligence Services, the National Intelligence Organization, and the Law on Internal Service of the Turkish Armed Forces are all excluded from the scope of the Law.

Key Points of Cybersecurity Law No. 7545

According to the Turkish Law Blog, the main purpose of the 7545 Law is to determine strategies and policies to strengthen cyber security in the Republic of Türkiye. While you can access the law here, it is only available in Turkish. However, we have taken the liberty of writing out some of the key highlights of the law and how it serves Turkish citizens and businesses alike:

• Prioritization of domestic and national products to ensure cybersecurity.
• Ensuring that any personal data or commercial secrets obtained under the defined powers will be deleted, destroyed, or anonymized if the reasons for accessing the data no longer exist.
• The establishment of the Cyber Security Board and its duties and powers. The Cybersecurity Board will consist of the President of Türkiye, Vice President, Minister of Justice, Minister of Foreign Affairs, Minister of the Interior, Minister of National Defense, Minister of Industry and Technology, Minister of Transport and Infrastructure, Secretary-General of the National Security Council, Director of the National Intelligence Organization (MIT), President of the Defense Industry, and the Cybersecurity President.
• The new cybersecurity authority and cybersecurity commission will have legal access to any kind of digital information stored in Turkey when approved by a court order. An earlier draft of the bill proposed giving the newly founded bodies this authority without a court order.
• Measures stipulated by the legislation should be taken for the purposes of national security, public order, or the proper execution of public service for cyber security, and vulnerabilities or cyber incidents detected in the area where service is provided should be notified to the Presidency without delay.
• Increasing the cyber resilience and maturity levels of public institutions and critical infrastructure organizations.
• Cyber security products, systems, and services to be used in public institutions and organizations and critical infrastructures should be obtained from cybersecurity experts who are authorized and certified by the Presidency.
• The sale abroad of cyber security products, systems, software, hardware, and services and the merger, division, share transfer, or sale transactions of the companies producing them will be subject to the approval of the Presidency. Any actions taken in the absence of presidential approval will be unlawful.
• While the law will enter into force on its date of publication, companies operating in the field of cybersecurity are obliged to complete their certification processes within one year. Entities failing to comply will be prohibited from operating in the cybersecurity sector.
• At the end of the transition period, non-compliant commercial companies must remove any cybersecurity-related terms from their corporate names and cease related business activities, or initiate liquidation proceedings for deregistration from the trade registry.
• Ensuring centralized monitoring, detection, and elimination of cyber security incidents.
• Implementation of deterrent sanctions through audit processes.
• Regulation of standardization, certification, and authorization processes.

The new law also includes several penalties for cybercrimes and incidents, which we’ll now explore further.

Penalties Implemented by the Turkish Cybersecurity Law

The new Turkish cybersecurity law imposes penalties for several acts:

• One million to ten million Turkish liras for those who fail to fulfill their duties and responsibilities according to this law.
• Individuals who carry out cyberattacks on components that constitute Türkiye’s national power in cyberspace or who possess any data obtained through such attacks in cyberspace will face imprisonment ranging from eight to 12 years in prison.
• Anyone who fails to provide information, documents, software, data, or hardware requested by authorized authorities or inspection officers, or prevents access to these materials will be punished with imprisonment from one to three years, along with a judicial fine ranging from 500 to 1500 days.
• Two to four years in prison and fines for operating without the required licenses and permits.
• Four to eight years in prison for failing to comply with confidentiality obligations or misusing their duties and powers.
• Three to five years in prison for sharing or selling personal or sensitive government data obtained through a cybersecurity breach.
• Two to five years in prison for falsely claiming that a cybersecurity-related data leak has occurred to cause public panic or defame institutions or individuals.

While these penalties may be enough to deter cyber criminals, the new Turkish cybersecurity law also has a dedicated authority to ensure the implementation of these policies as well.

Duties Allocated to Uphold Cybersecurity Law No. 7545

Paksoy went into detail about the duties allocated by the latest cybersecurity law in Turkey. Accordingly, the Cybersecurity Directorate, established under Presidential Decree No. 177, has been designated as the primary authority for regulating and auditing individuals and entities operating in the cybersecurity sector.

The Cybersecurity Directorate

This body assumes the previous powers of both the Information and Communication Technologies Authority and the Digital Transformation Office. Its main duties include:

• The determination of critical infrastructure and relevant institutions.
• Establishing and coordinating cyber incident response teams.
• Regulating procedures and principles for individuals and entities operating in the cybersecurity field.
• Conducting relevant audits and imposing sanctions in case of incompliance.
• Preparing standards for the cybersecurity sector.
• Testing and certification of software, hardware, products, systems, and services related to cybersecurity.
• The determination of security criteria for the use of cybersecurity software, hardware, products, and services in public institutions and critical infrastructure.

