Cybersecurity · Turkey

Cybersecurity regulation in Turkey (2026)

Comprehensive law: Cybersecurity Law No. 7545 (in force 19 March 2025); Cybersecurity Presidency (Siber Güvenlik Başkanlığı, est. Presidential Decree No. 177, 8 January 2025); Personal Data Protection Law No. 6698 (KVKK)

Country index: 81 · B+

Turkey enacted its first comprehensive, standalone cybersecurity law — Law No. 7545 — published in Official Gazette No. 32846 on 19 March 2025. The law creates a unified regulatory authority (the Cybersecurity Presidency), mandates incident reporting without delay for all in-scope entities, and imposes heightened obligations on critical infrastructure operators in sectors such as energy, finance, healthcare, and telecommunications. It complements the pre-existing Personal Data Protection Law No. 6698 (KVKK), which separately requires 72-hour data-breach notification to the Data Protection Board.

Key points

Law No. 7545 — Scope & Entry into Force

Adopted by the Grand National Assembly on 12 March 2025 and published in the Official Gazette on 19 March 2025, Law No. 7545 is Turkey's first comprehensive cybersecurity statute. It applies to public institutions, professional bodies with public status, private legal entities, and organisations without legal personality that operate in cyberspace; intelligence agencies (MİT, Armed Forces, Gendarmerie) are excluded.

Cybersecurity Presidency

The Cybersecurity Presidency (Siber Güvenlik Başkanlığı) was established by Presidential Decree No. 177 on 8 January 2025 and confirmed as the apex regulatory and certification authority by Law No. 7545. It absorbed all cybersecurity assets and responsibilities previously held by BTK (Information and Communication Technologies Authority) and the Digital Transformation Office within six months of the law's publication.

Incident Reporting Obligations

Article 7(1)(b) of Law No. 7545 requires all in-scope entities to report cyber incidents and vulnerabilities to the Cybersecurity Presidency without delay. The duty extends beyond malicious attacks to internal errors and technical failures. Critical infrastructure operators that maintain a Corporate Cyber Incident Response Team (SOME) must additionally notify USOM (National Cyber Incident Response Centre) and their sectoral SOME without delay.

Critical Infrastructure Heightened Duties

The Cybersecurity Presidency is empowered to designate sectors as critical infrastructure (energy, telecommunications, finance, and healthcare are expected to be primary designees) and to impose tailored technical and administrative obligations, mandatory security audits, and certification requirements specific to each sector.

KVKK — Personal Data Breach Notification

Separately, Personal Data Protection Law No. 6698 (KVKK) Article 12(5) requires data controllers to notify both affected individuals and the Personal Data Protection Board within 72 hours of becoming aware of a breach. The KVKK framework runs in parallel to Law No. 7545 and is enforced by the Personal Data Protection Authority (KVKK Kurumu).

Penalties

Law No. 7545 introduces a tiered administrative fine regime: TRY 100,000–1,000,000 for reporting/monitoring failures; TRY 1,000,000–10,000,000 for general cybersecurity duty breaches; TRY 10,000,000–100,000,000 for critical infrastructure operator violations. For the first time in Turkish law, revenue-based fines of up to 5% of gross annual sales apply to commercial entities. Secondary implementing regulations are pending.

Timeline - major decisions & events

Mar 19, 2025 · law · official
Comprehensive Cybersecurity Law No. 7545 Enacted

Turkey's first dedicated cybersecurity law was published in Official Gazette No. 32846, establishing the Cybersecurity Council, mandating transfer of BTK's cybersecurity functions to the new Cybersecurity Directorate within six months, and imposing sector-wide obligations — including asset inventories, risk assessments, and mandatory certification — on critical-infrastructure operators in energy, finance, health, and telecoms. Administrative fines range from TRY 1 million to TRY 100 million.

Turkish Official Legislation Portal (Mevzuat.gov.tr)

Jan 8, 2025 · decision · official
Cybersecurity Directorate Established by Presidential Decree No. 177

The Presidency created a standalone Cybersecurity Directorate as a public legal entity with financial autonomy, separating national cybersecurity execution from BTK and the Digital Transformation Office ahead of the March 2025 law. The Directorate will absorb all cyber-related assets and personnel from both bodies within six months of Law No. 7545.

