The Cybersecurity Law No 7545
The Cybersecurity Law No 7545 (the “Law”) was published in the Turkish Official Gazette No 32846 on 19 March 2025, marking its official entry into force. The Law aims to determine the principles of mitigating the possible effects of cyber incidents, introduce necessary regulations for the protection of various institutions and organisations against cyber attacks, and set out strategies and policies to strengthen cyber security in Türkiye.
SCOPE OF THE APPLICATION
The Law applies to (i) public institutions, (ii) professional organisations with the status of a public institution, (iii) individuals and legal entities, and (iv) organisations without legal personality active in cyberspace. Here, the term “cyberspace” refers to all information systems and networks connected to the internet or electronic communication networks. With its broad scope, the Law is expected to have a far-reaching impact on the cybersecurity ecosystem.
DEFINITIONS AND CONCEPTS INTRODUCED BY THE LAW
Cybersecurity Presidency: refers to the Cybersecurity Presidency (the “Presidency”), established by Presidential Decree No 177 on 8 January 2025. The Law regulates the duties, authorities and responsibilities of the Presidency. The main duties of the Presidency include preventing cyber threats, making risk analyses, ensuring the implementation of cyber security standards, establishing cyber incident response teams (i.e. SOMA), managing standards and certification processes, and conducting international cooperation.
Cybersecurity Board: refers to the Cybersecurity Board (the “Board”) established by the Law, composed of key government officials responsible for making decisions on cybersecurity regulations, overseeing the implementation of the cybersecurity technology roadmap and resolving conflicts between the Presidency and public institutions.
Information Systems: broadly defined to include hardware, software, systems and all other components used in the provision of services, transactions and data via information and communication technologies.
Critical Infrastructure: refers to infrastructure hosting information systems that may lead to significant damage in the event that the confidentiality, integrity or accessibility of the information/data they process is compromised. The Law assigns both the Presidency and the Board to oversee such infrastructure, identify critical infrastructure sectors (e.g. energy, finance and public services) and implement appropriate security measures in this regard.
Cyber Incident: refers to a violation of the confidentiality, integrity or accessibility of information systems or data.
RESPONSIBILITIES UNDER THE LAW
General Requirements
Entities that are covered by the Law, including those providing services, collecting or processing data, and carrying out similar activities using information systems, have several key responsibilities:
- cooperating with the Presidency on all kinds of information and documents,
- taking the measures stipulated by the legislation on cyber security,
- reporting any vulnerabilities or emerging cyber incidents within their service area to the Presidency without delay,
- procuring cyber security products, systems and services to be used in public institutions and organisations and critical infrastructure from cyber security experts and companies authorised and certified by the Presidency,
- meeting the requirements of the policies, strategies, action plans and other regulatory actions developed by the Presidency and taking the necessary measures to that end.
Specific Requirements for Cyber Security Products and Companies
In addition to the requirements mentioned above, cybersecurity companies subject to certification and authorisation must obtain the approval of the Presidency before commencing their operations.
Cyber security products, systems, software, hardware and services must be provided in accordance with the procedures and principles to be determined by the Presidency and the approval of the Presidency must be obtained for their sales abroad.
Furthermore, it is mandatory to notify the Presidency regarding mergers, spin-offs and share transfers of companies producing cyber security products, systems, software, hardware and providing such services, and to obtain the approval of the Presidency for transactions that lead to a change of control in the company.
INSPECTION AND SANCTIONS
The Presidency may inspect all acts and transactions falling under the scope of the Law, and may conduct or order on-site inspections in relation to its duties set out in the Law, when it deems necessary. In this context, some important penal provisions in this area are as follows:
Offences | Sanctions and Fines |
Failing to provide information, documents, software, data and hardware requested by the authorities competent under this Law. | Imprisonment 1 – 3 years and Judicial Fine 500 – 1,500 days |
Operating without obtaining the permits, authorisations or approvals stipulated under the Law | Imprisonment 2 – 4 years and Judicial Fine 1,000 – 2,000 days |
Failing to fulfil the obligation to cooperate in inspections conducted by inspectors authorised by the Law | Administrative Fine: TRY 100,000 – 1,000,000 |
>> In case of failure to fulfil this obligation by commercial companies | Administrative Fine: Up to 5% of the gross sales revenue in the independently audited annual financial statements |
Failing to fulfil the responsibilities within the scope of protecting critical infrastructures against cyberattacks and causing a data breach | Imprisonment 1 – 3 years |
Making accessible, sharing or selling personal data or corporate data within the scope of critical public service, which was previously in cyberspace due to data leakage, without the permission of individuals or institutions | Imprisonment 3 – 5 years |
TRANSITIONAL PROVISIONS
The Law entered into force on the date of its publication. The implementation principles and procedures for the obligations set forth under the Law will be further detailed through secondary legislation, to be issued within one year of the publication of the Law.
In addition, provisional Article 1 of the Law stipulates that entities operating in the field of cybersecurity must complete certification and authorisation procedures within one year from the secondary legislation entering into force. Otherwise, they will not be able to operate in the field of cyber security.