Cybersecurity · Turkey

Comprehensive law: Cybersecurity Law No. 7545 (in force 19 March 2025); Cybersecurity Presidency (Siber Güvenlik Başkanlığı, est. Presidential Decree No. 177, 8 January 2025); Personal Data Protection Law No. 6698 (KVKK)

Turkey enacted its first comprehensive, standalone cybersecurity law — Law No. 7545 — published in Official Gazette No. 32846 on 19 March 2025. The law creates a unified regulatory authority (the Cybersecurity Presidency), mandates incident reporting without delay for all in-scope entities, and imposes heightened obligations on critical infrastructure operators in sectors such as energy, finance, healthcare, and telecommunications. It complements the pre-existing Personal Data Protection Law No. 6698 (KVKK), which separately requires 72-hour data-breach notification to the Data Protection Board.

Law No. 7545 — Scope & Entry into Force

Adopted by the Grand National Assembly on 12 March 2025 and published in the Official Gazette on 19 March 2025, Law No. 7545 is Turkey's first comprehensive cybersecurity statute. It applies to public institutions, professional bodies with public status, private legal entities, and organisations without legal personality that operate in cyberspace; intelligence agencies (MİT, Armed Forces, Gendarmerie) are excluded.

Cybersecurity Presidency

The Cybersecurity Presidency (Siber Güvenlik Başkanlığı) was established by Presidential Decree No. 177 on 8 January 2025 and confirmed as the apex regulatory and certification authority by Law No. 7545. It absorbed all cybersecurity assets and responsibilities previously held by BTK (Information and Communication Technologies Authority) and the Digital Transformation Office within six months of the law's publication.

Incident Reporting Obligations

Article 7(1)(b) of Law No. 7545 requires all in-scope entities to report cyber incidents and vulnerabilities to the Cybersecurity Presidency without delay. The duty extends beyond malicious attacks to internal errors and technical failures. Critical infrastructure operators that maintain a Corporate Cyber Incident Response Team (SOME) must additionally notify USOM (National Cyber Incident Response Centre) and their sectoral SOME without delay.

Critical Infrastructure Heightened Duties

The Cybersecurity Presidency is empowered to designate sectors as critical infrastructure (energy, telecommunications, finance, and healthcare are expected to be primary designees) and to impose tailored technical and administrative obligations, mandatory security audits, and certification requirements specific to each sector.

KVKK — Personal Data Breach Notification

Separately, Personal Data Protection Law No. 6698 (KVKK) Article 12(5) requires data controllers to notify both affected individuals and the Personal Data Protection Board within 72 hours of becoming aware of a breach. The KVKK framework runs in parallel to Law No. 7545 and is enforced by the Personal Data Protection Authority (KVKK Kurumu).

Penalties

Law No. 7545 introduces a tiered administrative fine regime: TRY 100,000–1,000,000 for reporting/monitoring failures; TRY 1,000,000–10,000,000 for general cybersecurity duty breaches; TRY 10,000,000–100,000,000 for critical infrastructure operator violations. For the first time in Turkish law, revenue-based fines of up to 5% of gross annual sales apply to commercial entities. Secondary implementing regulations are pending.

Machine-assisted translation · verified 5/24/2026 · orientation, not legal advice.