Cybersecurity Law Has Been Published

Cybersecurity Law No. 7545 Entered into Force on 19 March 2025. The Law Contains Regulations Regarding the Prevention of Cyber Threats and the Protection of Critical Infrastructures

1. Cybersecurity Directorate

The Cybersecurity Directorate (“Directorate”) was established by Presidential Decree No. 177, which was published in the Official Gazette on 8 January 2025. With the enactment of the Law, the scope of duties, responsibilities, and powers of the Directorate have been defined.

Cybersecurity Audit and Incident Response Mechanisms to be Carried Out by the Directorate:

• Cyber Incident Response Teams (SOME) will be established, and these teams will promptly respond to security breaches within public institutions and critical infrastructure.
• Penetration testing and security analyses have been made mandatory; institutions with critical infrastructure and public bodies are required to undergo regular security audits.
• Independent auditors and audit firms will be authorized to ensure the implementation of cybersecurity policies.
• The scope includes sectors deemed essential for national security and those in which critical public services must remain uninterrupted. Within this scope, data security, network infrastructure, and system security have been prioritized.
• Cyber threat intelligence will be provided to establish early warning mechanisms, and preventive measures will be taken against potential attacks.
• It has been stipulated that standards must be established and certification processes implemented to ensure the security of information systems in both the public and private sectors.
• The responsibilities of public institutions regarding information systems and data management have been increased, and continuous updates are now mandatory to ensure the security of such systems.

2. Service Providers Within the Scope of the Law

The Law also defines the scope of duties and responsibilities of those who provide services, collect or process data, and carry out similar activities through the use of information systems:

• To submit to the Directorate, fully and in a timely manner, all requested data, information, documents, hardware, software, and other contributions within the scope of activities falling under the Directorate’s authority.
• To promptly notify the Directorate of any vulnerabilities or cyber incidents detected in the areas where services are provided.
• Prior to commencing operations, to obtain approval from the Directorate in accordance with existing regulations, in cases where cybersecurity companies require certification, authorization, or accreditation.
• To comply with regulations aimed at enhancing cybersecurity maturity and to take the necessary measures in line with the policies, strategies, and action plans determined by the Directorate.

3. Cybersecurity Council

The Law provides a detailed regulation of the establishment, structure and powers of the Cybersecurity Council (“Council”). Composed of the President, relevant ministers, and senior officials, the Council undertakes key responsibilities such as determining cybersecurity policies, formulating strategies and action plans, identifying critical infrastructure sectors, and planning sector-specific incentives. In addition, the Council may establish commissions and working groups when necessary to carry out technical-level studies and involve relevant experts in the process.

4. Criminal Provisions and Sanctions

The Cybersecurity Law includes criminal sanctions aimed at enhancing deterrence against cyber threats. Accordingly:

• Those operating without the required authorization and approval shall be subject to imprisonment for a term of 2 to 4 years and an administrative fine ranging from TRY 1 million to TRY 10 million;
• Those causing damage to critical infrastructures as a result of cyberattacks shall be sentenced to imprisonment for a term of 8 to 12 years;
• Persons who unlawfully share personal data or data related to critical public services shall be sentenced to imprisonment for a term of 3 to 5 years, and those who sell or transfer such data elsewhere shall be sentenced to imprisonment for a term of 10 to 15 years;
• Persons disseminating misleading cybersecurity news or fabricating false data breaches shall be sentenced to imprisonment for a term of 2 to 5 years;
• Persons who abuse the powers and duties arising from the Law, or who cause a data breach by acting contrary to the requirements of their duty in protecting critical infrastructures against cyberattacks, shall be subject to imprisonment for a term of 1 to 3 years;
• Institutions that fail to take the necessary measures prescribed under the Law for the protection of national security, public order, or the proper functioning of public services, or that fail to promptly notify the Directorate of identified vulnerabilities or cyber incidents, shall be subject to administrative fines ranging from TRY 1 million to TRY 10 million;
• In cases where cybersecurity products, systems, software, hardware, and services are not produced in accordance with the procedures and principles determined by the Directorate; where companies operating in the field of cybersecurity fail to notify the Directorate of mergers, demergers, or share transfers; and where approval is not obtained from the Directorate in the event of a change resulting in direct or indirect control over the company, administrative fines ranging from TRY 10 million to TRY 100 million shall be imposed;
• Commercial companies that fail to comply with cybersecurity rules may be subject to administrative fines of up to 5% of their gross annual revenue audited by independent auditors.

5. Regulations on Cybersecurity Products and Companies

The Law subjects the export of cybersecurity products, software, and services to specific rules. The export process must be conducted in accordance with the procedures and principles determined by the Directorate, and Directorate approval must be obtained for products subject to authorization. Additionally, companies operating in the field of cybersecurity are required to notify the Directorate of any mergers, demergers, share transfers, and sales transactions. If such transactions result in a change of direct or indirect control over the company, the change shall be subject to the approval of the Directorate. Transactions carried out without such approval shall be deemed null and void.

6. Compliance and Transition Process

The Law provides for specific transition processes to ensure that existing cybersecurity systems align with the new regulations.

• The cybersecurity functions of the Information and Communication Technologies Authority (ICTA) and the Digital Transformation Office shall be transferred to the Cybersecurity Directorate within six months.
• Companies operating in the field of cybersecurity are required to complete the certification and authorization processes in accordance with the established principles within one year.
• The regulations regarding the implementation of the Law are expected to enter into force within one year. During this period, provisions of the existing legislation that are not in conflict with the Law shall remain in effect.

The Law defines the duties and responsibilities of the Directorate and relevant institutions, regulating mechanisms for risk analysis, intelligence, and oversight against cyber threats. Furthermore, it establishes the scope of cybersecurity regulations, ensuring that institutions take necessary precautions and that a coordinated structure is formed to counter digital threats.

You may access the relevant Law through this link (only avaliable in Turkish).