March 2025 – On 19 March, 2025, Türkiye enacted Cybersecurity Law No. 7545 (the “Law”), which introduces comprehensive regulations to enhance cyber resilience in Türkiye. The Law reflects a significant step toward strengthening the security of critical infrastructure, data protection, and incident response mechanisms. Organisations operating in Türkiye must understand these requirements to ensure compliance and mitigate potential risks.
What are the main objectives of the Law?
The primary objective of the Law is to safeguard Türkiye's national cyber infrastructure against both internal and external threats. The Law emphasises the protection of critical infrastructure, the establishment of response teams, and enhanced security protocols for public and private sector organisations. By outlining responsibilities for both government entities and private organisations, the law aims to create a robust cybersecurity framework that supports national security, public safety, and economic stability.
The Law applies to a wide range of entities operating in Türkiye's cyberspace, including public institutions, professional bodies, and private enterprises that provide digital services or manage sensitive data. Notably, intelligence services and specific military activities are exempt from these regulations.
What are the key requirements and compliance standards?
Cybersecurity Board: The Law mandates the formation of the Cybersecurity Board (the “Board”), tasked with coordinating Türkiye’s national cybersecurity policies and strategies. The Board is composed of senior government officials, including the President (or Vice President), key ministers, and representatives from the defence and intelligence agencies. Key responsibilities of the Board include:
- establishing cybersecurity policies;
- overseeing security protocols in critical industries;
- facilitating collaboration between public and private entities.
Critical infrastructure: Another significant aspect of the Law is the requirement for enhanced protection of critical infrastructure. Organisations that provide essential services such as energy, healthcare, finance, and communication must implement heightened security protocols. These include:
- conducting frequent vulnerability assessments and penetration testing;
- performing risk analysis to identify potential threats;
- creating comprehensive incident response plans to ensure rapid recovery after cyber incidents.
SOME teams: To address incident response needs, the Law mandates the creation of SOME Teams (Cyber Incident Response Teams) within key institutions and critical infrastructure providers. These teams are responsible for:
- identifying, responding to, and mitigating cyber incidents;
- collaborating with government agencies to ensure rapid containment and recovery during cybersecurity events;
- ensuring their SOME teams are adequately trained and equipped to handle complex threats.
Compliance and certification: Under the Law, organisations providing cybersecurity services must obtain certification from the Board. Critical infrastructure providers are also required to engage certified cybersecurity professionals to manage security-related processes.
Data privacy: A strong focus is also placed on data protection and privacy. Organisations processing sensitive information must adopt robust data protection protocols to ensure confidentiality, integrity, and accessibility. Personal data obtained during cybersecurity operations must be managed strictly in accordance with data protection principles. The Law requires that personal data collected for cybersecurity purposes be securely erased once the data is no longer required.
Presidency approval for M&A deals: Under the Law, companies engaged in the production of cybersecurity products, systems, software, hardware, and services are required to notify the Cyber Security Presidency of any merger, division, share transfer, or sale transactions. Furthermore:
- Any transaction—whether by a natural or legal person, acting alone or jointly—that results in direct or indirect control or decision-making authority over such companies shall be subject to prior approval by the Cyber Security Presidency. That said, transactions carried out without the required approval shall be deemed legally invalid.
- Additionally, the export of cybersecurity products, systems, software, hardware, and services must comply with the procedures and principles to be determined by the Cyber Security Presidency. If the export involves items subject to approval, prior authorisation must be obtained.
Penalties and sanctions: The Law outlines various penalties and sanctions for non-compliance and unlawful activities:
|
Violation type |
Description |
Fine/Prison term |
|
Failure to provide information |
Refusing to provide requested information, documents, or technical data to authorised authorities. |
1–3 years imprisonment and 500–1,500 days of judicial fines. |
|
Operating without authorisation |
Conducting cybersecurity-related activities without proper approvals, permits, or licenses. |
2–4 years imprisonment and 1,000–2,000 days of judicial fines. |
|
Violation of confidentiality obligations |
Failure to adhere to confidentiality rules or unauthorised disclosure of sensitive data. |
4–8 years imprisonment. |
|
Data breach offenses |
Sharing or selling sensitive data from critical public services without proper authorisation. |
3–5 years imprisonment. |
|
False information and fearmongering |
Creating or spreading false information about cybersecurity incidents causes public panic. |
2–5 years imprisonment. |
|
Cyberattacks targeting national security |
Targeting Türkiye’s national cybersecurity infrastructure, with severe consequences for dissemination or sale of stolen data. |
8–12 years imprisonment (up to 15 years if data is sold or shared). |
Penalties for the above violations may increase significantly under certain conditions:
- if the offense is committed by a public official, penalties are increased by one-third;
- if committed by multiple individuals, penalties are increased by half;
- if part of an organised crime framework, penalties may be increased by up to double the original sentence.
What should organisations do to comply?
To ensure compliance with the Law, organisations should take proactive steps to align with the updated regulations. Under the Law, it is stated that organisations operating in the cybersecurity sector — including associations, federations, foundations, and commercial companies — are required to complete certification, authorisation, and documentation processes within one year.
Key steps for compliance include:
- conducting a comprehensive cybersecurity risk assessment;
- implementing updated security policies in accordance with the new requirements;
- establishing a dedicated incident response team to manage potential breaches.
Furthermore, organisations are encouraged to provide internal training and awareness programs to educate employees about cybersecurity threats, preventive measures, and response protocols.
Conclusion
The enactment of the Law marks a significant evolution in Türkiye's cybersecurity landscape. Organisations operating in Türkiye must promptly assess their cybersecurity frameworks, enhance security measures, and adopt appropriate strategies to mitigate risks. Ensuring compliance with these regulations will not only safeguard organisations against financial penalties but also strengthen their resilience against increasingly sophisticated cyber threats.
For further information or tailored legal guidance on ensuring compliance with the new law, please contact our team.