The Cybersecurity Directorate is also given extensive authority to audit cybersecurity-related matters within the scope of the Cybersecurity Law on-site. This can be done through its own experts or authorized independent auditors. It also has the right to examine and collect copies and digital images of all relevant data, documentation, electronic infrastructure, devices, systems, software, and hardware within this scope.

Anyone subject to these audits is required by the law to make their devices, systems, software, and hardware accessible, and to ensure that the necessary infrastructure and necessary measures are in place for this purpose. Failure to comply may result in administrative fines ranging from 100,000 to 1,000,000 Turkish lira. For commercial companies, these obligations carry an administrative fine of up to 5% of the gross sales revenue.

IT Companies

Under the new Turkish law, companies that provide services, collect and process data, and perform relevant activities through information systems are subject, among others, to the following obligations:

• Providing all kinds of data, information, documentation, hardware, software, and any other support requested by the Cybersecurity Directorate as part of its duties and activities in a timely and prioritized manner.
• Adopting legal cybersecurity measures for national security as well as public order and promptly notifying the Cybersecurity Directorate of any vulnerabilities or cyber incidents in their service areas.
• The procurement of cybersecurity products, systems, and services to be used in public institutions and critical infrastructure from cybersecurity experts, manufacturers, or companies authorized and certified by the Cybersecurity Directorate.
• Complying with cybersecurity-related policies, strategies, action plans, and other secondary regulations of the Cybersecurity Directorate.

Failure to comply may result in administrative fines ranging from 1,000,000 to 10,000,000 Turkish lira.

Cybersecurity Companies

The Turkish Cybersecurity Law imposes the following additional obligations on cybersecurity companies manufacturing cybersecurity products, systems, software, hardware, and services:

• Obtaining approval from the Cybersecurity Directorate before starting operations, for cybersecurity companies subject to certification, authorization, and documentation.
• Securing export permission from the Cybersecurity Directorate for certain cybersecurity products subject to export controls.
• Notifying the Cybersecurity Directorate of legal transactions involving mergers, spin-offs, or share transfers or sales.
• Obtaining prior approval from the Cybersecurity Directorate for any such transactions that result in a direct or indirect change of control.

Failure to comply may result in administrative fines ranging from 10,000,000 to 100,000,000 Turkish lira. Moreover, the transactions subject to the Cybersecurity Directorate’s approval will be deemed legally void if such approval is not obtained.

It should be noted that prior to the imposition of an administrative fine, the parties concerned will be given the opportunity to provide defense statements within 30 days of notification by the Cybersecurity Directorate. The administrative fines which are imposed by the Cybersecurity Directorate must be paid within one month from the date of their notification. Decisions of the Cybersecurity Directorate regarding administrative fines can be challenged before the administrative courts.

Within one year of the publication of the Cybersecurity Law, secondary legislation will be issued that will detail the implementation principles and procedures for the obligations set forth under the Cybersecurity Law. These regulations will play a crucial role in defining how the Cybersecurity Law will be applied in practice, including compliance and certification procedures for entities in the cybersecurity sector.

The Impact and Benefits of Turkish Cybersecurity Law

The implementation of this law represents a stronger approach to cybersecurity in Türkiye. With these policies in effect and a focus on digital rights, Turkey is allowed to drastically expand its technology accessibility, distribution, and advancements. The AKP lawmakers who created the bill have also argued that the law will enhance the country's defenses against cyber threats, strengthen national security, and safeguard both public institutions and private sector entities.

AKP lawmakers further believe that the current disinformation law, enacted in 2022, fails to adequately address cybersecurity threats – asserting that the new law will enhance the effectiveness of efforts to combat cybercrimes. The law – much like the US HIPPA regulation – serves the interests of the people.

Based on the various penalties in effect, the new law also imposes greater responsibilities on businesses in particular. The law requires a significant investment in cybersecurity infrastructure and that businesses comply with stricter risk management policies. Companies are now pushed to conduct regular cybersecurity assessments and penetration tests. The law has also pushed many businesses to invest in secure cloud storage policies and encryption protocols while providing training for employees on cybersecurity awareness and best practices.

Overall, the new Turkish Cybersecurity Law has created a more proactive and intentional culture around cybersecurity in the country. However, the law did not come to pass without its share of valid criticism and controversy.

Public Reaction to Cybersecurity Law No. 7545

According to Global Voices, several Turkish experts, civil society groups, and international observers saw the law as “a potential tool to restrict independent reporting and stifle dissent.” While the law may have pure intentions in mind, many were concerned that it could be used to prevent free speech and access to information. One of the main causes for concern was the law’s “vague and far-reaching language” that places disproportionate emphasis on controlling online narratives rather than securing digital infrastructure.

