1. Techno-Entrepreneurship Badge

Regulation on the Identification and Certification of Technology and Innovation-Based Startups, published in the Official Gazette dated July 3, 2025, issued by The Ministry of Industry and Technology, introduced the procedures and principles for identifying startups engaged in technology and innovation-based activities with scalable business models, and for granting them the Techno-Entrepreneurship Badge (“Badge”).

To qualify for the Badge, a startup must (i) be a sole proprietorship or capital company established in Türkiye, (ii) meet the criteria of a SME (Small and Medium-sized Enterprise), (iii) qualify as an independent enterprise, (iv) have been established for no more than fifteen years, (v) operate a technology and innovation-based, scalable business model.

This last criterion is deemed to be fulfilled if the startup is accepted by a technology development zone, technology development center, or has participated in TÜBİTAK’s 1512 or 1812 programs. Otherwise, whether the criterion is met will be determined at the discretion of the General Directorate of National Technology.

The Badge is expected to be taken into consideration particularly in administrative processes such as taxation, incentives, grants, loans, and investments. Ultimately, the Badge will be referenced in legislative provisions applicable to startup companies, such as those introduced in the context of amendments to the taxation of shares acquired through employee stock option plans.

2. Guideline on Transfer of Personal Data Abroad Published

Significant amendments were introduced to the Personal Data Protection Law (“PDPL”) regarding the transfer of personal data abroad, and subsequently, the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad was published. The Personal Data Protection Authority (“Board”) published the Guideline on the Transfer of Personal Data Abroad (“Transfer Guideline”) on 02.01.2025 in order to present its expectations regarding the safeguards stipulated by the aforementioned amendments and to eliminate the uncertainties in practice.

The Transfer Guideline explains by giving examples whether the transfer of personal data will be subject to the provisions of the PDPL according to the location of the data transferor and data recipient. Accordingly, if the data controller in the foreign country obtains personal data directly from the data subject, this transaction does not constitute a data transfer abroad. However, if the data controller in the foreign country transfers the data obtained directly from Türkiye to a data processor in a foreign country, the provisions of the PDPL on data transfer abroad shall apply. On the other hand, the transfers to be made by (i) the Turkish data controller to the foreign data controller, (ii) the Turkish data controller to the foreign data processor, (iii) the Turkish data processor to the foreign data controller, and (iv) the Turkish data processor to the foreign sub-processor are subject to the provisions of the PDPL on data transfer abroad.

Pursuant to the aforementioned amendments, a three-stage compliance mechanism was introduced for the transfer of personal data abroad. Standard contractual clauses stipulated under the appropriate safeguards attracted attention in practice as a practical tool. The Transfer Guideline includes some explanations to eliminate the uncertainties in practice in the preparation of standard contractual clauses. For instance, it is stated that it is possible to prepare the standard contractual clauses in more than one column in Turkish and in another language, provided that Turkish version shall prevail. Pursuant to the Transfer Guideline, although it is not explicitly stated in the draft standard contractual clauses, the group or groups of data subjects to whom the transferred personal data relate should be specified based on each personal data. In addition, not only the category of data (e.g. contact) but also the type of data (e.g. e-mail address) should be included in the standard contractual clauses. The Authority has also published a public announcement regarding the provisions to be approached carefully in standard contractual clauses. Accordingly, the agreement must be duly signed by the parties; if prepared in two languages, the parties’ signatures must appear beneath the Turkish text; where signed by proxy, the documents evidencing the signatory’s authority must be submitted; when required, the agreement and other documents must be submitted together with an apostille; any foreign-language documents attached must be accompanied by a notarized translation; and, finally, the content must remain unaltered.

Pursuant to the aforementioned amendments, in the absence of an adequacy decision issued by the Authority, or of appropriate safeguards, personal data may be exceptionally transferred abroad without any authorization or notification, provided that it is incidental. The Transfer Guideline states that incidental transfer must take place outside the ordinary course of business, irregularly, once or a few times, under unforeseen circumstances, and at indefinite intervals. Further details regarding the transfer of personal data abroad can be found here.

