The Cybersecurity Law Entered Into Force
The Cybersecurity Law (“Law”) entered into force upon its publication in the Official Gazette dated 19.03.2025 and numbered 32846. The Law aims to identify and eliminate threats in cyberspace, mitigate the possible effects of cyber incidents, protect various actors against cyber attacks and strengthen the country’s cyber security. The Law applies to public institutions and organisations, professional organisations with public institution status, real and legal persons, and organisations without legal personality that directly or indirectly exist, operate and provide services on the internet, electronic communication or all information systems connected to computer networks and networks connecting them (cyberspace). The Law provides that the regulations regarding the implementation of the Law, the details of which are given below, will come into force within one year.
1. Cybersecurity Presidency
The Law regulates the duties of the Cybersecurity Presidency (“Presidency”). Accordingly, the Presidency is responsible for (i) increasing the resilience of critical infrastructures and information systems and protecting them against cyber-attacks, detecting and combating cyber-attacks, collecting cyber threat intelligence and analysing malware; (ii) identifying critical infrastructures and the institutions and locations to which they belong; (iii) keeping the inventory of all assets, including data inventory, of public institutions and organisations and critical infrastructures, performing risk analysis for those assets, taking security measures according to the criticality of the assets owned by public institutions and organisations and critical infrastructures, and ensuring their security; (iv) establishing a cyber incident response team; (v) determining the procedures, principles and standards to be complied with in the field of cyber security, conducting testing and certification procedures in this field, conducting audits in this field and imposing sanctions; (vi) determining the qualifications that cyber security products and services and the enterprises that will provide them should have, and determining the rules regarding their supervision.
2. Cybersecurity Board
The Law regulates the establishment of the Cybersecurity Board (“Board”). The Board consists of the President, the Vice President, the Minister of Justice, the Minister of Foreign Affairs, the Minister of Interior, the Minister of National Defence, the Minister of Industry and Technology, the Minister of Transport and Infrastructure, the Secretary General of the National Security Council, the President of the National Intelligence Agency, the President of the Defence Industry and the President of Cyber Security. The Board is authorised to (i) determine policies, strategies, actions and plans and other regulatory procedures and their exceptions regarding cyber security, (ii) implement the road map on cyber security prepared by the Presidency, (iii) determine incentives in the field of cyber security and take decisions to develop human resources, (iv) determine critical infrastructure sectors, and (v) take decisions on disputes between the Presidency and other public institutions and organisations.
3. Duties and Responsibilities of Those Who Provide Services, Collect Data, Process Data and Carry Out Similar Activities by Using Information Systems
The Law regulates the duties and responsibilities of those who provide services, collect data, process data and carry out similar activities by using information systems. Accordingly, these parties are obliged to: (i) submit all kinds of information and documents requested by the Presidency, (ii) take the necessary measures for the purposes of national security, public order or proper performance of public service regarding cyber security and notify the Presidency without delay of the vulnerabilities and cyber incidents they detect in the area where they provide services, (iii) purchase products and services to be used in public institutions and organisations and critical infrastructures from authorised and certified cyber security experts, manufacturers or companies, and (iv) comply with the policies and strategies developed by the Presidency.
In addition, cyber security companies subject to certification, authorisation and certification must obtain the approval of the Presidency within the framework of the existing regulations before commencing operations. The sale of cyber security products and services abroad will also be subject to the approval of the Presidency. Merger, spin-off, share transfer or sale transactions of cyber security companies will also be notified to the Presidency, and any of these transactions that individually or collectively grant direct or indirect control rights or decision-making authority over the cyber security company will be subject to the approval of the Presidency.
4. Penalties
The Law provides for various and severe sanctions in case of breach of the obligations stipulated by the Law. Accordingly, the following acts are subject to sanctions: (i) failing to provide the information and documents requested by the authorities and auditors authorised by the Law, (ii) conducting activities without obtaining the necessary approvals, authorisations and permits, (iii) breaching the duty of confidentiality, (iv) disseminating leaked data, (v) creating false content claiming that there is a data leak, despite knowing that there is no data leak, in order to cause anxiety and panic, (vi) organising a cyber-attack or disseminating the data obtained as a result of the attack, and (vii) abusing the duties and powers granted under the Law or violating the obligation to protect against attack arising from this duty.
In addition, where those who provide services, collect data, process data and carry out similar activities by using information systems do not notify the Presidency of cyber security vulnerabilities and cyber incidents, or where cyber security services are not obtained from authorised and certified cyber security experts, manufacturers or companies, the Law provides for administrative fines from one million Turkish Liras to ten million Turkish Liras. In case of violation of the obligations regulated for cyber security companies, the Law provides for administrative fines from ten million Turkish Liras to one hundred million Turkish Liras. Finally, in case of breach of the obligations regarding the audit process of the Presidency, the Law provides for an administrative fine from one hundred thousand Turkish Liras to one million Turkish Liras. If the party violating the audit obligations is a commercial company, the upper limit is set as 5% of the gross sales revenue.
Should you have any inquiries, please do not hesitate to contact us.
Yaşar Law Office