The long-anticipated Cybersecurity Law No. 7545 came into force in Türkiye following its publication in the Official Gazette on 19 March 2025. Aimed primarily at protecting public institutions, individuals, and private sector entities from cyber threats, the law establishes comprehensive policies and strategies to enhance national cybersecurity. Its broad scope applies to all public institutions, private legal entities, professional associations, and individuals operating in cyberspace.
Duties and powers of the Cybersecurity Directorate
The Cybersecurity Directorate, established under Presidential Decree No. 177 (published in the Official Gazette on 8 January 2025), has been designated as the primary authority for regulating and auditing individuals and entities operating in the cybersecurity sector. It assumes the previous powers of both the Information and Communication Technologies Authority and the Digital Transformation Office.
The main duties of the Cybersecurity Directorate include the following:
- determination of critical infrastructure and relevant institutions;
- establishment and coordination of cyber incident response teams;
- regulating procedures and principles for individuals and entities operating in the cybersecurity field;
- conducting relevant audits and imposing sanctions in case of non-compliance;
- preparation of standards for the cybersecurity sector;
- testing and certification of software, hardware, products, systems and services related to cybersecurity; and
- determination of security criteria for use of cybersecurity software, hardware, products, and services in public institutions and critical infrastructure.
The Cybersecurity Directorate is granted extensive authority to audit cybersecurity-related matters. It is entitled to audit all kinds of operations within the scope of the Cybersecurity Law on-site through its own experts or authorised independent auditors; and to examine and collect copies and digital images of all relevant data, documentation, electronic infrastructure, devices, systems, software, and hardware within this scope.
Persons subject to such audits of the Cybersecurity Directorate are required to make their devices, systems, software and hardware accessible, and to ensure that the necessary infrastructure and necessary measures are in place for this purpose. Failure to comply may result in administrative fines ranging from TRY 100,000 to TRY 1,000,000 (approx. EUR 2,440 to EUR 24,400). For commercial companies, these obligations carry an administrative fine of up to 5% of the gross sales revenue.
The Cybersecurity Directorate is also entitled to investigate cyber incidents and provide intervention support to the affected persons; collect information, documentation, data and records from the persons subject to the Cybersecurity Law; appoint and authorise independent auditors to conduct cybersecurity audits and inspections; and determine principles and procedures regarding exportation of cybersecurity products, systems, software, hardware and services outside Türkiye.
Obligations of IT and cybersecurity companies
IT companies
Under the Cybersecurity Law, companies providing services, collecting and processing data, and performing relevant activities through information systems are subject, among others, to the following obligations:
- providing all kinds of data, information, documentation, hardware, software and any other support requested by the Cybersecurity Directorate as part of its duties and activities in a timely and prioritised manner;
- adopting legal cybersecurity measures for national security as well as public order and promptly notifying the Cybersecurity Directorate of any vulnerabilities or cyber incidents in their service areas;
- procuring cybersecurity products, systems and services to be used in public institutions and critical infrastructure from cybersecurity experts, manufacturers or companies authorised and certified by the Cybersecurity Directorate; and
- complying with cybersecurity-related policies, strategies, action plans and other secondary regulations of the Cybersecurity Directorate.
Failure to comply with the obligations described in the second and third items above may result in an administrative fine ranging from TRY 1,000,000 to TRY 10,000,000 (approx. EUR 24,400 to EUR 244,000).
Cybersecurity companies
The Cybersecurity Law imposes the following additional obligations on cybersecurity companies manufacturing cybersecurity products, systems, software, hardware and services:
- obtaining approval from the Cybersecurity Directorate before starting operations, for cybersecurity companies subject to certification, authorisation and documentation;
- securing export permission from the Cybersecurity Directorate for certain cybersecurity products subject to export controls;
- notifying the Cybersecurity Directorate of legal transactions involving mergers, spin-offs, or share transfers or sales; and
- obtaining prior approval from the Cybersecurity Directorate for any such transactions that result in a direct or indirect change of control.
Failure to comply with the obligations described in the last three items above may lead to an administrative fine ranging from TRY 10,000,000 to TRY 100,000,000 (approx. EUR 244,000 to EUR 2,440,000). Moreover, the transactions subject to the Cybersecurity Directorate’s approval will be deemed legally void if such approval is not obtained.
Cybersecurity-related criminal offences and administrative fines
Criminal offences
The Cybersecurity Law introduces new criminal offences related to cybersecurity, with severe sanctions resulting in imprisonment and judicial fines:
- imprisonment from one to three years and judicial fines varying from 500 days to 1500 days for failure to provide, or preventing the provision of, information, documents, software or hardware requested by authorised persons;
- imprisonment from two to four years and judicial fines varying from 1000 days to 2000 days for conducting transactions without the required approvals, authorisations or licences set forth under the Cybersecurity Law;
- imprisonment from three to five years for providing paid or free access to personal data or critical public service data upon a data breach, without the prior authorisation of the relevant individuals or entities; and
- imprisonment from two years to five years for creating or disseminating false content related to cybersecurity breach incidents to cause public fear or to target individuals or institutions.
Administrative fines
The Cybersecurity Law establishes various administrative fines for non-compliance with cybersecurity-related obligations, varying from TRY 100,000 to TRY 100,000,000 (approx. EUR 2,440 to EUR 2,440,000). Commercial companies may be fined up to 5% of their gross sales revenue for the breach of some of these obligations.
Prior to the imposition of an administrative fine, the concerned parties will be given the opportunity to provide defence statements within 30 days of notification by the Cybersecurity Directorate. The administrative fines which are imposed by the Cybersecurity Directorate must be paid within one month from the date of their notification. Decisions of the Cybersecurity Directorate regarding administrative fines can be challenged before the administrative courts.
Transition period
The implementation principles and procedures for the obligations set forth under the Cybersecurity Law will be further detailed by the Cybersecurity Directorate through secondary legislation, to be issued within one year of the publication of the Cybersecurity Law. These regulations will play a crucial role in defining how the Cybersecurity Law will be applied in practice, including compliance and certification procedures for entities in the cybersecurity sector.
Entities operating in the cybersecurity field must complete all certification, authorisation, and licensing processes within one year from the publication of these regulations. Entities failing to comply will be prohibited from operating in the cybersecurity sector. At the end of the transition period, non-compliant commercial companies must remove any cybersecurity-related terms from their corporate names and cease related business activities, or initiate liquidation proceedings for deregistration from the trade registry.