3. Guideline on the Processing of Special Categories of Personal Data Published

Significant amendments have been introduced to the PDPL regarding the processing of special categories of personal data. These amendments abolished the previous classification among special category of personal data and expanded the legal grounds for processing of special category of personal data in a manner that aligns with the general principles of data processing and the provisions under the GDPR. Guideline on the Processing of Special Categories of Personal Data (“Guideline on Special Categories of Personal Data”), issued by the Board, provides clarity on these changes and their implementation.

Firstly, since the classification among special categories of personal data has been abolished and the legal grounds for processing have been expanded, data controllers are required to update their records in the Data Controllers’ Registry (VERBIS). Secondly, in light of the changes to the legal grounds for processing, data controllers must assess whether a legal basis other than explicit consent is applicable and, where possible, rely on such alternative grounds. Thirdly, if the legal ground for data processing has changed, then the clarification text and data storage and destruction policies must also be revised accordingly to ensure consistency with the updated legal framework. Finally, data controllers must review and, where necessary, update the additional technical and organizational measures required for the secure and lawful processing of special categories of personal data.

4. Guideline on Good Practice on the Protection of Personal Data in the Payment and Electronic Money Sector Published

The Board has published the Guideline on Good Practice for the Protection of Personal Data in the Payment and Electronic Money Sector (“Good Practice Guideline”), which provides assessments under the PDPL and examples of good practices regarding personal data processing activities carried out in the context of electronic money issuance, money transfer services, POS services, bill payment intermediary services, and mobile payment services.

The Guideline provides examples identifying which parties may act as data controllers and data processors during the provision of the aforementioned services. It also emphasizes the joint responsibility of both data controllers and processors in implementing appropriate data security measures. The Guideline further provides examples of the categories of personal data processed in the course of delivering the services listed above and specifically highlights the types of data that are required to be processed under the applicable Financial Crimes Investigation Board (“MASAK”) legislation. The Guideline emphasizes that explicit consent should not be obtained where the processing of personal data is based on a legal ground other than explicit consent. It also provides examples of situations in which the conditions for processing personal data and special categories of personal data may be deemed fulfilled, depending on the nature of the service provided. Finally, the Guideline assesses the obligations of data controllers in the context of the aforementioned services and highlights, for example, that if a change in MASAK regulations results in the removal of a legal ground explicitly requiring data processing, then the personal data previously processed on that legal ground must be erased in accordance with the data controller’s data destruction obligations.

The types of personal data processed during the provision of the above-mentioned services are identified through examples, and reference is made to the data that must be processed under the legislation of the Financial Crimes Investigation Board (MASAK). The Guideline emphasizes that explicit consent must not be obtained where the processing is based on a legal ground other than explicit consent and provides examples of circumstances in which the legal conditions for the processing of personal data and special categories of personal data may be deemed fulfilled, depending on the nature of the service provided.

5. Implementation of the AI Act

On 13.03.2024, the European Parliament adopted the EU Artifical Intelligence Act and introduced the first legal framework to regulate the artificial intelligence. As of 02.02.2025, the provision prohibiting unacceptable-risk AI systems has entered into force. Within this scope, an AI system is considered prohibited if it employs subliminal or manipulative techniques, exploits physical or psychological vulnerabilities, conducts social scoring, or enables real-time biometric identification in publicly accessible spaces, including the detection of emotions or mental states in the workplace or the categorization of individuals based on sensitive characteristics. Additionally, the AI literacy obligation has also become effective as of 02.02.2025. In this context, organizations are required to design and implement a comprehensive AI literacy program. The training curriculum must be modular, tailored to both technical and administrative personnel, and all training activities must be documented, regularly updated, and provided in accessible formats to ensure accountability. Finally, it should be noted that as of 02.08.2025, the compliance obligations for general-purpose AI systems will enter into force, and administrative fines and other enforcement mechanisms will begin to apply.

6. The Cybersecurity Law Entered into Force

The Cybersecurity Law entered into force upon its publication in the Official Gazette dated 19.03.2025. The Law aims to identify and eliminate threats in cyberspace, mitigate the possible effects of cyber incidents, protect various actors against cyber-attacks and strengthen the country’s cyber security. The Law applies to public institutions and organizations, professional organizations with public institution status, real and legal persons, and organizations without legal personality that directly or indirectly exist, operate and provide services on the internet, electronic communication or all information systems connected to computer networks and networks connecting them (cyberspace).