Of the 21 articles in the legislature, two were singled out by critics in particular. In the original iteration of the bill, Article 8 of the law called for broad powers and authority to be handed to the head of the Cybersecurity Directorate. This included the ability to conduct searches, seize materials, and copy digital content without needing prior court approval. Many people felt that this type of access could violate the freedom of expression and privacy of many civil society groups within the country – stoking civil tensions and putting targets on vulnerable groups. After backlash, the law was amended and the authority to search, copy, and seize data was removed from the text of the law and given to the prosecutor.

According to Bianet, the Freedom of Expression Association (İFÖD) also criticized the law and argued that it “violates the principle of legality, lacks institutional clarity, and endangers privacy and personal data protection.” The association warned that the new law contradicts Constitutional Court rulings and would allow authorities to access private information without sufficient safeguards while threatening press freedom by imposing vague and arbitrary restrictions.

Özgür Ceylan, an MP from the main opposition Republican People’s Party (CHP), criticized the law’s vague definitions and lack of oversight. "The definition of 'critical infrastructure' is left entirely to a committee led by the Presidency," he noted. "There is no independent oversight mechanism. The law introduces penalties, but no accountability measures—this is a classic AKP approach. You want unchecked power without being monitored."

Ceylan also questioned the removal of warrantless search powers from Article 8 while similar provisions remained in Articles 6 and 7, calling it a legal contradiction. He stated that while the amendment to Article 8 was appreciated, the same authority still exists in Articles 6 and 7 – which he called a clear violation of the Constitution that will be overturned by the Constitutional Court.

Another revision made to the law was in the wording of Article 16, Section 5. Following amendments, the terms “data leak” and “those who spread content,” were replaced in its final version with “cybersecurity-related data leak,” and “those who create content.” On another point of debate, Article 16 also goes on to criminalize reporting about an online data leak or sharing that report unless the authorities have confirmed the incident. It imposes a prison sentence of two to five years for anyone who knowingly creates or spreads “false” content claiming that there is a cybersecurity data leak “in order to create anxiety, fear, and panic among the public, or to target institutions or individuals.”

To argue the fairness of this particular regulation, the Committee to Protect Journalists stated that Turkey’s new cybersecurity law could criminalize legitimate reporting on cybersecurity incidents because of its overly broad and vague language. “Turkey’s new cybersecurity law could not only stifle reporting on cybersecurity-related data leaks but empowering the government to decide whether a leak actually occurred or not raises the risk of broader censorship,” said Özgür Öğret, CPJ’s Turkey representative.

In criticism of Article 16 as well, Özgür Ceylan said that while his party supports stronger cybersecurity, the law would be introducing an unnecessary crime category that already exists under the Turkish Penal Code. He continued to state that instead of protecting cybersecurity, this law would restrict press freedom and public discourse. “If passed,” he warned in conclusion, “it will hang over society like a guillotine, suppressing fundamental rights and freedoms.”

Cybersecurity in Turkey and the Cybercrime Landscape

Turkey is not a stranger to the dangers of cyber-attacks. Türkiye Today reported that over 60,000 incidents of online fraud have been detected out of 76,000 reported cases – according to the Turkish National Police’s Cybercrime Department. A large emphasis was placed on phishing, fake product sales, and illegal betting, which are leading the surge in cyber offenses across the country. Turkish authorities have noted that these crimes typically involve the use of information systems and qualify as aggravated fraud under Turkish law. Some other notable Turkish cyber incidents that have transformed the country’s digital landscape include:

• A 2016 data breach in which the personal data of some 50 million Turkish citizens was leaked.
• The 2021 cyber-attack on the country's biggest food delivery app, Yemeksepeti, resulted in a leak of the data of 19 million customers - including login information, phone numbers, emails, and address information.
• The 2024 cyber-attack on the information management system of a local hospital in Istanbul leaked the medical records of millions of patients.
• Another 2024 data breach in which Turkish authorities revealed that a data breach during the pandemic led to the data theft of 100 million citizens , including those living abroad, refugees, and other individuals who were registered with official institutions.
• The 2025 breach of satellite data which reportedly includes five .sql files containing sensitive satellite information.

These are only a few of the major cyber incidents that have occurred in Türkiye and paint a picture of a country pushing toward digital transformation while still battling the repercussions of flawed cybersecurity. If enacted correctly, the Turkish Cybersecurity Law has the potential to pave the way to a secure and advanced country that values integrity and justice.

Conclusion

While it is important to implement strict laws against criminal behavior, the controversy surrounding Cybersecurity Law No. 7545 points to a critical element of any governing legislative process: a focus on the rights and needs of the people. Türkiye has a rich history of creating and adapting to innovative technologies and will remain a substantial point for digital transformation on a global scale. The latest Turkish cybersecurity law, and its amendments, can be seen as a testament to the country’s growth and capacity to put the needs of its people above all else – even in the pursuit of technological expansion.