Digital Transformation Office of the Presidency of Turkey

Sep 9, 2024 · incident
Government Confirms Breach of 108 Million Citizens' Personal Data

Turkish officials admitted that names, ID numbers, addresses, and phone data for approximately 108 million citizens were stolen from government servers and stored in Google Drive files; BTK contacted Google to have the files removed. The incident directly catalyzed parliamentary passage of the 2025 Cybersecurity Law.

Duvar English (ministerial confirmation report)

Jan 4, 2023 · guidance
Information and Communication Security Compliance and Audit Monitoring System Launched

BTK activated a centralised automated platform to continuously track and audit public institutions' compliance with the 2020 Information and Communication Security Guide, marking a shift from self-reporting to real-time regulatory monitoring of the country's cyber hygiene posture.

ICLG Cybersecurity Laws and Regulations 2026 – Turkey

Jul 24, 2020 · guidance · official
Information and Communication Security Guide Formally Approved

Issued under Presidential Circular 2019/12, the Guide sets mandatory technical and administrative controls — encrypted server communications, domestic storage of sensitive national data (health, biometric, population records), and institutional email hosting in Turkey — applying to all public bodies and critical-infrastructure operators.

Digital Transformation Office of the Presidency of Turkey

Dec 29, 2019 · guidance · official
National Cybersecurity Strategy and Action Plan 2020–2023 Published in Official Gazette

The third-generation national strategy introduced a proactive cyber posture, 24/7 critical-infrastructure protection, systematic risk analysis, and explicit targets to reduce dependency on foreign IT vendors — superseding the 2016–2019 plan and aligning with the 2023 national vision.

Ministry of Transport and Infrastructure of Turkey (UAB)

Apr 7, 2016 · law · official
Personal Data Protection Law No. 6698 (KVKK) Enacted

Turkey's GDPR-aligned data-protection law established the independent KVKK supervisory authority, imposed mandatory technical and administrative security controls on data controllers, and introduced breach-notification obligations — forming the principal data-security compliance layer that operates in parallel with sector-specific cybersecurity rules.

Personal Data Protection Authority of Turkey (KVKK)

Jan 1, 2016 · guidance · official
National Cybersecurity Strategy and Action Plan 2016–2019 Published

The second national strategy formalised objectives across cyber defence, critical-infrastructure protection, cybercrime deterrence, and human-capital development, and for the first time explicitly embedded cybersecurity targets within Turkey's 2023 national development vision.

Ministry of Transport and Infrastructure of Turkey (UAB)

Sep 29, 2014 · law · official
Turkey Ratifies the Budapest Convention on Cybercrime

Turkey deposited its instrument of ratification of the Council of Europe's Budapest Convention, the primary international treaty on cybercrime and electronic evidence, aligning Turkish substantive criminal law and mutual legal-assistance procedures with European standards.

Council of Europe – Cybercrime Division

Jan 1, 2013 · decision · official
First National Cybersecurity Strategy 2013–2014 Adopted; USOM/TR-CERT Established

The inaugural National Cybersecurity Strategy and Action Plan was approved by the newly formed Cybersecurity Board, and the National Cyber Incident Response Centre (USOM/TR-CERT) was stood up under BTK alongside sector-level Cyber Incident Response Teams (SOMEs) — creating the operational incident-response architecture that underpins today's framework.

Information and Communication Technologies Authority (BTK)

Oct 20, 2012 · decision · official
Cybersecurity Board (Siber Güvenlik Kurulu) Established; BTK Named National Coordinator

Council of Ministers Decree No. 2012/3842, published in the Official Gazette on 20 October 2012, established the Cybersecurity Board as Turkey's first whole-of-government cybersecurity governance body and designated BTK as the national coordination authority — the foundational institutional act for all subsequent strategy and regulation.

Information and Communication Technologies Authority (BTK)

May 23, 2007 · law · official
Internet Law No. 5651 Enacted — Foundational Internet and Cybercrime Statute

Law No. 5651 on Regulation of Publications on the Internet established Turkey's legal framework for internet-based offences, imposing cooperation and data-preservation obligations on ISPs and enabling content blocking — the foundational statute on which successive cybersecurity and data-protection regulation was layered.

Turkish Official Legislation Portal (Mevzuat.gov.tr)

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.