The Cybersecurity Law regulates the duties of the Cybersecurity Presidency (“Presidency”) and the establishment of Cybersecurity Board. The Cybersecurity Law regulates the duties and responsibilities of those who provide services, collect data, process data and carry out similar activities by using information systems. Accordingly, the aforementioned parties are obliged to; (i) submit all kinds of information and documents requested by the Presidency, (ii) take the necessary measures for the purposes of national security, public order or proper performance of public service regarding cyber security and notify the Presidency without delay of the vulnerabilities and cyber incidents they detect in the area where they provide services, (iii) purchase products and services to be used in public institutions and organizations and critical infrastructures from authorized and certified cyber security experts, manufacturers or companies, (iv) comply with the policies and strategies developed by the Presidency. The Cybersecurity Law provides for a range of strict and severe sanctions, including imprisonment and administrative fines, in cases of non-compliance with the obligations it prescribes. Further details regarding the Cybersecurity Law can be found here.

7. Establishment and Operational Principles of Crypto Asset Service Providers Regulated

The Communiqué on the Establishment and Operational Principles of Crypto Asset Service Providers (III-35/B.1) (“Communiqué on CASPs”) was published by the Capital Markets Board of Türkiye (“CMB”) in the Official Gazette dated 13.03.2025. The Communiqué on CASPs sets out the procedures and principles governing the establishment of crypto asset service providers, as well as provisions relating to their founders, executives, shareholders, and personnel; their operational principles and organizational structure; obligations; share transfers; information systems and technological infrastructure; outsourcing arrangements; prohibited activities; recordkeeping requirements; and their internal audit, internal control, and risk management systems, along with the procedures for the temporary or permanent suspension of their activities.

Pursuant to the Communiqué on CASPs, crypto asset service providers (“CASPs”) are required to be established as joint stock companies, with all shares issued in registered form, and paid in cash. Their initial capital and equity must comply with the relevant regulations, their articles of association must conform to legal requirements, and their authorized activities must align with their actual operations. In addition, founders must meet the eligibility criteria set out in the legislation, and the shareholding structure must be transparent and clearly identifiable. The regulation also sets forth in detail the qualifications required for CASP founders and shareholders, and stipulates that the trade name of a CASP must include the phrases “crypto asset trading platform” or “crypto asset custody institution”.

Following the approval of their establishment by the CMB, CASPs are required to apply for an operating license within six months. In order to obtain such license, (i) the establishment conditions must still be met, (ii) the minimum initial capital must have been fully paid in cash, (iii) the capital adequacy requirements must have been fulfilled, (iv) the organizational structure must be established, (v) the general manager, deputy general managers, and personnel must meet the required qualifications, (vi) the security infrastructure as well as internal audit, control, and risk management systems must have been established, (vii) integration with the Turkish Central Securities Depository (Merkezi Kayıt Kuruluşu, “MKK”) must have been completed, and (viii) the infrastructure for the custody of storage of private keys and integration with distributed ledger networks must have been implemented. In addition to the above requirements, platforms must enter into an agreement and establish integration with a crypto asset custody institution, open a bank account for holding client funds, implement an effective complaint-handling and dispute-resolution mechanism, and establish a price surveillance system.

The Communiqué on CASPs refers to the general principles and rules applicable to investment institutions, thereby subjecting CASPs to similar obligations throughout their operations. In addition, CASPs are required to inform clients of associated risks, enter into a framework agreement with each client, publish their authorized services and corporate information on the Public Disclosure Platform (Kamuyu Aydınlatma Platformu, “KAP”), disclose various internal policies and procedures on their websites, and obtain prior approval for any share transfers.

CASPs are required to ensure that all advertisements and public announcements are objective and refrain from using misleading statements. Except in cases explicitly permitted by the applicable legislation, CASPs are prohibited from making guarantees of absolute returns or promises to cover potential losses. Moreover, it is forbidden to advertise by targeting specific segments of society or by promising additional income or an increase in existing income. Advertisements and announcements must not include statements suggesting that transactions are guaranteed, risk-free, or require no knowledge, nor may they contain any claims that promote a CASP without substantiated data. The content of promotional campaigns organized by CASPs is also subject to specific restrictions.

