Turkey does not have any dedicated cybersecurity laws. The data protection legislation, including the Personal Data Protection Law No. 6698 (PDPL), however, contains general requirements with regard to the security of personal data. Cybersecurity breaches can therefore lead to a breach of data protection law.

Following the previous versions covering the 2013–2014 and 2016–2019 periods, the Ministry of Transport, Maritime Affairs and Communication prepared the 2020–2023 National Cybersecurity Strategy and Action Plan (the National Action Plan), under which definitions, principles, cybersecurity risks and strategic cybersecurity purposes and actions were presented. This plan aimed to shape Turkey’s cybersecurity legislation in accordance with international standards and to establish a public authority that ensures coordination in the field of cybersecurity.

The 11th Development Plan of the Turkish Republic for the 2019–2023 period (the Strategy Plan for 2019–2023) states that, to mitigate national security risks and ensure technological transformation in primary sectors (eg, chemical industry, medicine and medical equipment, electronics, automotive and rail system equipment), Turkey must enhance its ability to develop cybersecurity and data privacy technologies, fill the gap in the number of qualified persons, further develop its administrative structures and keep its legislation in step with ever-developing technology. Various plans and strategies are expected to be implemented within the period covered by the Strategy Plan for 2019–2023, including the establishment of new public organisations and committees dealing with cybersecurity. In addition, the Turkish Presidency’s Digital Transformation Office (DTO), which was established in 2018, has been carrying out a series of studies and projects in the area of cybersecurity and data security for the purpose of ensuring digitalisation in public services and increasing public awareness thereof.

The Presidential Circular on Information and Communication Security Measures (the Circular), which was published by the Presidency on 6 July 2019, sets forth a series of measures aimed at increasing the security of critical data, including requirements for the domestic localisation of data and limitations on the use of cloud services. The Circular primarily concerns public institutions and organisations, but also private organisations that provide services in critical infrastructure sectors, namely banking and finance, electronic communications, transportation, energy, water management and critical public services. The Circular also provided that the DTO had to prepare an Information and Communication Security Guide (the Guide) to be implemented by public institutions and organisations, as well as by organisations providing critical infrastructure services. The current information systems of these institutions shall be gradually aligned with the principles determined in the Guide. The Guide, which entered into force on 24 July 2020, lists a series of security measures to be implemented by institutions within the scope of the Circular and provides a 24-month timeline for actions to be taken. In addition, the DTO addressed some of the issues arising under the Circular in the form of frequently asked questions published on its website. On 27 October 2021, the DTO published the Information and Communication Security Audit Guide (the Audit Guide), which provides the methodology to be followed in planning the audits, implementing the audit procedures and reporting the audit results within the scope of the mandatory annual periodic audits.

Despite the lack of general legislation to date, certain sector-specific pieces of legislation apply. The Electronic Commerce Law No. 6563 and the Banking Law No. 5411 are the most important. In the banking sector, the Regulation on the Information Systems of Banks and Electronic Banking (the Electronic Banking Regulation), published on 15 March 2020, brought a renewed focus on data protection and cybersecurity issues. The Electronic Banking Regulation contemplates at least 90 hours per year of mandatory training for bank personnel and the carrying out of annual penetration tests by independent firms. It puts in place a gradual transition system, with most provisions becoming effective on 1 July 2020, while six provisions in relation to identity authentication came into force on 1 January 2021. The Electronic Banking Regulation is meant to repeal the Communiqué on the Principles Applicable to the Information Systems of Banks (the Communiqué) issued by the Banking Regulation and Supervision Agency (BRSA) in 2007.

In the health and insurance sectors, the data protection legislation imposes stricter requirements in terms of cybersecurity to the extent that healthcare providers and health insurers process personal health data, which qualifies as a special category of data and requires enhanced protection. These two sectors also have their own legislation with regard to confidentiality obligations, thus making cybersecurity even more critical. In the telecommunications sector, the Information and Communication Technologies Authority (ICTA) has detailed regulations with regard to the technical precautions to be taken by telecommunications providers.

The Turkey chapter of “Lexology GTDT – Cybersecurity 2023”, written by Stéphanie Beghe Sönmez and Mert Karakaşlar, has been published.

You may reach the full text of publication here.