CASPs are required to establish internal audit, internal control, and risk management units that are appropriate to the nature and scope of their activities, and are sufficiently qualified, capable, and effective to respond to changing conditions. They must also develop workflow procedures and a business continuity and recovery plan. Additionally, CASPs are obligated to undergo an independent audit of their information systems at least once per year, as well as a proof-of-reserves audit. CASPs are also subject to the Communiqué on the Procedures and Principles Regarding the Management of Information Systems and the Communiqué on Independent Audit of Information Systems. Accordingly, CASPs must fulfil their obligation to ensure information systems continuity by 31.12.2025, and must ensure that internal audits are conducted by authorized independent auditors by 31.12.2026. Furthermore, CMB’s resolution no. i-SPK.35/B.2 (dated 8 May 2025, numbered 30/846) introduced the principles and procedures for conducting proof-of-reserves audits. In line with the obligation of CASPs to ensure integration with the MKK, the Crypto Asset Central Registry System (“CACRS”) was launched by MKK on 27 May 2025. CASPs are now required to report to CACRS all transactions related to crypto asset trading, initial offerings or distributions, clearing, transfers, and the associated custody and related operations, along with client account balances and custody balance data held on the platform. Investors, on the other hand, will be able to verify their crypto asset records by using MKK’s e-Investor platform, where they can compare the data held by the platform with the information stored in the CACRS.

8. Operating Procedures and Principles of Crypto Asset Service Providers Regulated

The Communiqué on Operating Procedures and Principles and Capital Adequacy of Crypto Asset Service Providers numbered III-35/B.2 (“Communiqué on CASP Operating Principles”) was published by the CMB in the Official Gazette dated 13.03.2025. The Communiqué on CASP Operating Principles sets out the principles and procedures governing the services and activities that CASPs are permitted to offer, the rules applicable to such services, the criteria for the listing of crypto assets, the reconciliation framework, and the capital and capital adequacy requirements to which CASPs are subject.

Pursuant to the Communiqué on the CASP Operating Principles, CASPs can, upon obtaining authorization from the CMB, provide the following services: (i) receipt and execution of orders related to crypto assets, clearing and settlement, transfer, and custody of crypto assets; (ii) intermediation in the initial offering or distribution of crypto assets; (iii) custody and management of crypto assets or the private keys associated with such assets; and (iv) investment advisory services related to crypto assets. CASPs are not required to obtain a license in order to engage in the purchase, sale, or transfer of crypto assets for their own wallets, provided that such transactions are not conducted for the purpose of providing crypto asset services to third parties other than their customers. On the other hand, transactions involving the purchase, sale, initial offering or distribution, clearing, transfer, and custody of non-fungible and unique digital assets used to represent ownership or value, as well as in-game virtual items used solely for the creation or acquisition of elements within digital games, are subject to notification rather than prior authorization. The same applies to services involving financial analysis and general advice related to crypto assets. Such services may be provided by CASPs following notification to the CMB, unless the CMB raises an objection within twenty business days of the notification.

Transactions carried out by foreign-based CASPs shall fall outside the scope of the Communiqué on the CASP Operating Principles, provided that they do not engage in advertising or promotional activities targeting persons resident in Türkiye, do not establish a place of business in Türkiye, do not launch a Turkish-language website, and do not provide investment services and activities through persons or institutions based in Türkiye.

Pursuant to the Communiqué on the CASP Operating Principles, activities such as receiving customer orders related to crypto assets, executing them either through matching or as a counterparty, clearing, initial offering or distribution, transfer, and the related custody operations are defined as platform activities. In addition, the operation of peer-to-peer digital marketplaces that allow customers to directly buy, sell, and exchange crypto assets among themselves is also considered within the scope of platform activities. These activities must be conducted in compliance with the provisions of the Communiqué on CASP Operating Principles and the provisions related to know-your-customer (KYC) requirements regulated under the Communiqué on CASPs.

Although investment advisory services related to crypto assets are listed among the activities subject to prior authorization by the CMB, such services are not classified as platform activities under the Communiqué on CASP Operating Principles. Activities carried out by entities whose primal function is to provide liquidity by quoting prices to platforms and executing transactions based on those prices, without offering any external services to investors in a manner that would fall within the definition of a “platform” under the Capital Markets Law (“CML”), shall not be considered platform activities. Activities of entities whose sole function is to carry out the purchase, sale, initial offering or distribution, clearing, transfer, and custody of non-fungible and unique digital assets used solely to represent ownership or identity, or of digital assets used exclusively for the creation or acquisition of in-game virtual items, shall not be considered platform activities.

When carrying out activities classified as platform activities, platforms must execute customer orders in accordance with the principles set out in their order execution policy and the framework agreement signed with the customer. The cash balance receivable of a customer must be transferred to the relevant bank on the same day the customer submits the withdrawal request. All buy, sell, and transfer transactions of customers, along with their cash and crypto asset balances, must be recorded separately from the platform’s own accounts, and tracked fully, accurately, and in real time on a client-by-client basis through a book-entry system. Platforms that intermediate the initial offering or distribution of a crypto asset are required to review the minimum elements to be embedded in smart contracts, depending on the type and legal nature of the relevant crypto asset, and must verify the accuracy of such contracts. Platforms are prohibited from listing crypto assets that do not meet the minimum criteria.

Crypto assets listed on platforms may not be traded on a leveraged basis, and may not be used as underlying assets in derivative contracts, or be subject to margin trading, short selling, or securities lending transactions within the meaning of the CMB’s regulations on credit transactions.

Platforms are required to have a minimum initial capital of TRY 150,000,000, while custody institutions must have a minimum capital of TRY 500,000,000. CASPs are also required to maintain at least 25% of their equity as paid-in or issued capital as of June of each year. The equity of platforms must not be lower than their liquidity reserve requirement. As for custody institutions, no additional equity will be required if the total value of client assets under custody does not exceed TRY 1,000,000,000. However, if this threshold is exceeded, the institution must maintain additional equity equal to 1.5% of the amount exceeding the threshold, in addition to its initial capital.

The principles and procedures regarding investment advisory and portfolio management activities by platforms, as well as the rules for the listing of crypto assets, are also specifically regulated under the Communiqué on CASP’s Operating Principles.

9. Enhanced Measures Introduced for Crypto Asset Transfers

The MASAK General Communiqué No. 29 (“Communiqué”), published on 28.06.2025, introduces stricter measures to be implemented by CASPs in relation to crypto asset transfers. Under the Communiqué, CASPs are required to implement enhanced due diligence measures, in line with the Regulation on the Compliance Program Regarding Obligations for the Prevention of Laundering Proceeds of Crime and Financing of Terrorism, particularly in the context of establishing business relationships and conducting transactions requiring customer identification. Accordingly, CASPs must (i) obtain information, to the extent possible, regarding the source of the customer’s funds and assets involved in the transaction; (ii) obtain information on the purpose of the transaction; and (iii) intensify the frequency and scope of monitoring, and identify transaction types that require additional scrutiny, in order to maintain enhanced oversight of the business relationship. In addition, CASPs must adopt appropriate measures under their risk management policies to establish transaction amount and volume thresholds.

Pursuant to the Communiqué, a transaction limit of USD 3,000 per day and USD 50,000 per month has been imposed on crypto asset transfers. These limits may be doubled if the travel rule obligations, as set out under Article 24/A of the Regulation on Measures Regarding the Prevention of Laundering Proceeds of Crime and Financing of Terrorism, are properly fulfilled.

The Communiqué also introduces withdrawal time restrictions for certain types of crypto asset transfers, including (i) transfers to or from wallets that are not registered with any CASP, and (ii) transfers between CASPs located abroad that are not subject to a legal obligation under their local regulations to share information about the sender and the recipient. In such cases, a minimum waiting period of 48 hours must elapse before the crypto assets can be withdrawn. For the first withdrawal transaction, this period is extended to 72 hours.

CASPs may be exempt from applying the above-mentioned time and transaction amount restrictions in cases where they are certain that a crypto asset transfer is being made for the purpose of providing liquidity, market making, or inter-market arbitrage on behalf of the customer. However, this exemption is subject to strict conditions: the CASP must have fully implemented all know-your-customer (KYC) measures, must periodically collect documentation and information regarding the source of the assets, including account details held at banks or other platforms, and must obtain individual approval from the board of directors for each such customer.

Platforms are required to obtain a transaction description of at least 20 characters from the customer for each individual transfer.

Transfers executed by custody institutions on behalf of platform customers are also subject to the measures set out in the Communiqué. However, transfers between platforms and custody institutions arising from obligations under capital markets legislation shall not be subject to these restrictions.

10. Regulations on Payment Service Providers and Digital Wallets

The Regulation Amending the Regulation on Payment Services, Electronic Money Issuance, and Payment Service Providers was published in the Official Gazette on 28.03.2025. Under this amendment, payment service providers that offer payment initiation and account information services are required to connect to the Bankalararası Kart Merkezi A.Ş. and provide the necessary infrastructure to all other authorized payment service providers upon request (“Infrastructure Obligation”). The scope of the Infrastructure Obligation has been limited to payment service providers that not only offer payment initiation and account information services but also provide direct online access to customers. Furthermore, the obligation applies only to payment service providers that are participants in the FAST System, as well as to non-participant institutions that rank among the top ten payment services providers in terms of annual transaction volume. The compliance deadline for fulfilling the Infrastructure Obligation has been extended to 31.12.2025.

The amendment dated 07.10.2023 introduced obligations regarding the provision of digital wallet services. The compliance deadline for these obligations has been further extended to 31.12.2025.

11. The Withholding Tax Rate on Earnings from Shares of Venture Capital Investment Fund Changed

The withholding tax rate was reduced to 0% for the income and gains derived by real person investors from the participation shares of venture capital investment funds, regardless of how long the participation shares were held. With the amendment, the withholding tax rate is increased to 7.5% for the participation shares acquired between 01.05.2024 and 31.10.2024 which are held for less than two years, and the withholding tax rate is increased to 10% for the participation shares to be acquired after 31.10.2024 which will be held for less than two years. With the amendment dated 01.02.2025, the withholding tax rate is increased to 15% for the participation shares acquired between 01.02.2025 and 08.07.2025 which are held for less than two years, and the withholding tax rate is increased to 17.5% for the participation shares to be acquired after 09.07.2025 which will be held for less than two years. On the other hand, the withholding tax rate will continue to be 0% for the income and gains to be derived from participation shares held for more than two years.

12. Foreign Currency Restriction on Goods Lifted

Pursuant to Communiqué No. 2008-32/34 on the Decree No. 32 on the Protection of the Value of the Turkish Currency, residents of Türkiye were previously prohibited from stipulating the contract price or other payment obligations in foreign currency or indexed to foreign currency in sale agreements of goods concluded among themselves. However, with the amendment dated 06.03.2025, this restriction has been lifted for all transactions except vehicle sale agreements, thereby allowing sales of goods, including the sale of company shares, to be denominated in foreign currency or indexed to foreign currency.

13. Regulation on Keeping Corporate Books in Electronic Form

The Communiqué on the Keeping of Commercial Books Not Related to the Accounting of the Business in Electronic Form was published in the Official Gazette dated 14.02.2025. The regulation covers the share ledger, board of directors’ resolution book, board of managers’ resolution book, and the general assembly meeting and negotiation book (“Books”). Companies which will be registered with the trade registry as of 01.01.2026 and joint stock companies whose incorporation or articles of association amendments are subject to the approval of the Ministry of Commerce, will be required to keep the Books in electronic form. No opening or closing approval will be required for the Books kept in electronic form. These Books will be stored and monitored within a system to be established by the Ministry of Commerce. One or more members of the board of directors, or third parties, can be authorized to carry out transactions within the relevant electronic ledger system.

14. 2025 Action Plan of the Coordination Council for the Improvement of the Investment Environment Announced

The Coordination Council for the Improvement of the Investment Environment announced its 2025 Action Plan (“Action Plan“) on 10.07.2025. The Action Plan, comprising 39 action items, includes the following key objectives: (i) completion of technical preparatory work for aligning the PDPL with the GDPR, (ii) provision of legal certainty for the use of digital tools in corporate HR processes, (iii) revision of corporate governance principles, (iv) dematerialization of shares of startups receiving investment from venture capital funds through registration with the MKK, (v) development of national data and cloud computing strategies, and review of legislation on data localization, (vi) update of the National Artificial Intelligence Strategy, (vii) revision of the definition of SMEs, (viii) improvement of legislation in line with the roadmap developed for EU digital economy regulations, and (ix) facilitation of company formation for new technology startups, including exemptions from certain formalities and financial obligations during the early stages.

Should you have any inquiries, please do not hesitate to contact us.